Dear forum,

My computer has recently been affected with a Win32:RLoader-B virus which has prevented me from accessing Google as well as gained access to my email account sending out lots of spam mails. I suspect the issue occured when MS ended their support of MSE on Win XP and I failed to react and install a new antivirus software immediately.

I found out about the issue when my mail provider shut down my mail whereafter I did a scan with Avast. The following was found but could not be deleted even after several restarts:

File: C:\WINDOWS\system32\c_726556.nls
Threat: Win32:RLoader-B

I have now followed this guide (http://forum.avast.com/index.php?topic=53253.0) and have attached logfiles from MBAM, OTL, and aswMBR. A scan-and-removal with MBAM did not fix the issue.

I hope somebody is willing to take the time and help me out as I’m pretty stuck on what to do next.
I’m running an old Win XP machine.

Kind regards,

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )

Dear Argus,

Thank you for the quick reply!
I have done as requested and attached the ComboFix log in this post.

Kind regards,

Open notepad and copy/paste the text present inside the code box below:

KillAll::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D8278076-BC68-4484-9233-6E7F1628B56C}"=-
[-HKEY_CLASSES_ROOT\clsid\{d8278076-bc68-4484-9233-6e7f1628b56c}]
[-HKEY_CLASSES_ROOT\TypeLib\{7C4EE486-5EA5-4683-8C23-BF520933BB5E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{4F524A2D-5637-006A-76A7-7A786E7484D7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F524A2D-5637-006A-76A7-7A786E7484D7}"=-
[-HKEY_CLASSES_ROOT\clsid\{4f524a2d-5637-006a-76a7-7a786e7484d7}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4F524A2D-5637-006A-76A7-7A786E7484D7}"=-
[-HKEY_CLASSES_ROOT\clsid\{4f524a2d-5637-006a-76a7-7a786e7484d7}]

ClearJavaCache::

Folder::
c:\programmer\AskPartnerNetwork

File::
c:\windows\system32\drivers\bjayuses.sys

Driver::
bjayuses
APNMCP

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Dear Argus,

Provided is the log for ComboFix with the CFScript run.

Kind regards,

Looks good,

How is the situation now?

Just started an Avast virus scan. At 3% run the same virus is unfortunately detected. ???

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

[*]Under Additional options check the boxes next to:
- Verify Driver Digital Signature;
- Detect TDLFS file system
- Use KSN to scan objects
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Dear Argus,

As requested, the TDSKiller log.

I should maybe mention that I am using TeamViewer to carry out the actions on a remote computer - all other applications and windows are, however, shut off. I hope that it is not something that ruins the process you are guiding me through.

Kind regards,

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Dear Argus,

The files are attached.

Kind regards,

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type rpcss.dll; into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

Dear Argus,

The result of the search is posted with this reply.

Kind regards,

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
[i]For full instructions how MBAR works, read this article

> Doubleclick on the MBAR file (
http://www.mcshield.net/personal/magna86/Images/mbar.png
) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:

• ‘Could not load protection driver’. Click ‘OK’.
• ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe

• Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution …
• When you see “press any key to exit” fix is completed, press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:

1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.

Dear Argus,

No malware was detected. The two logs are attached.

Kind regards,

Please attach screenshot avast detection.

Detection already present at 1% scan.
Sorry for the non-English language.

Try this:

Open Avast Antivirus-Scan -and select Boot Time scan-Settings and select system drive for you-Restart PC.

Argus,

I just pressed the blue button to have Avast do whatever it want to do with the file to fix it - expecting it to not be able to do anything; but this time when I pressed the button the file was succesfully moved into quarantine.

I have just finished another full system scan including a boot root scan, and the virus is gone!

I want to thank you very much for great guidance and help - without you I would still have been stuck!
You are a great ressource to this community.

All the best,

Super

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.
.

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.