Disk antivirus - black screen

Giving heart

New Member
Thread author
Verified
Mar 17, 2013
19
I went through your online thread about removing this virus. Went into safe mode and went through RKILL and then reinstalled Malwarebytes which I had previously. It went through the quick scan and I removed the 8 problems. Now when attempting to restart I have only a black screen. When I tried to go back to safe mode again, that just says safe mode at the top and nothing else.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Please print these instructions out so that you know what you are doing.
  • Download OTLPE from here to your desktop
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
    While in OTLPE, double click the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start
  • Check the boxes beside LOP Check and Purity Check
  • Press the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to a USB drive if you do not have internet connection on the system.
  • Please attach the content of OTL.txt in your next reply.
 

Giving heart

I finally managed to get back on the computer - in Safe Mode. I didn't want to chance another problem so I didn't go any further.

I've downloaded the OTL program and the information is attached below.
 

Attachments

  • Extras.Txt
    46 KB · Views: 162
  • OTL.Txt
    56.5 KB · Views: 148

Fiery

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
DRV - (afic) -- System32\drivers\qxftelsy.sys File not found
[2013/03/16 21:36:52 | 000,065,536 | -H-- | M] () -- E:\WINDOWS\System32\asr_smui.dll
[2012/05/16 17:11:55 | 000,000,008 | -H-- | C] () -- E:\Documents and Settings\Vicky\Local Settings\Application Data\L8457789120
[2013/03/16 21:36:34 | 000,002,048 | -HS- | M] () -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\@
[2013/03/16 21:36:34 | 000,000,000 | -HSD | M] -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\L
[2013/03/16 21:36:50 | 000,000,000 | -HSD | M] -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\U
[2013/03/16 21:36:50 | 000,000,928 | ---- | M] () -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\U\00000001.@
[2013/03/16 21:36:50 | 000,011,776 | ---- | M] () -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\U\80000000.@
[2013/03/16 21:36:50 | 000,021,504 | ---- | M] () -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\U\800000cb.@
[2013/03/17 13:53:18 | 000,002,048 | -HS- | M] () -- E:\recycler\S-1-5-21-2000478354-2147159105-1417001333-1003\$b4ba0b39cab3abde4ddb40444bf49fef\@
[2013/03/16 21:36:32 | 000,000,000 | -HSD | M] -- E:\recycler\S-1-5-21-2000478354-2147159105-1417001333-1003\$b4ba0b39cab3abde4ddb40444bf49fef\L
[2013/03/16 21:36:32 | 000,000,000 | -HSD | M] -- E:\recycler\S-1-5-21-2000478354-2147159105-1417001333-1003\$b4ba0b39cab3abde4ddb40444bf49fef\U

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.



Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
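
The `:OTL` fix list in the post above uses OTL's file-scan line format, and most of its entries sit in hidden folders named `$` plus 32 hex characters under `RECYCLER\<SID>`. As an added example (not part of the thread and not OTL's own code), this Python script parses such lines and groups those entries per folder so the affected accounts and earliest timestamp can be read off a log; the regexes and function names are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime

# OTL file-scan line: [date time | size | attributes | M/C] (company) -- path
# Directory entries have no "(company)" field.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[MC])\] (?:\([^)]*\) )?-- (?P<path>.+)$")
# Folder named "$" + 32 hex digits directly under RECYCLER\<SID>.
STORE_RE = re.compile(
    r"^[A-Za-z]:\\RECYCLER\\(?P<sid>S-1-[\d-]+)\\\$(?P<id>[0-9a-f]{32})"
    r"(?:\\(?P<rest>.*))?$", re.IGNORECASE)

# The first six lines are copied from the fix list above; the seventh is
# constructed (an ordinary deleted file) and must not be reported.
SAMPLE = r"""
[2013/03/16 21:36:52 | 000,065,536 | -H-- | M] () -- E:\WINDOWS\System32\asr_smui.dll
[2013/03/16 21:36:34 | 000,002,048 | -HS- | M] () -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\@
[2013/03/16 21:36:34 | 000,000,000 | -HSD | M] -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\L
[2013/03/16 21:36:50 | 000,000,928 | ---- | M] () -- E:\RECYCLER\S-1-5-18\$b4ba0b39cab3abde4ddb40444bf49fef\U\00000001.@
[2013/03/17 13:53:18 | 000,002,048 | -HS- | M] () -- E:\recycler\S-1-5-21-2000478354-2147159105-1417001333-1003\$b4ba0b39cab3abde4ddb40444bf49fef\@
[2013/03/16 21:36:32 | 000,000,000 | -HSD | M] -- E:\recycler\S-1-5-21-2000478354-2147159105-1417001333-1003\$b4ba0b39cab3abde4ddb40444bf49fef\L
[2013/03/10 09:15:00 | 000,001,024 | ---- | M] () -- E:\RECYCLER\S-1-5-21-2000478354-2147159105-1417001333-1003\Dc1.txt
"""

def parse_line(line):
    """Return one OTL file-scan entry as a dict, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"], "is_dir": "D" in m["attrs"], "path": m["path"]}

def find_stores(lines):
    """Group entries found in $<32 hex> recycle-bin folders by folder id."""
    stores = defaultdict(lambda: {"sids": set(), "entries": [], "first_seen": None})
    for line in lines:
        entry = parse_line(line)
        m = STORE_RE.match(entry["path"]) if entry else None
        if m is None:
            continue
        store = stores[m["id"].lower()]
        store["sids"].add(m["sid"])
        store["entries"].append(m["rest"] or "")
        if store["first_seen"] is None or entry["time"] < store["first_seen"]:
            store["first_seen"] = entry["time"]
    return dict(stores)

if __name__ == "__main__":
    for store_id, info in find_stores(SAMPLE.splitlines()).items():
        print(store_id, sorted(info["sids"]), info["first_seen"], len(info["entries"]))
```

The same folder id appearing under both the SYSTEM SID and a user SID, as it does here, means the cleanup has to cover every profile on the drive, not just the logged-on user.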
 

Giving heart

Thank you for helping with this....the good news is that I'm back online in normal mode :))) I am assuming that you want me to post the new log BEFORE I do the RogueKiller? I've posted the log below and will wait for you to tell me that it's okay to proceed with the RogueKiller part.
 

Attachments

  • after custom scan-fixes.txt
    6.8 KB · Views: 131

Giving heart

Here is the information from RogueKiller. I tried to close that program but it says that no items have been removed....I'll keep it up for the next step :)
 

Attachments

  • RKreport[1]_S_03172013_02d2055.txt
    1.5 KB · Views: 139

Fiery

You can press delete in RogueKiller. After it finishes deleting, click Report again to generate another log and post it :)

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSKiller opens, click Change parameters, check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt)
 

Giving heart

Here is what I got from AdwCleaner.....when I closed that program, it said something about my closing it before removing any of the programs, but I clicked out anyway.....
 

Attachments

  • AdwCleaner[R1].txt
    2.3 KB · Views: 116

Giving heart

Here is the TDSSKiller log. Question.....after going through all this, what do I need on my computer? Want to ensure this is avoided again. Also, would the recommendations that you suggest be applicable for Win8 also? I've had a Win8 computer since November and I'm still uncomfortable using it <G>.

Note: When I went to upload this log, I saw 3 .txt notes. They might be duplicates but thought I'd send all of them.
 

Attachments

  • TDSSKiller.2.8.16.0_17.03.2013_21.55.34_log.txt
    4.2 KB · Views: 66
  • TDSSKiller.2.8.16.0_17.03.2013_22.03.33_log.txt
    283.3 KB · Views: 78
  • TDSSKiller.2.8.16.0_17.03.2013_22.09.22_log.txt
    4.2 KB · Views: 78

Fiery

Giving heart said:
Question.....after going through all this, what do I need on my computer? Want to ensure this is avoided again. Also, would the recommendations that you suggest be applicable for Win8 also? I've had a Win8 computer since November and I'm still uncomfortable using it <G>.

Once we finish cleaning up your PC, I will make recommendations to help secure your PC against future malware threats. The recommendations will be applicable to win8 too but let's get rid of the bad guys on your PC first.

Re-run adwCleaner and click delete as none of the things got deleted.

Your PC is heavily infected. Please re-run TDSSKiller with the same settings as above. For:

\Device\Harddisk1\DR1 ( TDSS File System ) - User select action: Skip

Choose delete or quarantine if delete is not available.

Next, please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE (http://www.bleepingcomputer.com/forums/topic114351.html) for help.
  • Double click on ComboFix and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's highly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

Giving heart

I went back to adwCleaner and the text is listed below. I'm apparently having a problem with the TDSSKiller instructions. I went through the process but after the scan, it never rebooted. I then hit scan again, to no avail. I'm attaching all of the reports that got generated.

I'll wait to see if I need to go forward with ComboFix and if I need to reboot on my own.

Note: Unable to add the last report because apparently I've reached a quota here on the boards.
 

Attachments

  • AdwCleaner[R3].txt
    2.5 KB · Views: 118
  • TDSSKiller.2.8.16.0_17.03.2013_23.10.12_log.txt
    4.2 KB · Views: 67
  • TDSSKiller.2.8.16.0_17.03.2013_23.12.41_log.txt
    280.2 KB · Views: 89
  • TDSSKiller.2.8.16.0_17.03.2013_23.26.10_log.txt
    4.2 KB · Views: 121

Fiery

Looking good.

Please download Malwarebytes' Anti-Malware from here to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click decline.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

Giving heart

I had Malwarebytes already on my computer but I removed it and reinstalled to make sure I worked along with what you needed. In the end, there were no threats detected, so there wasn't an opportunity to click on the "show results" area.
 

Attachments

  • Malwarebytes Anti.docx
    11.7 KB · Views: 85

Giving heart

I've run into a problem. When installing Eset Online AntiVirus, it tells me that it's detected 2 antivirus software programs.....Avast and something called VIPRE. I looked under Program files and both are listed, as well as AVG.

But I don't see where any are running - certainly not on the right side of the bottom tray. In fact, the only thing showing there is Windows Security Alerts which indicates that virus protection is off.

I went ahead and ran the scan anyway (I clicked on the one-time scan option). I was so happy to see 0 threats and then towards the end, they popped up. I honestly thought with everything we'd done to this point, most were gone. So I'm attaching this file now. It's 3:40 am....thank you for all you've done and I'll check back later today for the rest.
 

Attachments

  • eset files.txt
    2.1 KB · Views: 182

Fiery

The good news is.. all the files ESET detected were already quarantined by previous tools and they pose no threat to your system. How is your PC running now?

Also, have you ever had AVG, Avast or VIPRE installed on your PC before?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *avg*
    *vipre*
    *avast*

    :folderfind
    *avg*
    *vipre*
    *avast*

    :Regfind
    avg
    avast
    Vipre
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 

Giving heart

I avoided using it since my virus program isn't running yet, but so far so good on what I tried. I've used AVG and Avast....Avast more recently because it wasn't having the conflicts that I had gotten before with AVG. I have no idea what VIPRE is.

Part of the problem is that I've had 4 different computer guys work on my computer and everyone has their own idea of what works. That's why everything is on an E drive too.....the computer crashed big time 3 years ago and they were able to resurrect it by using a different drive. Will provide feedback summaries shortly.
 
