MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!

I was attempting to do this on my own…but I need help–I am in way over my head and do not speak “tech”. Tried Essexboy’s step 1 trying to download Malwarebytes Anti-Malware 1.62.0.1300 and it would not complete the set-up and forced the computer to restart. Now what do I do?? HELP!!

Hi, a few questions first:

What version of Windows are you using?

Does aswMBR run?

Does OTL run?

Windows XP Professional Version 2002 Service Pack 3 and I have no idea what your other questions mean??!! (So sorry!!)

OK, let's try these three programmes first. They are purely for analysis at the moment; if one fails, go straight to the next one.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

THEN

Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

http://dl.dropbox.com/u/73555776/aswMBRlog.png

FINALLY

Please download the following tool

Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

https://dl.dropbox.com/u/73555776/listparts.GIF

Here are the OTL reports.

Successfully downloaded aswMBR, but then it would not open or run from my desktop. So I jumped to step 3…those results are attached. Thanks again for your patience and help–it is very much appreciated!!

Checking the logs now but I can see the main culprit and I will be back in a bit… Can you burn a CD ?

This computer has never been able to properly burn a CD–can I download whatever you need onto a thumbdrive instead? Thanks again for your help–no rush!!

Yes, we can put it on a USB. What we will do is create the USB first; once you have done that, I will then give you the directions for the fix. It will be quite long, as first I will need to recover your files and menus, then remove the malware resident on the hard drive and finally remove the bad partition using the USB you created.

Download GParted Live to your desktop
Download Tuxbot to your desktop

The instructions along with screenshot for Tuxbot are Here
Follow these to get a bootable USB drive

Once you have the Bootable USB drive let me know and we will then commence the killing spree

attempting to download GParted Live on my desktop–it looks sketchy: source is http://w1.dailybag.net/g12/1343848950250-ccc5d947b803 and notes that I need to download video performer “free”–is this safe?

No, you have been redirected. This is the direct link: http://sourceforge.net/projects/gparted/files/gparted-live-stable/0.13.0-3/gparted-live-0.13.0-3.iso/download

OK, successfully got GParted Live on the desktop, but when I go to the other link for Tuxbot there are 3 different download images on the page to click on, and they all lead to things called “download manager” and 7zip–is this correct?? I am getting overwhelmed…

OK I made that on the fly and I have the direct download for that one as well… http://sourceforge.net/projects/tuxboot/files/0.3/windows-32bit/tuxboot-0.3.exe/download

I will refine my instructions to include the direct download links from now on

Just attempted downloading and received this error message: Explorer.Exe Application Error: The instruction at “0x7c91206” referenced memory at “0x3a690603”. The memory could not be … and then I was forced to terminate the download.

That is the malware. OK, I will kill what I can see first and then we will try again on the partition.

You can save all the logs until we have completed this marathon

[*]Download RogueKiller and save it on your desktop.
[*]Quit all programs.
[*]Start RogueKiller.exe.
[*]Wait until Prescan has finished.
[*]Click on Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.
[*]Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

NEXT

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledItems: FFToolbar@upromise:7.0.2.4181
O4 - HKLM..\Run: [gFJReHqAEoXft.exe] C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe (BFF)
O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [B9Sg1IdyP0tsoc] C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe (BFF)
O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [govShell] C:\Documents and Settings\Owner\govdmta.exe (Buffalo Inc.)
[2012/08/01 08:49:22 | 000,252,928 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
[2012/08/01 08:48:57 | 000,345,088 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe
[2012/08/01 08:46:53 | 000,123,392 | ---- | C] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
[2012/07/30 21:19:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\File Recovery
[2012/08/01 09:12:08 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
[2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
[2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsoc
[2012/08/01 08:49:29 | 000,000,837 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
[2012/08/01 08:49:28 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc
[2012/08/01 08:49:22 | 000,252,928 | -H-- | M] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
[2012/08/01 08:46:53 | 000,123,392 | ---- | M] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
[2012/08/01 08:46:41 | 000,345,088 | -H-- | M] (BFF) -- C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe
[2012/08/01 08:41:30 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801084129.job
[2012/07/31 18:18:16 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120731181815.job
[2012/07/30 21:20:31 | 000,000,064 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vrar
[2012/07/30 21:20:31 | 000,000,064 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vra
[2012/07/30 21:20:27 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\nBu12ZR0ug8vra
[2012/07/30 21:19:30 | 000,000,855 | -H-- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/08/01 09:12:07 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
[2012/08/01 08:58:40 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\HP Usg Daily FY04.job
[2012/08/01 08:49:31 | 000,000,072 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
[2012/08/01 08:49:31 | 000,000,072 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsoc
[2012/08/01 08:49:28 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
[2012/08/01 08:49:25 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc
[2012/08/01 08:41:29 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120801084129.job
[2012/08/01 08:40:14 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/31 18:18:15 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120731181815.job
[2012/07/30 21:19:31 | 000,000,064 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vrar
[2012/07/30 21:19:31 | 000,000,064 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vra
[2012/07/30 21:19:30 | 000,000,855 | -H-- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/07/30 21:19:23 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\nBu12ZR0ug8vra
[2011/09/09 21:19:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\nJ21100HlNoL21100
[2012/01/23 22:19:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

:Files
ipconfig /flushdns /c
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\POS283QM.DEFAULT\EXTENSIONS\FFTOOLBAR@UPROMISE.XPI

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
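The fix script above targets three patterns that recur in rogue-software infections: Run-key autoruns launched from Application Data or a profile root, hidden files with pseudo-random names beside them, and hidden Start Menu items. As an added example (not the helper's tool, and not OTL's own code), the Python below parses lines in OTL's O4 and file-listing format and flags those same patterns; the sample lines are constructed from the entries quoted in this thread plus one constructed benign "ExampleAV" control, and the heuristics are this example's assumptions, not OTL logic.

```python
import re
# Constructed sample lines in OTL's O4 and file-listing formats, modelled on the fix
# script quoted in this thread; "ExampleAV" is a constructed benign control.
SAMPLE_OTL_LINES = r"""
O4 - HKLM..\Run: [gFJReHqAEoXft.exe] C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe (BFF)
O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [govShell] C:\Documents and Settings\Owner\govdmta.exe (Buffalo Inc.)
O4 - HKLM..\Run: [ExampleAV] C:\Program Files\Example AV\guard.exe (Example Corp)
[2012/08/01 08:49:22 | 000,252,928 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
[2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
[2012/07/30 21:19:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\File Recovery
[2012/08/01 08:40:14 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
"""

RUN_KEY = re.compile(r"^O4 - (?P<hive>HK\w+[^.]*)\.\.\\Run: \[(?P<name>[^\]]+)\] "
                     r"(?P<path>.+?)(?: \((?P<company>[^)]*)\))?$")
FILE_ENTRY = re.compile(r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) "
                        r"\| (?P<op>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$")
# Data directories, or a file directly in a profile root: rare homes for a legitimate autorun.
USER_WRITABLE = re.compile(r"\\(Application Data|Local Settings|Temp)\\"
                           r"|^C:\\Documents and Settings\\[^\\]+\\[^\\]+$", re.I)

def looks_random(stem):
    """Heuristic: many upper/lower case flips, or letters mixed with digits (assumption)."""
    if " " in stem:
        return False  # multi-word product names flip case at every word; skip them
    letters = [c for c in stem if c.isalpha()]
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    has_digit = any(c.isdigit() for c in stem)
    return flips >= 4 or (has_digit and len(letters) >= 6)

def triage(otl_text):
    """Return [(path, [reasons])] for entries matching the persistence patterns above."""
    findings = []
    for line in otl_text.strip().splitlines():
        reasons = []
        m = RUN_KEY.match(line) or FILE_ENTRY.match(line)
        if not m:
            continue
        path = m.group("path")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # file name without extension
        in_user_dir = bool(USER_WRITABLE.search(path))
        if "hive" in m.groupdict() and in_user_dir:
            reasons.append("autorun (%s Run key) from user-writable location" % m.group("hive").split("\\")[0])
        if "attrs" in m.groupdict() and "H" in m.group("attrs"):   # hidden attribute set
            if in_user_dir and (path.lower().endswith(".exe") or looks_random(stem)):
                reasons.append("hidden file in data directory")
            if "\\Start Menu\\" in path:
                reasons.append("hidden Start Menu item (shortcuts hidden/replaced)")
        if looks_random(stem):
            reasons.append("pseudo-random name")
        if reasons:
            findings.append((path, reasons))
    return findings
```

Calling triage(SAMPLE_OTL_LINES) flags the five rogue entries and leaves the "ExampleAV" Run key and the Flash updater task alone; on a real OTL.Txt the output is a review list, not a deletion list.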

Results of RogueKiller–I will start on the next steps. Also, there is an RK_Quarantine folder on my desktop–do you need that as well?

PS: Do you ever take any breaks? I hope I am not wearing you out!

Just wanted to let you know that the OTL custom fix has been running for about two hours. Is this typical? At the bottom of the OTL screen it continues to note “Killing processes. Do not interrupt.”

You should have all the files and menus back now

Malwarebytes is blocking OTL, so stop it and run this modified fix please, then continue with ComboFix.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledItems: FFToolbar@upromise:7.0.2.4181
O4 - HKLM..\Run: [gFJReHqAEoXft.exe] C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe (BFF)
O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [B9Sg1IdyP0tsoc] C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe (BFF)
O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [govShell] C:\Documents and Settings\Owner\govdmta.exe (Buffalo Inc.)
[2012/08/01 08:49:22 | 000,252,928 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
[2012/08/01 08:48:57 | 000,345,088 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe
[2012/08/01 08:46:53 | 000,123,392 | ---- | C] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
[2012/07/30 21:19:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\File Recovery
[2012/08/01 09:12:08 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
[2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
[2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsoc
[2012/08/01 08:49:29 | 000,000,837 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
[2012/08/01 08:49:28 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc
[2012/08/01 08:49:22 | 000,252,928 | -H-- | M] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
[2012/08/01 08:46:53 | 000,123,392 | ---- | M] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
[2012/08/01 08:46:41 | 000,345,088 | -H-- | M] (BFF) -- C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe
[2012/08/01 08:41:30 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801084129.job
[2012/07/31 18:18:16 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120731181815.job
[2012/07/30 21:20:31 | 000,000,064 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vrar
[2012/07/30 21:20:31 | 000,000,064 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vra
[2012/07/30 21:20:27 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\nBu12ZR0ug8vra
[2012/07/30 21:19:30 | 000,000,855 | -H-- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/08/01 09:12:07 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
[2012/08/01 08:58:40 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\HP Usg Daily FY04.job
[2012/08/01 08:49:31 | 000,000,072 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
[2012/08/01 08:49:31 | 000,000,072 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsoc
[2012/08/01 08:49:28 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
[2012/08/01 08:49:25 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc
[2012/08/01 08:41:29 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120801084129.job
[2012/08/01 08:40:14 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/31 18:18:15 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120731181815.job
[2012/07/30 21:19:31 | 000,000,064 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vrar
[2012/07/30 21:19:31 | 000,000,064 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vra
[2012/07/30 21:19:30 | 000,000,855 | -H-- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/07/30 21:19:23 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\nBu12ZR0ug8vra
[2011/09/09 21:19:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\nJ21100HlNoL21100
[2012/01/23 22:19:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

:Files
ipconfig /flushdns /c
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\POS283QM.DEFAULT\EXTENSIONS\FFTOOLBAR@UPROMISE.XPI

:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Essex Boy: Sorry for the delay–had to go to work and then when I was going to attempt doing this, I could not get onto the internet–I had to repeatedly hit my icon to finally get on. So…attached is the recent OTL report. Now I will go on to step 3. Thanks again!

Update: a message popped up during the blue screen of C:\ComboFix: “This machine does not have the Microsoft Windows Recovery Console installed. Alternately, an existing installation of the Recovery Console may be present but requires updating. Without it ComboFix shall not attempt the fixing of some serious infections. Click Yes to have ComboFix download/install it…ComboFix”. Please advise on how I should proceed.