
Failure to launch



I first posted my problem in the general forum and have been instructed to start again in this forum.

I initially had an outbreak of PC Antispyware 2010 that I was eventually able to stop by manually removing almost all the files created on the day this rogue program overtook my system. I also removed those files I could find (2) from those listed in several different web instruction sets for manual removal of PCAV2010.

I am now left with the problem of not being able to run any anti-malware like MBAM, Spybot S&D or AVG. HJT would not run. I tried all of these in both normal and safe mode with the same non-results. I also tried running them with different filenames, as suggested in several forums. I tried running them with Win2000 or XP compatibility also. Nothing worked. Whatever it is, it also locks out deleting or renaming the .exe files once they have been tried and failed. It seems to have disabled Google's Advanced Search feature also, though that could have been me mucking around in the registry.

I was able to get Avira Antivir to run. It detected and quarantined a pile of crap, but did not solve the antimalware hangups. I have that report if you want to see it. I was able to get Avira Rootkit Tool to run. It detected nothing. I tried booting with an Avira Antivir Rescue System boot disk (from disks downloaded on two different machines) and all I got was a screen image of a weird fat little gremlin with a tail, sitting on his ass wearing a tied-on fake beak/nose, flashing his feet at me (BTW WTF is up with that!?).

I tried LSPFix, which ran but didn't help with the failure to launch problem.

WinsockFix would not run.

I tried, as instructed, all the fixes suggested in MBAM FAQ #5. No joy.

procexp.exe ran but returned no listings that appeared abnormal. Nothing identifiable as AV360, Fake Alert, TotalSecurity, SystemSecurity...

RootRepeal was whacked just like MBAM, AVG, Spybot.... even when renamed.

HJT: When newly loaded it seems to run for a few seconds more than the others, but is whacked as above.

I read "I am Infected", as instructed, and got nowhere with anything from there.

ComboFix reports:

Access is denied.

Access is denied.

Access is denied.

Please wait.

ComboFix is preparing to run.

Access is denied.

Win32kDiag.exe finds Mount Points for a lot of stuff under C:\WINDOWS\... and reports their destinations as :\Device\_max++>\^

Win32kDiag reports it is denied access to:

C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

C:\WINDOWS\system32\attrib.exe

C:\WINDOWS\system32\config\default.bak

C:\WINDOWS\system32\config\sam.bak

C:\WINDOWS\system32\config\security.bak

C:\WINDOWS\system32\config\software.bak

C:\WINDOWS\system32\config\system.bak

C:\WINDOWS\system32\cscript.exe

C:\WINDOWS\system32\eventlog.dll

C:\WINDOWS\system32\findstr.exe

C:\WINDOWS\system32\ping.exe

C:\WINDOWS\system32\route.exe

I booted Norton 360 from the CD-ROM and it found nothing.

I made a BartPE bootable CD on my clean laptop and was able to get it to boot my infected machine from the CD-ROM. However, I don't know what I am looking for, where it might be hiding or which, if any, of the listed BartPE plugins might help.

When I tried to run MBAM from within BartPE it failed to run, reporting "Unable to access MSVBVM60.dll". This .dll was not included in those burned while making the bootable CD. I tried to add it, but can't get BartPE's setup to put it in the system32 folder with the rest of the .dll's. I am now trying to figure out how to get BartPE to include it in the correct folder. I tried getting the BartPE setup to write to a separate HD folder, added the dll, then wrote that folder's content to a CD, but it doesn't want to boot from this CD. Looking at both BartPE disks (the one that works and the one that doesn't) in Windows Explorer, they appear to be the same, except for the .dll I added.

What next?

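The two findings in the Win32kDiag output above (mount points under C:\WINDOWS with odd targets, and "access denied" on ordinary system32 binaries) can be re-checked without trusting anything on the infected system, by running from the BartPE/WinPE environment the poster already has. The following is an added example and not code from the thread, from Win32kDiag or from any of the tools named; it assumes PowerShell 3.0 or later in the rescue environment, and $Root is an assumed path that must point at the offline Windows directory of the infected volume. It lists every reparse point under that directory with its target, marking targets that are neither a drive-letter path nor a \??\Volume{GUID}\ path, and then tries a plain read-open on the files Win32kDiag could not access, printing the DACL next to the result so an ACL problem can be told apart from something filtering access below the file API.

```powershell
# Added example (not from the thread or from Win32kDiag). Run from WinPE with the
# infected volume mounted; $Root is an assumed location for the offline Windows dir.
param(
    [string]$Root = 'C:\WINDOWS'
)

# --- 1. Reparse points (junctions / mount points) under the Windows directory -----
# XP does not create junctions or mount points inside %WINDIR%, so anything found here
# is worth a look. A target that is neither a drive-letter path nor a \??\Volume{GUID}\
# path (for example a bare \Device\... name) is marked Unusual.
$reparsePoints = Get-ChildItem -Path $Root -Recurse -Force -Attributes ReparsePoint `
                   -ErrorAction SilentlyContinue
foreach ($rp in $reparsePoints) {
    # .Target is populated on PowerShell 5.1+/7; fsutil is the fallback on older builds.
    $target = @($rp.Target) -join '; '
    if (-not $target) {
        $target = (& fsutil.exe reparsepoint query $rp.FullName 2>&1 | Out-String).Trim()
    }
    $normal = ($target -match '^[A-Za-z]:\\') -or ($target -match '^\\\?\?\\Volume\{')
    [pscustomobject]@{
        Path    = $rp.FullName
        Target  = $target
        Unusual = -not $normal
    }
}

# --- 2. Can the files Win32kDiag reported as denied actually be opened? -----------
# The list is the one from the Win32kDiag output above. Each file is opened read-only
# with FileShare.ReadWrite (so a legitimately open file does not cause a false alarm),
# and its DACL is printed so a rewritten ACL can be recognised directly.
$binaries = @(
    'system32\attrib.exe',  'system32\cscript.exe', 'system32\findstr.exe',
    'system32\ping.exe',    'system32\route.exe',   'system32\eventlog.dll',
    'pchealth\helpctr\binaries\helpsvc.exe',
    'system32\config\default.bak', 'system32\config\sam.bak',
    'system32\config\security.bak', 'system32\config\software.bak',
    'system32\config\system.bak'
)
foreach ($rel in $binaries) {
    $path = Join-Path $Root $rel
    if (-not (Test-Path -LiteralPath $path)) {
        $state = 'missing'
    } else {
        try {
            $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                                          [System.IO.FileAccess]::Read,
                                          [System.IO.FileShare]::ReadWrite)
            $fs.Dispose()
            $state = 'readable'
        } catch {
            # .NET exceptions surface wrapped; look at the inner exception for the real type.
            $inner = if ($_.Exception.InnerException) { $_.Exception.InnerException } else { $_.Exception }
            $state = if ($inner -is [System.UnauthorizedAccessException]) { 'ACCESS DENIED' }
                     else { 'error: ' + $inner.GetType().Name }
        }
    }
    try   { $dacl = (Get-Acl -LiteralPath $path).AccessToString -replace '\s+', ' ' }
    catch { $dacl = '<ACL unreadable>' }
    '{0,-14} {1}  [{2}]' -f $state, $path, $dacl
}
```

Run it from the rescue environment, not from the infected Windows installation: the whole point of the thread is that tools started on the live system are being interfered with, so any result obtained there is suspect. A file that shows ACCESS DENIED here, from an offline boot where the administrator has Backup/Restore privileges, with a normal-looking DACL, is a much stronger indicator than the same message on the live system.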

This is a pretty nasty one. Try RunAlyzer from a BartPE disk. It has the ability to save a HijackThis log. You just have to click on the 'Logs' tab, and click the "Create HJT Log" button. Save that log somewhere that will allow you to copy and paste it into a reply here.

If you need me to, I can give you a plugin to add RunAlyzer to a BartPE disk.


Thank You.

I would greatly appreciate that RunAlyzer plugin for BartPE. How would you like to send it?

I tried to load a BartPE SpybotSD plugin and could not get pebuilder to include it on the BartPE disk. It was loaded into the correct plugin folder and enabled but on the burnt disk that folder was empty. I couldn't decipher how to get a MBAM plugin from the pages and pages of discussion on its development elsewhere on this forum, as I am a lowly user, not a coder. I also tried to run MBAM from a flashdrive via the BartPE file management program. It asked for a missing MSVBVM60.dll before it would run. When I tried to load this .dll via pebuilder it wouldn't place it anywhere but up front in the "BartPE" folder, even when instructed that the "output" was to "C:\Program Files\BartPE\pebuilder3110a\BartPE\I386\system32"

This thing is so weird it has every IT geek I know stumped and scratching their heads (or other body parts) and waiting for a solution so they will know what it was.


I would greatly appreciate that RunAlyzer plugin for BartPE. How would you like to send it?

Here is a download link. It already has RunAlyzer in it (and thus I should remove the link soon, as I do not have permission to redistribute it). Let me know when you've downloaded it. :D

Just extract it into your PE Builder plugins dir, and compile a new BartPE disk. It's ready to go without any modifications.


I was able to get the RunAlyzer plugin to write to the BartPE disk plugin file. I was given an Ultimate Boot CD 4 Windows with MBAM on it. It ran but did not detect anything.

Now we're going to try a .bat to rewrite some registry and services that appear to have been reset.

After I run BartPE with RunAlyzer I will report back the results.


RunAlyzer showed just two suspicious things that remained after using the "Hide Legit" button.

When looking at "Advanced Startups" it flagged SCRNSAVE.EXE, under

HKEY_USERS\PE_C_(MY NAME)\Control Panel\Desktop\

HKEY_USERS\PE_C_(MY NAME)\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

HKEY_USERS\PE_C_ALL USERS\Control panel\Desktop\

HKEY_USERS\PE_C_ALL USERS\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

HKEY_USERS\PE_C_ADMINISTRATOR\Control Panel\Desktop\

HKEY_USERS\PE_C_ADMINISTRATOR\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

HKEY_USERS\PE_C_DEFAULT USER\Control Panel\Desktop\

HKEY_USERS\PE_C_DEFAULT USER\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

HKEY_USERS\PE_C_LOCAL SERVICE\Control Panel\Desktop\

HKEY_USERS\PE_C_LOCAL SERVICE\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

HKEY_USERS\PE_C_NETWORK SERVICE\Control Panel\Desktop\

HKEY_USERS\PE_C_NETWORK SERVICE\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

HKEY_USERS\PE_C_S-1-5-18\Control Panel\Desktop\

HKEY_USERS\PE_C_S-1-5-18\SOFTWARE\Policies\Microsoft\Windows\Control panel\Desktop\

ThreatExpert flags this as 100% threat.

When looking at "Explorer Plugins" RunAlyzer flagged TWEXT.DLL, listed with many entries described as "Restricted Sites Zones" under

HKEY_USERS\PE_C_(MY NAME)\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

There are conflicting opinions in several online discussions as to whether TWEXT.DLL is/is not a threat.

Suggestions?

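The RunAlyzer findings above come from hives that BartPE loaded under the PE_C_ prefix, which is the right way to look at them: the registry is read offline, so nothing on the infected installation gets a say. The same two checks can be done by hand with reg.exe and the registry provider. The following is an added example, not from the thread or from RunAlyzer; it assumes PowerShell 3.0 or later running as Administrator in WinPE, and $HivePath, $VolumeRoot and $MountName are assumed values for the user hive to inspect, the mount point of the infected volume, and a scratch key name. It loads the hive, reports the SCRNSAVE.EXE value from both the user key and the policy key that overrides it (checking whether the named binary exists on the offline volume and is a .scr at all), lists every domain the ZoneMap places in the Restricted Sites zone, and unloads the hive again.

```powershell
# Added example (not from the thread or from RunAlyzer). Run as Administrator from WinPE.
# $HivePath / $VolumeRoot / $MountName are assumed values; adjust to the mounted volume.
param(
    [string]$HivePath   = 'C:\Documents and Settings\Administrator\NTUSER.DAT',
    [string]$VolumeRoot = 'C:\',
    [string]$MountName  = 'OfflineUser'
)

# Paths stored in the hive refer to the original C: (often via %SystemRoot%); map them
# onto the volume as it is mounted now instead of letting the PE environment expand them.
function Resolve-OfflinePath([string]$StoredPath) {
    $p = $StoredPath.Trim('"') -replace '%(SystemRoot|windir)%', 'C:\WINDOWS'
    if ($p -match '^[A-Za-z]:\\(.*)$') { return Join-Path $VolumeRoot $Matches[1] }
    return Join-Path $VolumeRoot "WINDOWS\system32\$p"      # bare file name
}

& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HivePath (exit $LASTEXITCODE)" }

try {
    $base = "Registry::HKEY_USERS\$MountName"

    # 1. Screen saver. The Policies copy overrides the user's own value, and the binary
    #    should be a .scr that actually exists on the volume.
    foreach ($sub in 'Control Panel\Desktop',
                     'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop') {
        $key = "$base\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $scr = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
        if (-not $scr) { continue }
        $onDisk = Resolve-OfflinePath $scr
        '{0}\SCRNSAVE.EXE = "{1}"  exists={2}  isScr={3}' -f $sub, $scr,
            (Test-Path -LiteralPath $onDisk), ($scr -match '\.scr$')
    }

    # 2. ZoneMap\Domains: one subkey per domain (sub-subkeys for host names). A value
    #    named after the scheme ('http', 'https' or '*') holding 4 means Restricted Sites.
    $zm = "$base\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (Test-Path -LiteralPath $zm) {
        $restricted = Get-ChildItem -LiteralPath $zm -Recurse | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if (($p.Name -in @('http', 'https', '*')) -and ($p.Value -eq 4)) {
                    $_.PSPath -replace '^.*\\Domains\\', ''     # e.g. example.com\www
                }
            }
        }
        'Restricted Sites entries: {0}' -f @($restricted).Count
        $restricted | Select-Object -First 20
    }
}
finally {
    [GC]::Collect()                                   # release provider handles first
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

A large Restricted Sites list is not in itself a sign of compromise: several hosts-file and browser-hardening tools populate it deliberately, which is consistent with the conflicting opinions about TWEXT.DLL mentioned above. What matters is whether the entries are ones the user or a known tool put there. For SCRNSAVE.EXE the useful signals are a value that appears in the policy key when no policy was ever set, a binary that is not a .scr, or one that does not exist on the volume.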

I haven't been able to get HJT to run, thus have nothing to report.

I am tired of screwing around with this POS.

I found the missing OEM system restore disks so I now plan to transfer my essential files to an external HD, replace the corrupted HD with a new one, format, install the OS from scratch and give the corrupt HD to someone who can figure out what went/is wrong.

Thanks for the help though.


This topic is now closed to further replies.