Huge Malware/Spyware problem, cannot run anything except web browser.

[TrentWalker]

Attached is the ESET log.

Question: I still have ESET open. Should I check the "Delete quarantined files" option before I shut it down? It says it cleaned the infected files. Is that good enough, or do they need to be deleted?

Thanks

[Saving space, attachment deleted by admin]

[evilfantasy]

Yes you can delete them.


If there are no more malware issues we can finish up now.

Use the Secunia Software Inspector to check for out of date software.

* Click Start Scanner
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[TrentWalker]

I tried to update my Adobe Acrobat Reader to the latest version after using Secunia and it didn't complete installation because it had some difficulty with a couple registry keys or something. Probably not a big deal, but is this a sign that malware is still on my computer? 

Thanks again for everything, evilfantasy.

I appreciate your time and patience.

[evilfantasy]

* Go to Add or Remove Programs and uninstall Adobe Acrobat Reader.
* Restart the computer.
* Install the new version of Adobe Reader. http://get.adobe.com/reader/

Important! Be sure to uncheck Free McAfee® Security Scan Plus (optional) before starting the Adobe Reader download.

[TrentWalker]

Uninstalling the old version was a no go as well. Similar error as trying to install the newest version. Could not access HKEY  or something so it failed to remove it.

And now there is definitely something up with my computer as the hard drive won't stop  working/trying to load something. Not sure if it's malware or just unnecessary software running in the background that I don't know of.     

I'm going to try some of the tips on your wordpress page.

[evilfantasy]

Run a new HijackThis scan and post the log please.

[TrentWalker]

Here is the log

[Saving space, attachment deleted by admin]

[evilfantasy]

Try turning off your Firewall and then uninstall it.

[TrentWalker]

It didn't work again. This is the error message:

Error 1402. Could not open key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS.
Verify that you have sufficient access to that key, or contact your support personnel.

Should I try that Windows Installer CleanUp Utility?

[evilfantasy]

Here are a few solutions to that error. http://kb2.adobe.com/cps/329/329137.html

[TrentWalker]

Looks like I'm not out of the woods yet.

Now I'm getting redirects when I click links in google and yahoo searches. This is a new occurrence.

[evilfantasy]

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

----------

RootRepeal - Rootkit Detector

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

[TrentWalker]

ComboFix log is attached.

Here is the RootRepeal log (also attached):

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/03/02 21:21
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF9810000   Size: 31744   File Visible: No   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA46F000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9A88000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF9A56000   Size: 7872   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9C40000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\DVDVideoSoft\FEIST-~4.MP4:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf9b5a166

#: 053   Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf9b5a15c

#: 063   Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf9b5a16b

#: 065   Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf9b5a175

#: 098   Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf9b5a17a

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf9b5a148

#: 128   Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf9b5a14d

#: 193   Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf9b5a184

#: 204   Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf9b5a17f

#: 247   Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf9b5a170

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf9b5a157

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0xffaaba70   Size: 1425

==EOF==

[Saving space, attachment deleted by admin]

[evilfantasy]

Download the MBR Rootkit Detector to your desktop.

Go to Start > Run then copy and paste the following red text into the Open field then click OK:

"%userprofile%\desktop\mbr.exe" -f

Next, double click on the mbr.exe file and post the contents of the new mbr.log

----------

How is the computer running now?

[TrentWalker]

Here is the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0xffa56f98
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> 0xff637330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !
Use "Recovery Console" command "fixmbr" to clear infection !

My computer is running horribly right now. Once again, it seems like the hard drive is constantly being worked/trying to open a program. 

BTW, I haven't gotten to removing the old Adobe Acrobat Reader yet. I hope that's not the reason for this.