Safe Mode Compromised: ZEDO, BBC, Adserver HELP!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drGonzo13, Jan 9, 2007.

  1. drGonzo13

    drGonzo13 Private E-2

    Hello and thank you in advance to anyone that takes their time to assist in this.

    I am computer savvy (although not to your extent) and I have been battling malware on my computer for some time without success. (Even as I type this there is major keyboard lag due to what I assume is a nasty key logger.)

    I have read other hijackthis forums and this one to try and solve my problems for myself, but have been unable.

    Here are the symptoms of my problems that led me to start trojan/malware hunting:
    -Trend Micro PcCillin wants to update with an unknown 36kb file. Trend Micro support can't figure it out and uninstall/reinstall results in the same problem.
    -Media Center and ATI Catalyst no longer initialize properly and won't run (I do have Win SP1 and up to date .NET framework)
    -PcCillin finds no problems, but Lavasoft Ad Aware SE finds a constant cookie called ZEDO
    -AVG Anti-Spyware finds no problems at all, yet my PEERGUARDIAN2 (which shows me all IP and connections my comp connects to) shows my computer constantly trying to connect to 'BBC' and 'Beyond the Network America, Inc.' regardless of what website I travel to (this occurs on every software update of any program I have as well)
    -Constant keyboard lag when typing (key logger evidence)
    -Massive system spikes from my CPU which normally handles everything fine in idle at 0-1%, now hits 90% on idle.
    -Task Manager shows no foreign tasks running, yet my WINLOGON task, System task, and Explorer task are running at very high System Resources -- much above normal usage

    & the worst:
    -When I try and logon to Windows SAFE MODE, my first logon attempt seems to just cycle and then asks for my logon again (not in password error, it accepts my password logon, yet cycles over like I never logged in in the first place)

    Because of this last problem, ad-aware or AVG find ZERO problems on scans while in Safe Mode. Ad-aware always finds the ZEDO trojan upon scanning in regular Windows mode (logged in as owner/admin).

    I have 3 gig ram, Pentium D 820, ati 1900, etc... so none of these lags and problems should be a result of poor resources.

    --I am at the point of full System Recovery, but I am afraid that after backing up important files and then wiping the slate clean and restarting (using Gateway F11 system recovery disk on partition) that I will either end up with the same infection or I will reload it from my backed up files.

    I would LOVE to kill these bugs before I start over with my system (I'm afraid after all the scans and removals of the bugged files over time has crushed or deleted certain important system files/programs needed, therefore I will have to reload).

    I have read through your READ AND DO FIRST section and have performed most of that work and scanning, yet I'm afraid due to my SAFE MODE problem, this may not have been effective.

    Any help would be greatly appreciated!
     
  2. drGonzo13

    drGonzo13 Private E-2

    I have COMPLETELY and THOROUGHLY run all steps 1 through 6.

    Some programs didn't give me a log file (Panda scan didn't detect anything twice) and BitDefender would not launch at all, stating there was an error in the ActiveX from the originating site and to email BitDefender about it.

    I have attached all of my logs that I have, including my HJT (AnalyzeThis log) and I also included my own Lavasoft Ad-Aware SE log that shows this nasty ZEDO cookie.

    My Windows Safe Mode problem still occurred on the first safe mode boot (it lets me logon and then starts my settings, then LOGS OFF automatically and then asks me to logon again... seems tainted), but on second boot of safe mode with networking this error didn't occur.

    Also, my program Peerguardian2 still shows that my computer is trying to connect to the BBC (IP = 212.58.240.142). I have researched this and noted that BBC is a burly trojan, I'm assuming I still have this.

    Also, as I type this I notice my keys are still lagging, making me think I have a key logger at work still.

    ZEDO cookie didn't get picked up in any scans, but in the past it has gone dormant for a few boots and then reappears.

    Any other action I need to take, please inform as I would LOVE to clear my system of these nasties...

    (I will have to post 1 more time in order to get the other CounterSpy log in)
     

    Attached Files:

  3. drGonzo13

    drGonzo13 Private E-2

    Here is the rest of my pertinent logs.

    I have more information for anyone that could help (including suspicious TEMP files that continue to pop up on BOOTUP and folders).
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run the BitDefender and Panda ActiveScan online scanners in Normal Mode and post the logs.
     
  5. drGonzo13

    drGonzo13 Private E-2

    Ok, I have tried to run both programs again.
    BitDefender will NOT run, regardless of what my IE security settings are.
    The ActiveX will install, but as it seems to start up, an error message appears that says "This website is not authorized to host this ActiveX control. Please contact the webmaster or the website at: scanonline@bitdefender.com"

    Panda Active Scan does not find anything, and therefore, doesn't allow me to post a log from it.

    My IE add-ons folder seems possibly infected, since as I look through my add-ons, my IE reports an error and shuts down.

    I KNOW I AM STILL INFECTED though, my computer is still calling out to this very dangerous key logger dummy site, BBC (IP = 212.58.240.42).

    Also, as I type this, every 12 keys seem to lag brutally, as if being recorded or cached somewhere.

    Please instruct me on what I should try next.

    I can list all add-ons files in my IE if that will help?
     
  6. drGonzo13

    drGonzo13 Private E-2

    Sorry, not trying to keep bumping this, but I wanted to give as much information to whomever may try and help.

    I have uninstalled just about every program on my computer at this point, including FIREFOX and Trend Micro. Uninstalling Trend Micro solved the ZEDO problem, which makes me think that the ZEDO bug resided inside Trend Micro's Rootkit (ouch, yes they use a rootkit much like Norton).

    I have 2 files/processes that seem to be a bit off and possibly are part of the problem. CTFMON.exe is a running process on my system. When it is stopped, it restarts itself. I don't have Microsoft Office so this process shouldn't be running at all on my system. When I search for ctfmon.exe, it shows up as a .prefetch file and as an application named ctfmon.exe. AS SOON AS I DELETE CTFMON.exe it is IMMEDIATELY rebuilt/replaced by a DLL CACHE of this file. I have found, through some research, that this file is a possible fake spyware scanner.

    My computer is still trying to call out to BBC dummy site and to BEYOND THE NETWORK AMERICA, INC. (what is this site????????) so I know there are still problems remaining.

    Also, I still am at the point of reinstalling Windows, but my manufacturer Gateway didn't give me a system Disc. They instead created a partition on my C drive (called the D drive) where my System Disc resides (an F11 recovery style system Disc).

    I'm afraid that if I do scrap everything and start my system back to its initial manufacturer state (i.e. reimage) that it will still be COMPROMISED or TAINTED.

    I am pulling my hair out as I have probably put over 40 hours in of scans, reboots, research, etc...

    Thank you for anyone who has TAKEN THEIR TIME to help me and have READ all the logs I have provided.

    p.s. I still am unable to run BITDEFENDER in any manner and upon further research into my ADD-ONS section of my IE7, there is a strange ADD-ON called 'UNINSTALL BitDefend Online Scanner V8' and it is a Browser Extension. This Browser Extension can ONLY be DISABLED and cannot be Deleted. This is odd and makes me think that whatever malware I have contracted is using this extension to block BitDefender.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HijackThis is not in the location specified by our Read Me. Move HijackThis to C:\Program Files\HJT.

    You are running an out-dated version of Acrobat; visit Adobe and install the latest version.

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type is set to All Files.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Afterwards run Spybot and make sure you re-Immunize immediately. Then run a full system scan. If you get any reported problems, attach the log from Spybot.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Follow the directions for Using Sophos Anti-Rootkit.

    Post a fresh HijackThis log and the Sophos Anti-Rootkit log.
     
  8. drGonzo13

    drGonzo13 Private E-2

    Shadow Peter Dude, thanks, your knowledge and unselfishness is HUMBLING!

    I had uninstalled just about everything while I was awaiting help and somehow through uninstalling Firefox, QuickTime, and Trend Micro my system stopped calling out to BBC, etc... Trend Micro support also sent me some amazing links for a massive stand alone spyware scanner and DOS based virus scanner (amazing programs that they give out to customers who are in deep doo-doo).

    BUT, I am still having minor problems as a result of this (ATI catalyst control driver fails at startup and Windows Media Center 2005 will not load its interface/TV viewing system), so I have followed all of your instructions to see if there are more problems at hand.

    Results:
    I have had trouble getting the JRE 6 installed, but the rest of the Java 5 (update 2 and 10) are uninstalled.

    I used your FixReg and merged it (amazing knowledge, thank you for that).

    I installed DelDomains, but can't tell what it has done as my ADD-ONS section of IE7 still has the UNINSTALL BitDefender Browser Extension - it's disabled but can't be deleted still.

    I immunized with Spybot and then checked for problems - none.

    I moved HJT to its correct location (sorry about that mistake) and ran the System Only scan. I was able to check all of those except the second R1 (5486).

    I wasn't able to download the Sophos Rootkit program, the link failed and when I tried to download from Sophos, it would stall every time I would enter my information to qualify for the download. Not sure why.

    I have a couple of questions on what the HJT System Scan showed [I attached my recent HJT log also]. I am not sure why these entries are showing up and I assume they shouldn't be there, can you verify for me?? Entries I question:
    -'09 Extra Button: (no name) - {....etc....}%windir%\bdoscandel.exe (file Missing)'
    -'09 Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner V8 ..... etc.....%windir%\bdoscandel.exe (file Missing)'
    -'023 Service: Ati Smart - Unknown Owner - C:\Windows\System33\ati2sag.exe'
    -'023 Service: InstallDriver Table Manager (IdriverT) - Macrovision Corporation - C:\Program Files\CommonFiles\InstallShield\Driver\11\Intel 32\IDriverT.exe'

    Some additional information that may or may not be associated with these problems:
    -I have an ATI 1900gt, but upon login I get an error message when the Catalyst Control Center tries to load upon bootup, error is 'The application failed to initialize properly (0xc0000135). Click OK to terminate the application'
    -I have Windows Media Center 2005 and I get this EXACT error message when I try and load the Windows Media Center 2005 interface (for watching TV on the computer)

    Looks like I am ALMOST completely cleaned up, hopefully you can take a look through my HJT log and let me know what to do about these last few problems.

    -----------------

    Also, the program that allowed me to block the BBC dummy site and to let me know what and when my computer was calling out is called PEERGUARDIAN2. It's an amazing tiny firewall program that comes preloaded (and updateable) with known malware sites, gov't sites, ad sites, etc... I HIGHLY recommend it.
     

    Attached Files:

    Last edited: Jan 11, 2007
  9. drGonzo13

    drGonzo13 Private E-2

    Re: MEMSWEEP2 trojan!

    UPDATE:

    My Trojan Sweeper program is finding something associated with MEMSWEEP2 every time I startup.

    I remove the registry item associated to it, something usually named IE.tmp or 3.txt, etc... random file names.

    I did a search for MEMSWEEP2 but I can't find it.

    Sophos Rootkit analyzer did finally get downloaded but it is not finding anything (no log to include).

    I used HJT to check and fix the registry item associated with 'Uninstall BitDefender v8' and that has finally removed that Browser Extension.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log shows no signs of Malware. However, it is missing several lines I would expect to see in a "Normal" log.

    Download GMER
    1. Save the GMER.zip file to your desktop
    2. Now unzip it to your desktop to reveal a GMER.exe file
    3. Double click the GMER.exe file
    4. Click the Rootkit tab and then click the Scan button.
    5. IMPORTANT: Do NOT use the computer while the scan is in progress.
    6. Do not select the "Show all" checkbox during the scan.
    7. When it finishes, click the Copy button. This will copy the results to your clipboard.
    8. Paste the clipboard into a notepad file and save it to a log (like gmer.log).
    9. Attach your log to your next reply.
    If you don't know how to open notepad, click Start, Run, and enter notepad and click OK. To paste the info you copied into notepad, just hit CTRL-V. Then save the log.
     
  11. drGonzo13

    drGonzo13 Private E-2

    Thanks again for your assistance, especially HOW TO OPEN NOTEPAD, lol.

    My internet usage has crawled to a halt now.
    Not sure if things have gotten worse from this or better now.

    I'm VERY FRUSTRATED with this, to download GMER.zip it took 40 minutes!!!!!!

    What is going on here???? My cpu usage spikes to 100% just using IE7 with nothing else running. Web pages take 2-3 minutes JUST TO LOAD.

    My computer is not calling out to any foreign sites and besides a couple of suspicious processes that SHADOW PETER DUDE doesn't see as malicious (ctfmon.exe will not close or cannot be blocked on startup, ehRecvr.exe is taking lots of resources, mcrdsvc.exe closes and reopens automatically, userinit starts on logon).

    I don't understand, shouldn't clearing my computer of these nasty malware infestations SPEED UP MY COMPUTER instead of slowing it down?

    Could there be a service that has been DISABLED that could cause this slow down?

    I'm at the end of my rope with this, I have put weeks into this now and feel I have moved backward, HELP PLEASE, anyone??!
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    IE7 is loading ctfmon, you can keep disabling it and it will reload every time. MS doesn't seem to understand that when someone disables ctfmon it is because they don't want it running EVER.

    There is obviously something going on that is not visible in the other logs. That is why I am trying to obtain a log from a RootKit detector.

    Follow the directions I posted for GMER earlier and post the log.
     
  13. drGonzo13

    drGonzo13 Private E-2

    Thank you for your time and effort (once again). I have been forced to lose everything on my system and do a full Destructive Reimage of my HD and start from scratch.

    Although at times the problem seemed to get better, in the end the repair and removal instructions seem to make matters much worse. Visiting any website was near impossible with 5+minute load up times. Downloading a 4000kb file should not take 40 minutes. Every single malware scanner (online and off, safe mode, safe mode w/networking, normal mode) could not identify a problem.

    I don't believe that experts here could beat the problem; unfortunately PETER was the only person to respond after 100+ viewings.

    I think those that lend their time to help people like me are very unselfish and should be thanked for their efforts.

    THANK YOU.

    p.s. remember that it takes a lot of trust to post sensitive system information on a forum such as this. When you insult someone by giving in depth instructions on how to OPEN NOTEPAD, you show that you don't have respect for the system/person you are assisting, which leads to lack of trust. You brush over things like what some registry lines are doing or what program and site I am going to download software from, yet you take time to 'teach me how to copy and paste text in notepad'.
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    We get users of different expertise levels and backgrounds. Most don't even know what Notepad is let alone how to use it. There is no insult intended. I, like the others who help here, have a stock of boilerplates I use to speed up working threads. These boilerplates are targeted at the non-technical user.

    Now you're insulting me.

    We don't have the time to cover most things in-depth, simply because most posters fail to thoroughly read our instructions, let alone follow them.
     
