TDSSkiller and combofix do not work on my computer, what next?

Nigel

New Member
Thread author
Verified
Dec 15, 2012
27
Hello. Welcome to the Christmas Eve edition of this saga!

I booted the computer normally and Rkill worked fine. I attach the log.

I started Combofix, renamed as nigel.exe. It gave me its usual six warnings that iexplore.exe is not working.

It then started to look encouraging. It started a list of phases which it said were complete. Somewhere in the thirties, it said that PEV.exe had stopped working.

When it was up around 50, I went out of the room for a few moments. When I got back, it had rebooted and was asking for my password, which I inserted. There was then a short duration window to say that I should not run any other program until combofix was finished. It then crashed to a blue screen.

I had run out of time, but today tried to run combofix again. It only got as far as the "this may take 10 minutes, or maybe longer" message. After two and a half hours, it had not got any further. The mouse indicator was also frozen.

I then moved to your last suggestion to run FRST again, and I attach that log.

Phew. I am now away for Christmas day, but can resume this adventure on 26 Dec.

Festive Greetings.

Nigel
 

Attachments

  • Rkill.txt
    3.3 KB · Views: 118
  • Fixlog.txt
    592 bytes · Views: 104

Fiery

Level 1
Jan 11, 2011
2,007
Greetings,

Ok, can you do another FRST log for me in system recovery (without booting from the CD if possible) when you get back?

Happy holidays and enjoy!
Fiery
 

Nigel

Good morning. Welcome to the next episode!

I tried booting from disc via "repair your computer". As before, it goes straight to a screen which says 'other user'. There is NO other user on my computer. I type in 'Nigel' and my standard password. It says 'The specified domain either does not exist or could not be contacted'.

I then rebooted from the Vista CD, and downloaded a fresh copy of FRST onto my flash drive via my 'clean computer'. The FRST and search scans are attached.

Thank you.

Nigel
 

Attachments

  • FRST.txt
    37.1 KB · Views: 122
  • Search.txt
    1.2 KB · Views: 109

Fiery

Hi Nigel,

Please save and backup all your important documents, files, and/or pictures onto a USB or an external hard-drive. The fixes we will perform next will be risky, so I don't want you to lose your important files. Please let me know when you have backed up all your files and we will continue.
 

Fiery

Ok.

Please download ListParts from here onto your flash drive.

You can delete all the FRST logs. Don't delete FRST.

Open notepad and copy & paste the following:

    Disk=0 Partition=2 active
    Disk=0 Partition=4 type=07

Click Format and select Word Wrap. Then save it to your flash drive as Fix.txt.

Reboot your infected PC into system recovery again using your window CD (same instructions as before with FRST). However this time at the command prompt:

Type e:/listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)

ListParts will start to run.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt
  • When finished please press the Scan button.
  • A log Result.txt will be saved to the flash drive.

post the Result.txt file after it's done.
 

Fiery

Download a new copy of TDSSkiller and see if you can run it in normal or safe mode. When TDSSkiller opens, click Change parameters, then check the box next to Loaded modules. A reboot will be required.

After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.

clip.jpg


and click Start scan.

If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after.

Then download a new copy of Combofix.

Open up Notepad and paste the following:

Killall::

File::
C:\Users\Nigel\AppData\Roaming\sbthn.dll

DirLook::
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

SRPEEK::
C:\Windows\System32\Drivers\volsnap.sys

ClearJavaCache::

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
CFScript.gif

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below
 

Nigel

When I try to boot from the hard drive, I am getting "BOOT MGR is missing. Press Control Alt Delete". It then cycles back to the same message.

If I boot from the disc, I get the "Windows Vista Install Now" page, and the "repair my computer" prompt as the other option, which we have been using so far.

If I select Repair my computer, I get a page which is headed "System Recovery Options" and underneath says "Windows found problems with your computer's start up options. Do you want to apply repairs and restart your computer". Should I select that or do something else?
 

Nigel

Phew. It looks like we are getting there!

TDSSkiller worked for the very first time, without renaming. "No threat found".

Combofix ran, without renaming. The usual six warnings about iexplore.exe not working appeared. But this time the scan finished. The log is attached as combofix.txt.

What now?

Many thanks.
 

Nigel

Oooops. Sorry, I should have checked that it actually went!
 

Attachments

  • combofix.txt
    13.3 KB · Views: 122

Fiery

No worries :)

Before we continue, I would like you to remove one of the two antiviruses you have installed. It is NOT safe to have more than one anti-virus installed. Having multiple antiviruses will cause system conflicts, errors, destabilization and lower system security. Please uninstall either McAfee Anti-Virus and Anti-Spyware or AVG Internet Security 2013.

Uninstall one of them, then go to the link associated with the product you uninstalled below:

McAfee
AVG

Download the .exe file and run it. If you uninstall AVG, make sure you download the AVG Remover(32bit) 2013.

ONLY move on to the next step once you have removed AVG or McAfee.

-------------------------------
Next, delete all the CFscripts on your desktop and make a new one.

Open notepad and copy & paste the following:
Killall::

Driver::
91261369
34371453

File::
C:\Users\Nigel\AppData\Roaming\sbthn.dll

DirLook::
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

SRPEEK::
C:\Windows\System32\Drivers\volsnap.sys

ClearJavaCache::

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
CFScript.gif

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

----
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click Decline.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
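The CFScript above is a plain text file made of `Name::` header lines, each followed by the entries that directive acts on. As an added example that is not ComboFix's own code, here is a small Python parser that splits such a script into its sections and checks that the path-taking directives only carry absolute Windows paths; the directive names and the embedded sample are taken from the scripts in this thread, while the rule that a header opens a section running to the next header is my assumption about the format.

```python
# Added example, not ComboFix's own code: directive names and the sample are
# copied from the thread; the "Name:: header opens a section" rule is assumed.
import re

# Directives that appear in the scripts posted in this thread.
KNOWN_DIRECTIVES = {"Killall", "Driver", "File", "DirLook", "SRPEEK", "ClearJavaCache"}
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed copy of the second script Fiery posted (DirLook:: lines omitted for space).
SAMPLE_SCRIPT = """\
Killall::

Driver::
91261369
34371453

File::
C:\\Users\\Nigel\\AppData\\Roaming\\sbthn.dll

SRPEEK::
C:\\Windows\\System32\\Drivers\\volsnap.sys

ClearJavaCache::
"""

def parse_cfscript(text):
    """Return {directive: [entries]} in script order; raise on malformed input."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN_DIRECTIVES:
                raise ValueError(f"line {lineno}: unknown directive {current!r}")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any directive")
        sections[current].append(line)
    return sections

def path_entries_ok(sections):
    """File::, DirLook:: and SRPEEK:: entries must be absolute Windows paths."""
    return all(WIN_PATH_RE.match(e) for n in ("File", "DirLook", "SRPEEK")
               for e in sections.get(n, []))
```

Running `parse_cfscript(SAMPLE_SCRIPT)` gives five sections in script order, with `Killall::` and `ClearJavaCache::` carrying no entries, which is the shape a reviewer would expect before dropping the file onto ComboFix.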

Nigel

I uninstalled AVG 2013, and then ran Combofix. That worked all the way through to the prompt that no programs should be run until the log had been produced. The screen and mouse then froze, and remained that way until I shut the computer down.

I used the version of combofix downloaded yesterday. Should it have been a fresh version?

I also have Malwarebytes on my desktop. Should I use that when it comes to it? It will also mean reconnecting the infected computer to the internet, I guess. Is that okay? For the past few days, I have been downloading stuff onto my laptop and flash drive. I have then run desktop programs from the flash drive.

Request instructions!
 

Fiery

Yes, delete the old version of combofix and download a new version. Then follow the script instructions above. You can also try combofix in safe mode as well.

You can connect to the internet to update malwarebytes. Afterwards, disconnect it and let malwarebytes run.
 

Nigel

The computer was started normally, and a new copy of Combofix, with CFscript superimposed, was started. Quite soon, that crashed to a blue screen.

The computer was restarted in Safe Mode, and another freshly brewed Combofix, with CFscript, was started. That ran all the way through to "preparing log report. Do not start any programs until Combofix has finished." It never did finish.

The computer was started again, this time normally, and the copy of malwarebytes on the infected computer was updated online. When completed, the computer was again disconnected from the internet.

It ran normally, and reported that it could not find any issue. After clicking "OK", "show results" was not an option. However, a notepad report appeared and that is attached.

The system still says that the Recycle bin is corrupted, but it is possible to delete files if the option to empty the recycle bin is accepted.

I am seriously considering switching ALL my devices to Apple!!
 

Attachments

  • mbam-log-2012-12-27 (19-34-32).txt
    1.8 KB · Views: 101

Fiery

Hi Nigel,

Please follow the steps here and see if that fixes your problem.

http://www.vistax64.com/tutorials/131294-recycle-bin-corrupted-cannot-delete-file-folder.html

Also, if combofix ran but didn't finish preparing its log, check your c:\. It may have an incomplete one but it is better than nothing.
 

Nigel

Hi Fiery

I had a look at the recycle bin restoration advice. It was foundering a bit on a simple point. The \ on my other keyboard was not working in that mode. I am not sure what else to press!

There was no combofix report when I looked, but then just randomly, I ran it again just now, and it DID produce a report this time. The only difference was that the computer was connected to the internet.

I'll try the recycle bin repair again tomorrow when I have time.

Cheers

Nigel
 

Attachments

  • combofix.txt
    11.6 KB · Views: 116

Fiery

Ok, let me know.

If the "\" key isn't working, try method two on that site. (To get to Folder Options, go to Start > Computer > Organize.)

Go to www.virustotal.com, upload c:\windows\system32\drivers\volsnap.sys and click Scan It.

Copy the URL or link and paste it in your next reply.

Then,
Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
 
