MalwareCrypt
Author Topic: zero access root infection?  (Read 5007 times)
Jintan (Administrator)
« Reply #15 on: August 14, 2011, 12:25:07 PM »

Good so far.

Quote
2011/08/14 10:14:19.0747 3388   HiddenFile.Multi.Generic(8479081d) - User select action: Skip

Run TDSSKiller again, and this time allow it to do whatever it recommends on that item. If it does not provide a recommendation, allow it to Quarantine the item. Then try ComboFix again.
Milena E.
« Reply #16 on: August 14, 2011, 02:02:58 PM »

C:\Windows\487094660:2072442850.exe - copied to quarantine
Jintan (Administrator)
« Reply #17 on: August 14, 2011, 02:27:54 PM »

Oops - I know that file name. It's left over from AntiZeroAccess infection, but is supposed to go away once a reboot is done. But let's see if ComboFix will run now.

Milena E.
« Reply #18 on: August 14, 2011, 02:38:57 PM »

How come it shows some hidden files as threats if I chose the "show hidden files" option? I can't find any of those files he marked as threats. I'm thinking of deleting everything and installing Windows again. The guy who services my computer will literally KILL me when he sees what I've done with it (and I can't delete anything I've downloaded).
ComboFix doesn't work any more.
I ran GMER again; it found rootkit modifications:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-14 22:37:41
Windows 6.1.7600  Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MJA2250BH_G2 rev.0084001C
Running: lj01t628.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwlyraob.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys                              ZwOpenProcess [0x8FE88730]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys                              ZwTerminateProcess [0x8FE887E0]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys                              ZwTerminateThread [0x8FE88880]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys                              ZwWriteVirtualMemory [0x8FE88920]

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwSaveKeyEx + 13B1                                                                                          82C3B8E9 1 Byte  [06]
.text           ntoskrnl.exe!KiDispatchInterrupt + 5A2                                                                                   82C5B3B2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntoskrnl.exe!KeRemoveQueueEx + 165F                                                                                      82C628EC 4 Bytes  [30, 87, E8, 8F]
.text           ntoskrnl.exe!KeRemoveQueueEx + 192F                                                                                      82C62BBC 8 Bytes  [E0, 87, E8, 8F, 80, 88, E8, ...]
.text           ntoskrnl.exe!KeRemoveQueueEx + 19A3                                                                                      82C62C30 4 Bytes  [20, 89, E8, 8F]
?               C:\Windows\system32\Drivers\PROCEXP113.SYS                                                                               The system cannot find the file specified. !
?               C:\Users\ADMINI~1\AppData\Local\Temp\aswMBR.sys                                                                          The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtCreateFile + 6               77634A16 4 Bytes  [28, 00, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtCreateFile + B               77634A1B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtMapViewOfSection + 6         77635076 1 Byte  [28]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtMapViewOfSection + 6         77635076 4 Bytes  [28, 03, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtMapViewOfSection + B         7763507B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenFile + 6                 77635126 4 Bytes  [68, 00, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenFile + B                 7763512B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenProcess + 6              776351D6 4 Bytes  [A8, 01, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenProcess + B              776351DB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenProcessToken + B         776351EB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenProcessTokenEx + 6       776351F6 4 Bytes  [A8, 02, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenProcessTokenEx + B       776351FB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenThread + 6               77635256 4 Bytes  [68, 01, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenThread + B               7763525B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenThreadToken + 6          77635266 4 Bytes  [68, 02, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenThreadToken + B          7763526B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtOpenThreadTokenEx + B        7763527B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtQueryAttributesFile + 6      77635386 4 Bytes  [A8, 00, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtQueryAttributesFile + B      7763538B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtQueryFullAttributesFile + B  7763543B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtSetInformationFile + 6       77635A86 4 Bytes  [28, 01, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtSetInformationFile + B       77635A8B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtSetInformationThread + 6     77635AE6 4 Bytes  [28, 02, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtSetInformationThread + B     77635AEB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtUnmapViewOfSection + 6       77635E06 1 Byte  [68]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtUnmapViewOfSection + 6       77635E06 4 Bytes  [68, 03, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[2172] ntdll.dll!NtUnmapViewOfSection + B       77635E0B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtCreateFile + 6               77634A16 4 Bytes  [28, 00, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtCreateFile + B               77634A1B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtMapViewOfSection + 6         77635076 1 Byte  [28]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtMapViewOfSection + 6         77635076 4 Bytes  [28, 03, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtMapViewOfSection + B         7763507B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenFile + 6                 77635126 4 Bytes  [68, 00, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenFile + B                 7763512B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenProcess + 6              776351D6 4 Bytes  [A8, 01, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenProcess + B              776351DB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenProcessToken + B         776351EB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenProcessTokenEx + 6       776351F6 4 Bytes  [A8, 02, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenProcessTokenEx + B       776351FB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenThread + 6               77635256 4 Bytes  [68, 01, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenThread + B               7763525B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenThreadToken + 6          77635266 4 Bytes  [68, 02, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenThreadToken + B          7763526B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtOpenThreadTokenEx + B        7763527B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtQueryAttributesFile + 6      77635386 4 Bytes  [A8, 00, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtQueryAttributesFile + B      7763538B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtQueryFullAttributesFile + B  7763543B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtSetInformationFile + 6       77635A86 4 Bytes  [28, 01, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtSetInformationFile + B       77635A8B 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtSetInformationThread + 6     77635AE6 4 Bytes  [28, 02, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtSetInformationThread + B     77635AEB 1 Byte  [E2]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtUnmapViewOfSection + 6       77635E06 1 Byte  [68]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtUnmapViewOfSection + 6       77635E06 4 Bytes  [68, 03, 07, 00]
.text           C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe[3740] ntdll.dll!NtUnmapViewOfSection + B       77635E0B 1 Byte  [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\system32\rundll32.exe[3212] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                    [75605D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[3212] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                     [75605D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[3212] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                   [75605D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[3212] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]                   [75605D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[3212] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]                  [75605D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[3212] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]                   [75605D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                   AVGIDSFilter.sys
AttachedDevice  \Driver\tdx \Device\Tcp                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5                                                                                   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device          \Driver\ACPI_HAL \Device\0000004b                                                                                        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\tdx \Device\Udp                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\tdx \Device\RawIp                                                                                                avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                                 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                                 AVGIDSFilter.sys
---- Processes - GMER 1.0.15 ----

Library         C:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ C:\32788R22FWJFW\iexplore.exe [2980]                                   0x00400000                                                                                                                                          
Library         C:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ C:\32788R22FWJFW\iexplore.exe [3112]                                   0x00400000                                                                                                                                          
Library         C:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ C:\32788R22FWJFW\iexplore.exe [3128]                                   0x00400000                                                                                                                                          
Library         C:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ C:\32788R22FWJFW\iexplore.exe [3136]                                   0x00400000                                                                                                                                          
Library         C:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ C:\32788R22FWJFW\iexplore.exe [3152]                                   0x00400000                                                                                                                                          

---- Files - GMER 1.0.15 ----

File            C:\Windows\$NtUninstallKB29595$\2222524445                                                                               0 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\L                                                                             0 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\L\xadqgnnk                                                                    78336 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\loader.tlb                                                                    2540 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U                                                                             0 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@00000001                                                                   41360 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@000000c0                                                                   2560 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@000000cb                                                                   2048 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@000000cf                                                                   1536 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@80000000                                                                   24576 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@800000c0                                                                   33280 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@800000cb                                                                   27648 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@800000cf                                                                   27648 bytes
File            C:\Windows\$NtUninstallKB29595$\2222524445\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}                                        2048 bytes
File            C:\Windows\$NtUninstallKB29595$\750493546                                                                                0 bytes
ADS             C:\Windows\487094660:2072442850.exe                                                                                      816 bytes executable                                                                                                                                  <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service         C:\Windows\487094660:2072442850.exe                                                                                      [MANUAL] 8479081d                                                                                                                                     <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
Jintan (Administrator)
« Reply #19 on: August 14, 2011, 02:58:14 PM »

Do you have HijackThis installed there, and will it run (remember - right click - Run as administrator)?
Jintan (Administrator)
« Reply #20 on: August 14, 2011, 03:08:22 PM »

If not, click here and download Merijn's older ADS Spy, unzip that, then click to run it.

Click "Full scan (all NTFS drives)", uncheck "Ignore safe system info data streams....", then click:

Scan the system for alternate data streams

When the scan is completed, locate in the list the following item:

C:\Windows\487094660

Then click "Remove selected streams", and close ADS Spy once that is completed.

Then run AntiZeroAccess again. Then TDSSKiller, allowing both to quarantine or remove what they find.

Then try ComboFix. Delete the existing copy, and download ComboFix.exe from here to your desktop. However, as you download it I would like you to rename it to cman.scr, then click that to run that scan.
Milena E.
« Reply #21 on: August 14, 2011, 04:03:55 PM »

ADS Spy won't open. Same old story "you may not have the permission to access blah blah blah", I'm tired of it. AntiZeroAccess and Kaspersky didn't find anything (no threat detected). I managed to download ComboFix twice; the first time it found the rootkit, rebooted twice, deleted some files and then blocked again trying to create a log file. The second time it found the rootkit again, rebooted, started deleting the same files again and then blocked again.
Jintan (Administrator)
« Reply #22 on: August 14, 2011, 04:42:53 PM »

Keep in mind the steps here:

cd "%userprofile%\desktop"

cacls antizeroaccess.exe /e /g everyone:f

antizeroaccess.exe


So if you have ADSSpy.exe directly on your desktop (you can just move it from the unzip folder), then you can use:

cd "%userprofile%\desktop"

cacls ADSSpy.exe /e /g everyone:f

ADSSpy.exe


Also did ComboFix create a C:\ComboFix.txt log you can post here?
Milena E.
« Reply #23 on: August 15, 2011, 02:31:17 PM »

No, ADS Spy just won't work under any conditions. I tried to download it again and I can't. ComboFix didn't create a log file; every time it tries to, it blocks.
I think I'm going to give up on this.
Milena E.
« Reply #24 on: August 15, 2011, 03:37:48 PM »

I somehow ran ComboFix and it blocked again, this time while deleting C:\Windows\$NtUninstallKB29595$\3528677882, whatever that is.
Jintan (Administrator)
« Reply #25 on: August 15, 2011, 06:08:36 PM »

That is a "junction" that points to the actual malware - it is a type of pointer. And what we have been trying to take out as well. Do you have HijackThis installed, and will it open?
Milena E.
« Reply #26 on: August 16, 2011, 11:09:16 AM »

I don't have HijackThis installed.
Jintan (Administrator)
« Reply #27 on: August 16, 2011, 05:55:43 PM »

Download System Repair Engineer. Use the Local Download button to download sreng2.zip.

Extract (unzip) it to its own folder on your Desktop, then double-click SREngLdr.exe to run it.

When the display opens, click the "System Repair" icon in the left hand column.

Under the first "File Association" tab it will have already placed checkmarks in the boxes next to file associations it sees as incorrect. Don't make any changes, and just click Repair. The display will flicker briefly, and then the results should reflect all are "Normal".

You will see many other options to use this tool for, but unless you truly know what they are indicating and what changes System Repair Engineer might make it is really not something you should try in any way (and a reason why I tend to avoid providing this repair tool).

Again, you can try (at the cmd.exe prompt):

cd "%userprofile%\desktop"

cacls SREngLdr.exe /e /g everyone:f

SREngLdr.exe


-----------

Download The Avenger by Swandog from here and save it to your Desktop, and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

OK the warning. When the Avenger display opens, place a check in the following box:

Automatically disable any rootkits found

Then copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Code:
Begin copying here:
Files to delete:
C:\Windows\$NtUninstallKB29595$
Folders to delete:
C:\Windows\$NtUninstallKB29595$

Your system may reboot twice to complete the repairs. After the reboot a text file will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

Each change you make there that works, be sure to immediately try to run aswMBR, having it Fix what it locates, as well as TDSSKiller, again allowing it to fix or quarantine what it locates.

Milena E.
« Reply #28 on: August 17, 2011, 12:39:33 PM »

I can't download anything to my desktop, it all goes to Downloads and then won't open. I'm totally desperate, I've tried everything.
Jintan (Administrator)
« Reply #29 on: August 17, 2011, 07:32:49 PM »

Help me out here, other than the concern about this person who fixes your computer.

You have access to cmd.exe, and the command window opens?

You do the cmd procedures I have posted, but they do not allow you to open programs I have suggested? These work on my infected Windows 7 test system, is why I ask.

These:

File            C:\Windows\$NtUninstallKB29595$\750493546                                                                                0 bytes
ADS             C:\Windows\487094660:2072442850.exe                                                                                      816 bytes executable                                                                                                                                  <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service         C:\Windows\487094660:2072442850.exe                                                                                      [MANUAL] 8479081d                                                                                                                                     <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Run Gmer again, right click on each of those, and see if there is an option to delete or do other changes to them. If so, do those, and agree to any warnings. If Gmer says the change failed, you may find it actually didn't, and the change will allow you to run some of the other scans I have suggested.

-----------

Have a flash drive installed (I assume you have used one there during this). You may need to change the following to match the flash drive letter - for here, I am using E.

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

copy C:\Windows\487094660 E:\Windows\jen

copy E:\Windows\jen C:\Windows\487094660

exit


Just an attempt to remove the ADS attachment.
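Editor's note, as an added example (not code from this thread, from GMER, or from any of the tools Jintan names): the GMER log in Reply #18 and the lines Jintan re-quotes in Reply #29 carry the whole ZeroAccess picture in three sections, and they are easy to miss in a wall of AVG and Chrome hook entries. The script below parses a GMER 1.0.15 log and pulls out the alternate data stream under C:\Windows whose stream is an executable, the service whose image path is that stream (the thing that relaunches it at boot), the $NtUninstallKB…$ folder that the Avenger script in Reply #27 targets, and any hidden processes. The log excerpt in the script is constructed from the lines quoted above. Two assumptions not stated on the page: C:\32788R22FWJFW is ComboFix's own working folder (so the hidden iexplore.exe there is the cleanup tool, not the infection), and genuine $NtUninstallKB…$ folders are an XP hotfix artefact, so on the Windows 6.1 (7) box this log comes from the name alone is suspicious.

```python
"""Pull ZeroAccess-style indicators out of a GMER rootkit-scan log.

Added example for this thread; it is not part of GMER, ComboFix or any tool
named above.  It only parses text, so it runs anywhere and touches no files.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the GMER 1.0.15 log quoted in this thread.  Column
# padding is shortened; the field layout (section headers, "ADS", "Service",
# "Library ... (*** hidden *** )") is GMER's own.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library         C:\32788R22FWJFW\iexplore.exe (*** hidden *** ) @ C:\32788R22FWJFW\iexplore.exe [2980]   0x00400000

---- Files - GMER 1.0.15 ----

File            C:\Windows\$NtUninstallKB29595$\2222524445\U\@80000000   24576 bytes
File            C:\Windows\$NtUninstallKB29595$\750493546   0 bytes
ADS             C:\Windows\487094660:2072442850.exe   816 bytes executable   <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service         C:\Windows\487094660:2072442850.exe   [MANUAL] 8479081d   <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# ASSUMPTION (not stated in the thread): C:\32788R22FWJFW is ComboFix's own
# working folder, so a hidden iexplore.exe there is the cleanup tool, not the
# infection.  Extend this tuple for other tools you run on the box.
KNOWN_TOOL_DIRS = (r"C:\32788R22FWJFW",)

# "C:\Windows\487094660:2072442850.exe" -> host file and NTFS stream name.  The
# drive-letter colon is not a stream separator, so the host must start "X:\".
_ADS_PATH = re.compile(r"^(?P<host>[A-Za-z]:\\[^\s:]+):(?P<stream>[^\s:]+)$")
_ADS_LINE = re.compile(r"^ADS\s+(?P<path>\S+)\s+(?P<size>\d+) bytes")
_SERVICE_LINE = re.compile(r"^Service\s+(?P<image>\S+)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
_HIDDEN_PROC = re.compile(r"^Library\s+(?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ \S+ \[(?P<pid>\d+)\]")
_FILE_LINE = re.compile(r"^File\s+(?P<path>\S+)\s+\d+ bytes")
# ASSUMPTION: genuine $NtUninstallKB...$ folders are an XP hotfix artefact; the
# log header says Windows 6.1 (7), where the name itself is a ZeroAccess tell.
_ROGUE_ROOT = re.compile(r"^(?P<root>[A-Za-z]:\\Windows\\\$NtUninstallKB\d+\$)", re.IGNORECASE)


def split_ads_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (host_file, stream_name) if path names an alternate data stream, else None."""
    m = _ADS_PATH.match(path)
    return (m.group("host"), m.group("stream")) if m else None


def triage(log_text: str) -> Dict[str, List]:
    """Scan a GMER log and group the lines that matter for a ZeroAccess cleanup."""
    out: Dict[str, List] = {
        "ads": [],                  # (host_file, stream, size_bytes)
        "ads_services": [],         # (service_name, image_path, start_type)
        "hidden_processes": [],     # (pid, image_path, belongs_to_known_tool)
        "rogue_uninstall_dirs": [], # top-level $NtUninstallKB...$ folders seen
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _ADS_LINE.match(line):
            hs = split_ads_path(m.group("path"))
            if hs:
                out["ads"].append((hs[0], hs[1], int(m.group("size"))))
        elif m := _SERVICE_LINE.match(line):
            # A service whose image is an ADS is the loader pattern in this log:
            # the service entry is what relaunches the stream at boot.
            if split_ads_path(m.group("image")):
                out["ads_services"].append((m.group("name"), m.group("image"), m.group("start")))
        elif m := _HIDDEN_PROC.match(line):
            path = m.group("path")
            is_tool = any(path.lower().startswith(d.lower()) for d in KNOWN_TOOL_DIRS)
            out["hidden_processes"].append((int(m.group("pid")), path, is_tool))
        elif m := _FILE_LINE.match(line):
            r = _ROGUE_ROOT.match(m.group("path"))
            if r and r.group("root") not in out["rogue_uninstall_dirs"]:
                out["rogue_uninstall_dirs"].append(r.group("root"))
    return out


def cross_check(findings: Dict[str, List]) -> List[str]:
    """Plain-language notes tying the sections together, for pasting into a reply."""
    notes = []
    ads_images = {f"{h}:{s}" for h, s, _ in findings["ads"]}
    for name, image, start in findings["ads_services"]:
        if image in ads_images:
            notes.append(f"service {name} ({start}) loads ADS {image}: remove the stream, not just the host file")
    for pid, path, is_tool in findings["hidden_processes"]:
        if not is_tool:
            notes.append(f"hidden process pid {pid} at {path} needs explaining")
    for root in findings["rogue_uninstall_dirs"]:
        notes.append(f"{root} is not a Windows 7 artefact; it is the folder the Avenger script targets")
    return notes


if __name__ == "__main__":
    for note in cross_check(triage(SAMPLE_LOG)):
        print(note)
```

The split_ads_path helper does in text what Jintan's copy-out/copy-back step in Reply #29 does on disk: a FAT-formatted flash drive cannot store NTFS alternate streams, so copying the host file out and back leaves only the host. The caveat a practitioner wants here is that the trick only works if the drive really is FAT; an NTFS-formatted stick preserves the stream, and the service entry GMER flagged still points at it until that service is removed as well.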