Can't run programs or connect to internet

[Dr Jay]

See if you can run this:

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  
• After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
  
• Press CTRL C
• Open a Notepad and press CTRL V
• Post the output back here.

[Xerinous]

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: SPTI_Read() fails for \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd

     Size  Device Name          MBR Status
 --------------------------------------------
   149 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)


Press any key to quit...

[Dr Jay]

Hmm...appears either a disk sector is damaged, or Bootkit Remover cannot read the first sector of the hard disk.

Nonetheless, let's take a look at the kernel.

Download Kernel Detective: http://www.kernelmode.info/ARKs/Kernel_Detective_v1.3.1.zip

Extract the file to your Desktop.

Enter the folder and double-click on Kernel Detective.exe to get started.

We need four different logs, to be uploaded.

Click on Kernel Modifications tab, then click on File > Save Current List, and give it a name. The name should be in *.txt format.

Save the log to your Desktop.

Do the same for the Drivers tab, System Service Descriptor Table, and the System Service Descriptor Table Shadow.

Attach all the logs to your next reply.

[Xerinous]

Alright here are the logs I got, titled by the tab they came from.

[recovering disk space - old attachment deleted by admin]

[Dr Jay]

Try this real quick:

Please open Notepad and enter in the following:

@echo off
start remover.exe fix \.\PhysicalDrive0
exit

Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.

[Xerinous]

Here's what running remover.exe gave:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: SPTI_Read() fails for \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd

     Size  Device Name          MBR Status
 --------------------------------------------
   149 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)


Press any key to quit...

remover.bat gave an error:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

CreateFile() ERROR 2
ERROR: Can't open physical disk device.

Press any key to quit...

[Dr Jay]

Try once more, please.

[Xerinous]

Nothing changes, I'm given the exact same messages once more.

[Dr Jay]

Let's try something else...

Please download avz4.zip from

HERE

• Unzip it to your desktop to a folder named avz4
  
• Double click on AVZ.exe to run it.
  
• Run an update by clicking the Auto Update button on the Right of the Log window:
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.

• Click on the Execute selected scripts.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  [*It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the Advanced System Analysis" check box.

• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post[/list][/list][/list]

[Xerinous]

I can't get the files onto the flashdrive to attach them, I've tried every way I know, nothing works.

[Dr Jay]

The internet is still down on the infected machine?

[Xerinous]

Yes, yes it is.

[Dr Jay]

What other signs of infection are there?

[Xerinous]

Response times are slower than normal, files cannot be moved, by drag-and-drop or otherwise, Internet Explorer doesn't stay open for more than a second or so when the attempt is made (Firefox does, but stays at a blank page), on logging onto a user profile an error message is given:
 "RegisterClassObjects failed: hRes = 0x800706BA
  The RPC server is unavailable
  Maximum retry attempts exceeded".
Most programs that require some form of connection to the internet refuse to run, including Malware Bytes. iTunes opens but does not play anything. My taskbar has changed to the gray block-like appearance found in older versions of Windows, and icons on the desktop cannot be arranged by drag-and-drop but can by right-clicking.

That's what I can see at least.

[Dr Jay]

That means the MBR code from the malware is still there. :|

Whenever rootkit scanners, and antivirus software scan for the rootkit, it gets as close to the system kernel as possible. If the rootkit is beyond that point, it will not be detected.

Problem is, you could try to replace every file on the system, but still the rootkit will show its face.

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

• Double-click on drweb-cureit.exe to start the program.
  An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now, Click OK to start the scan.
  This is a short scan that will scan the files currently running in memory.
  If something is found, click the Yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis
  
• Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  
• Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  
• When finished, a message will be displayed at the bottom advising if any viruses were found.
• Click Yes to all if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can see the icon next to the files found.

If so, click it, then click the next icon right below and select Move incurable.
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

• Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit when you have finished.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)