Mandiant virus, can't boot after Kaspersky

[elliemik]

I don't know how to get the requested logs unless I can get them from the Kaspersky environment? If so, please tell me how.

I'm hoping there is a solution that won't wipe out everything on my hard drive. Thank you for any help you can provide.

 

[Fiery]

Hi and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Download Farbar Recovery Scan Tool from the below link:
<ul><li>For 64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a USB/flash drive.</li>

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
<li>Restart the computer.</li>
<li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
<li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account an click <>Next</>.</li>
</ul>

<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type in <>notepad</> and press <>Enter</>.</li>
<li>The notepad opens. Under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst64</> and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close the message.
<li>Type exit</li>
<li>Please copy and paste FRST.txt in your next reply</li></li>
</ol>
</ul>

 

[elliemik]

Thanks for your response. I can't do this--System Recovery Options, Repair Your Computer gives me the Windows Error Recovey screen, with the two options Launch Startup Repair and Start Windows Normally. Clicking on either of those just gives me the same Windows Error Recovery Screen, again and again.

 

[Fiery]

Download Windows 7 Home Premium Iso from:

http://msft.digitalrivercontent.net/win/X17-58997.iso

Note: This is an installation file released by Microsoft, not a cracked, pirated or fully activated version of windows

Then download: http://www.microsoftstore.com/store/msstore/html/pbPage.Help_Win7_usbdvd_dwnTool

NOTE: You can use a DVD or USB to store the .iso file. If you use an USB, the steps below will erase everything on your USB so make sure you don't have any important files on it.

• Install the Windows 7 USB/DVD Download Tool
• Open the program and it will prompt you to select a source file. Select the .iso file you just downloaded.
• Select the correct USB or DVD drive and click Begin Copying.
• Once it saids "USB/DVD device has been created successfully" download:
  • For 64-bit systems, download<a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><> Farbar Recovery Scan Tool x64</></a>
  [*] Download List Parts and save it to the flash drive also.
  [*]Place your USB or DVD that has the .iso file in to your PC [*]Select boot from the drive that has the .iso file. If you don't know how to change the boot order, follow the steps here

You will get to a screen like:

Click next and follow the prompts. When you get to:

Click Repair Your Computer. See if you are able to start Command Prompt from there. If so,
<ul>
<li>In the command prompt, type in <>notepad</> and press <>Enter</>.</li>
<li>In Notpad, under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\frst64</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close out this message,
<li>Type <>exit</> and turn your PC off</li>
<li>Plug the USB onto another PC and copy and paste the FRST.txt in your reply.</li></li>
</ol>
</ul>

 

[elliemik]

I'm downloading the .iso file to a DVD now, but I don't know what you want me to download from the second link (http://www.microsoftstore.com/store/msstore/html/pbPage.Help_Win7_usbdvd_dwnTool)--it sends me to a help page.

 

[elliemik]

I'm also confused by this set of directions:
•Install the Windows 7 USB/DVD Download Tool
----------I assume I'm installing to my noninfected alternate computer, right?

•Open the program and it will prompt you to select a source file. Select the .iso file you just downloaded.
•Select the correct USB or DVD drive and click Begin Copying.
----------Do you mean copy to a second DVD or USB?

•Once it saids "USB/DVD device has been created successfully" download:
◦For 64-bit systems, download Farbar Recovery Scan Tool x64
----------Where am I downloading this to?

Sorry if these are dumb questions, but I am not tech savvy.

 

[Fiery]

Hi,

I'm downloading the .iso file to a DVD now, but I don't know what you want me to download from the second link (http://www.microsoftstore.com/store/msst...nTool)--it sends me to a help page.

Apologies, here is the direct link
http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe

Install the Windows 7 USB/DVD Download Tool
----------I assume I'm installing to my noninfected alternate computer, right?

Correct

•Open the program and it will prompt you to select a source file. Select the .iso file you just downloaded.
•Select the correct USB or DVD drive and click Begin Copying.

You can go about this step in 2 ways.
1) Use a DVD and install the window 7 .iso file onto the DVD. Then Download the Farbar tool onto a USB.
2) Install the window 7 .iso file onto an USB then download the Farbar tool onto the same USB as well. (You will need a USB that is larger than 4GB)

•Once it saids "USB/DVD device has been created successfully" download:
◦For 64-bit systems, download Farbar Recovery Scan Tool x64

Download this onto your non infected PC and transfer it to an USB or the USB that has the window 7 .iso file on it.

 

[elliemik]

OK, I had a few hiccups along the way, but finally got to the command prompt and created the FRST.txt file:



LOG DELETED

 

[Fiery]

Hi,

On your clean PC, download the following file by right-clicking it and select save as

[attachment=5996]

and save it onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Unplug your USB and remove the DVD (if you used it) and try to boot normally. If unsuccessful, delete the Listparts.exe on your USB and download this one: http://www.bleepingcomputer.com/download/listparts/dl/78/

Then go back to the system recovery mode (the mode in which you ran FRST). First, run a new scan with FRST and post that log.

Exit FRST and
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\ListParts64.exe</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Put check mark on List BCD.
<li>Press <>Scan</> button.</li>
<li>It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.
</ol>

 

[elliemik]

Thanks, I downloaded the fixlist.txt to the flash drive, but I don't know what you mean by:

"Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log."

Am I using the DVD I created yesterday that gives me the Windows "repair" option? Then what?

 

[Fiery]

Thanks, I downloaded the fixlist.txt to the flash drive, but I don't know what you mean by:

"Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log."

Am I using the DVD I created yesterday that gives me the Windows "repair" option? Then what?

Yes, boot using the DVD and go into windows repair options. Then plug in your USB with FRST and fixlist.txt. Start FRST like you did last time but click fix

 

[elliemik]

YAY!!!!

It worked! Computer booted up normally. I did not have to use the ListParts64.exe; it worked with the previously downloaded ListParts.exe.

I cannot thank you enough; I especially appreciate your patience with my dumb questions. I am thrilled to have my computer back.

Anything else I need to do to be sure the computer is truly back to normal?

Thank you, thank you, thank you!

 

[Fiery]

That's good news

We are far from done though. Additional scans are required to ensure that your PC is cleaned. I recommend you backup any important files onto your USB just in case.

Download TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
  
• click Start scan .
  
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

 

[elliemik]

Here's the log from the TDSSKiller scan:

DELETED

 

[Fiery]

Please attach your TDSSkiller log as it is too long to fit into 1 reply. Click New Reply and scroll down to the Attachment section.

 

[elliemik]

OK, here are the results.

I'm running the mbar.exe now.

 

[elliemik]

Here are the files from the mbar.exe scans. I have run it three times--after the second time there was still an infected file, so I ran it again. Third one still showed the infected file. So I'm running it yet again.

I've attached only the last of the log files; do you want the first two also?

 

[Fiery]

Looks like the rootkit is still there. No need to post the previous 2 logs.

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

Please download ComboFix from one of these locations:

<a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a>
<a title="External link" href="http://www.infospyware.net/antimalware/combofix/" rel="external"><>Link 2</></a>
<ul>
<li>Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See <a title="External link" href="http://www.bleepingcomputer.com/forums/topic114351.html" rel="external">HERE</a> for help</li>
<li>Double click on Combo-Fix & follow the prompts.</li>
</ul>

When finished, ComboFix will produce a log.

<>Note:</>
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

 

[elliemik]

RogueKiller put two reports on my desktop, both are RKreport[0]. I've attached them both.

 

[elliemik]

Here is the ComboFix log.

Is my computer finally clean, I hope?