Zentom - Rootkit problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by ubermoot, Oct 12, 2011.

  1. ubermoot

    ubermoot Private E-2

    Zentom has disabled my Windows Taskbar, McAfee real-time scanning, regedit, and more, though I no longer get fake Zentom messages. I've gone through the READ AND RUN ME FIRST procedures, and each scan finds and removes or cures several things that reinstall upon reboot (including a registry entry for some randomly named RunOnce executable). From other threads it looks like I need kill code to run with ComboFix, but will gratefully follow your lead. I've attached logs from Malwarebytes' Anti-Malware, SuperAntiSpyware, ComboFix, and TDSSKiller. Thanks in advance!
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, ubermoot!

    Please also attach the .zip file from running MGtools.exe
    It is this file: C:\MGlogs.zip
     
  3. ubermoot

    ubermoot Private E-2

    The MGlogs file is attached. The process finished very quickly, so hopefully it's complete.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    The MGlogs.zip is incomplete.

    Try the below:

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  5. ubermoot

    ubermoot Private E-2

    Not sure this worked any better, but here's the new MGlogs file.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Did you run the MGtools.exe again or GetLogs.bat?

    Please download the following to your desktop: DebugMGT.bat

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under the Extra Registry section, check Use SafeList.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      intelppm.sys
      ipnat.sys
      ipsec.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    Now follow the directions here: Create a GMER Log
    Attach ark.txt to your next message. (How to attach items to your post)
     
  7. ubermoot

    ubermoot Private E-2

    Logs attached.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Are these all renames of anti-malware tools? Let me know what each one is.
    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 22
    • Java 2 Runtime Environment, SE v1.4.2

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 47 4D 69 06 E5 70 B2 40 81 49 33 A8 29 49 58 63  [binary data]
      IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 47 4D 69 06 E5 70 B2 40 81 49 33 A8 29 49 58 63  [binary data]
      IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 47 4D 69 06 E5 70 B2 40 81 49 33 A8 29 49 58 63  [binary data]
      IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 47 4D 69 06 E5 70 B2 40 81 49 33 A8 29 49 58 63  [binary data]
      IE - HKU\S-1-5-21-2699302033-632523459-4123444801-1007\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 47 4D 69 06 E5 70 B2 40 81 49 33 A8 29 49 58 63  [binary data]
      FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
      O3 - HKU\S-1-5-21-2699302033-632523459-4123444801-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKU\S-1-5-21-2699302033-632523459-4123444801-1007\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
      O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
      [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2010/04/20 18:17:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      [2004/07/02 09:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2007/06/05 21:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Beth\Application Data\Viewpoint
      @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      :services
      :files
      c:\program files\certdiagpack.exe
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      net start McShield /c
      net start mfeapfk /c
      :reg
      [HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
      "XMLHTTP_UUID_Default"=-
      [HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
      "XMLHTTP_UUID_Default"=-
      [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
      "XMLHTTP_UUID_Default"=-
      [HKU\S-1-5-21-2699302033-632523459-4123444801-1007\SOFTWARE\Microsoft\Internet Explorer\Main]
      "XMLHTTP_UUID_Default"=-
      [HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
      "XMLHTTP_UUID_Default"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "*certdiagpack.exe"=-
      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
      "DisableMonitoring"=dword:00000000
      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
      "DisableMonitoring"=dword:00000000
      :commands
      [purity]
      [emptytemp]
      [emptyflash]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the text below and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Oct 21, 2011
  9. ubermoot

    ubermoot Private E-2

    The Java uninstalls want me to complete with a reboot -- should I before your OTL instructions? I'm hesitant because file names/registry items might be changed, but maybe that doesn't matter.

    Forgot to answer about MGlogs. Both I guess - after the first MGlogs didn't work, I tried GetLogs.bat with what looked the exact same result (quick screen, no messages, same size file). My install was from last week and I knew the original instructions were for a fresh one, so I deleted the directory and reinstalled MGlogs.exe to run the GetLogs.bat file again (sorry - shouldn't have). Here's the one straight from C:. The desktop one was just a copy for tracking.

    The desktop files you mention are all rkill or the Malwarebytes install (mb987), which only worked if renamed.

    I appreciate your putting up with these fumblings. I'll finish your last instructions once you reply about rebooting.
     
    Last edited: Oct 14, 2011
  10. thisisu

    thisisu Malware Consultant

    Yes, reboot first. Then proceed with the rest of the directions.

    I revised my OTL fix. Please refresh your browser page to see the latest one.
     
    Last edited: Oct 14, 2011
  11. ubermoot

    ubermoot Private E-2

    Attached are the scan logs. I rebooted, and McAfee's Real Time Scanning still won't stay on. Pressing Ctrl-Alt-Del leads to just a flash of a screen rather than Task Manager. Regedit is blocked as well.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    A new malware file appeared.

    Please ensure that MSConfig is in Normal Startup mode => Use MSconfig to setup for Normal Startup Mode

    Once you have rebooted...

    Re-run a Quick Scan with OTL and attach the updated OTL.txt

    Then do the following: Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The text before each arrow is the command; the text after it is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  13. ubermoot

    ubermoot Private E-2

    The OTL.txt file's attached, but I can't upload directly to your site anymore (have to copy to a thumb drive/2nd computer). I'm also blocked from running cmd (quick black screen that closes). Should I try to run those processes through Explorer?
     

    Attached Files:

    • OTL.Txt (69.3 KB)
  14. thisisu

    thisisu Malware Consultant

    Yes, try from Explorer.
     
  15. ubermoot

    ubermoot Private E-2

    From Explorer, Nwktst, Getrunkey and ShowNew each resulted in screens that closed fairly quickly after the first line or two (I couldn't read). The analyse scan did run, so I saved the hijackthis log (attached). c:\MGlogs.zip didn't change and is dated yesterday 10/13 at 7:33 (won't upload here because it's already been loaded before).
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Is this because the internet is no longer working on the infected computer? Please explain why you were not able to upload from the infected computer. If the internet is no longer working, when did you notice it?

    Now download exeHelper by Raktor.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named exeHelperlog.txt will be created in the directory where you ran exeHelper.com
    • Attach the exeHelperlog.txt file to your next message. (How to attach items to your post)
      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Shut down your protection software now to avoid possible conflicts.
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      O4 - HKLM..\RunOnce: [*srvautoboot.exe] C:\Documents and Settings\All Users\Application Data\srvautoboot.exe (©if systems)
      [2011/10/14 20:27:13 | 000,209,408 | ---- | C] (©if systems) -- C:\Documents and Settings\All Users\Application Data\srvautoboot.exe
      FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
      O4 - HKLM..\RunOnce: [*authacctbridge.exe] C:\Documents and Settings\All Users\Start Menu\Programs\authacctbridge.exe (©if systems)
      :files
      dir "C:\BDS10-11\" /c
      dir "C:\Documents and Settings\All Users\Application Data\TEMP\" /c
      dir "C:\Documents and Settings\All Users\Start Menu\Programs\" /c
      dir "C:\Documents and Settings\All Users\Application Data\" /c
      C:\Documents and Settings\All Users\Start Menu\Programs\authacctbridge.exe
      ipconfig /flushdns /c
      ipconfig /all /c
      ping -n 2 127.0.0.1 /c
      ping -n 2 66.249.80.104 /c
      ping -n 2 www.google.com /c
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please download Tweaking.com - Windows Repair by Tweaking.com to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click Tweaking.com-WindowsRepair.exe to run the program.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
    • Click Unselect All
    • Put a checkmark in Remove Policies Set By Infections
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  17. ubermoot

    ubermoot Private E-2

    I could always connect and download from the internet, but after choosing files to upload today the "upload" button just blanked out the file names and didn't do anything. I noticed it earlier when I tried to load the mglogs.zip file. Now it seems to work again, though. BTW, I've been in Normal Startup mode from the beginning.

    After running Tweaking.com Windows Repair and rebooting, I tried to turn on McAfee's real-time scanner, but it won't stay on. I was able to run cmd this time and exit normally. I then tried regedit and got in for a few seconds before it closed out. Same with Task Manager. It's as if trying these things kicks off another executable. Now when I run cmd again it closes out.
     
  18. ubermoot

    ubermoot Private E-2

    The files seemed to have been stripped from my post after all. Here they are via thumb drive...
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Your thumb drive may be carrying an infection as well. I don't know for sure yet but to be safe please do not plug in the thumb drive into the infected computer. Upload from the infected computer since you say it works again ;)

    Please download RogueKiller by Tigzy to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click RogueKiller.exe to run it. (Vista and Win7 right-click and select Run as Administrator)
    • When it opens, press the number 2 and press ENTER.
    • A report should appear.
    • Attach RKreport[1].txt to your next message. (How to attach items to your post)
      Note: It will be at whichever location you ran RogueKiller from. I asked that you put it on your desktop, so it should be there.
    • You can now type the number 0 and press ENTER to exit RogueKiller.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      [2009/07/03 17:39:40 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Beth\Application Data\PFP120JPR.{PB
      [2009/07/03 17:39:40 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Beth\Application Data\PFP120JCM.{PB
      [2011/10/14 23:16:21 | 000,209,408 | ---- | C] (©if systems) -- C:\Program Files\scanpagehost.exe
      O4 - HKLM..\RunOnce: [*scanpagehost.exe] C:\Program Files\scanpagehost.exe (©if systems)
      :files
      dir "C:\Documents and Settings\Beth\" /c
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Follow the steps here: ESET Online Scanner
    Remember to attach your log from ESET Online Scanner (How to attach items to your post)
     
  20. ubermoot

    ubermoot Private E-2

    If the logs don't upload, I'll try IE instead of Firefox, and if that doesn't work, I'll go back to the thumb drive.

    Roguekiller started executing but hung up on scanning "RunOnce" and did not generate a log (I couldn't enter 0,Enter to exit but had to close the window, and I reran the program with the same result). Before that, at the "Run:" portion of the scan it did send SuperAntiSpyware to a quarantine folder and terminated the SuperAntiSpyware process. I had exited the taskbar version of this program before starting -- it's been flashing screens about an update being available.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Do not reboot unless requested. Do not use that thumb drive on this infected machine until requested.

    Rename RogueKiller.exe to winlogon.exe and try running it now and pressing 2 to obtain a log.

    Update MalwareBytes. Rerun a Quick Scan of MalwareBytes. Attach its latest log.
    Insert your flash drive, run a scan on the entire flash drive with MBAM. Attach this log.

    Also attach the log(s) from running RKill. (C:\rkill.log)

    Also download a new MGtools.exe, place it in the root of the C:\ drive and try running it now. Attach MGlogs.zip to your next message.
     
    Last edited: Oct 15, 2011
  22. thisisu

    thisisu Malware Consultant

  23. ubermoot

    ubermoot Private E-2

    Malwarebytes froze twice after about 25 minutes, so I moved on to trying rkill and reinstalling MGtools.exe without success (closed out/no logs). Then I thought to turn my screensaver off and try Malwarebytes again, and that worked. After saving the log I did press "Remove" -- hope that was right. I've attached the post-removal log. The Malwarebytes scan of my thumb drive completed with no findings.

    After removal of the Malwarebytes findings I ran Rkill again, but it closed out and no new log was created on C:. During this process a Windows error appeared saying the RunOnce file (advaclcenter.exe this time) could not be found. In my TEMP directory there's an rks1.log and another file called rkill.log that contains one line saying one (unnamed) file was removed. I can send these if needed.

    At this time I deleted MGtools.exe and downloaded a new one to C:. This time, while it closed quickly, a new MGlogs.zip file was created (attached).

    I haven't rebooted during all this, though Malwarebytes requested it. I'll next run TDSSkiller, but it'll probably want a reboot right afterwards. Let me know if I should send you the log and wait on the reboot.
     

    Attached Files:

  24. thisisu

    thisisu Malware Consultant

    Attach C:\rkill.log. It's there according to mginfo.txt.

    Run TDSSKiller, if it finds something and asks you to reboot, go ahead and reboot at this time.

    If TDSSKiller does NOT find anything, it will not ask you to reboot.

    Attach these as well.

    For good measure, run a Full Scan using MBAM. Attach its latest log. Hold off on rebooting still. Attach the logs and wait until I review them.

    Please download McAfee Fake Alert Stinger to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click stinger.exe to run (Vista and Win7 right-mouse click and select Run as Administrator)
    • Stinger opens.
      Note: Double-check that your C: drive is in the Directories to scan: area.
    • Click the Scan Now button.
    • When the scan is complete, at the top of the Stinger window go to File > Save report to file.
    • stinger.txt will be created on your desktop.
    • Attach stinger.txt to your next message. (How to attach items to your post)
     
  25. ubermoot

    ubermoot Private E-2

    TDSSkiller ran clean, so no reboot.

    The rkill log under c:\ is dated 10/12 and isn't updated. I've attached the two TEMP versions from today. The full MBAM scan came up with new findings (removed). I have to head out but am going to run Stinger next and will upload the log later.
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    Sounds good. Let me know what is in this folder as well:

    C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
     
  27. ubermoot

    ubermoot Private E-2

    The Stinger scan had cleaned 6 files when I returned, but for some reason started all over again when I started moving around again. Both scans are in this log, and the second cleaned 5 things.

    The McAfee folder named contains only a shortcut to the McAfee SecurityCenter created today at 10:29 a.m. The shortcut leads to "C:\Program Files\McAfee.com\Agent\mcagent.exe" /desktopicon.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Interesting.

    Please try the below:

    Download Autoruns by SysInternals to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Create a folder on your desktop called "autoruns"
    • Extract the contents of the Autoruns.zip file into the autoruns folder you created.
    • Now open this folder by double-clicking it.
    • Now double-click autoruns.exe to run. (Vista and Win7 right-click and select Run as administrator)
      Note: Autoruns will automatically start scanning your system for autorun entries. This process is typically finished within 15 seconds.
    • When you see Ready at the bottom-left corner of the Autoruns program, the scan is complete.
    • Now click File > Save
    • Change the Save as type: to Text (*.txt)
    • Save AutoRuns.txt to your desktop or another location you can easily access it.
    • Attach AutoRuns.txt to your next message. (How to attach items to your post)
     
  29. ubermoot

    ubermoot Private E-2

    Here you go.
     

    Attached Files:

  30. thisisu

    thisisu Malware Consultant

    Ok good, let's see how the PC runs after this. This will reboot your machine, which is intended.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    c:\documents and settings\Beth\local settings\temp
    c:\documents and settings\all users\start menu\Programs\Startup
    C:\Documents and Settings\Beth\Local Settings\Application Data
    C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    Driver::
    dgtgcn
    nmlmsig
    File::
    c:\windows\system32\drivers\mvja.sys
    c:\windows\system32\drivers\nhrb.sys
    c:\documents and settings\all users\start menu\programs\startup\streamdevapp.exe
    C:\Documents and Settings\Beth\Start Menu\Programs\Startup\svccenterscan.exe
    Registry::
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "*streamdevapp.exe"=-
    "*svccenterscan.exe"=-
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Try running c:\MGtools\GetLogs.bat afterwards. Attach its log (Mglogs.zip) if it was able to create it this time.
     
  31. ubermoot

    ubermoot Private E-2

    Holding my breath! I don't dare try McAfee or anything yet. Here you go.
     

    Attached Files:

  32. thisisu

    thisisu Malware Consultant

    Not quite there, but making some progress.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    File::
    c:\documents and settings\All Users\Application Data\pagedevwin.exe
    c:\documents and settings\Beth\local settings\temp\5cbc84aa
    c:\documents and settings\Beth\local settings\temp\FY7.tmp
    FileLook::
    c:\documents and settings\Beth\local settings\temp\catchme.dll
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "*pagedevwin.exe"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=-
    "ConsentPromptBehaviorUser"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    The above should have rebooted your machine.

    Now re-run Tweaking.com - Windows Repair and choose the "Remove policies set by infections" again. Restart again.

    Now try running GetLogs.bat again. Attach its updated c:\Mglogs.zip

    Then Autoruns, get a new log using the same instructions as before. Attach it to your next post.
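An added check, not part of this thread and not ComboFix's own code, for confirming after the reboot that the items the Registry:: section above removes or resets have not come back: it parses a Regedit .reg export offline and flags the RunOnce entry, the Winlogon Taskman value, Security Center DisableMonitoring=1 and zeroed consent-prompt policies. The embedded .reg text is a constructed sample (value names from the script, paths made up); on the real machine the input would come from `reg export HKLM\SOFTWARE\Microsoft out.reg`, read with encoding utf-16.

```python
"""Offline audit of the registry locations the CFScript above repairs.
Parses a Regedit 5.00 .reg export and flags the values the Registry::
section deletes or resets, so the fix can be verified after the reboot."""

RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SECCENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring"
UACPOLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample export: the value names come from the CFScript,
# the paths in the data are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*pagedevwin.exe"="C:\\Documents and Settings\\All Users\\Application Data\\pagedevwin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Taskman"="C:\\sample\\made-up-taskman.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"""

def parse_reg(text):
    """Return {key: {value_name: data}} from .reg text; string data is unquoted."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip().strip('"'), data.strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current][name] = data
    return keys

def _values(keys, wanted):
    """Case-insensitive key lookup (the CFScript itself mixes key cases)."""
    for key, values in keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}

def audit_reg_text(text):
    """Return (tag, value_name, data) findings; an empty list means clean."""
    keys, findings = parse_reg(text), []
    # RunOnce should be empty once the machine has settled; a leading '*'
    # makes Windows run the entry even in Safe Mode.
    for name, data in _values(keys, RUNONCE).items():
        tag = "runonce-safemode" if name.startswith("*") else "runonce"
        findings.append((tag, name, data))
    # Winlogon\Taskman is absent on a clean XP install; Winlogon launches
    # whatever is named here, which is why the script deletes it.
    taskman = _values(keys, WINLOGON).get("Taskman")
    if taskman is not None:
        findings.append(("winlogon-taskman", "Taskman", taskman))
    # DisableMonitoring=1 stops Security Center from reporting on that product.
    for key, values in keys.items():
        if key.lower().startswith(SECCENTER.lower() + "\\"):
            data = values.get("DisableMonitoring", "")
            if data.lower() == "dword:00000001":
                findings.append(("seccenter-disabled", key.rsplit("\\", 1)[1], data))
    # ConsentPromptBehavior* = 0 means elevate silently; on XP it should not exist.
    for name, data in _values(keys, UACPOLICY).items():
        if name.lower().startswith("consentpromptbehavior") and data.lower() == "dword:00000000":
            findings.append(("silent-elevation", name, data))
    return findings
```

Running `audit_reg_text(SAMPLE_REG)` on the constructed sample reports four findings; a clean export returns an empty list.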
     
  33. ubermoot

    ubermoot Private E-2

    Here are the Combofix.txt, MGlogs.zip and autorun.txt files.
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    There's still something hiding.

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      %userprofile%\AppData\Local /t90
      %appdata% /t90
      %appdata%\Microsoft\Protect
      %appdata%\Microsoft\Windows\Templates
      %homedrive%\Documents and Settings\LocalService\Local Settings\Application Data
      %homedrive%\Documents and Settings\NetworkService\Local Settings\Application Data
      %userprofile%
      %ProgramFiles% /t90
      %ProgramFiles%\Internet Explorer
      %CommonProgramFiles% /t90
      %CommonProgramFiles%\system /t90
      %systemdrive%
      %WinDir%\System32\drivers /t90
      %WinDir%\TEMP /t90
      %systemdrive%\TEMP /t90
      :regfind
      dgtgcn
      nmlmsig
      :service
      dgtgcn
      nmlmsig
      :filefind
      nhrb.sys
      mvja.sys
      hookdll.dll
      mcagent.exe
      catpagebridge.exe
      Zentom
      enemies-names.txt
      finc70dkk.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt


    Pay close attention to these directions. There are some changes I made since the previous times you have run OTL scans.

    http://dus.x10.mx/canned/otlicon.gif Obtain a new OTL and Extras log
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • In the Processes box, choose All. <-- This is new!
    • In the Services box, choose All. <-- This is new!
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
    Last edited: Oct 16, 2011
  35. ubermoot

    ubermoot Private E-2

    What th--do you ever sleep?
    I hope you get a LOT of satisfaction out of not just wiping the drive and handing the a**holes an easy win.

    Here are the new scans...
     

    Attached Files:

  36. thisisu

    thisisu Malware Consultant

    :-D

    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    http://img833.imageshack.us/img833/7035/aswmbricon.gif Please download aswMBR by Avast! to your desktop.
    • Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    • Select No when asked Would you like to download latest Avast! virus definitions?
    • Click the [Scan] button.
      Note: This scan should only take a few seconds to complete.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach items to your post)
     
  37. ubermoot

    ubermoot Private E-2

    Here you go.
     

    Attached Files:

  38. thisisu

    thisisu Malware Consultant

    Uninstall McAfee, we'll reinstall it later. Use the following: > McAfee Removal Tool

    Reboot the PC.

    Run ComboFix (without any script) -- Attach this new log.

    Re-run the SystemLook instructions in post #34. Ensure that you are copying ALL the text inside the code box. -- The log was incomplete. Attach the new SystemLook log to your next message.
     
  39. ubermoot

    ubermoot Private E-2

    McAfee is uninstalled now, and the ComboFix and SystemLook logs are attached.

    I'm not a great McAfee fan, but it comes free with our DSL, along with the McAfee firewall. I'll figure out how to reinstall later if you think it would have advantages over MS Security Essentials + SuperAntiSpyware. There's still an icon on my desktop for "McAfee Virtual Technician" leading to "C:\...\Temporary Internet Files\Content.IE5\Z2VL1DRF\mvtapp[1].exe", which seems odd.
     

    Attached Files:

  40. thisisu

    thisisu Malware Consultant

    Delete B5dfs50h.com (ComboFix). Download a new ComboFix.exe from here >> Download ComboFix.exe
    Leave this one named as ComboFix.exe (don't rename it unless necessary).

    Go ahead and delete this file, and the desktop icon. Let me know if there were any problems.

    http://img839.imageshack.us/img839/3005/combofixicon.gif Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ADS::
    C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    ClearJavaCache::
    DDS::
    uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/oem/
    DirLook::
    C:\Documents and Settings\All Users\Application Data\TEMP
    C:\Documents and Settings\Beth\Application Data
    C:\Documents and Settings\All Users\Application Data
    C:\Documents and Settings\Beth\Application Data\Microsoft\Windows\Templates
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Templates
    C:\Documents and Settings\Beth\Local Settings\temp\RarSFX0
    C:\Program Files\Your Company Name
    C:\Program Files\Common Files\System
    Driver::
    5cbc84aa
    mcmpfsvc
    mcnasvc
    mcnaiann
    mcods
    mcproxy
    mcshield
    mcmscsvc
    mfeapfk
    mfeavfk
    mfefire
    mfefirek
    mfehidk
    mfendisk
    mfendiskmp
    mferkdet
    mfetdi2k
    mfevtp
    File::
    c:\documents and settings\Beth\local settings\temp\5cbc84aa
    c:\program files\catappcsc.exe
    C:\Documents and Settings\Beth\Application Data\certcplevts.exe
    C:\MGlogs.zip
    C:\MGlogsold2.zip
    C:\MGlogs_old.zip
    C:\Documents and Settings\Beth\Local Settings\temp\RarSFX0\procs\explorer.exe
    C:\Documents and Settings\Beth\Local Settings\temp\RarSFX0\h\explorer.exe
    C:\Documents and Settings\Beth\Local Settings\temp\RarSFX0\userinit.exe
    C:\Documents and Settings\Beth\Local Settings\temp\RarSFX0\winlogon.exe
    C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\DNGen.exe.8bb9a8a9.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\QuickConnect.exe.f4c1467e.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\DS_PASlog.exe.5c97331f.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\GUI.exe.1cffab20.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\NGen.exe.2c05686e.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\DNgen.exe.ead52a2b.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\startDSLog.exe.39525976.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\DReg1.exe.c7cc3366.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\prstp.exe.3ac677f2.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\ssIS.exe.d00358d.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\update21GUI.exe.7a16bd78.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.19c1b9ec.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.70cb5133.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.2003a4b2.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\AlertView.exe.8de2ebce.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.fe78d26e.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.f711c2b7.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.4babd34.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\DA_PASlog.exe.266217b1.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\DFolder.exe.368dcbb5.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\ExpEval21.exe.8f3e9125.ini
    c:\documents and settings\Beth\Local Settings\Application Data\ApplicationHistory\rng.exe.ac4aa698.ini
    c:\documents and settings\Beth\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142000}\Java 2 Runtime Environment, SE v1.4.2.msi
    c:\documents and settings\Beth\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142000}\1033.MST
    c:\documents and settings\Beth\local settings\temp\catchme.dll
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\TEMP\mcafee_XKLUl9OGhUAG30R
    C:\WINDOWS\TEMP\Perflib_Perfdata_2a4.dat
    FileLook::
    c:\windows\system32\drivers\intelppm.sys
    C:\WINDOWS\System32\dmadmin.exe
    Folder::
    C:\MGtools
    C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    C:\Documents and Settings\Beth\Application Data\McAfee
    C:\Program Files\McAfee.com
    C:\Program Files\McAfee
    C:\Program Files\Viewpoint
    C:\Program Files\Common Files\McAfee
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "*catappcsc.exe"=-
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    http://img685.imageshack.us/img685/3557/tdsskiller.gif Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    http://img511.imageshack.us/img511/2784/ddsk.gif Please download DDS by sUBs to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click DDS.scr to open and start scanning.
    • After it is complete, press the OK button.
    • Two Notepad windows will open -- DDS.txt and Attach.txt
    • Save both of these text files to your desktop.
    • Attach both DDS.txt and Attach.txt to your next message. (How to attach items to your post)
     
  41. ubermoot

    ubermoot Private E-2

    Attached are two of the logs. I couldn't get DDS to finish. I had long ago disabled everything in Spywareblaster, but this time I deleted it through the Control Panel/Add/Remove Programs and tried again, but DDS just starts to run, closes out, and doesn't leave any logs. SuperAntiSpyware was disabled long ago and isn't in the taskbar anymore. I could delete that as well.
     

    Attached Files:

  42. thisisu

    thisisu Malware Consultant

    This is something I have not seen before. I think it is a newer variant of this -> QUrl-9!E8407C751A59

    I have a feeling the following driver, 5cbc84aa, will show up sooner or later. TDSSKiller is typically pretty good at detecting the ZeroAccess ADS driver.

    Go ahead and proceed with the below:

    Try running the .pif version of DDS -> Download Link
    Attach DDS.txt and Attach.txt to your next message if it was able to run.

    Upload the below file to VirusTotal for analysis. Let me know the results!
    • c:\windows\system32\winactionapi.exe

    http://dus.x10.mx/canned/otlicon.gif Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      :processes
      killallprocesses
      :otl
      :services
      5cbc84aa
      :files
      c:\windows\system32\winactionapi.exe
      sc config 5cbc84aa start= disabled /c
      :reg
      :commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      5cbc84aa
      :service
      5cbc84aa
      :process
      5cbc84aa
      :filefind
      5cbc84aa
      :folderfind
      5cbc84aa
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt

    http://img685.imageshack.us/img685/3557/tdsskiller.gif TDSSKiller was updated again -- v2.6.10.0. Make sure you update to this version and before scanning, click Change Parameters and select both checkboxes:
    • Verify driver digital signatures
    • Detect TDLFS file system
    Then press Start Scan
    Attach its latest log

    Also give this a try -> FixTDSS by Symantec.
    Double-click it to open and then follow the prompts. Let me know if it detects anything.

    SUPERAntiSpyware updated to version 5.0.1134
    If you have not received a SAS pop-up to upgrade to the latest version, uninstall SAS and then download the newest version here: SAS v5.0.1134

    Download the latest definitions and run a complete scan. Attach its latest log.
     
    Last edited: Oct 17, 2011
  43. ubermoot

    ubermoot Private E-2

    Hmm. Doesn't an "interesting case" from the doc's perspective usually mean a high chance of mortality?

    DDS.pif downloaded as DDS.scr from the Spanish site, so I renamed it DDS.pif with the same results -- screen went away after a few seconds, and no logs generated. I tried it as test.com as well.

    I pasted the results from running the analysis of winactionapi.exe as Vtotal.txt. They'd seen the file before, and since "analyze again" just brought me back to the start screen I included their previous results report.

    The TDSSkiller came up with a couple of things with the recommendation to Skip, so I didn't quarantine omci and USBAAPL (log in next post). FixTDSS started up fine, but didn't come back up on reboot or create a log.

    I uninstalled and reinstalled SuperAntiSpyware and it cleaned all 51 results (log in next post).
     

    Attached Files:

  44. ubermoot

    ubermoot Private E-2

    Here are the other 2 logs.
     

    Attached Files:

  45. thisisu

    thisisu Malware Consultant

    Very interesting! :-D

    Please upload this file to VirusTotal and let me know the results!
    • C:\Documents and Settings\Beth\Local Settings\temp\5cbc84aa

    Using SystemLook again...
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      C:\RECYCLER /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt

    For good measure, please delete these as they may have been tampered with.
    Let me know if there were any difficulties.

    Hrm, well that wasn't intended. See if you can access the .pif version from this post here.

    These are not shown in the log you uploaded. The log you uploaded is incomplete. Please try rerunning the scan.

    http://img685.imageshack.us/img685/3557/tdsskiller.gif Did you run TDSSKiller prior to creating this topic? If so, do you still have the log from that? Attach it!

    I want you to run another Complete Scan of SAS, but this time, I need you to set up the following Scanning Controls so EVERYTHING is checked EXCEPT the below:
    • Scan only known file types
    • Scan for tracking cookies
    • Display scan option in Explorer context (right click) menu
    There is a more thorough explanation of how we want you to run SAS here -> SUPERAntiSpyware - running & getting a log
    Attach the updated log here when finished.
     
  46. ubermoot

    ubermoot Private E-2

    The file 5cbc84aa had no findings in VirusTotal, and SystemLook came up clean (reports attached). I deleted the rkills but can't delete C:\B5dfs50h entirely because the file PV.3XE is locked. Maybe I should have gone through a formal uninstall? The new dds.pif file acted the same as before -- after the opener it started scanning and closed right away, with no logs.

    Unfortunately, I don't have a TDSSKiller log from before this thread. I've attached a new one showing the two files skipped. I've also attached the new SAS log. I tried to run the DDS.pif one more time after SAS required a reboot, but it still closes out.
     

    Attached Files:

  47. thisisu

    thisisu Malware Consultant

    Can you .zip up the following file inside C:\RECYCLER and attach the .zip file as collect.zip to your next post?
     
  48. ubermoot

    ubermoot Private E-2

    At this point the desktop.ini file's no longer in Recycler. There's one under c:\windows, another under c:\windows\system32, and a ComboFix quarantined one called desktop.ini.vir under the Qoobox folder.
     
  49. thisisu

    thisisu Malware Consultant

    If you happen to see a desktop.ini file in the RECYCLER folder again, please attach it to your next post.

    In the meantime, do the following:

    http://img856.imageshack.us/img856/1766/procexp.gif Please download Process Explorer by SysInternals to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Extract the contents of ProcessExplorer.zip into a folder on your desktop entitled "procexp".
    • Double-click procexp.exe to open Process Explorer.
    • From the menu at the top, select View > Select Columns...
      The Select Columns Dialog box appears.
    • In the Process Image tab (you should be here by default), place a check-mark in Command Line.
    • In the Process Memory tab, place a check-mark in Working Set Size.
    • Now click OK to exit from the Select Columns configuration menu.
    • Now sort the results by Working Set Size -- To do this, click at the top of the column labeled "Working Set".
      Note: It does not matter to me if the numbers in this column are largest to smallest or vice versa.
    • Click File > Save As > Procexp.txt
    • Attach Procexp.txt to your next message. (How to attach items to your post)
     
    Last edited: Oct 18, 2011
  50. ubermoot

    ubermoot Private E-2

    Attached. Procexp.exe started up and was then blocked. I renamed it pe8787.exe and was able to run it.
     

    Attached Files:
