System Progressive Protection Removal Guide Question

[showard]

Operating system: Widows 7
Architecture: 64 bit
Antivirus software and on-demand scanners on this system : Microsoft Security Essentials
Date and how issue started: 11/20/12
Steps taken in order to remove the infection: Followed the remove system progressive protection guide on malwaretips.com
REQUESTED LOGS: OTL LOG
aswMBR LOG
I followed the System Progressive Protection removal guide, and got all the way to the last step with Emsisoft Emergency Kit. The Scan found a number of items, and quarantined them all except for one. I received this message:

\DosDevices\PhysicalDrive0 - Rootkits can't be removed automatically. Please consult the experts in the Emsisoft online forum for help with manual removal of this Malware: http://support.emsisoft.com
\Program Files (x86)\Google\Google Desktop Search\GoogleDesktopAPI2.dll

What should I do to deal with this file?

Thanks for your help.

[kuttus]

Hi and welcome to the MalwareTips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

---

Please run the follwoing tools so that I can check logs file of your computer.

STEP 1 : Run a scan with Combofix

Please read and follow very carefully the below instructions

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• Close any open browsers.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

How to run the Combofix scan :

1. Double click on ComboFix.exe & follow the prompts.
   - If you are prompted to install Windows Recovery Console or update Combofix please allow this requests.
2. Accept the disclaimer and allow to update if it asks
3. Combofix will now start scanning your computer.
4. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
   

Additional notes:

1. DO NOT mouse-click Combofix's window while it is running. That may cause it to stall.
2. DO NOT "re-run" Combofix. If you have a problem, reply back for further instructions.
3. IF after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

---

STEP 2: Run a scan with Kaspersky TDSSKiller

1. Download Kaspersky TDSKiller from the below link.
   KASPERKSY TDSSKILLER DOWNLOAD LINK (This link will automatically download Kaspersky TDSSKiller on your computer)
   
2. Double-click on TDSSKiller.exe to run the application.
   
3. Click Change parameters
   
4. Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
   
5. Click on the Start Scan button to begin the scan and wait for it to finish.
   NOTE: Do not use the computer during the scan!
6. During the scan it will look similar to the image below:
   
7. When it finishes, you will either see a report that no threats were found like below:
   
   If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
8. If any infection or suspected items are found, you will see a window similar to below:
   
   
   • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
   • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
   • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
     Make sure that Cure is selected. VERY IMPORTANT! - If Cure is not available, please choose Skip instead. DO NOT choose Delete unless instructed to do so.
9. Click Continue to apply selected actions.
10. A reboot may be required to complete disinfection. A window like the below will appear:
    
    Reboot immediately if TDSSKiller states that one is needed.
11. Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_2.12.2012_14.17.04_log.txt which is based on the program version # and date and time run.
12. Attach this log to your next reply.

---

What's next?

Please post in your next reply:
1.Combofix log
2. Kaspersky TDSSKiller
3.Let me know if you had any problems with the above instructions and also let me know how things are running now!

[showard]

I followed the two steps above, and have attached the logs. There were two logs produced when I ran kaspersky. Not sure why. I have attached both.

I had one issue when I ran Kaspersky, I received the following message: "Can't cure MBR. Write standard boot code? If you have installed custom bootloader, you will need to reinstall them after the treatment." I selected ok, to finish the Kaspersky process.

Also, I had not been able to open my antivirus program, Microsoft Security Essentials, so I uninstalled it, and installed Avast. But I had the same problem with Avast--it too would not run.

After I performed these two steps, however, I was able to open Avast.

[kuttus]

Okay. Please try the following steps..

STEP 1: Run a scan with aswMBR:

1. Download aswmbr.exe from the below link:
   aswMBR DOWNLOAD LINK (This link will automatically download aswMBR on your computer)
2. Double click the aswMBR.exe to run it.
3. Click the [Scan] button to start scan
   
4. On completion of the scan click [Save log], save it to your desktop and post in your next reply.
   

---

STEP 2: Screen Shots of Disk Management:

1. Press the Windows key and R key on your keyboard together.
2. Now you will get a Run window. In that run window type DISKMGMT.MSC and press on Ok.
3. Now you will be able to See a Disk Management Window.
4. Open that Disk Management Window and Maximize it.
5. After that press on Print Screen Key (Prt Scr) on your keyboard once.
6. Now Open the Microsoft Paint. Open Paint by clicking the Start button Picture of the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
7. Now Click on the Edit Menu in the Paint and press of Paste.
   
8. Now you have to save the file on your desktop. After that upload that file in your next replay.
   

NOTE : What I want to see in that Disk Management window is the Status of each drives and it's Capacity on your computer. See the Screen shots.

---

What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. aswMBR Log
2. Screen Shots of Disk Management
3. Let me know if you had any problems with the above instructions and also let me know how things are running now!

[showard]

Ok, I have attached the two items you requested.

Things are running ok, however I got a message from my anti-virus that said they thought a file having to do with HitManPro was malicious. I ignored it because I installed HitManPro when I went through the System Progressive Protection Removal Guide.

What do you think?

[kuttus]

Okay. That's fine... Run the following tools and upload me the logs files...


STEP 1: Run a HitmanPro scan

1. Download the latest official version of HitmanPro.
   HITMANPRO DOWNLOAD LINK (This link will open a download page in a new window from where you can download HitmanPro)
2. Start HitmanPro by double clicking on the previously downloaded file. and then following the prompts.
   
3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click Next .
   
4. Click Activate free license to start the free 30 days trial and remove the malicious files.
   
5. HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
   

Add to your next reply, any log that HitmanPro might generate.

---

You should be able to run both scans while in Normal mode...
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode

1. Download Malwarebytes Chameleon from here and extract it to a folder in a convenient location
2. Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.
3. If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window Note: Do not attempt to open mbam-killer as that is not a Chameleon executable and serves a different purpose)
4. Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo
5. Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click OK when it says that the database was updated successful
6. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan
7. Upon completion of the scan, if anything has been detected, click on Show Result
8. Have Malwarebytes Anti-Malware remove any threats that are detected and click Yes if prompted to reboot your computer to allow the removal process to complete
9. After your computer restarts, open Malwarebytes Anti-Malware and perform a Full System scan to verify that there are no remaining threats
Please add both logs in your next reply.

---

STEP 3: Run Temp File Cleaner by OldTimer

1. You can download the TFC utility from the below link
   TFC DOWNLOAD LINK (This link will automatically download Temp File Cleaner on your computer)
2. Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
3. It will close all programs when run, so make sure you have saved all your work before you begin.
4. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
5. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

---

What's next?

Add the following logs to your next post (You can find here details on how to use the Attachment System):
1. HitmanPro Log
2. Malwarebytes Anti-Malware log
3. Let me know if you had any problems with the above instructions and also let me know how things are running now!

---

[showard]

I just saw your message about running KASPERKSY TDSSKILLER again. I just did that too, and have attached the log. It did not come up with any serious issues.

[kuttus]

Okay Cool...

Please try the above tools and upload me the Log Files.....