jatoghia (Members) · Posts: 14 · Reputation: 0 Neutral
  1. Attached is the report.txt file generated after I mapped both my main NTFS partition (x) and also my recovery partition (y) in Ubuntu.
  2. Sorry for the delay. I got sent out of town for work. I just have two questions before proceeding. First, since I already have a UNIX partition on my system, wouldn't it just be easier to mount my NTFS partition and run whatever UNIX-based tools you want me to run from that? Second, I once removed a rootkit device driver that had added itself to Vista's essential device list. With the driver removed, the system would no longer boot and would wind up loading the repair console. Do you think that could happen again here?
  3. My frustration is only mounting. So I booted into safe mode, dragged the CFScript.txt onto Combofix.exe, and first I got a warning about Avira, so I went to disable it, but there is nothing for Avira running in the system tray in safe mode, so then I launched the AntiVir Control Center and it showed that Avira is not currently running. I then went to Task Manager and couldn't see any Avira processes running on the system, so I went ahead and ran Combofix despite the warning about my anti-virus software, which, as far as I could tell, was not running. During the execution of Combofix in safe mode, I got two "Access Denied: Administrative privs are required" messages (one at the very beginning, and one around Stage 38), which is particularly odd since UAC is supposed to be disabled in safe mode (a fact that I confirmed). Now that I think about it, I have been noticing weird issues with my permissions for a while now, such as when I tried to save a file to a directory and Windows told me I needed administrative privs (even though I am an administrator) and wouldn't even allow me to elevate the task. I also tried running TDSSKiller thinking that I might have an MBR infection, but whether I select "Run as administrator" or even try to run from safe mode using the "Run as administrator" option, I still get the stupid "You need to have administrative privs" error message and the program quits. The only conclusion I can reach is that this infection is obviously much deeper than anything we've tried thus far. I appreciate your help if you still have any ideas. And yes, the system is still running ridiculously slowly. ComboFix.txt
  4. Same blue screen. It says it is happening on pwdiipow.sys which is the driver we supposedly removed.
  5. Now I cannot run GMER. Last two attempts both resulted in BSOD, Paged Access to Non-Paged Area.
  6. Correction, I meant my GMER log was included in the zip file I attached to the initial post. Sorry for any confusion.
  7. OK. I will run GMER again when I get home. If you recall, my GMER log was included with the email following the "now what do I do?" procedures pinned to the top of this forum. Do you think it will catch something new this time or did you want to look at the ark.txt file I attached at the very beginning?
  8. It simply reported 1 hidden object in its scan summary. When I checked the scan log it listed "c:\windows\explorer.exe" as a hidden object. Unfortunately, the computer doesn't appear to be running any faster. The hard drive continues to have extremely long pauses between short bursts of reads, causing major performance problems. It takes nearly 10 minutes from password login until I can actually use the computer. 1-2 minute delays occur when launching apps, especially bad for those that require elevated administrative privs. Video playback is impossible as it keeps pausing. This is with a Western Digital Black (performance) drive. I ran SMART to make sure the problem wasn't hardware related, and besides, my Ubuntu and Windows recovery partitions are not exhibiting the problem, so it must be software related. Strangest of all is that this wasn't a performance degradation issue but, like a light switch, my machine went from working fine to having all these problems, more like a Trojan that decided to go active. If memory serves, I hadn't installed anything before the problem started, and the last thing I remember was that I had to abruptly shut down the machine (couldn't wait for a clean software shutdown), so I tried "chkdsk /f" and also "sfc /scannow" to see if there was any corruption of my OS, but nothing was detected. The fact that Spybot, Malwarebytes, and Avira are all returning completely clean scans, when there are usually at least 1-2 tracking cookies on the system, is enough to convince me that something is still hiding all the malware.
  9. Here you go. What should we do next? Is it at all useful to you that Avira is reporting explorer.exe as a hidden object? ComboFix.txt
  10. Sorry, earlier problem with the attachment. Here you go. ComboFix.txt
  11. I briefly used the proxy server to stream some news from the BBC (which needed to think my computer was in the UK), but I immediately disabled it afterwards. Machine still slow. Combofix.txt attached. Thank you for all your assistance thus far.
  12. So a few days ago, all of a sudden, I noticed that my system was taking longer to boot up, and then I noticed that my system performance had ground to a screeching halt. The hard drive in my system appears to be accessed in very short bursts with long pauses in between. I ran a scan with Avira and noticed in the log that it was preventing my hidden-object search from taking place. I also noticed that when UAC needs permission it is now coming up with a completely different allow/deny prompt that looks more like a Norton Labs-style prompt, and I've never had Norton installed on this system. The system delays are particularly bad when I have to approve something to run as administrator, which can take several minutes to start running. One last observation was that when I followed the steps on this site to download DDS, that was when Avira detected dds.pif as a virus, so I'm pretty sure whatever this rootkit is, it has gotten its hooks into my antivirus software as well. Thank you for your help. DDS.txt follows: DDS (Ver_11-03-05.01) - NTFSx86 Run by toghia at 21:51:39.01 on Tue 03/29/2011 Internet Explorer: 8.0.6001.19019 Microsoft Attach.zip mbam-log-2011-03-29 (21-18-39).txt
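Two of the posts above (the boot-loop after a rootkit driver was removed from the "essential device list", and the later blue screen on pwdiipow.sys, the driver that had supposedly been removed) describe the same failure mode: a kernel-driver service entry with Start=0 is still in the SYSTEM hive, but its binary is gone or has been replaced, and the boot-time driver load fails. The script below is an added example written for this page, not code from the forum or from any of the tools named in the thread (ComboFix, GMER, TDSSKiller). It walks the driver services of a SYSTEM hive, resolves each ImagePath the way the service control manager does, and flags boot-start entries whose file is missing, files not signed by Microsoft, and any name matching a suspect driver. The hive-root and system-root parameters, the default driver location (System32\drivers\<service>.sys) and the use of pwdiipow.sys as the default suspect name are assumptions chosen for illustration. It runs against the live system by default, or against an offline hive (for instance from a WinRE prompt, or after mounting the NTFS partition and copying config\SYSTEM) once that hive is loaded with `reg load`.

```powershell
# Added example (not from the thread): list kernel/file-system driver services in a
# SYSTEM hive and flag the conditions discussed above.
#   Live system:    .\Find-BrokenDrivers.ps1
#   Offline hive:   reg load HKLM\OfflineSYS X:\Windows\System32\config\SYSTEM
#                   .\Find-BrokenDrivers.ps1 -HiveRoot 'HKLM:\OfflineSYS' -SystemRoot 'X:\Windows'
param(
    [string]$HiveRoot   = 'HKLM:\SYSTEM',          # assumed default, override for offline hives
    [string]$SystemRoot = $env:SystemRoot,         # Windows directory the ImagePaths refer to
    [string]$Suspect    = 'pwdiipow.sys'           # driver name taken from the thread
)

# CurrentControlSet is a live-system alias; an offline hive only has Select\Current.
$ccs = Join-Path $HiveRoot 'CurrentControlSet'
if (-not (Test-Path $ccs)) {
    $n   = (Get-ItemProperty (Join-Path $HiveRoot 'Select')).Current
    $ccs = Join-Path $HiveRoot ('ControlSet{0:D3}' -f $n)
}

function Resolve-ImagePath([string]$ImagePath, [string]$Name) {
    # Service keys store ImagePath in several shapes; normalise to a plain file path.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # No ImagePath: the loader defaults to System32\drivers\<service name>.sys
        return Join-Path $SystemRoot "System32\drivers\$Name.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$SystemRoot\"
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem (Join-Path $ccs 'Services')) {
    $svc = Get-ItemProperty $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; everything else is user mode.
    if ((1, 2) -notcontains $svc.Type) { continue }

    $path   = Resolve-ImagePath $svc.ImagePath $key.PSChildName
    $exists = Test-Path $path
    $signer = ''
    if ($exists) { $signer = (Get-AuthenticodeSignature $path).SignerCertificate.Subject }

    $problem = ''
    if ($path -match [regex]::Escape($Suspect)) {
        $problem = 'matches suspect driver name'
    } elseif ($svc.Start -eq 0 -and -not $exists) {
        # Exactly the "removed the file, left the service" case: fails at boot.
        $problem = 'boot-start driver, file missing'
    } elseif ($exists -and $signer -notmatch 'Microsoft') {
        $problem = 'not embedded-signed by Microsoft (triage hint only, see note)'
    }

    [pscustomobject]@{
        Service = $key.PSChildName
        Start   = $svc.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        Path    = $path
        Exists  = $exists
        Signer  = $signer
        Problem = $problem
    }
}

$findings | Where-Object { $_.Problem } | Sort-Object Start | Format-Table -AutoSize
```

Two caveats for anyone using this on a machine like the one in the thread. First, many Microsoft inbox drivers are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature only checks the embedded signature on the PowerShell versions shipped with Vista and Windows 7, so the signer column is a triage hint, not proof of tampering; the boot-start-with-missing-file and suspect-name rows are the ones that matter. Second, the safe fix for a flagged boot-start entry is to delete that service key from the offline hive (reg delete under the loaded HKLM\OfflineSYS path, then `reg unload`) before rebooting, rather than deleting the .sys file alone, which is how the earlier boot loop came about.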