Full Version: Hjt And Mbam Scans Don't Work
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
VenusKamal
Hello again...

I arrived home to be informed that the desktop computer is "acting weird". Looks like a virus or malware became active in the afternoon while my sister was using the computer. Looking at the computer I could see something has infected the computer. Kept getting these "Windows" like alerts about a virus or an attack from another user. My sister had tried to run Trend Micro Internet Security but the scan was hung up. I decided to reboot into safe mode.

From my clean laptop I downloaded and installed HJT and Mbam and performed the updates for Mbam. Also downloaded and installed Crap cleaner to the flash drive.

Ran the crap cleaner from the flash drive on the infected computer. Went into advanced settings to make sure all temp files would be deleted.

Next, trying to open Mbam and HJT from the desktop of the infected computer doesn't work. The programs don't open (in normal mode or safe mode). From the flash drive I can open both HJT and Mbam. However, running a scan causes both programs to close prematurely. Mbam scans for about three seconds and closes. HJT runs the scan but closes before it is done and a log can be created and saved.

I ran Trend Micro Internet Security in safe mode and it ran through a command prompt and saved a log.

Final piece of info is the repeated error window that appears. It reads:

Assert in LSP
Original==reinterpret_cast<PROC>(instance->org_startup)
capture\lsp\nolsp\wsp_patches.cpp:262

Here is the Virus Scan log

Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/24/2009 18:57:47
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 2.00-1000 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 385 (469205/508389 Patterns) (2009/08/22) (638550)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 813 (39184/508389 Patterns) (2009/08/19) (81300)

Command Line: C:\Program Files\Trend Micro\Internet Security\TVScan32.exe -S -SSAPTN -VSSPYWARE+ -c -d2 -I -LC=C:\Documents and Settings\Administrator\Desktop\Virus Scan.log A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\

Fail to Clean [TROJ_FAKEAVAL.LF]( 1) from C:\WINDOWS\system32\resdll.dll
Success Delete [TROJ_FAKEAVAL.LF]( 1) from C:\WINDOWS\system32\resdll.dll
156094 files have been read.
156094 files have been checked.
156015 files have been scanned.
257915 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/24/2009 20:13:00 1 hour 15 minutes 10 seconds (4509.84 seconds) has elapsed.(28.892 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*

I did not notice any change after the Trend Micro scan. The LSP error keeps popping up and HJT and Mbam still close from the flash drive when trying to scan. Hopefully someone has an idea to disable this bug to allow Mbam to get it.
HKEd
Hi VK...download RSIT to the desktop and see if it will run.
VenusKamal
Having a network connection and trying to use the internet from infected computer gives me windows security alerts.

Trying to download the RSIT on the clean computer did not work as Trend Micro blocks access to the website despite adding the URL to the list of allowed websites. I did have a copy of RSIT on the clean computer from back in March which I transferred to a USB drive. Put a copy on the desktop of the infected computer running in safe mode with no networking.

RSIT opens and runs but it doesn't look like a log file is saved.
HKEd
Try renaming RSIT.exe on the flash drive to 123.com, then running it from the flash drive.

We have to get some kind of idea of what the infection is. Does the task manager show any unusual processes?
VenusKamal
I also forgot to mention that some program installed. My sister said she didn't install anything. When the computer started acting weird something popped up and asked if she wanted to remove Mbam, to which she said "no". Something called "Protection System" installed and is in the startup menu. It appears to be a Microsoft program by the look of the colored shield icon on the program. I've not clicked on it. It has an Uninstall program with it but I did not click on that because I thought it would do more damage.

Renaming RSIT to 123 still results in the same issue. The scan runs, looks like it runs to completion, but no log file is saved.

Running safe mode, here are the processes from task manager:
svchost.exe
ctfmon.exe
iexplore.exe
explorer.exe
smss.exe
taskmgr.exe
wmiprvse.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

I've uploaded pics of the Device Manager Non plug and play devices.

It just seems the computer Gods have it in for me.
ranchhand
VK, rename the Hijack This file to Go123 or something, and move it on to your computer already renamed. Then try running it. Same with MB.
VenusKamal
The file names were already changed but I renamed as suggested and moved to desktop of infected computer.

Same result for HJT. Program opens. Scan begins and almost reaches completion and then it closes. No log is generated.

Moved renamed MBAM to desktop of infected computer and got an error code: 707 (3,0).

HKEd
Hi VK...Protection System is one of those rogue applications masquerading as a spyware scanner. It seems to have a rootkit component. You were right not to click on anything, or even try to uninstall it.

The Device Manager shots show nothing as the driver is well hidden.

Can you click on my user name and send me an email. I'll send you a zipped copy of Combofix (renamed). Save it to the flash drive and run it from there.
VenusKamal
I used an old copy of Combofix I had from June. Tried running Combofix from both the desktop and the flash drive and the program doesn't open. I see it running in the processes in the task manager.

Also, I noticed that the HJT program I put on the desktop named Go123 has been changed into an MS-DOS executable. Icon changed. It looks like it is pointing to a rootkit as you suggested. I took a screen shot but it is too large to attach, and for some reason my photobucket account is acting up where I can get to the page to upload a pic.
HKEd
QUOTE
I noticed that the HJT program I put on the desktop named Go123 has been changed into an MS DOS executeable. Icon changed.

If you renamed it with a COM extension, it will look like that. I worked on a similar infection on a friend's computer last weekend and there was a rootkit involved that regenerated malware files after they had been deleted.

See if GMER will run and generate a log. It will download as a randomly-named file, so no need to rename it.
VenusKamal
GMER download went smoothly. Transferred to flash drive and then onto the infected computer desktop. It launched OK in safe mode. Scan was in progress when a system error shut down Windows:

"A problem has been detected and windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: aujasnkj.sys

An attempt was made to write to read-only memory..."

Will attempt to run the scan again.
HKEd
Aujasnkj.sys is the rootkit. Seems to run from a temp folder. It operates outside of the Windows graphical user interface, which is why we need the fix tools to work. Getting rid of this bugger manually is next to impossible.
VenusKamal
QUOTE(HKEd @ Aug 26 2009, 10:42 PM) *

Aujasnkj.sys is the rootkit. Seems to run from a temp folder. It operates outside of the Windows graphical user interface, which is why we need the fix tools to work. Getting rid of this bugger manually is next to impossible.


Just my luck it seems.

Well, tried it again and it automatically did a brief scan and detected a service and asked if I wanted to do a full scan. I said yes and while scanning Windows shuts down again with the same stop error and the aujasnkj.sys file named.

"Technical information:
***Stop: 0x000000BE (0xF7B6106C, 0x0A92D161, 0xB9C99B7, 0x0000000B)

*** aujasnkj.sys - Address B99944670 base at B9939000, DateStamp 4a891380 ..."
VenusKamal
I decided not to run the full system scan after the initial quick scan. I disabled the one detected rootkit and rebooted. Ran GMER again and see that the rootkit is still disabled. Saved a log for you to look at:

GMER 1.0.15.15077 [sjc4uxbr.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-26 22:58:34
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACklpykyulrh.sys (*** hidden *** ) [DISABLED] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Should I go ahead and delete this rootkit and then attempt another full scan? I'm still working in safe mode.

EDIT**
I decided to go ahead and run another full scan with this prelim rootkit disabled. Crossing fingers that perhaps this allows scan to complete.
HKEd
Hi VK...with two of the rootkits disabled, there appears to be some light at the end of the tunnel.

Once the rootkits are out of the way, it should be a routine fix.
VenusKamal
I've tried to run the GMER scan a few times. Last night it was taking so long that I let it run overnight. It looks like I'm still having the issue in that the GMER scan terminates early and no log file is created or saved. I ran it again in the AM and left for work and came back home to find that the program had closed and no log file.

I tried rebooting into normal mode thinking perhaps some other rootkits or other malware might be detected in that mode, but I got a shutdown warning about some service file not loading properly. So the computer shuts down and restarts after 60 seconds. Can't even log on to one of the computer profiles.

Booted back into safe mode again. Let the scan run for almost two hours, came back and the program is closed and no log file. What I did next was to manually terminate the scan and then save a partial log file. Only left it scanning (slowly) for about an hour. Here is the partial log (which I know still might not tell you much of anything).

GMER 1.0.15.15077 [sjc4uxbr.exe] - http://www.gmer.net
Rootkit scan 2009-08-27 21:19:04
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The filename, directory name, or volume label syntax is incorrect. !
? win32k.sys:2 The filename, directory name, or volume label syntax is incorrect. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\smss.exe[844] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dll
.text C:\WINDOWS\Explorer.exe[864] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\94CA9E00.x86.dll
.text C:\WINDOWS\Explorer.exe[864] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\94CA9E00.x86.dll
.text C:\WINDOWS\Explorer.exe[864] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\94CA9E00.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\94CA9E00.x86.dll
IAT C:\WINDOWS\Explorer.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\94CA9E00.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\94CA9E00.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [540] 0x35670000
Library \\?\globalroot\Device\__max++>\94CA9E00.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [864] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACklpykyulrh.sys (*** hidden *** ) [DISABLED] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACsapwnnoept.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACodpumflpas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACaehhcxllye.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACoknhvdwypx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuvjtmblnmj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmtvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkai.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACsapwnnoept.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACodpumflpas.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACaehhcxllye.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACoknhvdwypx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuvjtmblnmj.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ C:\WINDOWS\system32\Dxtmsft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\ProgID@ DXImageTransform.Microsoft.CrBlinds.1
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\ToolBoxBitmap32@ C:\WINDOWS\system32\Dxtmsft.dll,235
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\VersionIndependentProgID@ DXImageTransform.Microsoft.CrBlinds

---- EOF - GMER 1.0.15 ----


When ending the scan early, the two library entries about the rootkit I disabled earlier are in red. However, right clicking doesn't give me the option to disable or delete (both grayed out). Options weren't available on any of the other items in black.
HKEd
That is truly nasty. I don't know if this is fixable.

Download MBR.exe from here.

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here.
VenusKamal
QUOTE(HKEd @ Aug 27 2009, 11:31 PM) *

That is truly nasty. I don't know if this is fixable.


I had a feeling this was pretty bad. I don't know how I got infected. I've been diligent with running MBAM and the antivirus at least once a week. *sigh*

Here's the log


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
HKEd
At least the master boot record is OK.

Let's try another rootkit program (best run in safe mode):

Download RootRepeal to your desktop.

* Close all programs and temporarily disable your anti-virus, firewall and any anti-malware real-time protection before performing a scan.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip.
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:

* Drivers
* Processes
* SSDT
* Hidden Services

* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Exit RootRepeal and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
* Post the contents of rootrepeal.txt
VenusKamal
RootRepeal step went without a hitch. Here's the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 13:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xBA23F000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB99D9000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF775F000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xBA673000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACklpykyulrh.sys

==EOF==
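The GMER log two posts up and the RootRepeal report just above point at the same indicator: a service (UACd.sys) whose image on disk is hidden from normal file listing, plus, in GMER, a hidden in-process module loaded from a device-namespace path and hooks in Explorer.exe that resolve into it. As an added example that is not part of this thread and not code from GMER or RootRepeal, the Python below parses both log formats, pulls those indicators out, and reports the services both tools agree on. The two log excerpts are constructed from lines posted above (they are not the complete logs), and the regular expressions are written against those line formats, so treating them as valid for other versions of the tools is an assumption.

```python
"""Parse GMER and RootRepeal logs and cross-check their rootkit indicators.

Added example for this thread, not a tool shipped with GMER or RootRepeal.
Both log excerpts are constructed from lines posted above (not the full logs).
"""
import re
from collections import defaultdict

GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.exe[864] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\94CA9E00.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\Explorer.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\94CA9E00.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\94CA9E00.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [540] 0x35670000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\UACklpykyulrh.sys (*** hidden *** ) [DISABLED] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACsapwnnoept.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
"""

ROOTREPEAL_LOG = r"""
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xBA23F000 Size: 749568 File Visible: No Signed: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF775F000 Size: 20480 File Visible: No Signed: -

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACklpykyulrh.sys
==EOF==
"""

# Line formats as seen in the thread's GMER log (an assumption for other versions).
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+(?:\[\w+\]\s+)?(\S+)")
LIBRARY_RE = re.compile(r"^Library\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(\S+)\s+\[(\d+)\]")
INLINE_RE = re.compile(r"^\.text\s+(\S+?)\[(\d+)\]\s+(\S+!\S+).*\s(\S+)$")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\d+)\]\s+@\s+\S+\s+\[([^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(\S+)$")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\"
                    r"([^\\@\s]+)(?:\\([^@\s]+))?(?:@(\S+))?(?:\s+(.*))?$")
# Module loaded from the object-manager device namespace, not from a file path.
DEVICE_PREFIX = "\\\\?\\globalroot\\device\\"


def is_device_path(path):
    return path.lower().startswith(DEVICE_PREFIX)


def parse_gmer(text):
    """Hidden services, hidden modules, device-path hooks, per-service registry data."""
    out = {"hidden_services": {}, "hidden_modules": [], "hooks": [],
           "registry": defaultdict(lambda: defaultdict(dict))}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            out["hidden_services"][m.group(2)] = m.group(1)       # name -> image on disk
        elif m := LIBRARY_RE.match(line):
            out["hidden_modules"].append((m.group(1), m.group(2), int(m.group(3))))
        elif (m := INLINE_RE.match(line)) or (m := IAT_RE.match(line)):
            proc, pid, func, target = m.groups()
            if is_device_path(target):                             # only hooks into the hidden module
                kind = "inline" if line.startswith(".text") else "IAT"
                out["hooks"].append((kind, proc, int(pid), func, target))
        elif m := REG_RE.match(line):
            cs, svc, sub, val, data = m.groups()
            key = "@".join(p for p in (sub, val) if p)             # "start", "modules@UACc", ...
            out["registry"][svc][cs][key] = data or ""
    out["registry"] = {svc: dict(cs) for svc, cs in out["registry"].items()}
    return out


def parse_rootrepeal(text):
    """Hidden services plus drivers whose file is not visible; flag name:stream names."""
    out = {"hidden_services": {}, "invisible_drivers": [], "ads_names": []}
    section = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Drivers", "Hidden Services"):
            section = line
        elif section == "Hidden Services" and line.startswith("Service Name:"):
            name = line.split(":", 1)[1].strip()
        elif section == "Hidden Services" and line.startswith("Image Path:") and name:
            out["hidden_services"][name] = line.split(":", 1)[1].strip()
        elif section == "Drivers" and line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            if ":" in name:            # NTFS alternate-data-stream syntax is odd for a driver image
                out["ads_names"].append(name)
        elif section == "Drivers" and name and re.search(r"File Visible:\s*No\b", line):
            out["invisible_drivers"].append(name)
    return out


def corroborated_services(gmer, rootrepeal):
    """Services both tools report as hidden with the same image path (case-insensitive)."""
    return {name for name, path in gmer["hidden_services"].items()
            if rootrepeal["hidden_services"].get(name, "").lower() == path.lower()}


if __name__ == "__main__":
    g, r = parse_gmer(GMER_LOG), parse_rootrepeal(ROOTREPEAL_LOG)
    print("corroborated hidden services:", corroborated_services(g, r))
    print("device-path hooks:", [(h[1], h[3]) for h in g["hooks"]])
    print("services with registry data:", sorted(g["registry"]))
```

The "File Visible: No" list from RootRepeal is context rather than a verdict on its own: dump_iaStor.sys is the crash-dump copy of the storage driver, which Windows loads without a matching file of that name, and rootrepeal.sys is the tool's own driver. The strong signal is the service that both tools independently report as hidden, together with GMER showing a module loaded from a device-namespace path and hooks in a live process that resolve into it, and registry entries for the same service name across more than one control set.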
VenusKamal
I had a weird blip with the clean laptop I'm working from after my sister used it to do some job searching. I'm wondering if one of the sites she's visiting or her flash drive is infected. I ran SUPERAntiSpyware, Mbam and Trend Micro AntiVirus on the laptop. Just some adware cookies were detected and removed. Here's the HJT log for the laptop. (I wasn't sure if I should have created a separate thread. If I should, I can do that.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:30 PM, on 8/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Andre\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\Hcheck\Diana123.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Andre\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11150 bytes
HKEd
That log looks clean, but HijackThis will not show infections like the one we're dealing with. Let me know of any more 'weird blips'.

You should run Flash Disinfector on the flash drive to be on the safe side. Download Flash_Disinfector by sUBs and save it to your desktop.

    * Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    * Wait until it has finished scanning and then exit the program.
    * Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Back to the infected computer. I want to see if Avenger will work. Download The Avenger and unzip it to the desktop. Run Avenger.exe and copy/paste the contents of the Code box below to the section under 'Input script here':

CODE
Drivers to delete:
UACd.sys
TDSSserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACklpykyulrh.sys
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\win32k.sys


Click on Execute and reboot when prompted.

Post the Avenger log (C:\Avenger.txt).

That is not the full list of files to delete. If Avenger works, we can use it to delete the other files. I'm hoping to cripple this infection enough to get MBAM or one of the fix tools to work.
VenusKamal
My Trend Micro internet security is blocking the Flash_Disinfector site. If I recall correctly the software also removes the disinfector file as it says it is infected with a virus. Can I download the flash_disinfector from another source?

HKEd
I'll email it to you.
VenusKamal
I looked but did not see e-mail. Checked spam folders and didn't find it there either. I'll keep looking for it.
HKEd
I've attached it.
VenusKamal
Thanks for the flash disinfector again.

Avenger ran. Here's the log.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.sys" not found!
Deletion of driver "TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\UACklpykyulrh.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\smss.exe" deleted successfully.

Error: file "C:\WINDOWS\win32k.sys" not found!
Deletion of file "C:\WINDOWS\win32k.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
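Avenger repeats the same four-line block for every entry it could not delete, so the three logs in this thread get long fast. The following is an added Python helper, not part of Avenger or of this thread, that reduces a log to one record per entry with its outcome and NT status; the sample log is constructed from the Avenger log posted above.

```python
import re
from collections import Counter

# Constructed sample: the Avenger log posted in this thread, trimmed to the entries.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.sys" not found!
Deletion of driver "TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\UACklpykyulrh.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\smss.exe" deleted successfully.

Error: file "C:\WINDOWS\win32k.sys" not found!
Deletion of file "C:\WINDOWS\win32k.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
"""

# Only the "Driver"/"File" wordings appear on this page; the kind group is left
# open so other entry types Avenger may log are still captured.
OK_RE = re.compile(r'^(?P<kind>[A-Za-z ]+?)\s+"(?P<name>[^"]+)"\s+deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?P<kind>[A-Za-z ]+?)\s+"(?P<name>[^"]+)"\s+failed!$')
STATUS_RE = re.compile(r'^Status:\s+(?P<code>0x[0-9A-Fa-f]+)\s+\((?P<sym>[A-Z0-9_]+)\)$')


def parse_avenger(text):
    """Return one dict per script entry: kind, name, deleted flag and NT status symbol."""
    results, pending = [], None
    for line in text.splitlines():
        m = OK_RE.match(line)
        if m:
            results.append({"kind": m["kind"].lower(), "name": m["name"],
                            "deleted": True, "status": None})
            continue
        m = FAIL_RE.match(line)
        if m:
            # The Status line that explains the failure follows on the next line.
            pending = {"kind": m["kind"].lower(), "name": m["name"],
                       "deleted": False, "status": None}
            results.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = m["sym"]
            pending = None
    return results


def tally(results):
    """Counts per (kind, outcome) so successive logs can be compared at a glance."""
    counts = Counter()
    for r in results:
        outcome = "deleted" if r["deleted"] else (r["status"] or "failed")
        counts[(r["kind"], outcome)] += 1
    return counts


def not_found(results):
    """Entries Avenger could not locate: for a driver that means no service key under
    CurrentControlSet, for a file that the path did not exist when the script ran."""
    return [r["name"] for r in results if r["status"] == "STATUS_OBJECT_NAME_NOT_FOUND"]


if __name__ == "__main__":
    res = parse_avenger(SAMPLE_LOG)
    for (kind, outcome), n in sorted(tally(res).items()):
        print(f"{kind:7s} {outcome:30s} {n}")
    print("not found:", not_found(res))
```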
HKEd
It's a good sign that Avenger works.

Use this code in Avenger:

CODE
Files to delete:
C:\Windows\system32\drivers\TDSSmqlt.sys
C:\Windows\system32\UACsapwnnoept.dll
C:\Windows\system32\UACodpumflpas.dll
C:\Windows\system32\UACaehhcxllye.dat
C:\Windows\system32\UACoknhvdwypx.dll
C:\Windows\system32\UACuvjtmblnmj.dll
C:\Windows\system32\TDSSoiqt.dll
C:\Windows\system32\TDSSmtvd.dat
C:\Windows\system32\TDSShrxx.dll
C:\Windows\system32\TDSSvkql.dll
C:\Windows\system32\TDSSxfum.dll
C:\Windows\system32\TDSSlxwp.dll
C:\Windows\system32\TDSSnmxh.log
C:\Windows\system32\TDSSsahc.dll
C:\Windows\system32\TDSSkhyp.log
C:\Windows\system32\TDSSkkai.log


See if either HJT, MBAM, RSIT or Combofix will run after rebooting.
VenusKamal
Here is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\Windows\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\UACsapwnnoept.dll" deleted successfully.
File "C:\Windows\system32\UACodpumflpas.dll" deleted successfully.
File "C:\Windows\system32\UACaehhcxllye.dat" deleted successfully.
File "C:\Windows\system32\UACoknhvdwypx.dll" deleted successfully.
File "C:\Windows\system32\UACuvjtmblnmj.dll" deleted successfully.

Error: file "C:\Windows\system32\TDSSoiqt.dll" not found!
Deletion of file "C:\Windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSmtvd.dat" not found!
Deletion of file "C:\Windows\system32\TDSSmtvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSShrxx.dll" not found!
Deletion of file "C:\Windows\system32\TDSShrxx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSvkql.dll" not found!
Deletion of file "C:\Windows\system32\TDSSvkql.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSxfum.dll" not found!
Deletion of file "C:\Windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSlxwp.dll" not found!
Deletion of file "C:\Windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSnmxh.log" not found!
Deletion of file "C:\Windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSsahc.dll" not found!
Deletion of file "C:\Windows\system32\TDSSsahc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSkhyp.log" not found!
Deletion of file "C:\Windows\system32\TDSSkhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSkkai.log" not found!
Deletion of file "C:\Windows\system32\TDSSkkai.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


None of the other scans work. HJT and MBAM open and scan but the scan is terminated before completion (MBAM scans for 3 seconds and closes). No luck getting RSIT or Combofix to launch fully.
HKEd
Can you run GMER again and post the log. It seems to work best, even if it is a partial scan.

I've attached Combilook.zip that contains a BAT file. Save it to the desktop and unzip it there. It will look for any UAC* or TDSS* files and open a log file. Post that as well please.
HKEd
Forgot to attach the file.
VenusKamal
Here is the combi look log:

Volume in drive C has no label.
Volume Serial Number is A0D5-DC27

Directory of c:\Documents and Settings\Andre\Desktop

03/16/2009 11:48 PM <DIR> UACScan
03/16/2009 11:44 PM 189 UACScan.zip
1 File(s) 189 bytes

Directory of c:\Documents and Settings\Andre\Desktop\UACScan

03/16/2009 11:48 PM 80 UACScan.bat
1 File(s) 80 bytes

Directory of c:\Documents and Settings\Andre\Recent

03/16/2009 11:44 PM 396 UACScan.zip.lnk
1 File(s) 396 bytes

Directory of c:\Documents and Settings\Janeen\Local Settings\temp

08/24/2009 04:18 PM 343,040 UACcfcd.tmp
1 File(s) 343,040 bytes

Directory of c:\WINDOWS\system32

08/24/2009 11:24 PM 6,525 uacinit.dll
1 File(s) 6,525 bytes

Directory of c:\WINDOWS\Temp

08/24/2009 04:35 PM 49,152 uac5015.tmp
08/24/2009 04:35 PM 31,232 uac5332.tmp
08/24/2009 04:35 PM 44,032 uac5593.tmp
08/24/2009 04:35 PM 53,248 uac5872.tmp
08/24/2009 04:35 PM 2,519,040 uac5c2b.tmp
08/24/2009 04:34 PM 3,478,520 uac67f7.tmp
08/24/2009 04:35 PM 2,005,140 uacf8cd.tmp
7 File(s) 8,180,364 bytes

Total Files Listed:
12 File(s) 8,530,594 bytes
1 Dir(s) 14,531,756,032 bytes free


Here is the GMER log (fun for about 40 minutes or so):

GMER 1.0.15.15077 [sjc4uxbr.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 00:37:57
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\63EA3F4E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [548] 0x35670000
Library \\?\globalroot\Device\__max++>\63EA3F4E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1080] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACsapwnnoept.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACodpumflpas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACaehhcxllye.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACoknhvdwypx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuvjtmblnmj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmtvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkai.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ C:\WINDOWS\system32\Dxtmsft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\ProgID@ DXImageTransform.Microsoft.CrBlinds.1
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\ToolBoxBitmap32@ C:\WINDOWS\system32\Dxtmsft.dll,235
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\VersionIndependentProgID@ DXImageTransform.Microsoft.CrBlinds

---- EOF - GMER 1.0.15 ----
HKEd
Reading through the logs again, three critical Windows system files have been infected:

Explorer.exe
Svchost.exe
Kernel32.dll

This infection isn't going to go away unless we replace those files.

Can you remember if the Recovery Console was ever installed (it's an option with Combofix). If it was, there would be an option on the boot menu when Windows starts.

If the RC was not installed, we can try making a Knoppix (Linux) DVD on a clean computer, then boot to Knoppix to replace the files (I can email you the correct versions of the files for SP2).
HKEd
The Combilook log shows UACScan:

Directory of c:\Documents and Settings\Andre\Desktop\UACScan

That is just a part of Combilook that doesn't look for TDSS. Are you sure you used the right file - Combilook.bat?

I have to go and make lunch. Back in about an hour if you're still around. Please note my question above about the Recovery Console.
VenusKamal
Sorry I couldn't keep my eyes open any longer and headed off to bed.

It looks like the recovery console was installed. When booting into safe mode I can choose to boot into safe mode and then it gives me the choice to boot the recovery console or a safe mode version of Windows XP. Normally when the computer is first turned on Windows doesn't boot up right away. I have the option to press F1 to go into Windows or F2 to go into the Setup menu. After pressing F1 is when I press F8 to get to safe mode. Otherwise Windows loads normally though a very brief flash of the choice of the recovery console option is seen before Windows loads.

I just tried to launch the recovery console and got a Stop error screen.

I did use the Combilook.bat file you sent. Transferred the zip file to desktop (I've been using the Administrator profile while in safe mode). The UAC Scan folder holds another bat file that you might have sent to me regarding the issue back in March of this year with this same computer. The folder with the bat file is still sitting on the desktop of my profile.

I ran the Combilook again and the log it produced is the same as I posted above.
HKEd
If the Recovery Console blue screens, we're going to have to use a Knoppix DVD to access the files and delete them.

I'm still not confident that it's possible to recover from this. You would definitely be better off backing up what you can then reinstalling Windows. However, I'm willing to continue with this as long as you are.

One more try with Avenger as Combilook has detected many more malware files than GMER.

CODE
Drivers to delete:
UACd.sys
TDSSserv.sys
63EA3F4E

Files to delete:
C:\Windows\system32\drivers\TDSSmqlt.sys
C:\Windows\system32\UACsapwnnoept.dll
C:\Windows\system32\UACodpumflpas.dll
C:\Windows\system32\UACaehhcxllye.dat
C:\Windows\system32\UACoknhvdwypx.dll
C:\Windows\system32\UACuvjtmblnmj.dll
C:\Windows\system32\TDSSoiqt.dll
C:\Windows\system32\TDSSmtvd.dat
C:\Windows\system32\TDSShrxx.dll
C:\Windows\system32\TDSSvkql.dll
C:\Windows\system32\TDSSxfum.dll
C:\Windows\system32\TDSSlxwp.dll
C:\Windows\system32\TDSSnmxh.log
C:\Windows\system32\TDSSsahc.dll
C:\Windows\system32\TDSSkhyp.log
C:\Windows\system32\TDSSkkai.log
c:\Documents and Settings\Janeen\Local Settings\temp\UACcfcd.tmp
c:\WINDOWS\system32\uacinit.dll
c:\WINDOWS\Temp\uac5015.tmp
c:\WINDOWS\Temp\uac5332.tmp
c:\WINDOWS\Temp\uac5593.tmp
c:\WINDOWS\Temp\uac5872.tmp
c:\WINDOWS\Temp\uac5c2b.tmp
c:\WINDOWS\Temp\uac67f7.tmp
c:\WINDOWS\Temp\uacf8cd.tmp


Reboot and run GMER again.
VenusKamal
I'd appreciate if we can try the Knoppix DVD first. If that doesn't work then I concede to a reinstallation.

Here is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.sys" not found!
Deletion of driver "TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\63EA3F4E" not found!
Deletion of driver "63EA3F4E" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\Windows\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\UACsapwnnoept.dll" not found!
Deletion of file "C:\Windows\system32\UACsapwnnoept.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\UACodpumflpas.dll" not found!
Deletion of file "C:\Windows\system32\UACodpumflpas.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\UACaehhcxllye.dat" not found!
Deletion of file "C:\Windows\system32\UACaehhcxllye.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\UACoknhvdwypx.dll" not found!
Deletion of file "C:\Windows\system32\UACoknhvdwypx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\UACuvjtmblnmj.dll" not found!
Deletion of file "C:\Windows\system32\UACuvjtmblnmj.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSoiqt.dll" not found!
Deletion of file "C:\Windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSmtvd.dat" not found!
Deletion of file "C:\Windows\system32\TDSSmtvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSShrxx.dll" not found!
Deletion of file "C:\Windows\system32\TDSShrxx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSvkql.dll" not found!
Deletion of file "C:\Windows\system32\TDSSvkql.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSxfum.dll" not found!
Deletion of file "C:\Windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSlxwp.dll" not found!
Deletion of file "C:\Windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSnmxh.log" not found!
Deletion of file "C:\Windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSsahc.dll" not found!
Deletion of file "C:\Windows\system32\TDSSsahc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSkhyp.log" not found!
Deletion of file "C:\Windows\system32\TDSSkhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\TDSSkkai.log" not found!
Deletion of file "C:\Windows\system32\TDSSkkai.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\Documents and Settings\Janeen\Local Settings\temp\UACcfcd.tmp" deleted successfully.
File "c:\WINDOWS\system32\uacinit.dll" deleted successfully.
File "c:\WINDOWS\Temp\uac5015.tmp" deleted successfully.
File "c:\WINDOWS\Temp\uac5332.tmp" deleted successfully.
File "c:\WINDOWS\Temp\uac5593.tmp" deleted successfully.
File "c:\WINDOWS\Temp\uac5872.tmp" deleted successfully.
File "c:\WINDOWS\Temp\uac5c2b.tmp" deleted successfully.
File "c:\WINDOWS\Temp\uac67f7.tmp" deleted successfully.
File "c:\WINDOWS\Temp\uacf8cd.tmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I'm running GMER now. I'll let it run to see if it will run to completion and create a log. If not, I'll re-run tomorrow with a partial scan and save a log.

Again I appreciate your help in all this. Try as I might I just can't seem to please the computer gods lol.
HKEd
OK...not much I can do without seeing what GMER reports.

Can you run the CombiLook file again and see if it finds anything.

You'll need to install ImgBurn on the clean computer in preparation for making the Knoppix DVD.

Also, can you let me know if the infected computer is XP SP2. When replacing the infected Windows files, I want to use the correct versions. Even though you probably have backups in various Service Pack folders, I don't want to use them.
VenusKamal
Here is the GMER log (ran for about an hour - manual stop)

GMER 1.0.15.15077 [sjc4uxbr.exe] - http://www.gmer.net
Rootkit scan 2009-08-31 09:51:51
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? ejubgxku.sys The system cannot find the file specified. !
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[868] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\665B2ECC.x86.dll
.text C:\WINDOWS\Explorer.exe[868] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\665B2ECC.x86.dll
.text C:\WINDOWS\Explorer.exe[868] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\665B2ECC.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\665B2ECC.x86.dll
IAT C:\WINDOWS\Explorer.exe[868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\665B2ECC.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\665B2ECC.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [548] 0x35670000
Library \\?\globalroot\Device\__max++>\665B2ECC.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [868] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACsapwnnoept.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACodpumflpas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACaehhcxllye.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACoknhvdwypx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACuvjtmblnmj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoiqt.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSmtvd.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShrxx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxfum.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhyp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkkai.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ C:\WINDOWS\system32\Dxtmsft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\ProgID@ DXImageTransform.Microsoft.CrBlinds.1
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\ToolBoxBitmap32@ C:\WINDOWS\system32\Dxtmsft.dll,235
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\VersionIndependentProgID@ DXImageTransform.Microsoft.CrBlinds

---- EOF - GMER 1.0.15 ----


Here is the combilook log:

Volume in drive C has no label.
Volume Serial Number is A0D5-DC27

Directory of c:\Avenger

08/24/2009 04:35 PM 49,152 uac5015.tmp
08/24/2009 04:35 PM 31,232 uac5332.tmp
08/24/2009 04:35 PM 44,032 uac5593.tmp
08/24/2009 04:35 PM 53,248 uac5872.tmp
08/24/2009 04:35 PM 2,519,040 uac5c2b.tmp
08/24/2009 04:34 PM 3,478,520 uac67f7.tmp
08/24/2009 04:18 PM 343,040 UACcfcd.tmp
08/24/2009 04:35 PM 2,005,140 uacf8cd.tmp
08/24/2009 11:24 PM 6,525 uacinit.dll
9 File(s) 8,529,929 bytes

Directory of c:\Documents and Settings\Andre\Desktop

03/16/2009 11:48 PM <DIR> UACScan
03/16/2009 11:44 PM 189 UACScan.zip
1 File(s) 189 bytes

Directory of c:\Documents and Settings\Andre\Desktop\UACScan

03/16/2009 11:48 PM 80 UACScan.bat
1 File(s) 80 bytes

Directory of c:\Documents and Settings\Andre\Recent

03/16/2009 11:44 PM 396 UACScan.zip.lnk
1 File(s) 396 bytes

Total Files Listed:
12 File(s) 8,530,594 bytes
1 Dir(s) 14,528,589,824 bytes free


I downloaded the imgburn to the desktop of clean computer.

The infected computer is running XP Version 2002 Service Pack 3.
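HKEd's reading of the GMER log rests on three kinds of entries: a hidden library mapped into svchost.exe and Explorer.exe, inline patches of GDI32/USER32 exports in Explorer.exe, and Explorer's kernel32.dll import table redirected into that same library. Below is an added Python parser, not a tool from this thread or from GMER, that pulls those entries out of the log and separates them from the UACd.sys/TDSSserv.sys service keys, which GMER marks as sitting in a ControlSet that is not the active one (consistent with Avenger reporting those keys missing under CurrentControlSet); the sample log is constructed from lines copied from the GMER log above.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: excerpts copied from the GMER 1.0.15 log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15077 [sjc4uxbr.exe] - http://www.gmer.net
Rootkit scan 2009-08-31 09:51:51
Windows 5.1.2600 Service Pack 3

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[868] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\665B2ECC.x86.dll
.text C:\WINDOWS\Explorer.exe[868] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\665B2ECC.x86.dll
.text C:\WINDOWS\Explorer.exe[868] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\665B2ECC.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\665B2ECC.x86.dll
IAT C:\WINDOWS\Explorer.exe[868] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\665B2ECC.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\665B2ECC.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [548] 0x35670000
Library \\?\globalroot\Device\__max++>\665B2ECC.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [868] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACklpykyulrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmqlt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)

---- EOF - GMER 1.0.15 ----
"""

# One pattern per GMER line type used on this page.
HIDDEN_RE = re.compile(r"^Library\s+(?P<dll>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]")
INLINE_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[^!\s]+)!(?P<func>\S+)\s+\+\s+\S+\s+\S+\s+"
                       r"(?P<n>\d+)\s+Bytes\s+(?P<patch>\w+\s+[0-9A-Fa-f]+)\s+(?P<target>\S+)$")
IAT_RE = re.compile(r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<mod>\S+)\s+\[(?P<imp>[^\]]+)\]\s+"
                    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>\S+)$")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3})\\Services\\(?P<svc>[^\\@\s]+)")


def parse_gmer(text):
    """Collect hidden libraries, inline hooks, IAT redirections and service keys."""
    rep = {"hidden": [], "inline": [], "iat": [], "services": {}}
    for line in text.splitlines():
        if m := HIDDEN_RE.match(line):
            rep["hidden"].append((m["proc"], int(m["pid"]), m["dll"]))
        elif m := INLINE_RE.match(line):
            rep["inline"].append((m["proc"], int(m["pid"]), f"{m['mod']}!{m['func']}", m["target"]))
        elif m := IAT_RE.match(line):
            # ntpath, not os.path: the log paths are Windows paths even when parsed on Linux.
            rep["iat"].append((m["proc"], int(m["pid"]), ntpath.basename(m["mod"]), m["imp"], m["target"]))
        elif m := REG_RE.match(line):
            key = (m["cs"], m["svc"])
            # A key is inactive as soon as any of its lines carries GMER's marker.
            rep["services"][key] = rep["services"].get(key, False) or "(not active ControlSet)" in line
    return rep


def summarize_processes(rep):
    """Group findings by process image so each tampered program is listed once."""
    out = defaultdict(lambda: {"hidden_dll": set(), "inline": set(), "iat": set()})
    for proc, _pid, dll in rep["hidden"]:
        out[ntpath.basename(proc).lower()]["hidden_dll"].add(dll)
    for proc, _pid, api, _target in rep["inline"]:
        out[ntpath.basename(proc).lower()]["inline"].add(api)
    for proc, _pid, mod, imp, _target in rep["iat"]:
        out[ntpath.basename(proc).lower()]["iat"].add((mod.lower(), imp))
    return dict(out)


def hook_targets(rep):
    """Modules the hooks resolve to; every hook and hidden library here points at one DLL."""
    return ({t for *_, t in rep["inline"]} | {t for *_, t in rep["iat"]}
            | {d for *_, d in rep["hidden"]})


def inactive_services(rep):
    """Service keys GMER flagged as living in a ControlSet other than the booted one."""
    return sorted(k for k, inactive in rep["services"].items() if inactive)


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for image, f in sorted(summarize_processes(rep).items()):
        print(image, "hidden:", sorted(f["hidden_dll"]), "inline:", sorted(f["inline"]),
              "iat:", sorted(f["iat"]))
    print("implant modules:", sorted(hook_targets(rep)))
    print("service keys in inactive ControlSets:", inactive_services(rep))
```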
HKEd
What version of Windows is on the clean computer?

On the infected computer, I need you to check the Properties sheets of these three files (right-click > Properties > Version tab):

C:\Windows\Explorer.exe
C:\Windows\System32\Svchost.exe
C:\Windows\System32\Kernel32.dll

The version number of the files we use to replace these need to be as close as possible to those of the above files. I have XP SP2 and the versions are, respectively:

6.0.2900.3156
5.1.2600.2180
5.1.2600.3119

I can send you these files if needed.
VenusKamal
The clean computer is running Windows Vista Ultimate ver 2007 Service Pack 1.

Here are the versions of the respective files:

6.0.2900.5512
5.1.2600.5512
5.1.2600.5781

HKEd
Are those the file versions on the infected computer?

Download Knoppix from here. It's all in German, so I'll walk you through it:

Click on Download, then on the Knoppix Mirrors page, scroll down to the bottom of the page and click on the Purdue University link. On the next page, click on 'Akzeptieren', then click on KNOPPIX_V5.1.0CD-2006-12-30-EN.iso, 7th line from the top. Download the file to the desktop, pop a new DVD blank in the drive and click on the downloaded file. ImgBurn will handle the rest.
VenusKamal
QUOTE
Are those the file versions on the infected computer?


Those are the file versions from the infected computer.

I have the Knoppix burned as an image file on the DVD.
HKEd
Hi VK...I need you to find the correct versions of those files. You will find other versions in the C:\WINDOWS\$hf_mig$ folder. It's a hidden folder, so unhide it in Tools > Folder Options > View tab > Show Hidden Files and Folders > click Apply. While you're there UNcheck 'Hide extensions for known file types' > click Apply and OK.

Use the Search function to locate the three files - Explorer.exe, Svchost.exe and Kernel32.dll. You should find at least one of each file in the KBxxxxxx folders in the $hf_mig$ folder. Right-click on each and check the Properties sheet for the file versions. Also, check the exact file size on the General tab and post the file size and file size on disk in bytes. It's not unheard of for malware like this to infect backup files in other locations and I don't want to replace the infected files with other infected files.
VenusKamal
Looks like we've run into a snag...

Folder Options is not available under tools in safe mode. I can only map a network drive, disconnect network drive or synchronize. Worse is that I can't boot into normal mode. I get the system shutdown notice on the user profile select screen.

"'C:\\Windows\systmes32\services.exe' terminated unexpectedly..." is the message (with a status code) given. The system is supposed to terminate and restart after 60 seconds. Clicking on any of the profiles, the computer hangs while loading the personal settings of the profile.

Anything else to try? Or is this the end?
HKEd
Let's see if you can get the Folder Options back.

Start > Run > type regedit in the Open box and click OK. Click on the + signs to expand each section below:

+HKEY_CURRENT_USER
+Software
+Microsoft
+Windows
+CurrentVersion
+Policies
Click on the Explorer folder

In the right-side pane, check whether a DWORD value named NoFolderOptions exists or not. If it exists then right-click and delete the NoFolderOptions key.

Do the same for:

+HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows
+CurrentVersion
+Policies
Explorer

Close the registry editor, reboot and see if Folder Options is available.
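The same NoFolderOptions check HKEd describes for regedit, written as an added PowerShell example (not from the thread): it inspects both the HKCU and HKLM Policies\Explorer keys, reports what it finds before touching anything, and removes the value only where it exists. It assumes PowerShell 2.0 or later is available on the machine and that it is run from an elevated prompt, which the page does not state.

```powershell
# Added example (not from the thread): look for the NoFolderOptions policy value
# under both hives named in HKEd's instructions and remove it where present.
# Assumes PowerShell 2.0+ and an elevated prompt (HKLM needs admin rights).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$valueName = 'NoFolderOptions'

function Remove-NoFolderOptionsPolicy {
    param([string[]]$Keys, [string]$Name)
    foreach ($key in $Keys) {
        # On a clean machine the Policies\Explorer key may not exist at all.
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Output "$key : key absent (nothing to do)"
            continue
        }
        # Get-ItemProperty returns $null (with the error suppressed) when the value is not set.
        $item = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "$key : $Name not set"
            continue
        }
        # Record the value before deleting it so the change is documented.
        Write-Output "$key : $Name = $($item.$Name) (removing)"
        Remove-ItemProperty -LiteralPath $key -Name $Name
    }
}

Remove-NoFolderOptionsPolicy -Keys $policyKeys -Name $valueName
# Explorer reads the policy at start-up; reboot (as in the thread) or restart explorer.exe
# before checking whether Tools > Folder Options is back.
```

Logging the value before removal matters for the same reason HKEd asks for file versions: if the menu stays missing after the reboot, knowing which hive held the value (and that it was set to 1 rather than absent) tells you whether something re-applied the policy at start-up.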
VenusKamal
Sorry I wasn't online last night. Long family drama talk last night till the wee hours of the morning.

Doing the registry edits opened up the folder options and I was able to get the folder options back.

Here are the file versions for the three files located in the $hf_mig$ folder directory.

Explorer.exe - 6.0.2900.3156 (last modified 6/13/2007)

Svchost.exe - No file found in the $hf_mig$ folder. Found a version in C:\i386. Its file version is 5.1.2600.2180 (last modified 8/10/2004)

Kernel32.dll - 5.1.2600.5781 (last modified 3/21/2009)
HKEd
OK...looks like we're finally set to go.

Copy/paste those three files to the USB drive and boot to Knoppix. When Knoppix has finished loading, you'll see icons for the drives on the desktop. Click on each so you know what they are.

Right-click on sda2 (or whatever the C: drive is) and select 'Change read/write mode'. You'll get this message: "Do you really want to change the partition to be writable?". Click Yes.

Do the same for sdc1 (or whatever the USB drive designation is).

Locate C:\Windows\Explorer.exe and delete it. Do the same for C:\Windows\System32\Svchost.exe and C:\Windows\System32\Kernel32.dll

Locate Explorer.exe on the USB drive, right-click on it and select 'Copy to'. On the left of the panel that opens (not on the drop-down menu), click on Copy to Storage Media, then Local Disk (it may not be called Local Disk, but you should be able to tell from the files/folders showing). Click on the Windows folder, then copy the file to it.

Locate the other two files on the USB drive and copy them to the C:\Windows\System32 folder.

Look carefully in the C:\Windows\System32 and C:\Windows\System32\Drivers folders for any files beginning with UAC and TDSS. Delete any found.

Boot to Windows and see if you can run ComboFix or MBAM.
VenusKamal
I copied the files to the USB and booted into Knoppix. However I get an error when trying to 'Change read/write mode' to the hard drive:

"The remount command failed. Maybe there is another process acessing the filesytem currently"

I notice I get the same error for the backup drive D as well. Is there something else I need to do to be able to read/write to the drive through Knoppix?
HKEd
Is the file format NTFS?

I remember we had a similar situation a while back. The solution was to open the Konsole and type su (for super user), then:

mount -t ntfs /dev/hda1 /mnt/hda1

I'm going to locate my Knoppix disk and see if I can be a little more specific.