
Author Topic: Huge Malware/Spyware problem, cannot run anything except web browser.  (Read 15692 times)


TrentWalker

    Topic Starter


    Rookie

    I did the pre-requisite readings before posting this, but I can't seem to figure anything out.

    I'm getting the "Application cannot be executed...file is infected" popup what seems like every 30 seconds randomly and every time I try to run Notepad or any program. I only seem to be able to open Firefox. At first it was the XP Internet Security 2010, then Antivirus Soft, and various other "security" popups.

    I tried to run rkill to generate a log, but I'm not sure it works. I get a quick MS-DOS screen, but almost instantly it gets shut down by the "Application cannot be executed" popup. Where is the log supposed to be generated?

    Thanks in advance for any help. I'm getting pretty frustrated here.   

    TrentWalker


      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
      « Reply #1 on: February 25, 2010, 10:40:13 PM »
      Sorry, forgot to add that I am running Windows XP (I think SP3, cannot open my system information in control panel so cannot be 100% sure). 

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
      « Reply #2 on: February 26, 2010, 12:03:01 PM »
      Try not to restart the computer until one of the tools we use does it for you or tells you to.

      If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

      1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

      There are 4 different versions. If one of them won't run then download and try to run the next one.

      Vista and Windows 7 users need to right click Rkill and choose Run as Administrator.

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

      * Rkill.com
      * Rkill.scr
      * Rkill.pif
      * Rkill.exe

      * Double-click on the Rkill desktop icon to run the tool.
      If using Vista or Windows 7, right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * When finished it will create a log.
      * Please post the rkill.log in the next reply.

      * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.


      Once you've gotten one of them to run then try to immediately run the following.


      2) Download and run exeHelper

      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Add the log.txt file to your next message.

      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


      3) If you already have Malwarebytes be sure to update it before running the scan!

      Download Malwarebytes' Anti-Malware (MBAM)

      * Double-click mbam-setup.exe and follow the prompts to install the program.
      * At the end, be sure a checkmark is placed next to the following:

      * Update Malwarebytes' Anti-Malware
      * Launch Malwarebytes' Anti-Malware

      * Then click Finish
      * If an update is found, it will download and install the latest version.
      * Once the program has loaded, select Perform quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
      * Be sure that everything is checked, and click Remove Selected.
      * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      * Copy and Paste the entire report in your next reply.

      Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


      Logs needed:

      • Rkill
      • exeHelper
      • Malwarebytes

      TrentWalker


        Re: Huge Malware/Spyware problem, cannot run anything except web browser.
        « Reply #3 on: February 26, 2010, 07:38:43 PM »
        Thanks for responding.

        I was able to get both Rkill and exeHelper to generate logs just before I got hit with the "application is infected..." popup, but the logs were basically blank. It appears the malware stopped them in their tracks.

        This is what Rkill said:

        Quote from: Rkill
        This log file is located at C:\rkill.log.
        Please post this only if requested to by the person helping you.
        Otherwise you can close this log when you wish.
        Ran as ZACK MORRIS on 02/25/2010 at 22:07:45.


        Processes terminated by Rkill or while it was running:


        And exeHelper:

        Quote from: exeHelper
        exeHelper by Raktor

        That's it.

        And I have tried to install Malwarebytes several times with no success. Sometimes it won't complete the install, other times it does complete the install, but when I try to launch the program, it says something like "Cannot locate mbam.exe...". I installed Malwarebytes once in safe mode and it looked like things were going well, but the program shut down by itself in the middle of the full scan.

        I read on another help forum about how malware/spyware can be used for identity theft/credit card fraud so now I'm afraid to even have the infected computer logged on to the internet (I'm on a different PC right now). Is this true? And how can I make sure I am not putting myself at risk when I try to fix that computer?
         

        evilfantasy

        Re: Huge Malware/Spyware problem, cannot run anything except web browser.
        « Reply #4 on: February 27, 2010, 10:46:23 AM »
        I will be sending you a Private Message with some instructions to follow. We are doing this privately to keep the info out of the hands of the malware creators. Please do not mention the name of the utility we will be giving you or where you are getting it from. Just try to do what we ask you to do and then post back here with any problems you had. Again, in mentioning your problems, please don't refer to the program by name. Just call it "the utility" or "the program". For example, your response could be:

        The program ran OK. Or the program would not run, I received the following error message...(put your error message here).



        TrentWalker


          Re: Huge Malware/Spyware problem, cannot run anything except web browser.
          « Reply #5 on: February 27, 2010, 08:11:13 PM »
          I was able to get "the program" to run in Safe Mode and it detected like 93 objects, but after I quarantined them it prompted me to restart (which I immediately did) and I was not able to make a log because it restarted into normal mode and it was like "the program" was never installed on my computer.

          The good news is after the restart, things started returning back to normal. I was able to double click on install files so I proceeded to install "the program" in normal boot mode. I ran it again and it detected 23 objects this time. Here is the log from that run (2nd run):

          Quote
          Memory items scanned      : 385
          Memory threats detected   : 0
          Registry items scanned    : 5279
          Registry threats detected : 1
          File items scanned        : 30144
          File threats detected     : 23

          Adware.Tracking Cookie
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@lucidmedia[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@zedo[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@atdmt[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@imrworldwide[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@revsci[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@2o7[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@apmebf[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@invitemedia[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@mediaplex[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@media6degrees[1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@doubleclick[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@fastclick[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][3].txt

          Rogue.AntivirusSoft
             HKU\S-1-5-21-2996800989-1999048823-2621022130-1006\Software\avsoft

          Trojan.Agent/Gen-Faker
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1316\A0193300.EXE

          Adware.Vundo/Variant-[Fixed]
             C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1316\A0193302.DLL

          I then installed Malwarebytes and ran that:

          Quote
          Malwarebytes' Anti-Malware 1.43
          Database version: 3740
          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          2/27/2010 3:42:41 PM
          mbam-log-2010-02-27 (15-42-41).txt

          Scan type: Full Scan (C:\|)
          Objects scanned: 229289
          Time elapsed: 1 hour(s), 7 minute(s), 32 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 6
          Registry Values Infected: 2
          Registry Data Items Infected: 6
          Folders Infected: 0
          Files Infected: 9

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tabasifil (Trojan.Vundo.H) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hosalajono (Trojan.Vundo) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nlauipn.dll  -> Delete on reboot.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{570ac077-8bd7-4f49-8f6c-b5871d60abaa}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          C:\WINDOWS\nlauipn.dll (Trojan.Vundo.H) -> Delete on reboot.
          C:\WINDOWS\Temp\11.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\14.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\1B.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\Bvij.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\F.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Temp\mcmbyn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
          C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\spool\prtprocs\w32x86\00007fc3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

          I then ran a quick scan using "the program" one more time just to see if it would catch anything else:

          Quote
          Memory items scanned      : 370
          Memory threats detected   : 0
          Registry items scanned    : 5278
          Registry threats detected : 0
          File items scanned        : 88942
          File threats detected     : 3

          Adware.Tracking Cookie
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@zedo[2].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\[email protected][1].txt
             C:\Documents and Settings\ZACK MORRIS\Cookies\zack_morris@2o7[1].txt

          And finally a quick scan using Malwarebytes:

          Quote
          Malwarebytes' Anti-Malware 1.43
          Database version: 3740
          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          2/27/2010 5:32:44 PM
          mbam-log-2010-02-27 (17-32-44).txt

          Scan type: Quick Scan
          Objects scanned: 136946
          Time elapsed: 11 minute(s), 40 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          I then decided to run a virus scan with my Avira Antivir. It detected 15 objects, but I'm not sure if I should go ahead and quarantine/delete them. I believe some of them are false positives so I am cautious to proceed. This is not a log, but a copy of what it says after the scan, but before I take any action:

          Quote
          Object         Detection   

          rkill.pif                 HIDDENEXT/Crypted
          D4EF690Ad01         TR/Dropper.Gen
          jar_cache52099.tmp   TR/Dldr.Java.Agent.AH.1
          rigslhn.exe         TR/Crypt.XPACK.Gen
          rsxeamwonc.tmp        TR/Dldr.Mufanom.muo   
          all.pdf            EXP/Pdfka.bpf
          newplayer.pdf         EXP/Pdfka.bmg
          rkill.pif                 HIDDENEXT.Crypted
          jar_cache52099.tmp   TR/Dldr.Java.Agent.AH.1
          rigslhn.exe          TR/Crypt.XPACK.Gen
          rsxeamwonc.tmp         TR/Dldr.Mufanom.muo
          all.pdf            EXP/Pdfka.bpf
          newplayer.pdf         EXP/Pdfka.bmg
          A0190740.exe        TR/Crypt.XPACK.Gen

          Should I click on "Repair All" or no?

          Also, it appears there are a few cookies in my internet explorer that I am now unable to delete using the internet options in the control panel. Are these the quarantined cookies?

          I'd appreciate any more help to make sure everything is okay.

          But your help so far is greatly appreciated. I thought for sure I was going to have to reformat. 
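A way to read the Malwarebytes full-scan log in the post above, added here as an example (it is not part of the thread and not Malwarebytes' own code): it parses each detection line and groups the registry entries by what a write at that location affects. The sample lines are copied from the posted log; the category names and helper functions are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the Malwarebytes full-scan
# log posted above.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tabasifil (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nlauipn.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{570ac077-8bd7-4f49-8f6c-b5871d60abaa}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.88,93.188.161.39 -> Quarantined and deleted successfully.
C:\WINDOWS\nlauipn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\Bvij.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# Line shape: "<target> (<detection>) -> [<detail> ->] <action>."
LINE_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that appear in the log and what a write there affects.
RULES = [
    # A key here can redirect the launch of the named executable.
    ("ifeo_hijack", re.compile(r"\\image file execution options\\[^\\]+$", re.I)),
    # Values here are started automatically at logon.
    ("autorun", re.compile(r"\\currentversion\\run\\[^\\]+$", re.I)),
    # DLLs listed in this value are loaded by LSASS.
    ("lsa_package", re.compile(r"\\control\\lsa\\notification packages$", re.I)),
    # Static DNS servers, machine-wide or per network interface.
    ("dns_override", re.compile(
        r"\\tcpip\\parameters\\(interfaces\\\{[^}]+\}\\)?nameserver$", re.I)),
    # Security Center warnings switched off.
    ("alerts_muted", re.compile(r"\\security center\\\w+disablenotify$", re.I)),
]


def classify(target):
    """Map a registry path or file path to one of the categories above."""
    for name, pattern in RULES:
        if pattern.search(target):
            return name
    return "file" if re.match(r"[A-Za-z]:\\", target) else "other"


def parse_log(text):
    """Return one dict per detection line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, counters, "(No malicious items detected)"
        parts = [p.strip() for p in m["rest"].split("->")]
        findings.append({
            "target": m["target"],
            "detection": m["detection"],
            "detail": parts[0] if len(parts) > 1 else "",
            "action": parts[-1].rstrip("."),
            "category": classify(m["target"]),
        })
    return findings


def hijacked_programs(findings):
    """Executables named under Image File Execution Options."""
    return [f["target"].rsplit("\\", 1)[1]
            for f in findings if f["category"] == "ifeo_hijack"]


def rogue_dns(findings):
    """Distinct DNS server addresses that had been written to the registry."""
    servers = set()
    for f in findings:
        if f["category"] == "dns_override":
            servers.update(re.findall(r"\d+(?:\.\d+){3}", f["detail"]))
    return sorted(servers)


def pending_reboot(findings):
    """Items that are only removed once the machine restarts."""
    return [f["target"] for f in findings if f["action"] == "Delete on reboot"]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(Counter(f["category"] for f in found))
    print("programs named under IFEO:", hijacked_programs(found))
    print("DNS servers to compare with the router/ISP settings:", rogue_dns(found))
    print("still present until restart:", pending_reboot(found))
```

The "Delete on reboot" items are the ones a follow-up scan should confirm are gone after the restart.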

           

          evilfantasy

          Re: Huge Malware/Spyware problem, cannot run anything except web browser.
          « Reply #6 on: February 27, 2010, 08:15:25 PM »
          Generally cookies are not a problem. All websites use them, even this one.

          If you already have ComboFix be sure to delete it and download a new copy.

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note: It is important that it is saved directly to your Desktop.

          Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

          TrentWalker


            Re: Huge Malware/Spyware problem, cannot run anything except web browser.
            « Reply #7 on: February 27, 2010, 09:10:05 PM »
            Here is the log

            [Saving space, attachment deleted by admin]

            evilfantasy

            Re: Huge Malware/Spyware problem, cannot run anything except web browser.
            « Reply #8 on: February 27, 2010, 09:25:06 PM »




            1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
            It must be Notepad, not Wordpad.
            2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

            Code:
            KillAll::

            DDS::
            uInternet Settings,ProxyServer = http=127.0.0.1:5555
            FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

            Folder::
            c:\documents and settings\NetworkService\Local Settings\Application Data\miqmxq

            File::
            c:\windows\Tqezewapa.bin
            c:\windows\Wmaciseciyo.dat


            3. Go to the Notepad window and click Edit > Paste
            4. Then click File > Save
            5. Name the file CFScript.txt - Save the file to your Desktop
            6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



            ComboFix will begin to execute, just follow the prompts.
            After reboot (in case it asks to reboot), it will produce a log for you.
            Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

            ----------

            Download GMER Rootkit Detector and save it to your desktop.
             
            * Extract it to your desktop and double-click GMER.exe
            * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
            * Click the Rootkit tab and then Scan.
            * Don't check the Show All box while scanning is in progress!
            * When scanning is finished click Copy.
            * This copies the log to clipboard
            * Post the log in your reply.

            TrentWalker


              Re: Huge Malware/Spyware problem, cannot run anything except web browser.
              « Reply #9 on: February 27, 2010, 11:34:12 PM »
              Attached is the CFScripted ComboFix log.

              Unfortunately, I tried running the GMER program twice and both times it froze up my computer (my computer is pretty old) shortly after beginning the scan.

              Any ideas?

              Thanks again for everything.   

              [Saving space, attachment deleted by admin]

              evilfantasy

              Re: Huge Malware/Spyware problem, cannot run anything except web browser.
              « Reply #10 on: February 28, 2010, 11:18:32 AM »
              Try this one.

              RootRepeal - Rootkit Detector

              * Download the following tool: RootRepeal - Rootkit Detector
              * Direct download link is here: RootRepeal.zip

              * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
              * Click this link to see a list of such programs and how to disable them.

              * Extract the program file to a new folder such as C:\RootRepeal
              * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
              * Select ALL of the checkboxes and then click OK and it will start scanning your system.
              * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
              * When done, click on Save Report
              * Save it to the same location where you ran it from, such as C:\RootRepeal
              * Save it as rootrepeal.txt
              * Then open that log and select all and copy/paste it back on your next reply please.
              * Close RootRepeal.

              TrentWalker


                Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                « Reply #11 on: February 28, 2010, 07:05:07 PM »
                ROOTREPEAL (c) AD, 2007-2009
                ==================================================
                Scan Start Time:      2010/02/28 17:52
                Program Version:      Version 1.3.5.0
                Windows Version:      Windows XP SP3
                ==================================================

                Drivers
                -------------------
                Name: rootrepeal.sys
                Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                Address: 0xA5229000   Size: 49152   File Visible: No   Signed: -
                Status: -

                Hidden/Locked Files
                -------------------
                Path: Volume C:\
                Status: MBR Rootkit Detected!

                Path: C:\hiberfil.sys
                Status: Locked to the Windows API!

                Path: C:\DVDVideoSoft\FEIST-~4.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-113\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-115\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-141\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-143\1:5-9
                Status: Visible to the Windows API, but not on disk.

                Path: C:\Documents and Settings\HelpAssistant\Local Settings\Temp\plugtmp-146\1:5-9
                Status: Visible to the Windows API, but not on disk.

                SSDT
                -------------------
                #: 041   Function Name: NtCreateKey
                Status: Hooked by "<unknown>" at address 0xa6e61166

                #: 053   Function Name: NtCreateThread
                Status: Hooked by "<unknown>" at address 0xa6e6115c

                #: 063   Function Name: NtDeleteKey
                Status: Hooked by "<unknown>" at address 0xa6e6116b

                #: 065   Function Name: NtDeleteValueKey
                Status: Hooked by "<unknown>" at address 0xa6e61175

                #: 098   Function Name: NtLoadKey
                Status: Hooked by "<unknown>" at address 0xa6e6117a

                #: 122   Function Name: NtOpenProcess
                Status: Hooked by "<unknown>" at address 0xa6e61148

                #: 128   Function Name: NtOpenThread
                Status: Hooked by "<unknown>" at address 0xa6e6114d

                #: 193   Function Name: NtReplaceKey
                Status: Hooked by "<unknown>" at address 0xa6e61184

                #: 204   Function Name: NtRestoreKey
                Status: Hooked by "<unknown>" at address 0xa6e6117f

                #: 247   Function Name: NtSetValueKey
                Status: Hooked by "<unknown>" at address 0xa6e61170

                #: 257   Function Name: NtTerminateProcess
                Status: Hooked by "<unknown>" at address 0xa6e61157

                ==EOF==
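A way to read the RootRepeal report above, added here as an example (it is not part of the thread and not RootRepeal's own code): it parses the Drivers and SSDT sections, checks whether each hook address falls inside a driver image the report lists, and groups the hooked functions by what they control. The sample is abridged from the posted report; treating `<unknown>` as "not inside any listed driver" is this example's assumption.

```python
import re

# Constructed sample: abridged from the RootRepeal report posted above
# (Drivers section plus six of the eleven SSDT entries).
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5229000   Size: 49152   File Visible: No   Signed: -
Status: -

SSDT
-------------------
#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa6e61166

#: 053   Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa6e6115c

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa6e61148

#: 193   Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa6e61184

#: 247   Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa6e61170

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa6e61157
"""

# Both patterns tolerate leading indentation, as in text pasted from a forum.
DRIVER_RE = re.compile(
    r"^[ \t]*Name:\s*(?P<name>.+)\n[ \t]*Image Path:\s*(?P<path>.+)\n"
    r"[ \t]*Address:\s*(?P<base>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)", re.M)
HOOK_RE = re.compile(
    r'^[ \t]*#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)[ \t]*\n'
    r'[ \t]*Status:\s*Hooked by "(?P<owner>[^"]*)" at address '
    r'(?P<addr>0x[0-9A-Fa-f]+)', re.M)


def parse_report(text):
    """Return (drivers, hooks) as lists of dicts with integer addresses."""
    drivers = [{"name": m["name"].strip(), "base": int(m["base"], 16),
                "size": int(m["size"])} for m in DRIVER_RE.finditer(text)]
    hooks = [{"index": int(m["index"]), "func": m["func"], "owner": m["owner"],
              "addr": int(m["addr"], 16)} for m in HOOK_RE.finditer(text)]
    return drivers, hooks


def owning_driver(addr, drivers):
    """Name of the listed driver whose image contains addr, or None."""
    for d in drivers:
        if d["base"] <= addr < d["base"] + d["size"]:
            return d["name"]
    return None


def capability(func):
    """What a hook on this system call can observe or block."""
    if func.endswith("Key"):
        return "registry"
    if "Process" in func or "Thread" in func:
        return "process/thread"
    return "other"


def summarize(text):
    """Condense the report into the facts worth following up."""
    drivers, hooks = parse_report(text)
    addrs = [h["addr"] for h in hooks]
    by_cap = {}
    for h in hooks:
        by_cap.setdefault(capability(h["func"]), []).append(h["func"])
    return {
        "hooks": len(hooks),
        # Hooks whose address lies outside every driver image in the report.
        "unattributed": [h["func"] for h in hooks
                         if owning_driver(h["addr"], drivers) is None],
        "lowest": min(addrs) if addrs else None,
        # A small span means all hook targets sit in one memory region.
        "span": max(addrs) - min(addrs) if addrs else 0,
        "by_capability": by_cap,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['hooks']} hooks, {len(s['unattributed'])} outside listed drivers")
    print(f"lowest address {s['lowest']:#x}, span {s['span']} bytes")
    for cap, funcs in s["by_capability"].items():
        print(f"{cap}: {', '.join(funcs)}")
```

Unattributed hooks are a lead rather than a verdict: the follow-up is to identify what is mapped at that address range.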

                evilfantasy

                Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                « Reply #12 on: February 28, 2010, 07:20:46 PM »
                Download the MBR Rootkit Detector to your desktop.

                Go to Start > Run then copy and paste the following red text into the Open field then click OK:

                "%userprofile%\desktop\mbr.exe" -f

                Next, double click on the mbr.exe file and post the contents of the new mbr.log


                Also let me know how the computer is running now.

                TrentWalker


                  Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                  « Reply #13 on: February 28, 2010, 07:32:58 PM »
                  I hope I did this right.

                  Quote
                  Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                  device: opened successfully
                  user: MBR read successfully
                  kernel: MBR read successfully
                  user & kernel MBR OK


                  The computer is running a bit slower than normal, although it is pretty slow normally. However, I feel that my hard drive is working a bit harder than before as it is noticeably noisier. But that may also just be the age of my computer.

                  I'm probably going to have to purchase a new notebook anyway, but there are a few important files on this computer so I really appreciate your help in getting it back to normal again. 

                  evilfantasy

                  Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                  « Reply #14 on: February 28, 2010, 07:41:38 PM »
                  Yes that looks good.

                  I would like to run one more scan to make sure we didn't miss anything.

                  First a little cleanup.

                  * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                  * Now type Combofix /Uninstall in the runbox
                  * Make sure there's a space between Combofix and /Uninstall
                  * Then hit Enter

                  * The above procedure will:
                    * Delete the following:
                      * ComboFix and its associated files and folders.
                    * Reset the clock settings.
                    * Hide file extensions, if required.
                    * Hide System/Hidden files, if required.
                    * Set a new, clean Restore Point.
                  ----------

                  Clean out your temporary internet files and temp files.

                  Download TFC by OldTimer to your desktop.

                  Double-click TFC.exe to run it.

                  Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                  TFC will close all programs when run, so make sure you have saved all your work before you begin.

                  * Click the Start button to begin the cleaning process.
                  * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
                  * Please let TFC run uninterrupted until it is finished.

                  Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                  ----------

                  ESET Online Scan

                  Scan your computer with the ESET FREE Online Virus Scan

                  * Click the ESET Online Scanner button.

                  * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
                  * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
                  * Place a check mark next to YES, I accept the Terms of Use.

                  * Click the Start button.
                  * Accept any security warnings from your browser.
                  * Leave the check mark next to Remove found threats and place a check next to Scan archives.
                  * Click the Start button.
                  * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
                  * When the scan completes, click List of found threats.
                  * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
                  * Click the <<Back button then click Finish.

                  In your next reply please include the ESET Online Scan Log

                  TrentWalker


                    Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                    « Reply #15 on: February 28, 2010, 09:04:55 PM »
                    Attached is the ESET log.

                    Question: I still have ESET open. Should I check the "Delete quarantined files" option before I shut it down? It says it cleaned the infected files. Is that good enough, or do they need to be deleted?

                    Thanks

                    [Saving space, attachment deleted by admin]

                    evilfantasy

                    Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                    « Reply #16 on: February 28, 2010, 09:22:27 PM »
                    Yes you can delete them.


                    If there are no more malware issues we can finish up now.

                    Use the Secunia Software Inspector to check for out of date software.

                    * Click Start Scanner
                    * Check the box next to Enable thorough system inspection.
                    * Click Start
                    * Allow the scan to finish and scroll down to see if any updates are needed.
                    * Update anything listed.

                    ----------

                    Go to Microsoft Windows Update and get all critical updates.

                    ----------

                    If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

                    ----------

                    I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

                    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                    SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                    * Using SpywareBlaster to protect your computer from Spyware and Malware
                    * If you don't know what ActiveX controls are, see here

                    Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
                    * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                    Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                    TrentWalker


                      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                      « Reply #17 on: February 28, 2010, 11:15:16 PM »
                      I tried to update my Adobe Acrobat Reader to the latest version after using Secunia and it didn't complete installation because it had some difficulty with a couple registry keys or something. Probably not a big deal, but is this a sign that malware is still on my computer? 

                      Thanks again for everything, evilfantasy.

                      I appreciate your time and patience.

                      evilfantasy

                      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                      « Reply #18 on: March 01, 2010, 10:03:44 AM »
                      * Go to Add or Remove Programs and uninstall Adobe Acrobat Reader.
                      * Restart the computer.
                      * Install the new version of Adobe Reader. http://get.adobe.com/reader/

                      Important! Be sure to uncheck Free McAfee® Security Scan Plus (optional) before starting the Adobe Reader download.

                      TrentWalker


                        Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                        « Reply #19 on: March 01, 2010, 11:56:36 AM »
                        Uninstalling the old version was a no go as well. Similar error as trying to install the newest version. Could not access HKEY  or something so it failed to remove it.

                        And now there is definitely something up with my computer as the hard drive won't stop  working/trying to load something. Not sure if it's malware or just unnecessary software running in the background that I don't know of.     

                        I'm going to try some of the tips on your wordpress page.

                        evilfantasy

                        Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                        « Reply #20 on: March 01, 2010, 11:59:54 AM »
                        Run a new HijackThis scan and post the log please.

                        TrentWalker


                          Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                          « Reply #21 on: March 01, 2010, 12:13:53 PM »
                          Here is the log

                          [Saving space, attachment deleted by admin]

                          evilfantasy

                          Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                          « Reply #22 on: March 01, 2010, 12:52:33 PM »
                          Try turning off your Firewall and then uninstall it.

                          TrentWalker


                            Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                            « Reply #23 on: March 01, 2010, 01:11:14 PM »
                            It didn't work again. This is the error message:

                            Error 1402. Could not open key:
                            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS.
                            Verify that you have sufficient access to that key, or contact your support personnel.

                            Should I try that Windows Installer CleanUp Utility?

                            evilfantasy

                            Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                            « Reply #24 on: March 01, 2010, 01:17:02 PM »
                            Here are a few solutions to that error. http://kb2.adobe.com/cps/329/329137.html

                            TrentWalker


                              Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                              « Reply #25 on: March 02, 2010, 03:36:41 AM »
                              Looks like I'm not out of the woods yet.

                              Now I'm getting redirects when I click links in google and yahoo searches. This is a new occurrence.


                              evilfantasy

                              Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                              « Reply #26 on: March 02, 2010, 09:33:25 AM »
                              If you already have ComboFix be sure to delete it and download a new copy.

                              Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                              Link #1
                              Link #2

                              Note: It is important that it is saved directly to your Desktop.

                              Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

                              Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                               
                              Double click combofix.exe & follow the prompts.
                              Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
                              When finished ComboFix will produce a log for you.
                              Post the ComboFix log in your next reply.

                              Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                              Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                              If you have problems with ComboFix usage, see How to use ComboFix

                              ----------

                              RootRepeal - Rootkit Detector

                              * Download the following tool: RootRepeal - Rootkit Detector
                              * Direct download link is here: RootRepeal.zip

                              * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                              * Click this link to see a list of such programs and how to disable them.

                              * Extract the program file to a new folder such as C:\RootRepeal
                              * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                              * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                              * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                              * When done, click on Save Report
                              * Save it to the same location where you ran it from, such as C:\RootRepeal
                              * Save it as rootrepeal.txt
                              * Then open that log and select all and copy/paste it back on your next reply please.
                              * Close RootRepeal.

                              TrentWalker


                                Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                « Reply #27 on: March 02, 2010, 10:40:13 PM »
                                ComboFix log is attached.

                                Here is the RootRepeal log (also attached):

                                Quote
                                ROOTREPEAL (c) AD, 2007-2009
                                ==================================================
                                Scan Start Time:      2010/03/02 21:21
                                Program Version:      Version 1.3.5.0
                                Windows Version:      Windows XP SP3
                                ==================================================

                                Drivers
                                -------------------
                                Name: catchme.sys
                                Image Path: C:\ComboFix\catchme.sys
                                Address: 0xF9810000   Size: 31744   File Visible: No   Signed: -
                                Status: -

                                Name: dump_atapi.sys
                                Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                                Address: 0xAA46F000   Size: 98304   File Visible: No   Signed: -
                                Status: -

                                Name: dump_WMILIB.SYS
                                Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                                Address: 0xF9A88000   Size: 8192   File Visible: No   Signed: -
                                Status: -

                                Name: PROCEXP113.SYS
                                Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
                                Address: 0xF9A56000   Size: 7872   File Visible: No   Signed: -
                                Status: -

                                Name: rootrepeal.sys
                                Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                                Address: 0xA9C40000   Size: 49152   File Visible: No   Signed: -
                                Status: -

                                Hidden/Locked Files
                                -------------------
                                Path: Volume C:\
                                Status: MBR Rootkit Detected!

                                Path: C:\hiberfil.sys
                                Status: Locked to the Windows API!

                                Path: C:\DVDVideoSoft\FEIST-~4.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
                                Status: Visible to the Windows API, but not on disk.

                                SSDT
                                -------------------
                                #: 041   Function Name: NtCreateKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a166

                                #: 053   Function Name: NtCreateThread
                                Status: Hooked by "<unknown>" at address 0xf9b5a15c

                                #: 063   Function Name: NtDeleteKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a16b

                                #: 065   Function Name: NtDeleteValueKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a175

                                #: 098   Function Name: NtLoadKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a17a

                                #: 122   Function Name: NtOpenProcess
                                Status: Hooked by "<unknown>" at address 0xf9b5a148

                                #: 128   Function Name: NtOpenThread
                                Status: Hooked by "<unknown>" at address 0xf9b5a14d

                                #: 193   Function Name: NtReplaceKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a184

                                #: 204   Function Name: NtRestoreKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a17f

                                #: 247   Function Name: NtSetValueKey
                                Status: Hooked by "<unknown>" at address 0xf9b5a170

                                #: 257   Function Name: NtTerminateProcess
                                Status: Hooked by "<unknown>" at address 0xf9b5a157

                                Stealth Objects
                                -------------------
                                Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
                                Process: System   Address: 0xffaaba70   Size: 1425

                                ==EOF==


                                [Saving space, attachment deleted by admin]
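A triage sketch for the RootRepeal report quoted in Reply #27, added here as an example; it is not part of any forum post or of RootRepeal itself. The sample is an abridged copy of that report, and the names `parse_report`, `triage` and `EXPECTED_HIDDEN`, along with the list of drivers treated as expected, are assumptions of this example.

```python
import re

# Constructed sample: an abridged copy of the report quoted in Reply #27.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
Windows Version:      Windows XP SP3

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF9810000   Size: 31744   File Visible: No   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA46F000   Size: 98304   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

SSDT
-------------------
#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf9b5a166

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf9b5a148

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf9b5a157

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0xffaaba70   Size: 1425

==EOF==
"""

# Assumption of this example (not stated in the thread): drivers loaded by
# Windows crash-dump support or by the scanning tools, so "File Visible: No" is expected.
EXPECTED_HIDDEN = (r"dump_.+\.sys", r"catchme\.sys", r"rootrepeal\.sys", r"procexp\d*\.sys")


def parse_report(text):
    """Return {section title: [record dict, ...]} for a RootRepeal text report."""
    sections, section, title, record = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            record = None                       # a blank line ends the current record
        elif re.fullmatch(r"-{5,}", line):
            section, record = title, None       # dashes underline the section title
            sections[section] = []
        elif ": " not in line:
            title = line                        # candidate section title
        elif section is not None:               # field line ("Key: value   Key: value")
            if record is None:
                record = {}
                sections[section].append(record)
            for part in re.split(r"\s{2,}", line):
                key, _, value = part.partition(": ")
                record[key.strip()] = value.strip()
    return sections


def triage(sections):
    """Reduce a parsed report to the findings worth a second look."""
    drivers = sections.get("Drivers", [])
    ranges = [(int(d["Address"], 16), int(d["Size"]), d["Name"]) for d in drivers]
    review = [d["Name"] for d in drivers
              if not any(re.fullmatch(p, d["Name"], re.I) for p in EXPECTED_HIDDEN)]
    hooks = []                                  # (function, address, owning listed driver)
    for rec in sections.get("SSDT", []):
        m = re.search(r"Hooked by .* at address (0x[0-9a-fA-F]+)", rec.get("Status", ""))
        if m:
            addr = int(m.group(1), 16)
            owner = next((n for base, size, n in ranges if base <= addr < base + size), None)
            hooks.append((rec["Function Name"], addr, owner))
    addrs = sorted(a for _, a, _ in hooks)
    files = sections.get("Hidden/Locked Files", [])
    return {
        "drivers_to_review": review,
        "mbr_flagged": any("MBR Rootkit" in f.get("Status", "") for f in files),
        "unattributed_hooks": [name for name, _, owner in hooks if owner is None],
        "hook_span": addrs[-1] - addrs[0] if addrs else 0,
        # Targets spaced in multiples of 5 bytes fit one small stub table
        # (an x86 near jmp is 5 bytes); an inference, not something the report states.
        "uniform_5_byte_stride": bool(addrs) and all((a - addrs[0]) % 5 == 0 for a in addrs),
        "stealth_objects": [s["Object"] for s in sections.get("Stealth Objects", [])],
    }


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

An SSDT hook with no resolvable owner is not proof of infection by itself, since security software hooks the same table; here it is read together with the MBR flag and the hidden code attached to the atapi driver.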

                                evilfantasy

                                Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                « Reply #28 on: March 03, 2010, 09:37:05 AM »
                                Download the MBR Rootkit Detector to your desktop.

                                Go to Start > Run then copy and paste the following red text into the Open field then click OK:

                                "%userprofile%\desktop\mbr.exe" -f

                                Next, double click on the mbr.exe file and post the contents of the new mbr.log

                                ----------

                                How is the computer running now?

                                TrentWalker


                                  Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                  « Reply #29 on: March 03, 2010, 02:49:30 PM »
                                  Here is the MBR log:

                                  Quote
                                  Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                                  device: opened successfully
                                  user: MBR read successfully
                                  kernel: MBR read successfully
                                  detected MBR rootkit hooks:
                                  \Driver\atapi -> 0xffa56f98
                                  NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff637330
                                  Warning: possible MBR rootkit infection !
                                  user & kernel MBR OK
                                  copy of MBR has been found in sector 0x012A050FC
                                  malicious code @ sector 0x012A050FF !
                                  PE file found in sector at 0x012A05115 !
                                  Use "Recovery Console" command "fixmbr" to clear infection !

                                  My computer is running horribly right now. Once again, it seems like the hard drive is constantly being worked/trying to open a program. 

                                  BTW, I haven't gotten to removing the old Adobe Acrobat Reader yet. I hope that's not the reason for this.

                                  evilfantasy

                                  Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                  « Reply #30 on: March 03, 2010, 03:10:20 PM »
                                  Try this please.

                                  Please copy and paste MBR.exe from your desktop to your C:\ directory.

                                  * Right click MBR.exe and choose Copy.
                                  * From the desktop open My Computer then open C:\.
                                  * Right click an empty space and choose Paste.
                                  * Then delete the MBR.exe and MBR.log files from your desktop.

                                  Go to Start > Run then copy and paste the following into the Open field (do not copy the word Code):

                                  Code:
                                  mbr.exe -f
                                  * Click OK
                                  * You will get a security Warning please allow it to Run
                                  * MBR.exe will now begin the fix. A black window will appear then disappear, this is normal.
                                  * Now go to your C:\ directory, please rename the mbr.log to mbr2.log
                                  * To rename, right-click on the log and select rename, input the name I requested above.
                                  * After you renamed the log, please reboot your computer.
                                  * Once you reboot, please go to Start > Run and in the Open field copy and paste the following (do not copy the word Code):

                                  Code:
                                  c:\mbr.exe
                                  * You will get a security warning once again, please allow it to run.
                                  * The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
                                  * A log file will then be created at C:\mbr.log
                                  * Please post the contents of both C:\mbr2.log and C:\mbr.log log files in your next reply.

                                  TrentWalker


                                    Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                    « Reply #31 on: March 03, 2010, 03:28:22 PM »
                                    That's strange. I got the MS-DOS screen to appear and quickly disappear, but no log was generated.

                                    I think I may have messed up the procedure because when I read your instructions, I mistakenly did this:

                                    "Please copy and paste MBR.exe from your desktop to your C:\ directory."

                                    and then did this:

                                    * Right click MBR.exe and choose Copy.
                                    * From the desktop open My Computer then open C:\.
                                    * Right click an empty space and choose Paste.
                                    * Then delete the MBR.exe and MBR.log files from your desktop.

                                    As if they were two different steps. So I accidentally copied and pasted the MBR.exe twice.

                                    How do I go back and fix this?

                                    evilfantasy

                                    Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                    « Reply #32 on: March 03, 2010, 03:34:53 PM »
                                    You can re-download the mbr.exe again and put it in C

                                    As long as it is only on C then you are okay.

                                    I'm on my iPod right now. Be back at my PC in a little while.

                                    TrentWalker


                                      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                      « Reply #33 on: March 03, 2010, 03:40:04 PM »
                                      No rush. I'll be patient and wait until you have free time.

                                      But I saved it to C: and ran the code once again and it's not generating a log. 

                                      evilfantasy

                                      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                      « Reply #34 on: March 03, 2010, 03:49:28 PM »
                                      Alright. I'll post more later. If you do not have the Recovery Console installed you will need it. Google for Install XP Recovery Console and if you can understand how to install it you can. If you need help wait until I get back.

                                      evilfantasy

                                      Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                      « Reply #35 on: March 03, 2010, 06:00:01 PM »
                                      You have the Recovery Console installed already according to the ComboFix log.

                                      Go here and read the instructions on how to repair your MBR. Use the first set of instructions which are for XP http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

                                      TrentWalker


                                        Re: Huge Malware/Spyware problem, cannot run anything except web browser.
                                        « Reply #36 on: March 15, 2010, 06:47:25 PM »
                                        Sorry it took so long for me to reply.

                                        I couldn't repair my MBR because I did not have a Windows XP disc. My Dell computer didn't come with XP or recovery discs, just a Symantec utility on the computer itself for restoring.

                                        Anyway, I used this problem as an excuse to buy a new notebook PC so everything is all good.  ;D

                                        Thanks again evilfantasy for your assistance. You were able to get the Dell to work so I could save all my important files and then perform a clean system restore. Problem solved.

                                        I ended up giving the Dell to my aunt.

                                        Thanks.