Zentom - Rootkit problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ubermoot, Oct 12, 2011.

  1. thisisu

    thisisu Malware Consultant

    Did you receive any error messages when you were blocked from running procexp.exe as procexp.exe? Any information at all on what exactly happens would be helpful. If you rename it back to procexp.exe, is it blocked again?

    Also see if this tool can find anything.

    Please download RootKit Unhooker by EP_X0FF and MP_ART to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (Tick) Drivers, Stealth. Uncheck the rest and then click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report somewhere where you can find it. Click Close.
    • Attach Report.txt to your next message. (How to attach items to your post)
    Note: You may get the following warning, just click OK and continue.
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"
     
  2. ubermoot

    ubermoot Private E-2

    Procexp.exe sometimes opens for a couple seconds, then just closes. I can open it under an alternate name pe3434.exe and watch the processes as I run procexp.exe at the same time. It'll sometimes not respond, and sometimes stay open a couple seconds (process turns green for "on" and then red for "shutting down"). The process lsass also activates while this is going on and goes still when procexp has closed. Usually when any program's been blocked by this thing it'll open for a little bit at first and then not even respond when clicked.

    Attached is the RKUnhooked report with Drivers/Stealth ticked (no results), but I also included one with just "Code Hooks" ticked (indicating rootkit activity). No parasite warnings.

    This is probably to be expected, but during this whole thread yellow system warning flags have constantly flashed on and off (sometimes 2 or 4 at a time) in the right corner, telling me spyware protection is disabled. My Windows Security Center is blocked (runs a few seconds).
     

  3. thisisu

    thisisu Malware Consultant

    Nothing to worry about / false-positive.

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)



    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.
     
  4. ubermoot

    ubermoot Private E-2

    The Win32kDiag file is attached. However, cmd is blocked and I couldn't run junction.exe from there (black screen flashes and closes right away). It creates a 0 kb log called log.txt under C:\. Should I try another way?
     
  5. thisisu

    thisisu Malware Consultant

    Re-run the Tweaking.com Windows Repair program and only check to fix Remove Policies Set By Infections again, reboot, then try the below:

    Download Sigcheck by Mark Russinovich to your desktop.
    • Extract sigcheck.exe to your desktop.
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      cmd /c %userprofile%\desktop\sigcheck -q -u -e -h c:\windows\system32 >%userprofile%\desktop\sigcheck.txt
    • When it's finished, there will be a log called sigcheck.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)
     
  6. ubermoot

    ubermoot Private E-2

    Tweaking.com Windows Repair indicated a new version was available, so I went through the original link in this thread and downloaded it again to run. After the reboot, I still couldn't execute the sigcheck line with cmd (flash of a black screen that closes right away). No logs were generated.

    I'm not sure which program made this mginfo.log on my desktop recently, but here it is.
     

  7. thisisu

    thisisu Malware Consultant

    Can you attach this to your next message?
    I appreciate you being patient throughout this process. I assure you this is a new type of infection and unfortunately there is very little information on it so far. There are only about 4 threads that I have been following with the same type of new Zentom System Guard variant packed with a ZeroAccess rootkit, and so far, nobody has been able to successfully determine what is spawning these random RunOnce reg entries with the random .exe files.
     
  8. ubermoot

    ubermoot Private E-2

    Thanks for the update. I'm fitting a full-time job in between posts, so it's YOU who seems patient!

    The Major Geeks site doesn't allow a file to be uploaded twice, even renamed. You can see TDSSKiller.2.6.8.0_12.10.2011_21.04.20_log.txt in Post #1.
     
  9. thisisu

    thisisu Malware Consultant

    Ah there it is :)

    Re-use SystemLook by jpshortstuff
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      intelppm
      :filefind
      intelppm*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop entitled SystemLook.txt
     
    Last edited: Oct 19, 2011
  10. ubermoot

    ubermoot Private E-2

    Here it is.

    I can tell you exactly how I contracted this malware. I missed an episode of Breaking Bad and wanted to watch it free on my PC. It wasn't on Hulu or the network site, so I wound up on Sidereel.com, which is fairly respectable. It didn't have the episode but through it you can search outside links that DID have the show, though I would be leaving that site and be on my own.

    I think all the links were named megavideo, and after a little search about this I clicked one. It probably asked permission to download a codec, and once I consented, no number of antivirus or spyware programs would have helped. The blinking flags and warnings and Zentom icons appeared almost immediately. Like a big dummy I opened the door wide, waved it in, plumped a cushion for its big, greasy butt, and asked if it wanted a soda or something. Embarrassing.
     

  11. thisisu

    thisisu Malware Consultant

    I edited the previous SystemLook code box. Can you re-run a scan using the updated version of the code and then attach this log?
     
  12. ubermoot

    ubermoot Private E-2

    Here's the new one.
     

  13. thisisu

    thisisu Malware Consultant

    It's incomplete. Try again, also try this:

    Download Comodo Cleaning Essentials 32 Bit 2.0.212902.151 Beta to your desktop.
    • Extract the CCE folder to your desktop.
    • Double-click CCE.exe.
    • Go to Tools > Options
    • Change Heuristics Scanning Level to High.
    • Click OK to exit the Options configuration.
    • Click Full Scan.
    • When prompted, allow CCE to restart your PC for the rootkit scanning.
    • Once scanning is complete, go to Tools > Browser Logs...
    • Inside there will be a .txt file named CCE_yyyymmdd_hhmmss.txt where yyyymmdd_hhmmss symbolizes the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Afterwards, do the following:

    Obtain a new OTL and Extras log...
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • In the Processes box, choose All.
    • In the Services box, choose All.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the custom scan/fix text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      intelpmm.sys
      ipnat.sys
      ipsec.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    I will be back later to review your results.
     
  14. ubermoot

    ubermoot Private E-2

    Here's SystemLook again. The Extras.txt log didn't appear, but I've attached OTL.txt. The CCE process must not have finished after reboot. I tried twice, but it only generated a *.tmp file in the logs, and nothing was running. The tmp file doesn't upload, but here's a Notepad version.
     

  15. thisisu

    thisisu Malware Consultant

    Please update/download the latest version of TDSSKiller from here > v2.6.11.0
    • Open TDSSKiller and click the Change Parameters button.
    • Put checkmarks in both of the additional options.
    • Now Start Scan and attach the latest log. (How to attach items to your post)

    Open CCE again. Try running a Smart Scan instead. Attach the log if it creates one this time. (How to attach items to your post)

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the custom scan/fix text-field.
      Code:
      :processes
      killallprocesses
      :otl
      O4 - HKLM..\RunOnce: [*parsecryptadv.exe] C:\Documents and Settings\All Users\Start Menu\Programs\parsecryptadv.exe (©if systems)
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
      [2011/10/20 07:39:48 | 000,209,408 | ---- | C] (©if systems) -- C:\Documents and Settings\All Users\Start Menu\Programs\parsecryptadv.exe
      [2011/10/14 17:52:06 | 016,897,824 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Beth\Desktop\jre-6u27-windows-i586.exe
      [2 C:\Documents and Settings\Beth\Desktop\*.tmp files -> C:\Documents and Settings\Beth\Desktop\*.tmp -> ]
      :services
      :files
      C:\Documents and Settings\All Users\Start Menu\Programs\parsecryptadv.exe /D
      C:\WINDOWS\ServicePackFiles\i386\sp3.cab:intelppm.sys /e
      C:\WINDOWS\system32\drivers\intelppm.sys|c:\intelppm.sys /replace
      dir "C:\Documents and Settings\LocalService\" /c
      dir "C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\" /c
      dir "C:\DOCUMENTS AND SETTINGS\beth\START MENU\PROGRAMS\STARTUP\" /c
      dir "c:\documents and settings\beth\application data\" /c
      dir "c:\documents and settings\beth\local settings\Temp\" /c
      :reg
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
      "*parsecryptadv.exe"=-
      "parsecryptadv.exe"=-
      :commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Download Inherit by sUBs to your desktop.
    • Now open explorer and browse to this folder: C:\Windows\system32
    • While inside this folder, locate cmd.exe and command.com
    • Now drag cmd.exe on top of Inherit.exe.
    • A "Finish - OK" dialog box should appear. -- just click OK.
    • Note: This attempts to give you full permissions back to this file.
    • Now drag command.com on top of Inherit.exe, and click OK afterwards.

    Now download a new copy of MGtools.exe from here > MGtools Download Link
    • Save it to the root of your C:\ drive (C:\MGtools.exe)
    • Close all other applications at this time.
    • Double-click MGtools.exe to run, let it run unhindered.
    • Attach MGlogs.zip to your next message. (How to attach items to your post)

    Obtain a new OTL log...
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Change the File Age dropdown to 90 days. <- New!!
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the custom scan/fix text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      command.com
      cmd.exe
      mgtools.exe
      intelppm.sys
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • Attach OTL.txt to your next message. (How to attach items to your post)
     
  16. ubermoot

    ubermoot Private E-2

    No luck on running CCE -- it just created a tmp file like the other times, and I tried twice. The other programs seemed to run. MGTools didn't take long (may have been blocked) but did leave a new zip file.
     

  17. thisisu

    thisisu Malware Consultant

    I guess that's why it's a beta :-D

    Unplug your ethernet cable before continuing...

    Re-run TDSSKiller the same way as before (with the 2 additional options enabled)

    Have it quarantine both files:
    • C:\WINDOWS\system32\DRIVERS\omci.sys
    • C:\WINDOWS\system32\Drivers\usbaapl.sys

    Reboot if asked to.

    For the remainder of these steps, do not reboot. OTL below should not ask you to reboot.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the custom scan/fix text-field.
      Code:
      :processes
      killallprocesses
      :otl
      @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      :services
      :files
      c:\documents and settings\Beth\local settings\temp\*.tmp /S
      c:\documents and settings\all users\start menu\Programs\*.exe /S
      c:\documents and settings\Beth\start menu\Programs\*.exe /S
      C:\WINDOWS\System32\config\systemprofile\Application Data\parsednssvc.exe /D
      C:\WINDOWS\System32\config\systemprofile\Application Data\*.exe /S
      dir "C:\Documents and Settings\LocalService\Application Data\" /c
      :reg
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
      "*parsednssvc.exe"=-
      "parsednssvc.exe"=-
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Gather another GMER log for me: How-To
    Attach ark.txt to your next message. (How to attach items to your post)

    After you finish this last step, do not reboot!!
     
    Last edited: Oct 20, 2011
  18. ubermoot

    ubermoot Private E-2

    Aw, crum. I started in on your instructions, but the first OTL run did ask me to reboot, and I clicked OK reflexively (not sure I had another option). I'm posting from another computer, and upon reboot a windows error is on the screen saying Windows cannot find c:\...desktop\otl.exe. [Press OK]

    The internet is still unplugged. Do you want to amend the rest of your instructions, or should I just plug on from there?
     
  19. thisisu

    thisisu Malware Consultant

    Keep ethernet unplugged.

    Attach that log from the OTL fix you ran.

    Then start all over from the top with the same fixes. You should have done TDSSKiller first. This time the log should come up clean so you should not be prompted to reboot.
     
  20. ubermoot

    ubermoot Private E-2

    Sorry -- going slowly with this one.

    I probably had twenty malware tool programs on my desktop from this thread, and most of them are gone after that reboot (not even in RECYCLER), OTL and TDSSKiller included. My other program icons look untouched. I'd have to download the programs again, which either means plugging into the ethernet or using a thumb drive from another computer. Preference?

    I did run the TDSSKiller before OTL last time, and I could get you that log either by thumb drive or ethernet.

    I've got MGTools, debgtMGT.bat, CCE, process explorer, gmer.zip, sigcheck.zip, dds.scr and dds.pif left on the desktop.
     
  21. thisisu

    thisisu Malware Consultant

    Thumb drive.

    Yes sorry there was a non-intended line in the OTL script. It's removed now.
     
  22. ubermoot

    ubermoot Private E-2

    After quarantine in TDSSKiller, the OTL Fix step DOES still require a reboot to finish. Because the Fix instructions mentioned a reboot and there's no choice given, I allowed it (you didn't expect OTL to ask). The OTL scan ran fine after that, but after a long scan gmer just produced a two-line log.

    I started from the top again, and at the OTL Fix pressed the corner x to cancel rebooting to finish, but it rebooted anyway. Maybe there's a way to stop this? After another OTL scan I ran gmer, and it looks the same. Attached are logs from this time around. Let me know if you want them from the first time around, but they seem the same.
     

  23. thisisu

    thisisu Malware Consultant

    Another mistake on my end, the killallprocesses entry was forcing the reboot.

    Doubt it would have mattered anyway. I am seeking advice from my colleagues. Thank you for your continued patience.
     
  24. thisisu

    thisisu Malware Consultant

    Update

    Found a thread where Microsoft Security Essentials was successful in removing all traces of these random RunOnce .exe spawns, including future ones that are not even detected by logs. I am guessing it will be something MGtools and other log gathering tools will track from now on.

    Anyways, let's see if it will work for you as well. *fingers crossed*

    Download MSE from here >> Microsoft Security Essentials for Windows v2.1.1116

    Install it, fully update it, and run a full scan. Post the results in your next reply.

    Then run a Quick Scan with OTL. Attach that log to your next message.
     
    Last edited: Oct 21, 2011
  25. ubermoot

    ubermoot Private E-2

    I'm back. I wish the fix were that straightforward, though there's some progress. During the update process, Security Essentials suspended the Severe Threat level Trojan called Win32/FalseYak and stopped everything to ask if I want to remove it. The first time, since the threat was suspended already, I still just went into a full scan, which moved very slowly until it stopped progressing and popped up a message about the severe threat again, do I want to REMOVE. Finally, I chose to remove it, and then rebooted to finish. I clicked the xed MSE taskbar icon, which opened with a message saying it wasn't working and wasn't updated (?), because the service had been stopped. After a little bit MSE's real-time scanning function rebounded (icon turned green), and then it found the threat again, which I quarantined this time. In MSE's history are listed the removal and quarantine options, but also an "Allowed" action let in at reboot that I hadn't chosen. So more had to be removed before a reboot.

    This time I quarantined the threat (a TEMP file called FY2.tmp), unplugged the ethernet, and did an MSE quick scan. This found the threat again, so I quarantined it again and immediately went into a full scan. That's where I am now. I get secondary MSE taskbar windows saying a potential threat is suspended and a restart is required to complete cleanup, and the full scan is going extremely slow (maybe 1/5 of the way done after an hour). The scan keeps removing Rogue:Win32/FakeYak every 12 minutes or so, describing it as a "dangerous" program that "executes commands from an attacker."

    More later, if and when the scan finishes...
     
  26. thisisu

    thisisu Malware Consultant

    Ok, keep me posted. We now know where those RunOnce entries are spawning from so we should be able to remove all traces of infection if MSE is unsuccessful.
     
  27. ubermoot

    ubermoot Private E-2

    Here's the play-by-play. The scan got a bit quicker and finally finished. I copied MSE's History from the start into one text file (attached). You can see how threats generate once removed, and at the end besides FalseYak a medium-level threat was found in Program:Win32/PowerRegScheduler (quarantined). MSE detected single-file threats to be removed two times in a row right after the scan's fixes, and then I got the request to restart in order to finish cleaning.

    Errors popped up at reboot: Windows couldn't find c:\...Programs\packhostdiag.exe or \Programs\Startup\pagescanboot.exe or certrescore.exe or \AllUsers\Application Data\audioappadv.exe or \svccplres.exe or \resparsescan.exe or LocalService\Application Data\packcachecert.exe or All Users\Start Menu\Programs\editcabboot.exe or LocalService\Local Settings\Application Data\audioeditcpl.exe ... (I missed one here)...upon reboot. Windows also couldn't access c:\windows\aclcryptproxy.exe or cscbridgeauto.exe.

    Then my desktop appeared. The MSE icon was red (FakeYak found again), and now it's back to green active "protection" status. The interval finding and removing nonsense has started again. Since things keep changing up, I haven't done an OTL scan, but let me know if you still need it.
     

  28. thisisu

    thisisu Malware Consultant

    Yes I've learned that this infection is rather tricky and targets a specific registry key not monitored by the majority of log gathering tools. Why MSE is not seeing them now for you is kind of interesting as it worked perfectly fine here. MGtools was recently updated to track it but since you are not able to run it let's try to find what is hiding another way...

    Scan with OTL using these instructions...
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the custom scan/fix text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      cmd.exe
      command.com
      /md5stop
      %systemroot%\*. /mp /s
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      HKEY_USERS\S-1-5-21-2699302033-632523459-4123444801-1007\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_USERS\S-1-5-21-2699302033-632523459-4123444801-1007\Software\Microsoft\Windows\CurrentVersion\RunOnce
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be a log file on your desktop entitled OTL.txt.
    • Attach OTL.txt to your next message. (How to attach items to your post)
     
    Last edited: Oct 26, 2011
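    The OTL scans in this thread are hunting for the same thing each time: Run/RunOnce values (in HKLM and in the user's own hive) that point at randomly named .exe files dropped under Start Menu\Programs or Application Data, some of them with a `*` prefix so they also run in Safe Mode. The following PowerShell script is an added example, not a tool from this thread or from any of the authors named here; it enumerates those keys across HKLM and every loaded user hive and flags entries with those traits. It assumes an elevated PowerShell session; the list of suspect path fragments is a constructed heuristic.

```powershell
# Added example (not from the thread): list Run/RunOnce autostart entries in HKLM
# and every user hive loaded under HKEY_USERS, and flag the traits the OTL
# scripts above were looking for: a "*" prefix (RunOnce entries that also run in
# Safe Mode), a target inside a profile or Start Menu folder, or a target that
# no longer exists on disk. Run from an elevated prompt.

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Path fragments that are unusual homes for a legitimate autostart binary.
# Constructed heuristic list for this example; extend as needed.
$suspectFragments = @(
    '\Start Menu\Programs\',
    '\Application Data\',
    '\AppData\',
    '\Local Settings\Temp\',
    '\Temp\',
    '\config\systemprofile\'
)

function Get-CommandPath {
    # Pull the executable path out of a Run value, quoted or unquoted,
    # with or without trailing arguments.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: take everything up to the first executable extension,
    # falling back to the first whitespace-delimited token.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-AutostartEntry {
    # Build one result row for a single Run/RunOnce value with its flags.
    param([string]$Hive, [string]$Key, [string]$Name, [string]$Command)
    $reasons = @()
    if ($Name.StartsWith('*')) { $reasons += 'star-prefixed (also runs in Safe Mode)' }
    $target = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $Command))
    foreach ($frag in $suspectFragments) {
        if ($target -like "*$frag*") { $reasons += "target under $frag"; break }
    }
    if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target missing on disk' }
    [pscustomobject]@{
        Hive   = $Hive
        Key    = $Key
        Name   = $Name
        Target = $target
        Flags  = ($reasons -join '; ')
    }
}

# Roots to inspect: HKLM plus every account SID hive currently loaded under
# HKEY_USERS (the _Classes hives and well-known service SIDs are skipped).
$roots = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

$results = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $path = "$root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            Test-AutostartEntry -Hive $root -Key $sub -Name $p.Name -Command ([string]$p.Value)
        }
    }
}

# Flagged entries sort to the top; an empty Flags column means nothing matched.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize Hive, Name, Target, Flags
```

A "target missing on disk" flag on a RunOnce value is exactly the pattern behind the "Windows cannot find ..." errors reported later in this thread: the scanner removed the file but the autostart value survived.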
  29. ubermoot

    ubermoot Private E-2

    Sorry --game changer here. :banghead MSE might have battled this thing all night, but in the morning I came into a BSOD referencing the bad file KsecDD.sys, a Windows Operating System file that can be masked by malware. I can't boot into any other mode without coming up with the same blue screen. Though I can boot to CD, my WinXP disk is only for reinstallation, not repair.

    I can boot to an Ubuntu Live CD for a graphical interface, access to Firefox, and any files I want to move to or from a thumb drive. I also made a BartPE bootable CD today with the default tools plus Chkdsk (no immediate recognition there of the thumb drive). I'll follow your lead, including resorting to an OS reinstall if you think it best. Any data I want is backed up elsewhere, and the programs can be reconfigured.
     
  30. thisisu

    thisisu Malware Consultant

    The fastest resolution of course would be to back up and reinstall Windows. I don't mind continuing to help you get the system back up though.

    Can you first upload the logs from the BSODs you are getting?

    They can be found at C:\Windows\Minidump
    They have the .dmp extension. Zip these up and upload here for analysis.

    Just for my knowledge, was MSE doing Full Scans or Smart scans?
     
  31. ubermoot

    ubermoot Private E-2

    Here you go -- just one. I don't know what the ongoing real-time scanning in MSE would be considered (whatever the default is). This was the first that the malware didn't stop. I chose Quick Scan once where noted and Full Scans the other times.
     

  32. thisisu

    thisisu Malware Consultant

    This log is from 10/14/2009 -- It's not related to this infection.

    At this point, I think it would be best to reinstall Windows.
     
  33. ubermoot

    ubermoot Private E-2

    That was painful, but necessary! Thanks for all your help -- this site is a terrific resource, and I hope there are some takeaways for someone else.
     
  34. thisisu

    thisisu Malware Consultant

    Sorry we couldn't get it all sorted out for you. This rootkit appears to be doing more and more damage to the OS as it evolves.

    You're welcome though, surf safely!
     