It installed a standard obnoxious UI interface ("System infected with 10 million viruses", etc.); it also installed "Antivirus 2010" in the Start menu.
Got rid of the front-end portion, no problem. Found where the executable was running out of, and all registry keys for it in the obvious places ('HKLM\software\microsoft\windows\currentversion\Run', 'HKLM\software\microsoft\windowsNT\currentversion\winlogon'), and it has not altered the Explorer shell.
But whenever I try to run Malwarebytes, Superantispyware, Hijack-This!, the scan will stop after 2 seconds and the permissions are removed for the executable. Whenever I open IE, it will open an additional window with advertisements, it also redirects google links.
I tried searching for all files created/altered between the time of infection, including hidden folders, but I can't find anything discernible.
I tried running Combofix which successfully ran 1 time, but I can't get it to start again. Here's the log that ran a few days ago:
ComboFix 10-10-22.05 - eclare 10/23/2010 20:37:05.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.624 [GMT -4:00]
Running from: C:\ComboFix.exe
AV: AVG Internet Security Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\.wtav
C:\Documents and Settings\All Users\Desktop\Control center.lnk
C:\WINDOWS\java.exe
C:\WINDOWS\System32\drivers\vbma68cb.sys
C:\WINDOWS\system32\USRINI~1.EXE
C:\WINDOWS\System32\drivers\vbma68cb.sys . . . . Failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_USERINIT
-------\Service_userinit
-------\Service_vbma68cb
((((((((((((((((((((((((( Files Created from 2010-09-24 to 2010-10-24 )))))))))))))))))))))))))))))))
.
2010-10-24 00:59:03 . 2010-10-24 00:59:03 30720 ----a-w- C:\WINDOWS\system32\drivers\vbma68cb.sys
2010-10-23 22:53:27 . 2010-10-23 22:52:30 389120 ----a-w- C:\WINDOWS\system32\CF18986.exe
2010-10-23 22:53:01 . 2010-10-23 22:53:11 -------- d-----w- C:\Documents and Settings\eclare\Local Settings\Application Data\Temp
2010-10-23 22:53:00 . 2010-10-23 22:53:00 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
2010-10-23 22:43:01 . 2010-10-23 22:43:01 -------- d-----w- C:\Documents and Settings\eclare\Local Settings\Application Data\Yahoo
2010-10-23 22:42:57 . 2010-10-23 22:42:57 -------- d-----w- C:\Documents and Settings\eclare\Application Data\Yahoo!
2010-10-23 22:37:01 . 2010-10-23 22:37:01 -------- d-----w- C:\Documents and Settings\eclare\Application Data\SUPERAntiSpyware.com
2010-10-23 22:03:27 . 2010-10-23 22:03:27 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-23 22:03:27 . 2010-10-23 22:03:27 -------- d-----w- C:\Documents and Settings\agm\Application Data\SUPERAntiSpyware.com
2010-10-23 22:03:10 . 2010-10-23 22:03:41 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-10-23 22:02:46 . 2010-10-23 22:02:39 9578056 ----a-w- C:\SUPERAntiSpyware.exe
2010-10-23 21:54:58 . 2010-10-23 21:54:58 -------- d-----w- C:\Documents and Settings\agm\Application Data\Malwarebytes
2010-10-23 21:54:26 . 2010-10-23 21:54:26 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-10-23 21:54:25 . 2010-10-24 00:30:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-10-21 03:13:27 . 2009-12-24 06:59:40 177664 ------w- C:\WINDOWS\system32\dllcache\wintrust.dll
2010-10-21 03:10:24 . 2010-06-14 14:31:20 744448 ------w- C:\WINDOWS\system32\dllcache\helpsvc.exe
2010-10-20 16:44:03 . 2010-10-20 16:44:03 -------- d-----w- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2010-10-17 19:16:07 . 2010-10-17 19:16:07 -------- d-----w- C:\Documents and Settings\agm\Local Settings\Application Data\Yahoo
2010-10-14 00:00:34 . 2010-10-21 03:32:01 -------- d-----w- C:\Documents and Settings\agm\Application Data\gtk-2.0
2010-10-14 00:00:06 . 2010-10-14 00:00:06 -------- d-----w- C:\Documents and Settings\agm\.thumbnails
2010-10-13 23:58:47 . 2010-10-21 03:36:11 -------- d-----w- C:\Documents and Settings\agm\.gimp-2.6
2010-10-13 23:58:38 . 2010-10-13 23:58:42 -------- d-----w- C:\Documents and Settings\agm\.gegl-0.0
2010-10-13 23:54:41 . 2010-10-13 23:54:44 -------- d-----w- C:\Documents and Settings\agm\Application Data\My.Freeze.com NetAssistant
2010-10-13 23:54:03 . 2010-10-13 23:54:20 -------- d-----w- C:\Program Files\Gimp-2.0
2010-10-13 23:53:29 . 2010-10-20 02:34:40 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2010-10-13 23:53:08 . 2010-10-13 23:53:10 -------- d-----w- C:\Program Files\Free Offers from Freeze.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 22:54:50 . 2009-10-01 20:25:28 3884040 ----a-r- C:\ComboFix.exe
2010-08-27 20:08:17 . 2009-11-07 22:42:28 1426872 ----a-w- C:\WINDOWS\system32\rmconfig.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30:35 8462336 ----a-w- C:\WINDOWS\SYSTEM32\shell32.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-28 13:11:15 1003520]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-03 19:09:23 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 21:10:58 23237416]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-07 06:30:55 2356088]
"Google Update"="C:\Documents and Settings\agm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-25 21:57:07 136176]
"IPEVO Control Center"="C:\Program Files\IPEVO\Control Center\IPEVO Control Center.exe" [2009-11-06 19:51:16 1491456]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 14:04:57 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 00:51:55 39792]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 17:35:10 229376]
"VirginAtlanticListener"="C:\Program Files\Virgin Atlantic\Virgin Atlantic Listener\VAA.exe" [2005-06-23 08:02:50 507904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-05-20 20:53:46 180269]
"ButtonMonitor"="C:\Program Files\Verbatim\ButtonMonitor.exe" [2007-03-16 02:39:00 53248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-03-19 02:16:10 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-07-16 11:41:58 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2003-03-31 16:00:00 30208]
I ran Kaspersky TDSSKiller, and it detects rootkits on every scan, but when I delete and reboot and run the scan again, they reappear.
Please let me know if you can assist.
Thanks,
Ed
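Added example (my code, not the poster's and not part of ComboFix): a Python triage helper that parses the "Files Created" and "Drivers/Services" sections in the log format shown above and flags binaries created inside a chosen infection window, singling out a driver whose base name matches a service ComboFix removed. The sample lines are copied from the log above; the window boundaries are an assumption, and the log's timestamps are compared as written.

```python
import re
from datetime import datetime

# Sample input copied from the ComboFix log above; the parser targets that line format.
FILES_CREATED = r"""
2010-10-24 00:59:03 . 2010-10-24 00:59:03 30720 ----a-w- C:\WINDOWS\system32\drivers\vbma68cb.sys
2010-10-23 22:53:27 . 2010-10-23 22:52:30 389120 ----a-w- C:\WINDOWS\system32\CF18986.exe
2010-10-23 22:03:10 . 2010-10-23 22:03:41 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-10-21 03:13:27 . 2009-12-24 06:59:40 177664 ------w- C:\WINDOWS\system32\dllcache\wintrust.dll
"""
DRIVERS_SERVICES = r"""
-------\Legacy_USERINIT
-------\Service_userinit
-------\Service_vbma68cb
"""
TS = "%Y-%m-%d %H:%M:%S"
# Fields: created . modified size attrs path (directories show size "--------" and attrs starting with "d")
ENTRY_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^-------\\Service_(\S+)$")

def parse_created(text):
    """Return (created, modified, size_or_None, attrs, path) tuples; non-matching lines are skipped."""
    entries = []
    for m in filter(None, (ENTRY_RE.match(l.strip()) for l in text.splitlines())):
        size = None if m.group(3).startswith("-") else int(m.group(3))
        entries.append((datetime.strptime(m.group(1), TS), datetime.strptime(m.group(2), TS),
                        size, m.group(4), m.group(5)))
    return entries

def parse_services(text):
    """Service names from the 'Drivers/Services' section, lowercased for matching."""
    return {m.group(1).lower() for m in (SERVICE_RE.match(l.strip()) for l in text.splitlines()) if m}

def triage(created_text, services_text, start, end):
    """Flag binaries created inside [start, end] (timestamps in the log's own format)."""
    lo, hi = datetime.strptime(start, TS), datetime.strptime(end, TS)
    services = parse_services(services_text)
    flagged = {}
    for created, _modified, _size, attrs, path in parse_created(created_text):
        if attrs.startswith("d") or not (lo <= created <= hi):
            continue
        low = path.lower()
        base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\drivers\\" in low and low.endswith(".sys") and base in services:
            flagged[path] = "driver created in window; name matches a service ComboFix removed"
        elif "\\system32\\" in low and "\\dllcache\\" not in low and low.endswith((".sys", ".exe", ".dll")):
            flagged[path] = "binary created in window under system32; verify against a known-good copy"
    return flagged
```

Shift the window to the suspected infection time rather than the ComboFix run; anything flagged still needs confirmation by hash or signature before it is treated as malicious.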