Jump to content

GT500

Emsisoft Employee
  • Content Count

    13983
  • Joined

  • Days Won

    442

Posts posted by GT500

  1. OK, ComboFix isn't deleting part if the infection, so we need to try a different utility. Here are some new instructions:

    1. Please download The Avenger from this link, and make sure to save it on your Desktop.

    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop

    2. Copy all the text contained in the CODE box below, and it will be pasted into The Avenger in a later step (if you do not know how to copy and paste, then there are instructions at this link):

    Folders to delete:
    c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv

    Note: the above code was created specifically for the person requesting assistance in this forum topic, and it is based entirely on the logs they supplied from their computer. No one else should attempt to run The Avenger with this script, as it may damage their computer!

    3. Now, open the avenger folder on your desktop and start The Avenger program by double-clicking on its icon.

    • Please paste the contents of the CODE box above (which you should have already copied) into the white box in The Avenger (see example picture below).
    • Click on the Execute button in the low-right corner (see example picture below).
      paste_script_into_avenger.png
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply, and we will go from there.

  2. The only Image File Execution Options oddities that OTL showed in the log were the following:

    O27 - HKLM IFEO\asc.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
    O27 - HKLM IFEO\suc12_uninstal.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
    O27 - HKLM IFEO\toolbox.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
    O27 - HKLM IFEO\turboboost.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)
    O27 - HKLM IFEO\unins000.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software)

    As you can see, they are all related to TuneUp Utilities 2012, which is a legitimate utility.

    Lets get a registry export of the keys from your screenshot:

    For 32-bit Windows, please download MiniRegTool.zip and unzip it.

    For 64-bit Windows, please download MiniRegTool64.zip and unzip it.

    1. Run the MiniRegTool download.
    2. Copy and paste the following into the rectangular white box in MiniRegTool:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]


    3. Check Export keys radio button.
    4. Press Go button and post the result.

  3. McAfee will need to be disabled before running ComboFix. If it is working, then it will not allow ComboFix to run properly.

    If you are unable to do anything about McAfee, then try following the instructions at this link to remove McAfee. You can reinstall it once we get your computer cleaned up.

    After disabling or uninstalling McAfee, please try the latest CFScript instructions again.

  4. OK, we're going to need to try another CFScript. Here are instructions again on what to do with the script:

    1. Turn off your Anti-Virus software.
    2. Run Rkill just to make sure that nothing interferes with ComboFix while it runs the script. Go ahead and run all three of the ones in the ZIP file I attach to a post earlier, just in case.
    3. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
    4. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):
      http://support.emsisoft.com/topic/7475-my-pc-is-infected-and-i-cant-run-otl/
      
      KillAll::
      
      Collect::
      c:\documents and settings\Bunny\Start Menu\Programs\Startup\lhofbvjm.exe
      c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv\lhofbvjm.exe
      c:\windows\Temp\dmjadxlsslpxqsmp.exe
      
      Folder::
      c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv
      
      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
      "Userinit"="C:\WINDOWS\system32\userinit.exe,"
      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "LhoFbvjm"=-


    5. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
    6. Close Notepad and verify that the CFScript file is saved on your desktop.
    7. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
      CFScriptB-4.gif

    **NOTE**
    If ComboFix wants to update, then please allow it to do so.

    When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

  5. Looks like that was a pretty bad infection. From that log, it looks like Safe Mode is broken, and we'll need to fix it after we finish some more cleanup.

    I have written a script that will tell ComboFix how to delete some stuff I saw in your log. Here are instructions on what to do with the script:

    1. Turn off your Anti-Virus software.
    2. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
    3. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste):
      http://support.emsisoft.com/topic/7475-my-pc-is-infected-and-i-cant-run-otl/
      
      KillAll::
      
      Collect::
      C:\lhofbvjm.exe
      c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv\lhofbvjm.exe
      
      Suspect::
      c:\program files\11201111240856.bat
      c:\program files\08201113562048.bat
      c:\program files\08201118561918.bat
      
      Folder::
      c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv
      c:\documents and settings\Bunny\Local Settings\Application Data\dbwsqsdv
      
      Registry::
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
      "Userinit"="C:\WINDOWS\system32\userinit.exe,"


    4. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
    5. Close Notepad and verify that the CFScript file is saved on your desktop.
    6. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
      CFScriptB-4.gif

    When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.

  6. According to that log, the entries that GMER found do not exist. You may need to run a virus scan with a boot CD in order to determine if there's still an infection.

    Lets try the Dr.Web LiveCD first, and see if it finds anything. Here's a link to the webpage where you can download the ISO image. Let me know if you need any help burning it to a CD.

  7. Please run an online virus scan through ESET by following the steps below:

    1. Turn off your anti-virus software.
    2. Click on this link.
    3. Click on the ESET Online Scanner button.
    4. Put a check in the box that says YES, I accept the Terms of Use.
    5. Click the 'Start' button just to the right of the checkbox.
    6. Uncheck the box that says Remove found threats (this is very important).
    7. Click on Advanced settings.
    8. Put a check in the box that says Scan for potentially unsafe applications.
    9. Verify that Scan for potentially unwanted applications is also checked.
    10. Verify that Enable Anti-Stealth technology is also checked.
    11. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning.
    12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
    13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
    14. Close the ESET online scan.

    I will take a look at the log, and let you know if anything needs removed.

  8. Please download Emsiclean from this link (be sure to save it on your desktop), and follow the instructions below to get me a log:

    1. Run the Emsiclean download that you saved on your desktop.
    2. Read the disclaimer. Note that you must agree to it in order to proceed.
    3. Once the scan is finished, simply exit Emsiclean, and do not remove anything.
    4. A new file will be saved on your desktop with a log of what was detected. Please attach that to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

  9. I've asked someone else to look at that log to verify whether or not some of the system files it listed have been modified. Lets go ahead and get a registry export while we wait for that.

    For 32-bit Windows, please download MiniRegTool.zip and unzip it.

    For 64-bit Windows, please download MiniRegTool64.zip and unzip it.

    1. Run the MiniRegTool download.
    2. Copy and paste the following into the rectangular white box in MiniRegTool:
      HKLM\SYSTEM\ControlSet001\services\BTHPORT
      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
      HKLM\SYSTEM\ControlSet003\services\BTHPORT


    3. Check Export keys radio button.
    4. Press Go button, save the results as a Text Document on your desktop, and attach them to a reply.

×
×
  • Create New...