TDSSkiller and combofix do not work on my computer, what next?

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
I think I have summarised the issue in the boxes above. I would be very grateful if you can advise me what to do next (apart from throwing the machine out of the window!) I can live with the pop ups, if I have to. But I am much more worried about what the rootkit (presumably) might do in the future.

Many thanks.
 

Attachments

  • ComboFix.txt (16.9 KB)
  • OTL.Txt (113.4 KB)
  • Extras.Txt (56.1 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Hi, welcome to MT!

I'm Fiery and I will assist you with your problem.

Step 1:
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Step 2:

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Hi Fiery

Many thanks for your reply. I have run the two programs and attach the reports.

I could not resist pressing the 'fix' button on Roguekiller, but I am not sure whether it did anything. I note that Monsieur Tigzy has a Youtube video on how to remove the zeroaccess virus. I will try to follow it if I have to, but if there is an easier way, that would be great. I am already operating beyond the limits of my computer knowledge!

Nigel
 

Attachments

  • AdwCleaner[R1].txt (8.3 KB)
  • RKreport[3]_S_12172012_02d1132.txt (3.6 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Yes, open Roguekiller, do a search again and click delete. Post the log after.

Do the same with adwCleaner and press Delete. Post that log as well.

Next, try a TDSS killer scan and post that log.

Then, download Malwarebytes' Anti-Malware (download link) to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period; please select 'Decline'.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) and click on Remove Selected.
  • Reboot your computer if prompted.

Lastly, remove any left over malicious files with HitmanPro
  1. This step can be performed in Normal Mode, so please download the latest official version of HitmanPro from http://www.surfright.nl/en/hitmanpro/ (this link will open a download page in a new window from where you can download HitmanPro).
  2. Double click on the previously downloaded file to start the HitmanPro installation.
     IF you are experiencing problems while trying to start HitmanPro, you can use the "Force Breach" mode. To start this program in Force Breach mode, hold down the left CTRL-key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video: http://www.youtube.com/watch?feature=player_embedded&v=m6eRWTv2STk)
  3. Click on Next to install HitmanPro on your system.
  4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan; select an option, then click on Next to start a system scan.
  5. HitmanPro will start scanning your system for malicious files. Depending on the size of your hard drive and the performance of your computer, this step will take several minutes.
  6. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown. After reviewing each malicious object, click Next.
  7. Click Activate free license to start the free 30 days trial and remove the malicious files.
  8. HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Okay...The roguekiller report is attached (I had to run that from a download on a "clean" computer, burn it to disc, and run from the disc.)

The adwcleaner report is attached. There is an R3 and S1 report so I attach both.

TDSSkiller, renamed as iexplorer.exe, would not run, even from disc.

Malwarebytes ran okay.

Hitmanpro ran okay, and did not detect any problem.

AVG 2013 says that there are still two rootkits there: an IRP hook and a hidden driver.

What now, Please?!

Many thanks.

Nigel
 

Attachments

  • RKreport[6]_D_12182012_02d1213.txt (2.5 KB)
  • AdwCleaner[R3].txt (8.4 KB)
  • AdwCleaner[S1].txt (8.1 KB)

Fiery

Level 1
Jan 11, 2011
2,007
That is odd, when you ran Roguekiller again, it did not detect the Zeroaccess rootkit. What happened to the original Roguekiller copy on your infected computer?
 

Fiery

Level 1
Jan 11, 2011
2,007
Can you run the original Roguekiller.exe (NOT the one from your CD) on your infected computer again, do a scan and under the Files tab, can you confirm if there is the following entry? If so, click delete

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096\L --> FOUND
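The four RogueKiller entries above share one layout: a per-user folder under $recycle.bin, a subfolder named "$" followed by 32 hex characters, and U and L subfolders inside it. The following read-only check is an added example, not code from the thread or from RogueKiller; it walks a drive root for that layout and reports matches without deleting anything. The 32-hex folder-name pattern is generalised from the single folder name in the report, and the sample tree it builds is constructed.

```python
"""Look for the ZeroAccess folder layout that RogueKiller reported in this thread.

Added example, not code from the thread or from RogueKiller. Assumed layout,
generalised from the single folder name in the report:
<root>\\$Recycle.Bin\\<SID>\\$<32 hex chars>\\U and ...\\L. Read-only: it deletes nothing.
"""
import os
import re
import tempfile

SID_RE = re.compile(r"^S-1-5-\d+(-\d+)*$")          # per-user recycle-bin folders
ZA_DIR_RE = re.compile(r"^\$[0-9a-fA-F]{32}$")      # "$" + 32 hex chars, as in the report
MARKER_SUBDIRS = ("U", "L")                          # subfolders RogueKiller listed


def find_zeroaccess_dirs(root):
    """Return [(path, markers)] for every $<32hex> folder under root/$Recycle.Bin/<SID>
    that contains at least one of the U/L subfolders; markers is the tuple found."""
    findings = []
    bin_dir = os.path.join(root, "$Recycle.Bin")
    if not os.path.isdir(bin_dir):
        return findings
    for sid in sorted(os.listdir(bin_dir)):
        sid_path = os.path.join(bin_dir, sid)
        if not SID_RE.match(sid) or not os.path.isdir(sid_path):
            continue
        for name in sorted(os.listdir(sid_path)):
            cand = os.path.join(sid_path, name)
            if not ZA_DIR_RE.match(name) or not os.path.isdir(cand):
                continue
            present = tuple(m for m in MARKER_SUBDIRS
                            if os.path.isdir(os.path.join(cand, m)))
            if present:
                findings.append((cand, present))
    return findings


def build_sample_tree(base):
    """Constructed sample tree: the two SIDs and folder name from the report, plus a
    normal recycled-file entry and an unrelated folder that must not match."""
    za = "$6eafbdfb16247891b48cd81310fa2096"
    for sid in ("S-1-5-18", "S-1-5-21-2237648750-519446113-968589488-1001"):
        for sub in MARKER_SUBDIRS:
            os.makedirs(os.path.join(base, "$Recycle.Bin", sid, za, sub))
    system_bin = os.path.join(base, "$Recycle.Bin", "S-1-5-18")
    with open(os.path.join(system_bin, "$IABC123.txt"), "w") as fh:
        fh.write("constructed recycle-bin metadata\n")
    os.makedirs(os.path.join(system_bin, "$R12345678"))
    return base


def scan_sample():
    """Build the sample tree in a temp dir and return findings as (relative path, markers)
    with forward slashes, so the result is the same on any OS."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), m)
                for p, m in find_zeroaccess_dirs(tmp)]


if __name__ == "__main__":
    for path, markers in scan_sample():
        print("ZeroAccess-style folder:", path, "with subfolders", markers)
```

On a real Windows volume, run find_zeroaccess_dirs against the drive root from an elevated prompt, since $Recycle.Bin subfolders are not readable by standard users.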
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Good morning!

The roguekiller copy on my infected machine has never worked properly. I have tried again a few times.....it starts okay but then becomes unresponsive. The window freezes up, or turns black. I have let it run for a while, but no report appeared. I downloaded it again onto the infected machine but with the same results when I tried to run it.

I ran my disc copy again with no problem. There was nothing listed under files, but a large warning triangle was flashing ROOT.MBR. Selecting the MBR button produced this information. The program offered an MBR FIX prompt, but nothing happened after selecting it.

-- LL1 ---
[MBR] 3dde04b16800a1ee74639bee1bbc152e
[BSP] bf6026b50f8ed3e9396c5e581582cd0b : Windows Vista MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625140400 | Size: 0 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 3dde04b16800a1ee74639bee1bbc152e
[BSP] bf6026b50f8ed3e9396c5e581582cd0b : Windows Vista MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625140400 | Size: 0 Mo

I attach the log report from the latest scan.

I am still getting "recycle bin" corrupted messages. And still getting uncommanded web pages in Internet explorer.

What do you think?!
 

Attachments

  • RKreport[7]_S_12192012_02d0907.txt (2.5 KB)
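The LL1/LL2 block Nigel pasted is RogueKiller's MBR report: two low-level reads of the MBR, each with the MBR and boot-sector hashes and the partition table, plus the "User != LL2 ... KO!" line the tool prints when its user-level read of the MBR does not match its low-level read. The following parser is an added example, not from the thread or from RogueKiller; it pulls those fields out of the pasted text and flags what the flashing ROOT.MBR warning points at: the read mismatch and a partition marked ACTIVE yet hidden with zero size. The line format comes from the report above; the anomaly rules are this example's own.

```python
"""Parse a RogueKiller MBR report and flag partition-table anomalies.
Added example, not code from this thread or from RogueKiller; the line format
comes from the report pasted above and the anomaly rules are this example's own."""
import re

# Constructed sample: the LL1/LL2 block exactly as pasted in the thread.
SAMPLE_REPORT = """\
-- LL1 ---
[MBR] 3dde04b16800a1ee74639bee1bbc152e
[BSP] bf6026b50f8ed3e9396c5e581582cd0b : Windows Vista MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625140400 | Size: 0 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 3dde04b16800a1ee74639bee1bbc152e
[BSP] bf6026b50f8ed3e9396c5e581582cd0b : Windows Vista MBR Code [possible maxSST in 3!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625140400 | Size: 0 Mo
"""

SECTION_RE = re.compile(r"^-+ (LL\d) -+$")
HASH_RE = re.compile(r"^\[(MBR|BSP)\] ([0-9a-f]{32})")
PART_RE = re.compile(
    r"^(\d+) - \[(\w+)\] (\S+) \(0x([0-9a-f]{2})\) \[(VISIBLE|HIDDEN!)\] "
    r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$"
)


def parse_report(text):
    """Return {"LL1": {...}, "LL2": {...}}: hashes, partition rows, mismatch flag."""
    sections, cur = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            cur = sections[m.group(1)] = {"hashes": {}, "partitions": [], "mismatch": False}
            continue
        if cur is None:
            continue
        m = HASH_RE.match(line)
        if m:
            cur["hashes"][m.group(1)] = m.group(2)
            continue
        m = PART_RE.match(line)
        if m:
            cur["partitions"].append({
                "index": int(m.group(1)), "flag": m.group(2), "fs": m.group(3),
                "type": int(m.group(4), 16), "hidden": m.group(5) == "HIDDEN!",
                "offset": int(m.group(6)), "size_mb": int(m.group(7)),
            })
            continue
        if line.strip().endswith("KO!"):
            # RogueKiller prints this when one of its reads of the MBR disagrees with another.
            cur["mismatch"] = True
    return sections


def find_anomalies(sections):
    """Return findings: read mismatches, MBR hash drift between the low-level
    reads, and partitions that are ACTIVE yet hidden or have zero size."""
    findings = []
    for name, sec in sections.items():
        if sec["mismatch"]:
            findings.append(f"{name}: user-level MBR read differs from the low-level read")
        for p in sec["partitions"]:
            if p["flag"] == "ACTIVE" and p["hidden"]:
                findings.append(f"{name}: partition {p['index']} is ACTIVE but hidden (type 0x{p['type']:02x})")
            if p["size_mb"] == 0:
                findings.append(f"{name}: partition {p['index']} has zero size at sector {p['offset']}")
    if len({sec["hashes"].get("MBR") for sec in sections.values()}) > 1:
        findings.append("MBR hash differs between the low-level reads")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_report(SAMPLE_REPORT)):
        print(finding)
```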

Fiery

Level 1
Jan 11, 2011
2,007
Ok, let's try this. Delete the old copy of combofix and download a new copy to your desktop. Do NOT run it yet.


Open up Notepad and paste the following:

Killall::

Rootkit::
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096\
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096\
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096\
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096\

File:: 
C:\Users\Nigel\AppData\Roaming\sbthn.dll

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below


Then,

Download Farbar Recovery Scan Tool from the below link:
  • For x32 (x86) bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.
  • Plug the flashdrive into the infected PC.
  • Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
      • Insert the installation disc.
      • Restart your computer.
      • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
      • Click Repair your computer.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    1. Select Command Prompt
    2. In the command window type in notepad and press Enter.
    3. The notepad opens. Under File menu select Open.
    4. Select "Computer" and find your flash drive letter and close the notepad.
    5. In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
       Note: Replace letter e with the drive letter of your flash drive.
    6. The tool will start to run.
    7. When the tool opens click Yes to disclaimer.
    8. Press Scan button.
    9. FRST will let you know when the scan is complete and has written the FRST.txt to file. Close out this message, then type the following into the search box: services.exe
    10. Now press the Search button
    11. When the search is complete, search.txt will also be written to your USB
    12. Type exit and reboot the computer normally
    13. Please copy and paste both logs in your reply (FRST.txt and Search.txt).
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
I dragged CFscript over combofix, and it started running. I then got five warnings that iexplore.exe had stopped working. A short time later, a blue box appears with "administrator" at the top. After a couple of steps, it says scanning for infected files. Then words to the effect that this might take ten minutes, but maybe longer. It never gets beyond that step.

Do you want me to do the second operation anyway?

Sorry I am taking so much of your time. :-(

Nigel
 

Fiery

Level 1
Jan 11, 2011
2,007
Yes, the second option will likely work.

Don't worry. The malware removal is not instant. Especially for rootkits, they may take a while to delete them since the infection is deep in the system; thus, making them hard to remove.
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
"Hard to remove"? Yes, I'll buy that!

Okay, I select 'Repair your computer'. It does not offer me keyboard language or ask me what I want to repair. It goes straight to a screen which says 'other user'. There is NO other user on my computer. I type in 'Nigel' and my standard password. It says 'The specified domain either does not exist or could not be contacted".

I then tried booting from the original Vista disc. All went well until it said 'set up is starting windows'. It then went to a blue stop screen, saying that the computer was being shutdown to protect it. It suggested that I check for viruses. Doh! The stop code was 0X0000007B.

Back to you again, please.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hello,

A few things I want to ask you.

That's odd, you can't access your account in system recovery? Did you see the following prompts when you tried to access system recovery with a CD?

(three screenshots of the Windows Vista Startup Repair screens)


Also, after you click Repair your computer and select the operating system, are there other user accounts that you can access? There may be an account called Administrator. Try all the user accounts that it gives you.

Also, when you booted with the Vista CD, did you change the BIOS to boot from the CD ROM? If not, please try again but this time, change the BIOS to boot from CD ROM rather than the default. Here is a link with instructions on how to change the boot order. http://helpdeskgeek.com/how-to/change-boot-order-xp-vista/

If you are still uncertain on how to change the BIOS setting, let me know what is your PC's manufacturer.

Lastly, have you tried booting into safe mode or safe mode with networking? Instructions to boot into Safe Mode

If safe mode works and windows loads, plug in your flash drive and run FRST and do a scan with it, if possible.


If nothing works, we can try one more solution by making a bootable CD.

Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Download List Parts and save it to the flash drive also.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
    It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Okay, I wish to plead incompetence from yesterday. It would have helped if I had loaded a Vista disc, rather than the XP disc I found at first.

It took me most of the day to find the Vista disc, but finally I located it.

I am attaching FRST.txt and Search txt. I hope it means something to you.

Nigel
 

Attachments

  • FRST.txt (5.6 KB)
  • Search.txt (594 bytes)

Fiery

Level 1
Jan 11, 2011
2,007
Hi there,

The FRST log looks very unusual as it should have way more entries than that. Can you boot normally (you'll have to switch the BIOS to boot from the hard-drive instead of the CD), plug in your USB and run a FRST scan?

If normal mode doesn't boot, try safe mode http://windows.microsoft.com/en-CA/windows-vista/Start-your-computer-in-safe-mode

Also what is your PC manufacturer and/or hard-drive manufacturer?

Thanks
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Hi Again

The computer booted normally, and the Farbar recovery scan tool ran fine, as far as I know.

I attach the file report. I also typed in services.exe and ran a search. That report is attached.

I have not connected the computer to the internet for a couple of days. Might this affect the results? It seems to run fine without interference from outside! (I file these reports from my laptop.)

The computer is a Dell XPS One.

Thanks again.

Nigel
 

Attachments

  • FRST.txt (28.1 KB)
  • Search.txt (1.2 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Hello,

It is good that you don't connect to the internet as the malware may download more stuff as we remove them.

The FRST log looks way better now. Below I have listed the instructions in the order that I want you to attempt them. DO NOT attempt another option if the previous one worked successfully (by successfully, I mean the program ran smoothly without being stopped).


Option 1:
On the clean computer, open notepad and copy & paste the following:
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe_.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
2012-12-20 20:31 - 2012-12-20 20:31 - 00160256 ____A (Donkey) C:\Users\Nigel\AppData\Roaming\dsnpb.dll
2012-12-20 20:30 - 2012-12-20 16:59 - 00209920 ____A C:\Users\Nigel\vlbzffwzvifwuduuanrznwauf.exe
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat

and save it as fixlist.txt onto your flash drive. Then try booting to system recovery and to command prompt as before or with the CD (follow the FRST instructions I gave you previously). If you are able to start FRST in system recovery, click Fix. Post the generated log. If you can't, try option 2.

===================================
Option 2
On a clean computer, download a new copy of Combofix onto your flash drive but rename it to Nigel.exe. Transfer the copy onto the infected PC's Desktop. Also, download a copy of rKill to your desktop as well and transfer it over to the infected one. (You may want to download all 3 versions in case 1 doesn't work).

Download and run RKill
Download mirror 1 - Download mirror 2 - Download mirror 3

  • Transfer it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run. If it does not run, try another download link from above.
  • When Rkill has completed its task, it will generate a log. You can then proceed with the rest of the guide.

WARNING: Do not reboot your computer after running RKill as the malware process will start again, preventing you from properly performing the next step.

Before you run combofix: Please let combofix run for an hour or two at least if it hangs on the "might take ten minutes, but maybe longer" step. This infection is severe so let it run and be patient.

Open up Notepad and paste the following:

Killall::

Rootkit::
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096

File::
C:\Users\Nigel\AppData\Roaming\sbthn.dll
C:\Users\All Users\0W5T14F23.dat
C:\Users\All Users\D42QGqj2.exe.b
C:\Users\All Users\D42QGqj2.exe_.b
C:\Users\Nigel\vlbzffwzvifwuduuanrznwauf.exe
C:\Users\All Users\0W5T14F23.dat

DirLook::
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

SRPEEK::
C:\Windows\System32\Drivers\volsnap.sys

ClearJavaCache::

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

===========================
Option 3
Similar to option 1, but NOT in system recovery. Do this in normal mode.

Open notepad and copy & paste the following:
start
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe_.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000001 ____A C:\Users\All Users\D42QGqj2.exe.b
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
2012-12-20 20:31 - 2012-12-20 20:31 - 00160256 ____A (Donkey) C:\Users\Nigel\AppData\Roaming\dsnpb.dll
2012-12-20 20:30 - 2012-12-20 16:59 - 00209920 ____A C:\Users\Nigel\vlbzffwzvifwuduuanrznwauf.exe
2012-12-14 17:02 - 2012-12-14 17:02 - 00000000 ____A C:\Users\All Users\0W5T14F23.dat
end

and save it as fixlist.txt onto your flash drive.

Plug it into your infected PC, open FRST and click Fix.

Post the log afterwards.
 

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Option One worked, although I had to boot from disc.

I attach the new log, as requested.

(I discovered why the very first log was so short. The system changes the drive letter in recovery, and the first log was only looking at the recovery drive, not the main drive. Why did it do that??!!)

I have rebooted the computer normally, but still not connected it to the internet. It still says that my recycle bin is corrupted. I cannot run AVG 2013 to see what it says because it wants money from me. I'll do that, if it is worthwhile, but remove the program if it isn't.

Best regards

Nigel
 

Attachments

  • Fixlog.txt (564 bytes)

Fiery

Level 1
Jan 11, 2011
2,007
Ok good, now let's see if we can run combofix now. FRST was scanning the recovery environment which it shouldn't. Also I notice that OTL says your main drive is the C drive but then FRST says D is your main drive, which is weird. But anyways, let's try to remove the remaining malware.

Please follow the instructions above to download rkill. Run it then try combofix.

Let combofix run for an hour or two at least if it hangs on the "might take ten minutes, but maybe longer" step. This infection is severe so let it run and be patient.

Open up Notepad and paste the following:

Killall::

Rootkit::
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096

File::
C:\Users\All Users\0W5T14F23.dat

DirLook::
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

SRPEEK::
C:\Windows\System32\Drivers\volsnap.sys

ClearJavaCache::

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below
 

Fiery

Level 1
Jan 11, 2011
2,007
After a few hours if Combofix hangs, then do the following:

Delete the fixlist.txt on your flash drive, and let's make a new one with the following code:

start
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-18\$6eafbdfb16247891b48cd81310fa2096
C:\$recycle.bin\S-1-5-21-2237648750-519446113-968589488-1001\$6eafbdfb16247891b48cd81310fa2096
end

save it as fixlist.txt again and boot to system recovery again. Open FRST and click fix and post the log again.
 
