Hello,
It is good that you don't connect to the internet as the malware may download more stuff as we remove them.
The FRST log looks way better now. Below I have listed the instructions in the order that I want you to attempt them.
DO NOT attempt another option if the previous one worked successfully (by successfully, I mean the program ran smoothly without being stopped).
Option 1:
On the clean computer, open notepad and copy & paste the following:
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe_.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
2012-12-20 20:31 - 2012-12-20 20:31 - 00160256 ____A (Donkey) C:\Users\Nigel\AppData\Roaming\dsnpb.dll
2012-12-20 20:30 - 2012-12-20 16:59 - 00209920 ____A C:\Users\Nigel\vlbzffwzvifwuduuanrznwauf.exe
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
and save it as fixlist.txt onto your flash drive. Then try booting to system recovery and to command prompt as before or with the CD (follow the FRST instructions I gave you previously). If you are able to start FRST in system recovery, click Fix. Post the generated log. If you can't, try option 2.
===================================
Option 2
On a clean computer, download a new copy of Combofix onto your flash drive but rename it to Nigel.exe. Transfer the copy onto the infected PC's Desktop. Also, download a copy of rKill to your desktop as well and transfer it over to the infected one. (You may want to download all 3 versions in case 1 doesn't work.)
Download and run RKill:
Download mirror 1 -
Download mirror 2 -
Download mirror 3
- Transfer it to your Desktop.
- Double click the RKill desktop icon.
- It will quickly run. If it does not run, try another download link from above.
[Image: RKill command prompt]
- When RKill has completed its task, it will generate a log. You can then proceed with the rest of the guide.
[Image: RKill log]
WARNING: Do not reboot your computer after running RKill as the malware process will start again, preventing you from properly performing the next step.
Before you run Combofix: please let Combofix run for an hour or two at least if it hangs on the "might take ten minutes, but maybe longer" step. This infection is severe, so let it run and be patient.
Open up Notepad and paste the following:
Killall::
Rootkit::
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096
File::
C:\Users\Nigel\AppData\Roaming\sbthn.dll
C:\Users\All Users\0W5T14F23.dat
C:\Users\All Users\D42QGqj2.exe.b
C:\Users\All Users\D42QGqj2.exe_.b
C:\Users\Nigel\vlbzffwzvifwuduuanrznwauf.exe
C:\Users\All Users\0W5T14F23.dat
DirLook::
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
SRPEEK::
C:\Windows\System32\Drivers\volsnap.sys
ClearJavaCache::
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below
===========================
Option 3
Similar to option 1, but NOT in system recovery. Do this in normal mode.
Open notepad and copy & paste the following:
start
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe_.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
2012-12-20 20:31 - 2012-12-20 20:31 - 00160256 ____A (Donkey) C:\Users\Nigel\AppData\Roaming\dsnpb.dll
2012-12-20 20:30 - 2012-12-20 16:59 - 00209920 ____A C:\Users\Nigel\vlbzffwzvifwuduuanrznwauf.exe
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
end
and save it as fixlist.txt onto your flash drive.
Plug it into your infected PC, open FRST and click Fix.
Post the log afterwards.
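The FRST entries pasted into the fixlists above all follow one fixed layout (two timestamps, an 8-digit size, an attribute field, an optional publisher in parentheses, then the path). As an added example that is not part of this post or of FRST itself, the Python below parses such lines and assembles a start/end fixlist, dropping a path that is listed twice (as 0W5T14F23.dat is in the lists above). The post does not say which timestamp is "created" and which "modified", so the parser keeps them as ts1/ts2 rather than guessing; the sample lines are constructed from the entries quoted in Option 3.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One FRST file entry: <ts1> - <ts2> - <8-digit size> <attrs> [(Company)] <path>
# The post does not say which timestamp is created vs modified, so keep ts1/ts2.
FRST_LINE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"   # optional publisher, e.g. "(Donkey)"
    r"(?P<path>\S.*?)\s*$"
)

@dataclass(frozen=True)
class FrstEntry:
    ts1: str
    ts2: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

def parse_frst_line(line: str) -> Optional[FrstEntry]:
    """Parse one entry; return None for anything that is not an FRST file line."""
    m = FRST_LINE.match(line.strip())
    if m is None:
        return None
    return FrstEntry(m["ts1"], m["ts2"], int(m["size"]), m["attrs"], m["company"], m["path"])

def build_fixlist(lines: List[str]) -> str:
    """Keep parseable entries, drop repeated paths, wrap them in start/end."""
    seen, kept = set(), []
    for raw in lines:
        entry = parse_frst_line(raw)
        if entry is None or entry.path.lower() in seen:
            continue
        seen.add(entry.path.lower())
        kept.append(raw.strip())
    return "\n".join(["start", *kept, "end"]) + "\n"

# Constructed sample: four of the entries quoted in Option 3 above (one path repeats).
SAMPLE_LOG = r"""
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe_.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
2012-12-20 20:31 - 2012-12-20 20:31 - 00160256 ____A (Donkey) C:\Users\Nigel\AppData\Roaming\dsnpb.dll
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
""".strip().splitlines()
```

Calling build_fixlist(SAMPLE_LOG) yields a start/end block with three entries, ready to be saved as fixlist.txt.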