Hello, I have been battling this virus for a few days and am now at wits' end. I originally got a version of the Smart HDD virus. I have run MalwareBytes. That seemed to get rid of most of the viruses that were causing me all the pop-ups. I am not able to run OTL, aswMBR, or TDSSKiller when they are saved to the desktop. When I run MalwareBytes again, it says no threats found, but when I run avast, I have MBR:\.\PHYSICALDRIVE0\Partition4 that I cannot delete. Really appreciate any help. Thank you.
Hey, and welcome to the forum. The malware expert must have those logs to be able to help you.
http://forum.avast.com/index.php?topic=53253.0
I'm not sure, but could you try running it in safe mode, or do you get the same thing?
Even in safe mode it won’t open. When I double click, it asks me if I want to run, but when I say yes nothing happens. I was able to get MBRcheck to run, if that helps. I truly don’t know much about this stuff.
Yes, could you try in safe mode first? If it fails, could you rename otl.exe to otl.scr and then try again?
Again, if there is a failure, then what is the operating system (XP, Vista or 7; 32 or 64 bit)?
Can you access a USB drive of at least 4GB?
Great, got it to work with OTL.scr … attaching log
Do you have the option "repair my computer" when you are on the safe mode menu?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {5B291E6C-9A74-4034-971B-A4B007A0B315} - No CLSID value found.
O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000..\Run: [ESm0AIZeKGX958] C:\ProgramData\ESm0AIZeKGX958.exe File not found
O4 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000..\Run: [xixqnANuWCTnx.exe] C:\ProgramData\xixqnANuWCTnx.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2012/08/02 03:06:25 | 000,000,633 | ---- | C] () -- C:\Users\Jordan\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
@Alternate Data Stream - 1250 bytes -> C:\Users\Jordan\AppData\Local\vCQTT9nzb:lv5NjaknjN7WlHAq4z
:Files
ipconfig /flushdns /c
C:\ProgramData\ESm0AIZeKGX958.exe
C:\ProgramData\xixqnANuWCTnx.exe
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download the following tool
Run the tool, click Scan and post the log (Result.txt) it makes.
No, I do not see the repair my computer option… Should I still go ahead and run OTL fix?
Yes please. Do you have a USB drive of at least 1GB?
Ok, here is the log from the Quick Scan… I did it in safe mode, hopefully that doesn’t matter.
Going to do the ListParts scan now. Yes, I have a USB drive of at least 1GB. Thank you
Here is the Log from ListParts
Please download the following tool
Please open notepad
(Start =>All Programs => Accessories => Notepad)
and copy the entire contents of the code box below.
(To do this highlight the contents of the box, right click on it and select copy.)
Right-click in the open notepad and select Paste.
Disk=0 Partition=3 active
custom
Disk=0 Partition=4 delete
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
[*]Save it on to a USB flashdrive as fix.txt
[*]Save ListParts (32bit) or ListParts64 (64bit) onto the same flash drive.
[*]Plug the flashdrive into the infected PC.
[*]Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Choose your language settings, and then click Next.
[*]Select the operating system you want to repair (normally option 1), and then click Next.
[*]Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Choose your language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.
[*]On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]A Notepad window will open. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and then close Notepad.
[*]In the command window type e:\listparts64 (64bit) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]Press Fix button.
[*]When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.
When I click on the repair my computer option, A box that says “Other User” pops up, then asks me for a user name and password.
If I try to restore from the disc, do I use the disc that says “Operating System”?
No, that will not work … Bear with me and I will prepare the recovery console for you to download.
back in two minutes
Download the following three programmes to your desktop:
Please open notepad
(Start =>All Programs => Accessories => Notepad)
and copy the entire contents of the code box below.
(To do this highlight the contents of the box, right click on it and select copy.)
Right-click in the open notepad and select Paste.
Disk=0 Partition=3 active
custom
Disk=0 Partition=4 delete
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
[*]Save it on to the desktop as fix.txt
Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot
http://dl.dropbox.com/u/73555776/wintoboot.JPG
Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
http://dl.dropbox.com/u/73555776/usb%20progress.JPG
It will let you know when it is done
Then copy Listparts64 and fix.txt to the same USB
http://dl.dropbox.com/u/73555776/frstwintoboot.JPG
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here
When you reboot, you will see this. Click Repair my computer.
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg
Select your operating system
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg
Select Command prompt
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\listparts64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
Press Fix button.
It will make a log (listparts.txt) on the flash drive. Please copy and paste it to your reply.
Reboot to normal mode
On the “select your operating system” step, it is blank. There is nothing to select.
Nickers… The malware is getting smarter… OK, can you burn a CD? Then we will do it the old way.
I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)
Create a bootable CD, for Gparted from the ISO image.
You can use ImgBurn to do this.
Now boot off of the newly created Gparted CD.
You should be here… Press ENTER
https://dl.dropbox.com/u/73555776/Gpart-Start.GIF
By default, “do not touch keymap” is highlighted.
https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF
Leave this setting alone and just press ENTER.
https://dl.dropbox.com/u/73555776/Gpart-continue.GIF
Choose your language and press ENTER. English is default [33]
At the mode prompt enter 0, press ENTER
You will now be taken to the main GUI screen below
https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF
According to your logs, the partition that you want to delete is <1MB
Right-click this partition and select delete.
https://dl.dropbox.com/u/73555776/GPart-delete.GIF
The Partition has gone
Now select Apply
Now you should be here:
https://dl.dropbox.com/u/73555776/Areyousure.GIF
Select Apply after double checking that the right partition was deleted
Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags
https://dl.dropbox.com/u/73555776/GPart-flags.GIF
In the menu that pops up, place a checkmark in boot like the picture below, then close:
https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF
Under File select Quit
https://dl.dropbox.com/u/73555776/Gpart-quit.GIF
You will see this small Popup
https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF
Choose reboot and then press OK.
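The "Disk=0 Partition=3 active" / "Disk=0 Partition=4 delete" script given earlier and the GParted steps above (delete the partition that is under 1MB, then make sure the "boot" flag sits on the OS partition) both come down to editing the 64-byte partition table inside the MBR sector. The Python below is an added example, not code from this thread and not from ListParts, GParted or avast: it parses an MBR sector, flags an active partition smaller than 1 MB (a real OS partition is never that small, which is the tell the helper is using), and returns the repaired table with the boot flag moved and the fourth entry zeroed. SAMPLE_MBR is constructed for illustration; its partition sizes and type bytes, and the choice of entry 3 as the Windows partition, are assumptions modelled on the fix script, not the poster's actual disk.

```python
"""
MBR partition-table check and repair for the hidden-partition pattern in
this thread.  Added example, not part of the forum thread and not code from
ListParts, GParted or avast.  Offsets and field layout are the standard
MBR ones (table at byte 446, four 16-byte entries, 0x55AA signature).
SAMPLE_MBR below is constructed: its layout, with the Windows OS partition
as entry 3 and a 1-sector active entry 4, is an assumption modelled on the
'Partition=3 active / Partition=4 delete' script, not the poster's real disk.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"
ONE_MB_SECTORS = 1024 * 1024 // SECTOR   # 2048 sectors of 512 bytes


def make_entry(active, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields are zeroed (LBA only)."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def parse_mbr(mbr):
    """Return the four partition entries as dicts; raise on a malformed sector."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        flag, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if flag not in (0x00, 0x80):
            raise ValueError("partition %d has an invalid status byte 0x%02x" % (i + 1, flag))
        parts.append({"index": i + 1, "active": flag == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def active_partitions(parts):
    """Partition numbers carrying the boot flag; a healthy MBR disk has exactly one."""
    return [p["index"] for p in parts if p["active"]]


def find_suspicious(parts):
    """Partition numbers that look like a bootkit landing zone: an entry that
    carries the active (boot) flag but is smaller than 1 MB."""
    return sorted(p["index"] for p in parts
                  if p["active"] and 0 < p["sectors"] < ONE_MB_SECTORS)


def repair_table(mbr, make_active, delete):
    """Return a new sector with only `make_active` flagged bootable and entry
    `delete` zeroed, the same outcome as 'Disk=0 Partition=3 active' followed
    by 'Disk=0 Partition=4 delete'.  Boot code and signature are untouched;
    nothing is written to disk, the repaired bytes are just returned."""
    out = bytearray(mbr)
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        if i + 1 == delete:
            out[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
        else:
            out[off] = 0x80 if i + 1 == make_active else 0x00
    return bytes(out)


def summarize(parts):
    """One line per entry, roughly what GParted's table view shows."""
    lines = []
    for p in parts:
        if p["type"] == 0 and p["sectors"] == 0:
            lines.append("%d: (unused)" % p["index"])
            continue
        lines.append("%d: type 0x%02x  start LBA %d  %.1f MB  %s" % (
            p["index"], p["type"], p["lba_start"],
            p["sectors"] * SECTOR / (1024 * 1024),
            "boot" if p["active"] else "-"))
    return lines


# Constructed sample (all values assumed): 100 MB system partition, a small
# OEM partition, a ~195 GB Windows partition, and a 1-sector active entry 4.
SAMPLE_MBR = (
    bytes(TABLE_OFFSET)                           # boot code, all zero here
    + make_entry(False, 0x07, 2048, 204800)       # 1: NTFS, 100 MB
    + make_entry(False, 0x27, 206848, 20480)      # 2: OEM/recovery, 10 MB
    + make_entry(False, 0x07, 227328, 409600000)  # 3: NTFS, the OS partition
    + make_entry(True, 0x07, 409827328, 1)        # 4: 1 sector, marked active
    + MBR_SIGNATURE
)

if __name__ == "__main__":
    before = parse_mbr(SAMPLE_MBR)
    print("\n".join(summarize(before)))
    print("active:", active_partitions(before), "suspicious:", find_suspicious(before))
    after = parse_mbr(repair_table(SAMPLE_MBR, make_active=3, delete=4))
    print("\n".join(summarize(after)))
    print("active:", active_partitions(after), "suspicious:", find_suspicious(after))
```

To inspect a real disk from a Linux live CD, pass the first 512 bytes of the device (for example `open("/dev/sda", "rb").read(512)`) to parse_mbr; repair_table only returns bytes, so writing them back, or using GParted as the thread does, is a separate and deliberate step after you have checked the summary.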
Ok, just did all those steps
One thing worrying me is, before this virus, I had about 11 free GB of hard drive space. After, I have about 99 free gigs.
I’m a photographer, so I know pretty much all of those gigs are from my photos, and it appears that they are all still there. Not sure where 90 or so gigs would have gone without losing any pictures.
Reboot to normal mode please and I will check it out
[*] Download RogueKiller and save it on your desktop.
[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png
[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png
[*]The report has been created on the desktop.
[*]Next click on the ShortcutsFix
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png
[*]The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
Here are the logs from RogueKiller