Critical Infestation? Please help


Esper

Hi, I recently was infected with some sort of malware. Since then, my computer has experienced the following symptoms:

- Extremely slow startup, taking about thirty minutes for explorer.exe to get going, as well as another ten minutes for the rest of my startup programs to begin
- In the time space on my taskbar, VIRUS ALERT! is written
- At startup, I receive a notice labelled "System Configuration Utility" informing me that I changed the way Windows starts.
- Task Manager is disabled
- Safe Mode cannot be used due to the absence of "stpd.sys" (this might have begun earlier; I don't really use Safe Mode very often)
- Three icons on my desktop labelled "Error Cleaner", "Privacy Protector", and "Spyware&Malware Protection" that return whenever I reboot and direct me to viruswebprotect2008.
- Frequent notices telling me that Windows has detected an Internet attack attempt and that somebody is trying to infect my PC (this is obviously fake due to the wording and the fact that it wants me to download a Spyware remover I've never heard of). Pressing OK opens Internet Explorer and leads me to safewebnavigate2008.
- No internet connectivity whatsoever; it seems to be forever acquiring the network status from the look of the icon in the system tray, but hovering over the icon says "Local Area Connection: A network cable is unplugged" (this is supposed to be my wireless..)
- My C: Drive seems to have disappeared from My Computer, but is still accessible by typing C:\ in the address bar
- When running HJT, I am denied access to the hosts file.
- When running HJT, I get an error, which I'm encouraged to submit.
- I often get a "System Alert" from my system tray that informs me of "virus activities".
- Registry editing is disabled.
- A warning that Worm.Win32.Netbooster has infected me. Clicking "Yes" takes me to savewebnavigate2008.

When I try to log on to my friend's account (he uses my laptop occasionally to play CounterStrike), I can use the Task Manager. When I try to log on to my Administrator account, the desktop does not load and I am stuck at the login screen.

I have attached a HJT log. Even if you are unable to help, I sincerely thank you for reading my thread.
 
First we need to fix the safeboot problem, as I know fixes for most of these nasties, but most have to be run from safe mode.

You can download combofix to another computer and transfer with a thumb drive, just make sure to install it to the infected desktop

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
You have no idea how happy I am to see you helping me :D

I will try that right now, and get back to you.

EDIT:// Uh-oh. I get an error that states, "Installation failed." I put the .exe directly on the desktop (I actually put a shortcut instead the first time), but it still fails. Would you know of any reason this would happen?

In the meantime, I'll try to figure out what's preventing it..

EDIT:// Okay, figured it out, I think. Does this require Admin access? In that case, I'm going to have to restart the computer. I'll use an Admin account to run the program (using Run As while still on my limited account should work, right?) and see what happens.

Another thing: My "Log Off" button is missing..
 
If it doesn't work, don't try to force it. We will try something else

I also need to know do you normally connect through a proxy?
 
Eh. Isn't working; I get informed that I couldn't "log on" (to my Administrator account) due to "user account restriction".

And to your question, no, I don't. I've been thinking about doing so, but never got around to setting one up. I just connect to a wireless network.

And now it appears as if I can't get on my Administrator account..

Maybe I should just scrap my files and reinstall my OS? My CDs seem to be malfunctioning so I can't save any of my work, but if this is going to prevent me from writing my term paper in the comfort of my own bed..
 
Not a bad idea, I would also recommend changing any passwords for bank accounts or other sensitive information, etc.

The other option is we could try to hack away at it with HijackThis and manually remove files, using a few programs that can run in normal mode.

1) Install Avira Antivir
2) Install Malwarebytes antimalware
3) Remove HijackThis entries that I specify and remove bad files/folders

Let me know what you want to do
 
I'm game for pretty much any other option at this point.

Update: Okay, my Administrator account is, after a long time of waiting, working. I should run into fewer difficulties now. I'll see if I can get ComboFix working and report back.

EDIT: We are go! Combofix is working! I'll wait for the scan to finish and run another HJT. As told, I am avoiding my touchpad and keyboard.

Okay. I ran Combofix and rebooted, and am noticing a considerable increase in login speed. That may have done it! I'll run HJT and post the log just in case, though.

EDIT!: Okay, ran HJT after getting the log from ComboFix. Combofix's log exceeds size limitations, so I just attached hijackthis.log. I'll copy and paste CF's log if needed, however.
Thank you so much! Login time is normal, the popups don't come up at all, and I can connect to the Internet! I'm leaving it alone for now, though.
 
Should I upload the ComboFix log to another website and link to it, or is the HJT log sufficient? (I attached it via edit to the post before this)
 
Let's see if you can boot safe mode

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
I still can't run Safe Mode.. it's the same problem, too. SPTD.sys, I believe. The last thing that loads is multi(0)disk(0)rdisk(0)partition(4)\WINDOWS\System32\Drivers\Mup.sys.

Okay, I was wrong. It's in safe mode, and loading.
 
try this

Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg file and merge it into the registry by double-clicking it:
SafeBoot.zip

Click YES on the following screen
safebootmerge.PNG
 
I gotta go to bed soon, but we need to either run smitfraud option 2 from safe mode or SDfix from safe mode. No worries from where we are now, we can remove this thing manually if worse comes to worse. Do you have a connection now?

Or if we can't get safe mode back yet do this

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach this log with your reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
Got it to work! And yes, I regained my connection!

You, sir, are awesome. I hereby award you many internets.
 
We still need to run Smitfraudfix from safe mode and you should also install/update MBAM now, then run that while in safe mode after Smitfraudfix. SDFix didn't pick up the file that is listed in its changelog.

So download and update MBAM, then download Smitfraudfix using the following instructions

Boot safe mode and run Smitfraudfix option 2, then MBAM. Attach both logs for me. And I will start working on a script and a batch file to stop and delete services in the event neither of these programs can do it. I have to sleep though.

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
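As an added example for this thread, not one of the tools named in it and not the helper's planned service-removal script: a read-only cmd batch file (the name rogue_indicators.cmd is assumed) that reports the Windows XP settings behind the symptoms in the first post, so that each cleanup step above can be checked for what it actually repaired. The registry locations are the documented Windows policy, locale and SafeBoot values; the only things assumed are that the clock text comes from the user's sTimeFormat string, that cmd.exe, reg.exe, findstr, attrib and chkntfs are present, and that the system drive is C:. It changes nothing.

```batch
@echo off
rem rogue_indicators.cmd -- added example, not a tool from this thread.
rem Read-only audit of the values behind the reported symptoms: disabled
rem Task Manager/regedit, missing Log Off button, hidden C: drive, rogue
rem text in the clock, Safe Mode failing, hosts file access, disk check
rem at every boot. Assumes Windows XP cmd.exe with reg.exe available.
rem HKLM\...\Policies holds the machine-wide equivalents of the HKCU values.
setlocal

echo === User policy values under HKCU, nonzero means the restriction is on ===
call :checkdword "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"   DisableTaskMgr       "Task Manager disabled"
call :checkdword "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"   DisableRegistryTools "Registry editing disabled"
call :checkdword "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoLogoff             "Log Off button hidden"
call :checkdword "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoDrives             "drives hidden in My Computer, bitmask where C: = 0x4"

echo.
echo === Clock text: sTimeFormat under HKCU\Control Panel\International ===
set "fmt="
for /f "tokens=2*" %%a in ('reg query "HKCU\Control Panel\International" /v sTimeFormat 2^>nul ^| findstr /i sTimeFormat') do set "fmt=%%b"
if not defined fmt (
    echo [ok]  no sTimeFormat value for this user
) else (
    echo %fmt% | find /i "VIRUS" >nul
    if errorlevel 1 (echo [ok]  sTimeFormat = %fmt%) else (echo [!!]  sTimeFormat = %fmt%  - rogue text shown in the clock)
)

echo.
echo === Safe Mode registry keys ===
for %%k in (Minimal Network) do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\%%k" >nul 2>&1 && (echo [ok]  SafeBoot\%%k present) || (echo [!!]  SafeBoot\%%k missing - Safe Mode cannot start)
)

echo.
echo === hosts file attributes and non-comment entries ===
set "hosts=%SystemRoot%\system32\drivers\etc\hosts"
attrib "%hosts%"
findstr /v /b /c:"#" "%hosts%"

echo.
echo === Boot-time disk check ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
chkntfs C:
echo The default BootExecute is "autocheck autochk *"; chkntfs reports whether
echo C: is marked dirty, which is what makes autochk run on every boot.

endlocal
goto :eof

:checkdword
rem %1 = key, %2 = value name, %3 = description. Reports a nonzero DWORD.
set "val="
for /f "tokens=3" %%v in ('reg query "%~1" /v "%~2" 2^>nul ^| findstr /i /c:"%~2"') do set "val=%%v"
if not defined val (
    echo [ok]  %~2 not present
) else if /i "%val%"=="0x0" (
    echo [ok]  %~2 = 0
) else (
    echo [!!]  %~2 = %val%  - %~3
)
goto :eof
```

Run it from the limited account that shows the symptoms, since the policy values and the time format live under HKCU and the Administrator account can look clean, and again after each of the tools above. A [!!] line that survives SmitfraudFix and MBAM names the exact value still to be repaired, which is the situation the thread ends in: the clock text and the Log Off button still wrong on the limited account, and the disk check still running at every boot.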
 
All right, I am scanning right now and I'll upload the logs when I am finished. Thank you so much for helping me and good night. I'll check back here later, then, although I may still be sleeping.

EDIT:/ Completed! Again, thank you so much.

There's still a few problems, though. On my main account (limited), it still has VIRUS ALERT!!! stamped on all my times. Also, the Log Out button is still missing. Finally, when I turn on my laptop, the disk still runs a check on the C:\ drive (backup), no matter how many times I let it run.
 