Blackbeard Trojan

I installed Avast today and scanned my PC, and it found five viruses. I hit the ‘fix automatically’ button, since I’ve never had a trojan or other virus this bad before and I didn’t know what’d happen next.

http://i.imgur.com/2Sdgrhj.jpg – The list of viruses (I can’t attach it to the post since it only allows four attachments and I don’t want to double post) after I hit the ‘fix automatically’ button.

After rebooting, it went to POST, then the ‘Windows is starting up’ screen, and then it went to a black screen with my mouse cursor. After a minute, my PC restarted, and this loop continued until I held down F8 and used the Last Known Good Configuration tool to reboot my PC. I then used the tools as instructed in this thread ( http://forum.avast.com/index.php?topic=53253.0 ) and I’ve attached the logs.

Hey and welcome to the forum. You have done the right thing and attached the needed log.

Now you just have to wait for a malware expert who will help you out. But to speed that up I will go and notify someone on your topic.

The list of viruses (I can't attach it to the post since it only allows four attachments and I don't want to double post)
You just hit the reply button and attach in the next post ;)
  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:

  • Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

  • ComboFix will display a DISCLAIMER of warranty on software.
    By clicking I Agree ComboFix shall continue.
  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

Alrighty, I ran ComboFix.

Open notepad and copy/paste the text present inside the code box below:

FCOPY:: 
c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll|c:\windows\system32\rpcss.dll

ClearJavaCache::

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Okay, I did that.

How is the situation now?

I did another scan with Avast, and this came up.

I googled what Qoobox was, and it’s apparently part of ComboFix. Does this mean the virus is ‘quarantined’ in that folder, so to speak?

Yes, that file is quarantined :)

Your PC is clean, so we’re done here :)

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.