Department of Justice Block

[Nonnie]

Operating system: windows 7
Architecture: 64 bit
Antivirus software and on-demand scanners on this system : None
Date and how issue started: This started the 22nd (last night) while I was online.
Current issues and symptoms: Well, now I have no background (everything is just black) and I have to use the Task manager to do anything.
Steps taken in order to remove the infection: Hitmanpro (3? maybe? I don't know but it did something)
REQUESTED LOGS: OTL LOG
aswMBR LOG
There was a similar thread here that was having the same exact probem as me for the same reasons so I followed the instructions given to him and it has all been going accordingly but I cannot proceed with a script written for him so here I am. I did the OTL and aswMBR logs. I only hope I've done them right so I can figure out what to do from here. Any guidance would be much appreciated!

[kuttus]

Hi and welcome to the MalwareTips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

---

Please don't use the steps give to other users. Those steps are strictly for that user only.. Trying those steps in your computer may crash your computer...

STEP 1: Repair your Windows Registry from this infection malicious changes.

This infection has changed your Windows registry settings so that when you try to start the computer it will load the infections instead of your Windows Desktop.

1. Download the WinlogOnFix.reg file to fix the malicious registry changes from This infection.
   REGISTRYFIX.REG DOWNLOAD LINK (This link will automatically download the registry fix called WinlogonFix.reg)
2. Double-click on WinlogonFix.reg file to run it. Click “Yes” for Registry Editor prompt window,then click OK.
   

---

Now restart the computer and check if you are able to start the computer normally.


You should be able to run both scans while in Normal mode...
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode

1. Download Malwarebytes Chameleon from here and extract it to a folder in a convenient location
2. Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.
3. If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose)
4. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo
5. Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successful
6. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
7. Upon completion of the scan, if anything has been detected, click on Show Result
8. Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete
9. After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats
Please add both logs in your next reply.

---

What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. MalwareBytes log
2. Let me know if you had any problems with the above instructions and also let me know how things are running now!

---

[Nonnie]

The first link you gave me, "REGISTRYFIX.REG DOWNLOAD LINK" would just open up Windows Media Player. So I'm not sure what to do.

[kuttus]

(01-23-2013 02:31 PM)Nonnie wrote:  The first link you gave me, "REGISTRYFIX.REG DOWNLOAD LINK" would just open up Windows Media Player. So I'm not sure what to do.

Please right click on that link and select Save Link as... After that save it on your computer. Then open the file...

[Nonnie]

Well I did as instructed and everything seems to be working perfectly! My desktop is back and the scans showed that everything is okay. I attached to logs anyway though, just in case.

[kuttus]

It is nice to see your desktop is back... There is some more infected files showing in your last OTL log... Try the following steps to remove them..

STEP 1: Run the below OTL fix

1. Start OTL.exe
2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
   
   
   Code:
   

   :Files
C:\ProgramData\dsgsdgdsgdsgw.js
C:\windows\tasks\ROC_JAN2013_TB_rmv.job
C:\ProgramData\KGyGaAvL.sys
C:\Users\Nikita\AppData\Local\recently-used.xbel
C:\Users\Nikita\AppData\Roaming\.freeciv-client-rc-2.3



:Commands
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]
   
   NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
3. Then click the Run Fix button at the top
4. Let the program run unhindered, reboot when it is done
5. Attach the new log produced by OTL (C:\_OTL)

---

[Nonnie]

All processes killed
========== FILES ==========
C:\ProgramData\dsgsdgdsgdsgw.js moved successfully.
C:\windows\tasks\ROC_JAN2013_TB_rmv.job moved successfully.
C:\ProgramData\KGyGaAvL.sys moved successfully.
C:\Users\Nikita\AppData\Local\recently-used.xbel moved successfully.
C:\Users\Nikita\AppData\Roaming\.freeciv-client-rc-2.3 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nikita
->Temp folder emptied: 2952843201 bytes
->Temporary Internet Files folder emptied: 1476935945 bytes
->Java cache emptied: 18161 bytes
->Google Chrome cache emptied: 6473344 bytes
->Flash cache emptied: 8067488 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 390730623 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temp​orary Internet Files folder emptied: 67429 bytes
RecycleBin emptied: 492274374 bytes

Total Files Cleaned = 5,081.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Nikita
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Nikita
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01242013_070314

Files\Folders moved on Reboot...
C:\Users\Nikita\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YG7ZJEC2\search[5].htm moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSV9RVME\1[1].gif moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSV9RVME\1[2].gif moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSV9RVME\1[3].gif moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSV9RVME\1[4].gif moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C1FSY0O0\fastbutton[1].htm moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C1FSY0O0\processInputRequest[1].htm moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C1FSY0O0\Thread-Department-of-Justice-Block[1] moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3E6Y67H\1[1].gif moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3E6Y67H\1[2].gif moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3E6Y67H\fastbutton[1].htm moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3E6Y67H\Thread-Department-of-justice-block-malware-help[1] moved successfully.
C:\Users\Nikita\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3E6Y67H\tweet_button.1359007731[1].htm moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

---

Sorry, it wouldn't let me attach it. I hope that's okay.

[kuttus]

No problem...

Please run the following tools and send me the logfiles.....

STEP 1: Run Temp File Cleaner by OldTimer

1. You can download the TFC utility from the below link
   TFC DOWNLOAD LINK (This link will automatically download Temp File Cleaner on your computer)
2. Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
3. It will close all programs when run, so make sure you have saved all your work before you begin.
4. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
5. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

---

STEP 2: Run a scan with AdwCleaner

1. Download AdwCleaner from the below link.
   ADWCLEANER DOWNLAOD LINK (This link will automatically download Security Check on your computer)


2. Close all open programs and internet browsers.
3. Double click on adwcleaner.exe to run the tool.
4. Click on Delete,then confirm each time with Ok.
5. Your computer will be rebooted automatically. A text file will open after the restart.
6. Please post the contents of that logfile with your next reply.
7. You can find the logfile at C:\AdwCleaner[S1].txt as well.

---

STEP 3: Run a scan with ESET Online Scanner

1. Download ESET Online Scanner utility from the below link
   ESET ONLINE SCANNER DOWNLOAD LINK (This link will automatically download ESET Online Scanner on your computer.)
2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
3. Check Yes, I accept the Terms of Use
4. Click the Start button.
5. Check Scan archives
6. Push the Start button.
7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
8. When the scan completes, push List of found threats
9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.
10. Push the back button.
11. Push Finish

---

[Nonnie]

These are the results.

[kuttus]

Okay Cool... That one seems Fine... Are you facing any other issues on the computer now??


STEP 1 : Run a scan with Kaspersky TDSSKiller

1. Download Kaspersky TDSKiller from the below link.
   KASPERKSY TDSSKILLER DOWNLOAD LINK (This link will automatically download Kaspersky TDSSKiller on your computer)
   
2. Double-click on TDSSKiller.exe to run the application.
   
3. Click Change parameters
   
4. Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
   
5. Click on the Start Scan button to begin the scan and wait for it to finish.
   NOTE: Do not use the computer during the scan!
6. During the scan it will look similar to the image below:
   
7. When it finishes, you will either see a report that no threats were found like below:
   
   If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
8. If any infection or suspected items are found, you will see a window similar to below:
   
   
   • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
   • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
   • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
     Make sure that Cure is selected. VERY IMPORTANT! - If Cure is not available, please choose Skip instead. DO NOT choose Delete unless instructed to do so.
9. Click Continue to apply selected actions.
10. A reboot may be required to complete disinfection. A window like the below will appear:
    
    Reboot immediately if TDSSKiller states that one is needed.
11. Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt which is based on the program version # and date and time run.
12. Attach this log to your next reply.

---

Can you please run again HitmanPro and save a log.
STEP 2: Run a HitmanPro scan

1. Download the latest official version of HitmanPro.
   HITMANPRO DOWNLOAD LINK (This link will open a download page in a new window from where you can download HitmanPro)
2. Start a HitmanPro scan by double clicking on the previously downloaded file and then following the prompts.
   
3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.
   DO NOT REMOVE ANYTHING!,instead click on the Save log button (next to the green Buy now button) , then click on Close.
   
   
4. Post the HitmanPro log in your next reply