
Infection: "system-check.com" [Solved]


133 replies to this topic

#16 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 31 December 2011 - 09:56 AM

That file in Qoobox is just a backup of what ComboFix removed, but let's get rid of it.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


File::
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe.vir

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.





Drag TDSSKiller to the trash, including what you extracted, and redownload it, but run this program first; after running RKill, try TDSSKiller again.


  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.


1. rkill.exe
2. rkill.com
3. rkill.scr
4. WiNlOgOn.exe
5. uSeRiNiT.exe

Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN; do not close the message.

Run rkill repeatedly until it's able to do its job. This may take a few tries.

You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.



If TDSSKiller still won't run, then try running it in Safe Mode.


To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode with Networking
  • Then press the Enter key on your keyboard
Tutorial if you need it: How to boot into Safe Mode

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.



#17 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 31 December 2011 - 10:14 PM

I managed to get rid of that Qoobox backup via combofix, and I ran rkill. I still had total failure with that TDSSKiller after removing it and reloading it, twice, and even in safe mode with networking and then without networking. When I double click on the icon after extracting, I just get the fast hourglass blink, then nothing.

And now it gets worse. After things seemed to be getting more manageable, the virus is much more severe. I can't access anything now; IE is totally hijacked. I'm actually posting from a different machine... help! I have no idea how to get control of anything now... :(

#18 ken545


Posted 01 January 2012 - 05:05 AM

OK, just hang on a bit. I am looking at the questionable entry and want to make sure it can be removed safely.

 
 

#19 ken545


Posted 01 January 2012 - 07:52 AM

See if you can run this program

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and that no other actions, such as a scheduled antivirus scan, will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your post.

 
 

#20 Dean N


Posted 01 January 2012 - 10:35 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-01 11:32:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DEANNI~1\LOCALS~1\Temp\pxtdapow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dplaysvr C:\Documents and Settings\Dean Nicholson\Application Data\dplaysvr.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@dplaysvr C:\Documents and Settings\Dean Nicholson\Application Data\dplaysvr.exe
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Dean Nicholson\Application Data\dplaysvr.exe dplaysvr

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Dean Nicholson\Application Data\dplaysvr.exe 71168 bytes executable
File C:\Documents and Settings\Dean Nicholson\Application Data\dplayx.dll 31232 bytes executable
File C:\WINDOWS\system32\dllcache\dplaysvr.exe 29696 bytes executable
File C:\WINDOWS\system32\dllcache\dplayx.dll 229888 bytes executable
File C:\WINDOWS\system32\dplaysvr.exe 29696 bytes executable
File C:\WINDOWS\system32\dplayx.dll 229888 bytes executable

---- EOF - GMER 1.0.15 ----
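A small triage script for reports in the GMER format posted above, added here as an example; it is not part of ken545's instructions or of GMER itself. It parses the 'Reg <key>@<value> <data>' and 'File <path> <size> bytes <kind>' lines and flags, for manual review only, autostart targets and executables sitting in user-writable profile directories. SAMPLE_LOG is constructed, and the directory heuristic and function names are this example's own.

```python
"""Triage a GMER report: flag autostart entries and executables that live in
user-writable profile directories, for manual review.

Added example, not part of ken545's instructions or of GMER itself. SAMPLE_LOG
is constructed in the GMER line format; the heuristic is this example's own.
"""
import re

AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")
REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<name>\S+)\s*(?P<data>.*)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes (?P<kind>\w+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|com|bat)', re.IGNORECASE)

SAMPLE_LOG = r"""---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@sample1 C:\Documents and Settings\User\Application Data\sample1.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon C:\WINDOWS\system32\ctfmon.exe

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\User\Application Data\sample1.exe 71168 bytes executable
File C:\WINDOWS\system32\dplaysvr.exe 29696 bytes executable

---- EOF - GMER 1.0.15 ----
"""


def in_user_writable_dir(path: str) -> bool:
    """True when the path sits under a profile/temp directory a normal user can write to."""
    return any(d in path.lower() for d in SUSPECT_DIRS)


def triage_gmer_log(text: str) -> list:
    """Return findings worth a second look; everything else is left for the helper to judge."""
    findings = []
    for line in text.splitlines():
        reg = REG_RE.match(line)
        if reg:
            # Only Run/RunOnce autostarts are examined. Value names containing spaces
            # (e.g. MUICache paths) are split incorrectly by REG_RE and simply not flagged.
            if not reg["key"].lower().endswith(AUTOSTART_KEYS):
                continue
            target = PATH_RE.search(reg["data"])
            if target and in_user_writable_dir(target.group(0)):
                findings.append({"section": "Registry", "key": reg["key"], "value": reg["name"],
                                 "path": target.group(0),
                                 "reason": "autostart target in user-writable directory"})
            continue
        f = FILE_RE.match(line)
        if f and f["kind"] == "executable" and in_user_writable_dir(f["path"]):
            findings.append({"section": "Files", "path": f["path"], "size": int(f["size"]),
                             "reason": "executable in user-writable directory"})
    return findings


if __name__ == "__main__":
    for finding in triage_gmer_log(SAMPLE_LOG):
        print(finding)
```

Everything flagged still needs a human verdict; a legitimately installed program can live in Application Data too.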

#21 ken545


Posted 01 January 2012 - 10:41 AM

Dean,

Looks OK. Drag aswMBR to the trash along with any previous aswMBR text files, then redownload it and run it again, please.


Download aswMBR.exe (511KB) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

 
 

#22 Dean N


Posted 01 January 2012 - 11:50 AM

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-29 19:00:31
-----------------------------
19:00:31.628 OS Version: Windows 5.1.2600 Service Pack 3
19:00:31.628 Number of processors: 2 586 0xF06
19:00:31.628 ComputerName: D2 UserName:
19:00:34.737 Initialze error 0 - driver not loaded
19:01:15.253 AVAST engine defs: 11122901
19:02:58.893 Service scanning
19:02:59.987 Modules scanning
19:02:59.987 Disk 0 trace - called modules:
19:02:59.987
19:03:00.831 AVAST engine scan C:\WINDOWS
19:03:02.831 AVAST engine scan C:\WINDOWS\system32
19:04:44.456 AVAST engine scan C:\WINDOWS\system32\drivers
19:04:52.393 AVAST engine scan C:\Documents and Settings\Dean Nicholson
19:07:21.862 AVAST engine scan C:\Documents and Settings\All Users
19:07:22.159 File: C:\Documents and Settings\All Users\Application Data\gCewtKdyITBp.exe **INFECTED** Win32:FakeAlert-BTP [Trj]
19:07:22.237 File: C:\Documents and Settings\All Users\Application Data\GZzviPbdBiShIt.exe **INFECTED** Win32:FakeAlert-BTP [Trj]
19:07:23.925 Scan finished successfully
19:31:16.675 The log file has been saved successfully to "C:\Documents and Settings\Dean Nicholson\My Documents\aswMBR.txt"

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-30 19:27:56
-----------------------------
19:27:56.984 OS Version: Windows 5.1.2600 Service Pack 3
19:27:56.984 Number of processors: 2 586 0xF06
19:27:56.984 ComputerName: D2 UserName:
19:27:57.671 Initialze error 0 - driver not loaded
19:31:06.718 AVAST engine defs: 11123001
19:34:32.125 Service scanning
19:34:33.156 Modules scanning
19:34:33.156 Disk 0 trace - called modules:
19:34:33.156
19:34:33.828 AVAST engine scan C:\WINDOWS
19:34:35.781 AVAST engine scan C:\WINDOWS\system32
19:35:38.515 AVAST engine scan C:\WINDOWS\system32\drivers
19:35:44.890 AVAST engine scan C:\Documents and Settings\Dean Nicholson
19:36:15.578 File: C:\Documents and Settings\Dean Nicholson\Local Settings\Application Data\pjq.exe **INFECTED** Win32:MalOb-GR [Cryp]
19:36:38.140 AVAST engine scan C:\Documents and Settings\All Users
19:36:39.890 Scan finished successfully
19:37:20.078 The log file has been saved successfully to "C:\Documents and Settings\Dean Nicholson\My Documents\aswMBR.txt"

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 12:27:05
-----------------------------
12:27:05.906 OS Version: Windows 5.1.2600 Service Pack 3
12:27:05.906 Number of processors: 2 586 0xF06
12:27:05.906 ComputerName: D2 UserName:
12:27:06.515 Initialze error 0 - driver not loaded
12:32:42.859 AVAST engine defs: 12010100
12:39:36.187 The log file has been saved successfully to "C:\Documents and Settings\Dean Nicholson\My Documents\aswMBR.txt"

#23 ken545


Posted 01 January 2012 - 12:08 PM

It's not loading the driver for it to run properly; try running it in Safe Mode.

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key somewhat rapidly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode with Networking
  • Then press the Enter key on your keyboard
Tutorial if you need it: How to boot into Safe Mode

 
 

#24 ken545


Posted 01 January 2012 - 12:36 PM

If you still have no luck with aswMBR, let's move on. You already have MBRCheck on your desktop; run it again with option 1.

The reason for all this madness is that we are trying to determine if your MBR is infected; if it is, it's most likely responsible for all your grief.



Re-run MBRCheck again.
When prompted, enter Y
Then enter 1 to dump the MBR to physical disk
Name the dumped file as Dump.dat

Enter -1 to exit

A log file named "dump.dat" will be located in the same folder as MBRCheck was saved, please zip it up and attach in your next reply.

 
 

#25 Dean N


Posted 01 January 2012 - 02:07 PM

Not sure if aswMBR worked properly in Safe Mode, but here is the log:

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 14:45:04
-----------------------------
14:45:04.156 OS Version: Windows 5.1.2600 Service Pack 3
14:45:04.156 Number of processors: 2 586 0xF06
14:45:04.156 ComputerName: D2 UserName:
14:45:05.296 Initialze error 0 - driver not loaded
14:45:10.343 AVAST engine download error: 0
14:45:35.984 Service scanning
14:45:41.984 Modules scanning
14:45:42.000 Disk 0 trace - called modules:
14:45:42.015
14:45:42.046 Scan finished successfully
14:46:09.500 The log file has been saved successfully to "C:\Documents and Settings\Administrator\My Documents\aswMBR2.txt"

I also ran MBRCheck again; here is the log file. Not sure if this worked either. Should I be running MBRCheck in Safe Mode (which is what I did)?

Attached file: dump.zip (114 bytes)



#26 ken545


Posted 01 January 2012 - 02:24 PM

Thanks. aswMBR did not run properly, as the driver did not load. What I need to do is send the dump file to be analyzed; I'll be back to you as soon as I can. Thanks for hanging in with me, you're doing fine. I've been at this for close to 10 years and this garbage is harder and harder to remove each day.

 
 

#27 ken545


Posted 01 January 2012 - 02:33 PM

In the meantime, to cover all corners, submit the dump file you just extracted to Jotti and post the report.

http://virusscan.jotti.org/en

 
 

#28 Dean N


Posted 01 January 2012 - 03:15 PM

The dump file was empty; I also ran the aswMBR log, and all of the available scanners showed nothing. It didn't give me any option to get a report or log file.

#29 ken545


Posted 01 January 2012 - 03:25 PM

OK, thanks for that information. Hang on a bit and let's see what they say when it's analysed.

 
 

#30 ken545


Posted 01 January 2012 - 04:01 PM

You're correct, that file has zero bytes; something went wrong. This is what we need to do:

We'll use a CD that we will make bootable. We also need a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

If you have any problems with these steps, please let me know. These may look complicated, but it's fairly straightforward and for the most part automated.

Please note commands used with this tool are case sensitive and must be typed exactly as shown.


Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe by double clicking it.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD

You may want to print out this part as you will not be able to view these instructions.

  • Attach the USB device to the computer
  • Boot the infected computer with the CD you just burned
    • With the CD in the computer, restart the computer
    • The computer must be set to boot from the CD; depending on your computer, you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS
  • Once you have the computer set to boot from the CD, allow it to boot
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1?)
    (you will be able to tell if it is the right one as the screen will populate with your files)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

    (note there is a space after dd and a space after sda, a space after bin and after 512)
  • After it has finished, a file will be located on your USB drive named mbr.bin

To exit out of Xpud
  • close the terminal window
  • click the Home icon
  • Remove the CD and click Power off
  • Click restart system

Once the computer has rebooted open the usb device and locate mbr.bin, zip it up and attach it to your next reply.

 
 
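Before the mbr.bin from the dd step above is zipped up and sent off, it is worth checking that the dump is actually a plausible 512-byte MBR and not another empty file like the dump.dat earlier in the thread. The following is an added example, not code from the forum post or from any tool it names; it assumes the mbr.bin produced by the dd command, and the function names and the sample MBR it builds are this example's own.

```python
"""Sanity-check an MBR dump before it is zipped up and sent for analysis.

Added example, not code from the forum post or from any of the tools it names.
It assumes the 512-byte mbr.bin produced by the dd command above; the function
names are this example's own and the sample MBR is constructed here.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of every valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code


def parse_partitions(data: bytes) -> list:
    """Decode the four partition-table entries into dicts (type 0 = unused slot)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status byte, 3 CHS bytes (skipped), type byte, 3 CHS bytes (skipped),
        # then little-endian start LBA and sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr_dump(data: bytes) -> dict:
    """Report problems that would make the dump useless to an analyst."""
    issues = []
    if len(data) == 0:
        # the failure mode seen earlier in this thread: the dump file was empty
        issues.append("dump is empty (0 bytes); the dump step did not actually run")
    elif len(data) != MBR_SIZE:
        issues.append(f"unexpected size {len(data)} bytes; expected {MBR_SIZE}")
    partitions = []
    if len(data) == MBR_SIZE:
        if data[510:512] != BOOT_SIGNATURE:
            issues.append("boot signature 0x55AA missing at offset 510")
        partitions = [p for p in parse_partitions(data) if p["type"] != 0]
        if not partitions:
            issues.append("partition table has no used entries")
        if sum(p["bootable"] for p in partitions) > 1:
            issues.append("more than one partition is flagged bootable")
    return {"ok": not issues, "issues": issues, "partitions": partitions,
            "sha256": hashlib.sha256(data).hexdigest()}


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS partition, signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return boot_code + entry0 + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(check_mbr_dump(raw))
```

Run it as `python check_mbr.py mbr.bin`; the sha256 in the report is handy to quote alongside the upload so the analyst can confirm they received the same bytes.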
