IE-redirect, User Profile login error, Windows files not accessible (access denied)

sandsrfr · May 23, 2010

Hello,

Got a Vista computer here that we've been having issues with. Tried running malwarebytes and full AVG scans, but no luck. After one of the restarts, the profile no longer started (ie: we got user profile logon errors, and the system started in a basic profile). Needless to say none of my icons, docs, etc where there because it wasn't logging into my profile.

I've installed and ran superantispyware also and it actually detected a c:/windows/mbr.exe file and was able to remove it (malwarebytes didn't find that).

I have since made a new user account and logged into that as with the original account, I got repeated: "C:\windows\system32\config desktop is not accessible access is denied" whenever I tried to do anything in that account (wheter it was opening explorer, trying to run a command, etc....)

Similar to what this person refered to: http://forums.malwarebytes.org/index.php?s...st&p=139709 (post #2)

I've attached my latest MBAM log (quick scan) and DDM logs.

I am currently scanning with ESET Online Scanner (partially done and it has found 3 threats so far = variant of WIN32/Agent trojan, Unknow NewHeur_PE virus, and multiple threats).

Can someone help me get this resolved! Please?

Thanks

Sands

mbam_log_2010_05_23__14_32_18_.txt

Attach.txt

DDS.txt

sandsrfr · May 23, 2010

Also, I forgot to mention, that prior to running this ESET online scanner, I downloaded the Defogger.exe (as referenced here in the forums) and disabled CD emulator drivers (maybe that is why eset is finding stuff now)?

Maniac · May 23, 2010

Hello sandsrfr! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

sandsrfr · May 23, 2010

Hello Borislav,

I downloaded GMER and tryed too scan... By default the 'Files' and the 'C' drive are checked. It started scanning, then it just disappeared.

Do I need to run this program and uncheck the 'files' and 'C' drive to get it to run properly?

Maniac · May 23, 2010

No, they should be checked. Let's try with this tool:

Download RootRepeal Beta on your desktop.

Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
[*]Click the OK button
[*]In the next dialog, select all drives showing
[*]Click OK to start the scan
Note: The scan can take some time.
DO NOT
run any other programs while the scan is running
[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
[*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

sandsrfr · May 23, 2010

Okay, here is the GMER log (when I ran it without the C: drive checked, it actually finished then), see attached.

I'll post the rootrepeal log as soon as it finished

GMER.txt

sandsrfr · May 23, 2010

Tried running rootrepeal several times... All times caused the system to restart. I also got a profile error on restart and the new user profile I made earlier is now messed up?

Here is the errors:

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: 19

BCP1: 00000020

BCP2: 8A1AB638

BCP3: 8A1ABA40

BCP4: 08810094

OS Version: 6_0_6002

Service Pack: 2_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini052310-02.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Temp\WER-65114-0.sysdata.xml

C:\Windows\System32\config\systemprofile\AppData\Local\Temp\WER311D.tmp.version.txt

Read our privacy statement:

http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

sandsrfr · May 23, 2010

Each time I try to log in now, I am getting a 'failed to connect to user profile service.....' balloon in the lower right... The desktop is missing the GMER and other programs that I just downloaded to it...???

sandsrfr · May 24, 2010

This program is JUNK!!! It does nothing but restart the computer immediately!

No, they should be checked. Let's try with this tool:
Download RootRepeal Beta on your desktop.
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
[*]Click the OK button
[*]In the next dialog, select all drives showing
[*]Click OK to start the scan
Note: The scan can take some time.
DO NOT
run any other programs while the scan is running
[*]When the scan is complete, the Save Report button will become available
[*]Click this and save the report to your Desktop as RootRepeal.txt
[*]Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Maniac · May 24, 2010

Thanks!

Step 1

Please, uninstall the following applications:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)

You can read, how to this in:

Step 2

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Open Tools -> Options -> Main tab
- Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

ComboFix log

sandsrfr · May 27, 2010

Sorry for the delay, here is my full GMER.log

GMER 1.0.15.15281 -

http://www.gmer.net

Rootkit scan 2010-05-27 00:52:57

Windows 6.0.6002 Service Pack 2

Running: mbdwdsbt.exe; Driver: C:\Users\Jason\AppData\Local\Temp\kflyrkob.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\Jason\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 77374D34 5 Bytes JMP 0070000A

.text C:\Windows\system32\svchost.exe[1256] ntdll.dll!NtWriteVirtualMemory 77375674 5 Bytes JMP 0083000A

.text C:\Windows\system32\svchost.exe[1256] ntdll.dll!KiUserExceptionDispatcher 77375DC8 5 Bytes JMP 006F000A

.text C:\Windows\system32\svchost.exe[1256] ole32.dll!CoCreateInstance 77219EA6 5 Bytes JMP 00B3000A

.text C:\Windows\system32\svchost.exe[1256] USER32.dll!GetCursorPos 774F0B88 5 Bytes JMP 00CB000A

.text C:\Windows\Explorer.EXE[3916] ntdll.dll!NtProtectVirtualMemory 77374D34 5 Bytes JMP 008D000A

.text C:\Windows\Explorer.EXE[3916] ntdll.dll!NtWriteVirtualMemory 77375674 5 Bytes JMP 008E000A

.text C:\Windows\Explorer.EXE[3916] ntdll.dll!KiUserExceptionDispatcher 77375DC8 5 Bytes JMP 008C000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[watchdog.sys!WdMadeAnyProgress] [8FEF17D5] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[watchdog.sys!WdCompleteEvent] [8FEF20D6] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[watchdog.sys!WdGetLowestDeviceObject] [8FEF204A] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[watchdog.sys!WdGetDeviceObject] [8FEF2016] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS[watchdog.sys!WdGetLastEvent] [8FEF2036] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdEnterMonitoredSection] [8FEF180F] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdExitMonitoredSection] [8FEF188B] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdFreeDeferredWatchdog] [8FEF6014] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStopDeferredWatch] [8FEF1972] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStartDeferredWatch] [8FEF16E1] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdAllocateDeferredWatchdog] [8FEF5F7A] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdSuspendDeferredWatch] [8FEF1763] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdResumeDeferredWatch] [8FEF1773] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74437817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396