BleepingComputer.com: Zero access/root kit plus redirect

so i tried to self help by reading through as much of the forum as i possibly can relating to my problem. it first started with 40413892:0199283.exe and from there i got cloud protection trojan and things just keep getting worse. I wiped out Cloud protection using the instructions you guys gave but the random number colon (8283233:23023823.exe) cannot be killed from my task manager. i ran through all of the software given to me by this website and others except combofix. I got rid of the random number colon thing but now i still cannot open the AV software like malware, or spydoctor. im pretty sure the virus is still here somewhere embedded so deep that i have no choice but to run combofix. thank you guys for all the help.

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Run by Administrator at 7:53:38 on 2011-10-11
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2047.1385 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Soluto\SolutoService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://www.114la.com/index.htm
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111010202725.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [ctfmon.exe] ctfmon.exe
StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\READ ME FIRST.txt
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoThumbnailCache = 1 (0x1)
dPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3E431F82-4642-42EA-A9D0-B04EFC924A22} : DhcpNameServer = 192.168.2.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\vw2axyf9.default\
FF - prefs.js: browser.startup.homepage - mail.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53758
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nppl3260.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nprjplug.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\plugins\npqtplugin.dll
FF - plugin: c:\program files\plugins\npqtplugin2.dll
FF - plugin: c:\program files\plugins\npqtplugin3.dll
FF - plugin: c:\program files\plugins\npqtplugin4.dll
FF - plugin: c:\program files\plugins\npqtplugin5.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\administrator\application data\Move Networks
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2008-2-24 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2008-2-24 5248]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-2 461864]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-6-12 218592]
R0 Soluto;Soluto;c:\windows\system32\drivers\Soluto.sys [2011-7-14 51144]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-2 89624]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-5-2 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-2 166024]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-2 160344]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-2 148520]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2011-5-18 376352]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-2 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-2 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-2 338040]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-2 83688]
S3 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2011-6-12 112592]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-2 57432]
S3 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-5-2 214904]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-2 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-2 87808]
S3 P1130VID;Creative WebCam NX Pro;c:\windows\system32\drivers\P1130Vid.sys [2008-4-16 90229]
S3 pohci13F;pohci13F;\??\c:\docume~1\admini~1\locals~1\temp\pohci13f.sys --> c:\docume~1\admini~1\locals~1\temp\pohci13F.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-6-12 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-6-12 1142224]
S3 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2007-10-18 16896]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S4 ATIIDE;ATIIDE; [x]
S4 ide376xp;ide376xp; [x]
.
=============== Created Last 30 ================
.
2011-10-11 00:46:52 -------- d-sha-r- C:\cmdcons
2011-10-11 00:44:39 98816 ----a-w- c:\windows\sed.exe
2011-10-11 00:44:39 518144 ----a-w- c:\windows\SWREG.exe
2011-10-11 00:44:39 256000 ----a-w- c:\windows\PEV.exe
2011-10-11 00:44:39 208896 ----a-w- c:\windows\MBR.exe
2011-10-10 19:17:54 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-10 17:41:47 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-10-10 17:30:55 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-10 17:30:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-10 17:30:50 -------- d-----w- c:\windows\system32\AwwkUUVrlOBtP0c
2011-10-10 17:30:20 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2011-10-10 16:17:51 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-10 16:17:01 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-10-10 16:16:28 -------- d-----w- c:\program files\AVG
2011-10-10 16:11:28 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-10-10 15:33:59 94896 ----a-w- c:\windows\system32\drivers\22136733.sys
2011-10-10 15:16:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 19:35:58 94896 ----a-w- c:\windows\system32\drivers\21570199.sys
2011-09-16 23:32:22 28504 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
2011-09-15 21:37:33 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-09-15 21:37:33 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-09-15 21:37:32 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-09-15 21:37:32 505816 ----a-w- c:\program files\mozilla firefox\sqlite3.dll
2011-09-15 21:37:31 1015256 ----a-w- c:\program files\mozilla firefox\js3250.dll
2011-09-13 22:58:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Threat Expert
.
==================== Find3M ====================
.
2011-09-29 00:23:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-07 18:27:41 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 15:59:05 4194304 ----a-w- c:\windows\system32\xkymougc.dll
2011-08-15 17:00:06 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 17:00:06 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 17:00:06 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 17:00:06 83688 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-08-15 17:00:06 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 17:00:06 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 17:00:06 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 17:00:06 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 17:00:06 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 17:00:06 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-11-30 01:19:36 800048 ----a-w- c:\program files\QTPlugin.ocx
2010-11-30 01:19:36 1234224 ----a-w- c:\program files\QuickTimePlayer.exe
2010-11-30 01:14:54 7869728 ----a-w- c:\program files\QuickTimePlayer.dll
2010-11-30 01:14:54 369952 ----a-w- c:\program files\QTUIPanelControl.dll
2010-11-30 01:14:44 894240 ----a-w- c:\program files\QTOControl.dll
2010-11-30 01:14:44 820512 ----a-w- c:\program files\QTOLibrary.dll
2010-11-30 01:14:42 824608 ----a-w- c:\program files\QTInfo.exe
2010-11-30 00:38:18 421888 ----a-w- c:\program files\QTTask.exe
2010-11-30 00:38:06 561152 ----a-w- c:\program files\PictureViewer.exe
.
============= FINISH: 7:57:28.82 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.
  
• Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

After i ran combofix, everything seems to run okay but none of my anti-virus software can be opened. Malwarebytes cannot be opened because of 'windows cannot access the specified device, path, file'. Spydoctor is the same thing. My CPU is also taking a beating whenever i go on Chrome or Firefox when flash is running.

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.


Let me know if this fixes your security programs


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\drivers\22136733.sys
c:\windows\system32\drivers\21570199.sys

Folder::
c:\windows\system32\AwwkUUVrlOBtP0c

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

heres after the 2nd combofix

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo

nevermind. i got a log. sorry for the past 2 post...

This post has been edited by deadman316: 16 October 2011 - 01:40 AM

thinking i did it wrong, i extracted to c: drive, double clicked the junc.bat on desktop...the CMD window opened to nothing.

Hello

1. make sure junction.exe is on the C drive

2.click on start

3. click on run

4. type CMD into the run box and click on OK

5. copy and paste thes line into the CMD window

cd c:\
junction -s c:\>log.txt
start log.txt

6. wait about 5 min untill the report popsup

7.copy and paste this report here

gringo

sorry, i was a little impatient there. here's the log.txt

Hello

We need to reset some permisions that the virus changed

Download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\\Program Files\Spyware Doctor\pctsSvc.exe
c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\\Program Files\AVG\AVG2012\avgcsrvx.exe

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Gringo

is it a good thing there's nothing in the txt?

no it is not


try and run it again

heres what i did in order:
extract grantperms.exe onto desktop

double clicked the exe

copy and pasted c:\\Program Files\Spyware Doctor\pctsSvc.exe
c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe

pressed unlock. Pressed okay after unlock operation completed

pressed list permissions.

spat out a Perms.txt

i've attached a new one at 12:20 AM PST

Greetings

We need to reset the permissions altered by the malware on a file.

• Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  
• Go to Start => Run => Copy and paste the following lines one at a time in the run box and click OK:
  
  
  
  "%userprofile%\desktop\inherit" "c:\Program Files\Spyware Doctor\pctsSvc.exe"
  
  "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
  
  "%userprofile%\desktop\inherit" "c:\Program Files\AVG\AVG2012\avgcsrvx.exe"
  
  
  
  
  
  
• If you get a security warning select Run.
  
• You will get a "Finish" popup. Click OK.

When you have completed this run Juncion once more and send me the new report

Gringo