kaspersky rescue not finding threats

[clydewine]

I have the DOJ virus and followed the 3 options. The virus will not let me bootup in any safe mode. I tried the hitmanpro booting from the USB but it would say loading bootcode and stay there. I followed the kaspersky method. Everything was good until I scanned. It immeadiatly said no threats detected.
Thank you

 

[TwinHeadedEagle]

Hi, what is the version of your system, and architecture (32-bit or 64-bit)?

 

[clydewine]

Hi, what is the version of your system, and architecture (32-bit or 64-bit)?

sorry, windows 7 32 bit I think. Although my labtop is 64 bit and that is the only version kaspersky would let me download

 

[TwinHeadedEagle]

Please download Farbar Recovery Scan Tool and save it to a flash drive.

• Plug the flashdrive into the infected PC.
• Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
• Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

• In the command window type in notepad and press Enter.
• When notepad opens, click File and select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

• The tool will start to run. When the tool opens click Yes to disclaimer.
• Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

 

[clydewine]

The virus will not let me use any of the f8 functions. It will shut windows down and reboot normally. However I did get FRST.txt using reatogo.xp following another thread. Here it is
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-12-2013
Ran by SYSTEM on REATOGO on 10-12-2013 10:11:42
Running from C:\
WIN_XP (X86) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
Error: The system was unable to find the specified registry key or value
Attention: System hive is missing.
==================== Registry (Whitelisted) ==================
ATTENTION: Software hive is missing.
ATTENTION: Software hive is not loaded.

========================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 ____D C:\FRST
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 _____ C:\FRST.txt
2013-12-10 09:25 - 2013-12-10 09:22 - 01060641 _____ (Farbar) C:\FRST.exe
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 __SHD C:\FOUND.000
==================== One Month Modified Files and Folders =======
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 ____D C:\FRST
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 _____ C:\FRST.txt
2013-12-10 09:22 - 2013-12-10 09:25 - 01060641 _____ (Farbar) C:\FRST.exe
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 __SHD C:\FOUND.000
==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
==================== Restore Points (XP) =====================

==================== Memory info ===========================
Percentage of memory in use: 7%
Total physical RAM: 3062.39 MB
Available physical RAM: 2845.41 MB
Total Pagefile: 2887.11 MB
Available Pagefile: 2828.17 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.25 MB
==================== Drives ================================
Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.44 GB) FAT32
Drive f: (NIKON D5100) (Removable) (Total:15.02 GB) (Free:6.73 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Drive y: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.44 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 7 GB) (Disk ID: 84C3731B)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)
========================================================
Disk: 3 (Size: 15 GB) (Disk ID: 8DC18DC1)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)
==================== End Of Log ============================

 

[TwinHeadedEagle]

Within REATOGO desktop select command prompt and type in the following command :

chkdsk c: /r

On completion retry a normal boot. If boot fails, go to REAGOTO again and produce fresh FRST report...

 

[clydewine]

The virus will not let me use any of the f8 functions. It will shut windows down and reboot normally. However I did get FRST.txt using reatogo.xp following another thread. Here it is
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-12-2013
Ran by SYSTEM on REATOGO on 10-12-2013 10:11:42
Running from C:\
WIN_XP (X86) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
Error: The system was unable to find the specified registry key or value
Attention: System hive is missing.
==================== Registry (Whitelisted) ==================
ATTENTION: Software hive is missing.
ATTENTION: Software hive is not loaded.

========================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 ____D C:\FRST
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 _____ C:\FRST.txt
2013-12-10 09:25 - 2013-12-10 09:22 - 01060641 _____ (Farbar) C:\FRST.exe
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 __SHD C:\FOUND.000
==================== One Month Modified Files and Folders =======
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 ____D C:\FRST
2013-12-10 10:11 - 2013-12-10 10:11 - 00000000 _____ C:\FRST.txt
2013-12-10 09:22 - 2013-12-10 09:25 - 01060641 _____ (Farbar) C:\FRST.exe
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 __SHD C:\FOUND.000
==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
==================== Restore Points (XP) =====================

==================== Memory info ===========================
Percentage of memory in use: 7%
Total physical RAM: 3062.39 MB
Available physical RAM: 2845.41 MB
Total Pagefile: 2887.11 MB
Available Pagefile: 2828.17 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.25 MB
==================== Drives ================================
Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.44 GB) FAT32
Drive f: (NIKON D5100) (Removable) (Total:15.02 GB) (Free:6.73 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Drive y: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.44 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 7 GB) (Disk ID: 84C3731B)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)
========================================================
Disk: 3 (Size: 15 GB) (Disk ID: 8DC18DC1)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)
==================== End Of Log ============================

Within REATOGO desktop select command prompt and type in the following command :

chkdsk c: /r

On completion retry a normal boot. If boot fails, go to REAGOTO again and produce fresh FRST report...

After posting the frst.txt file to you I saw that my computer was at a system recovery option screen. This screen had a option for the command prompt. THis was the first time since the virus hit. I typed rstrui.exe and choosed to restore windows to an earlier time. It has been running for several hours saying restoring files. I do not know if it is fake or just taking a long time. I still have access to the command prompt. Should I let it continue to run?

 

[TwinHeadedEagle]

Restoring should be your last option, first we should try to remove this virus. This kind of viruses are easy to remove without any harm to system, but if you are currently restoring files let it finish.

If you want for us to try, execute chkdisk and attach FRST report after it.

 

[clydewine]

Restoring should be your last option, first we should try to remove this virus. This kind of viruses are easy to remove without any harm to system, but if you are currently restoring files let it finish.

If you want for us to try, execute chkdisk and attach FRST report after it.

Hi guys,
This thing is still saying it is restoring files. I do not want to do anything else without letting you know. Should I stop it and get you another FRST report? I really appreicate you helping me.

 

[TwinHeadedEagle]

Stop it, no way it is taking so long. Follow my instructions, and please do not attempt anything until we're finished...be patient and we'll fix your issues

 

[clydewine]

Stop it, no way it is taking so long. Follow my instructions, and please do not attempt anything until we're finished...be patient and we'll fix your issues

I stopped it waiting for your instructions

 

[TwinHeadedEagle]

Within REATOGO desktop select command prompt and type in the following command :

chkdsk c: /r

On completion retry a normal boot. If boot fails, go to REAGOTO again and produce fresh FRST report...

 

[clydewine]

Within REATOGO desktop select command prompt and type in the following command :

chkdsk c: /r

On completion retry a normal boot. If boot fails, go to REAGOTO again and produce fresh FRST report...

chkdsk c: /r gives me cannot open volume for direct access

 

[TwinHeadedEagle]

Then make a new FRST report...

 

[clydewine]

Then make a new FRST report...

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-12-2013
Ran by SYSTEM on REATOGO on 11-12-2013 08:46:40
Running from C:\
WIN_XP (X86) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
Error: The system was unable to find the specified registry key or value
Attention: System hive is missing.
==================== Registry (Whitelisted) ==================
ATTENTION: Software hive is missing.
ATTENTION: Software hive is not loaded.

========================== Services (Whitelisted) =================

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-12-11 08:46 - 2013-12-11 08:46 - 00000000 ____D C:\FRST
2013-12-11 08:46 - 2013-12-11 08:46 - 00000000 _____ C:\FRST.txt
2013-12-11 07:15 - 2013-12-10 09:22 - 01060641 _____ (Farbar) C:\FRST.exe
2013-12-10 12:48 - 2013-12-10 10:11 - 00003366 _____ C:\111.txt
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 __SHD C:\FOUND.000
==================== One Month Modified Files and Folders =======
2013-12-11 08:46 - 2013-12-11 08:46 - 00000000 ____D C:\FRST
2013-12-11 08:46 - 2013-12-11 08:46 - 00000000 _____ C:\FRST.txt
2013-12-10 10:11 - 2013-12-10 12:48 - 00003366 _____ C:\111.txt
2013-12-10 09:22 - 2013-12-11 07:15 - 01060641 _____ (Farbar) C:\FRST.exe
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 __SHD C:\FOUND.000
==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
==================== Restore Points (XP) =====================

==================== Memory info ===========================
Percentage of memory in use: 7%
Total physical RAM: 3062.39 MB
Available physical RAM: 2844.23 MB
Total Pagefile: 2887.11 MB
Available Pagefile: 2828.16 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.25 MB
==================== Drives ================================
Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.41 GB) FAT32
Drive f: (NIKON D5100) (Removable) (Total:15.02 GB) (Free:2.62 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
Drive y: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.41 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 7 GB) (Disk ID: 84C3731B)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)
========================================================
Disk: 3 (Size: 15 GB) (Disk ID: 8DC18DC1)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)
==================== End Of Log ============================

 

[TwinHeadedEagle]

For some reason FRST doens't reconize your hard disk with Windows installed? Can you tell me why, is it plugged in?

 

[clydewine]

For some reason FRST doens't reconize your hard disk with Windows installed? Can you tell me why, is it plugged in?

C: is working. I can access it from the kaspersky rescue disk. Can I run FRST from the USB there?

 

[TwinHeadedEagle]

C: you mean system partition? If you can, run FRST...

 

[clydewine]

C: you mean system partition? If you can, run FRST...

would not let me post more than 10000 characters. I'll try to send the file

 

[TwinHeadedEagle]

On your clean PC, download the following file by right-clicking it and select save as

fixlist.txt

and save it onto your flash drive.

Then, boot to REATOGO, plug in your flash drive, open FRST and click fix. Post the generated log.

Attempt to boot normally.