Zero Access, Desktop.ini, web redirection, and WinDefender issues

I have no idea what happened, so here's the basic run down.

Found out a little while back that I had an issue with desktop.ini (32 and 64), but since I was preparing for a move I didn't have a lot of time to mess with it and it didn't seem to be causing that much of an issue.

Last night, while doing normal browsing, a lot of windows defender shields popped up in the action icon area in the lower left hand corner. I shut down and went into safe mode. I've run everything I know and still when I try to log into windows normally it gives me a black screen after logging in, has severely reduced processes (almost none of the normal ones), and is running wdfender*32.exe.

I have done all the instructions and have attached them here. I'm running Windows 7 Home Premium.

 

Welcome to MajorGeeks, krazyjethro

Please attach the logs from the following tools:

• HitmanPro
• MGtools

 

Here are the additional items.

Thanks in advance for all the help.

KJ

 

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif - Rescan with HitmanPro

This time if the below detections are found, choose the action I've listed below:

• services.exe - Trojan ==> Replace
• LGUTchkdl.dll - Trojan ==> Delete
• shoger.dll - Trojan ==> Delete
• Desktop.ini - Trojan ==> Delete

Ignore any other detections and click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.

__

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

__

Try to delete following items manually using Windows Explorer

• c:\windows\installer\{ac2d0088-833e-f07c-b782-e09d01da9c07} <== Folder
• c:\users\chicken mcdickle\appdata\local\{ac2d0088-833e-f07c-b782-e09d01da9c07} <== Folder
• c:\users\chicken mcdickle\AppData\Roaming\svcnem.dll <== File

Let me know if you were successful or not.

__

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  /md5start
  services.exe
  svcnem.dll
  /md5stop
  %windir%\installer\{ac2d0088-833e-f07c-b782-e09d01da9c0*.
  c:\users\chicken mcdickle\appdata\local\{ac2d0088-833e-f07c-b782-e09d01da9c0*.
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

First, thanks thisisu for the help.

I followed the directions to the letter, and yes I was successful in removing those folders/file and checked upon reboot and they remained gone.

I've attached the new logs and included the extras.txt for good measure

 

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 31

__

/!\ Please Disable Spybot's TeaTimer
Leave it disabled for the remainder of malware removal.

__


http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
IE - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKU\S-1-5-21-2685182556-2384134339-2750481275-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O33 - MountPoints2\{915c352b-262c-11e1-ad16-842b2bb20887}\Shell - "" = AutoRun
O33 - MountPoints2\{915c352b-262c-11e1-ad16-842b2bb20887}\Shell\AutoRun\command - "" = J:\TL_Bootstrap.exe
O33 - MountPoints2\{e1e8077f-0eee-11e0-bfdf-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{e1e8077f-0eee-11e0-bfdf-806e6f6e6963}\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\HumbleIndieBundleV.exe
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\TL_Bootstrap.exe
[2012/07/20 00:36:18 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2012/07/10 14:16:55 | 000,000,564 | -H-- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012/07/10 02:30:00 | 000,000,564 | -H-- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask-Delay.job
@Alternate Data Stream - 24 bytes -> C:\Windows:F168B4EC4716AC3A
@Alternate Data Stream - 176 bytes -> C:\ProgramData\TEMP:58E38390
[COLOR="DarkRed"]:files[/COLOR]
C:\Windows\tasks\SystemToolsDailyTest.job /d
C:\Users\chicken mcdickle\AppData\Roaming\LdrYn.txt
C:\Users\chicken mcdickle\AppData\Roaming\msregsvv.dll
C:\Users\chicken mcdickle\AppData\Roaming\shoger.dll
C:\Users\chicken mcdickle\AppData\Roaming\svcnem.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
[COLOR="DarkRed"]:reg[/COLOR]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[HKEY_USERS\S-1-5-21-2685182556-2384134339-2750481275-1001\Software\Microsoft\Windows\CurrentVersion\run]
"SpybotSD TeaTimer"=-
[COLOR="DarkRed"]:commands[/COLOR]
[clearallrestorepoints]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)

 

OK, back with the latest batch of logs.

Thanks for the prompt replies!

 

You're welcome.

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Repair Windows Firewall
  • Repair Winsock & DNS Cache
  • Repair Windows Updates
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

http://img205.imageshack.us/img205/4783/regeditb.gif NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

• Attached are two files:
  • WinDefend.zip
  • wscsvc.zip
• Download each of these to the desktop of the computer with problems.
• Now open each .zip file and extract the .reg file inside of each to the desktop.
• Try to merge wscsvc.reg into the registry by double-clicking with your left-mouse clicker and saying yes to the prompt that you want to merge into registry.
• Let me know if the merge was successful or not.
  • If successful, do the same thing for WinDefend.reg
• Let me know if this one was successful too.
  • If both were successful, reboot Windows and test to see if Windows Defender is now working.