I have the same problem, my netbook is infected by Win32Vitro AND I’ve been following the method described by “esexboy”.
Hi,
1. Please download [b]ComboFix[/b] by [b]sUBs[/b] [url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe][u][b]from here[/b][/u][/url] and save it to your [b]Desktop[/b].
[i]If you are unsure how ComboFix works please read [url=http://www.bleepingcomputer.com/combofix/how-to-use-combofix][i][b]this guide[/b][/i][/url] carefully.
[i]Note:[/i] ComboFix must be downloaded to your [b]Desktop[/b].[/i]
--------------------------------------------------------------------
2. Temporarily disable your [b]AntiVirus[/b] program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
[i] If you are unsure how to do this please read [url=http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html][b][i]this[/i][/b][/url] or [url=http://www.bleepingcomputer.com/forums/topic114351.html][i][b]this[/b][/i][/url] Instruction.[/i]
[b]Instructions how to disable avast:[/b]
[*]Right click on the avast! system tray icon (http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
[b]Note: [/b][i]Do not forget to turn back on this option after the cleaning by choosing [b]avast! shield controls[/b] > [b]Enable all shield[/b] options.[/i]
--------------------------------------------------------------------
3. Run [b]ComboFix[/b]. Click on [b]I Agree![/b]
[i][size=7pt]- ComboFix will display [b]DISCLAIMER[/b] of warranty on software.
By clicking [b]I Agree[/b] ComboFix shall continue.
- ComboFix will check if there is a newer version of ComboFix available.
Click [b]Yes[/b] if prompted to download.[/size]
- If [b]Recovery Console[/b] is not installed, ComboFix will offer download & installation.
Click [b]Yes[/b] to allow ComboFix to install [b]Recovery Console[/b].
- ComboFix will scan your computer in stages, total of [b]50[/b] stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "[i][b]Illegal operation attempted on a registry key that has been marked for deletion[/b][/i]", just restart your computer.
[/i]
--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.
after this what should I do?
Attach the log under C:\ComboFix.txt
As Steven said, I shall need ComboFix.txt log for future malware analysis.
Hi SisiliaYM,
Feel for the victim, any file infector is always a “sad and serious” sort of detection. Hope the qualified removers can save your OS.
polonus
I’ve run ComboFix and followed the instructions. Suddenly my netbook shut down, then came the choice of Windows XP, Microsoft Windows Recovery Console and another one I forget. Then I chose the Windows Recovery Console and what appeared is in the attachment.
What should I do ……
this is the log
Hi, ComboFix has set up the Recovery Console … That black screen should be OK.
We need to continue with ComboFix; its first run has done a great job. Now it is time to run it again, via CFScript.
Multiple Antivirus Programs
You are running more than 1 Antivirus program!
AV: avast! Antivirus
AV: Baidu Security
Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer’s resources while actively scanning your computer.
[*]Can cause your computer to become unstable…run slowly and even, in rare cases, BSOD crash…etc
I strongly suggest you uninstall one of them. Which one, is your decision.
ComboFix via CFScript
-
Delete old ComboFix (drag&drop into recycle bin) and download new, fresh copy.
-
Open notepad and copy/paste the text present inside the code box below:
ClearJavaCache::
Registry::
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\WINDOWS\system32\muzapp.exe"=-
"\??\c:\WINDOWS\system32\winlogon.exe"=-
KillAll::
Driver::
Update outobox
Util outobox
Wpm
Folder::
c:\program files\outobox
c:\documents and settings\All Users\Application Data\WPM
DDS::
uStart Page = hxxp://en.v9.com/?utm_source=b&utm_medium=bnd&utm_campaign=eXQ&utm_content=hp&from=bnd&uid=HitachiXHTS543232A7A384_E2034243HDZ7ADHDZ7ADX&ts=1381936112
mStart Page = hxxp://en.v9.com/?utm_source=b&utm_medium=bnd&utm_campaign=eXQ&utm_content=hp&from=bnd&uid=HitachiXHTS543232A7A384_E2034243HDZ7ADHDZ7ADX&ts=1381936112
Firefox::
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\mxiu297v.default
FF - prefs.js: browser.search.selectedEngine - v9
FF - prefs.js: browser.startup.homepage - hxxp://home.tb.ask.com/index.jhtml?ptb=3F4AFEF0-0550-49FB-A78C-9D83E565F107&n=77fce3e6&p2=^ZX^fox000^YY^
FF - prefs.js: keyword.URL - hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd&ptb=3F4AFEF0-0550-49FB-A78C-9D83E565F107&n=77fce3e6&ind=2013062118&p2=^ZX^fox000^YY^&searchfor=
FF - ExtSQL: !HIDDEN! 2013-06-21 17:35; 4jffxtbr@RadioRage_4j.com; c:\program files\RadioRage_4j\bar\2.bin
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )
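The post above flags two registered antivirus products. As an added example (not from this thread or from ComboFix), the following PowerShell snippet lists what Windows Security Center has registered, so you can confirm only one product remains before re-running ComboFix. It assumes Windows XP SP2 or later exposes the root\SecurityCenter namespace (AntiVirusProduct with onAccessScanningEnabled and productUptoDate) and that Vista and later expose root\SecurityCenter2 with a packed productState value; the productState decoding is a widely used heuristic, not a documented contract.

```powershell
# Added example, not from the original thread.
# Enumerate antivirus products as Security Center sees them and warn
# when more than one is registered (the situation described above).
# Assumptions: root\SecurityCenter on XP, root\SecurityCenter2 on Vista+,
# and the common (heuristic) decoding of productState on the latter.

function Get-RegisteredAntivirus {
    $products = @()

    # Windows XP SP2+: namespace root\SecurityCenter; missing namespace is ignored
    $xp = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $xp) {
        $products += New-Object PSObject -Property @{
            Name     = $p.displayName
            Source   = 'SecurityCenter'
            Enabled  = [bool]$p.onAccessScanningEnabled
            UpToDate = [bool]$p.productUptoDate
        }
    }

    # Vista and later: namespace root\SecurityCenter2; state packed into productState
    $modern = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $modern) {
        # productState as 6 hex digits: [product type][on/off][signature status]
        $hex = '{0:X6}' -f [int]$p.productState
        $products += New-Object PSObject -Property @{
            Name     = $p.displayName
            Source   = 'SecurityCenter2'
            Enabled  = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')  # heuristic
            UpToDate = ($hex.Substring(4, 2) -eq '00')                                     # heuristic
        }
    }
    return $products
}

$av = @(Get-RegisteredAntivirus)
$av | Format-Table Name, Source, Enabled, UpToDate -AutoSize

if ($av.Count -gt 1) {
    Write-Warning ("{0} antivirus products are registered; uninstall all but one before continuing." -f $av.Count)
}
elseif ($av.Count -eq 0) {
    Write-Warning "No antivirus product is registered with Security Center."
}
```

Run it from an elevated PowerShell prompt. A product that was uninstalled but still shows up here usually left its Security Center registration behind, which is exactly the kind of leftover the CFScript steps in this thread are removing.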
Hi, this is the log, and I’ve uninstalled the AV Baidu Security. I actually thought it was an application to speed up a netbook, laptop or PC; it turns out it is an antivirus with other uses. I installed it because I saw the application on my uncle’s laptop.
ComboFix via CFScript
Open notepad and copy/paste the text present inside the code box below:
Driver::
BprotectEx
File::
c:\windows\System32\drivers\BprotectEx.sys
Folder::
c:\program files\RadioRage_4j
Firefox::
FF - ExtSQL: !HIDDEN! 2013-06-21 17:35; 4jffxtbr@RadioRage_4j.com; c:\program files\RadioRage_4j\bar\2.bin
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )
avast! Boot-Time scan
Follow the guide here for running an avast! boot-time scan and post me the aswBoot.txt log report:
http://www.davescomputertips.com/perform-a-boot-time-scan-with-avast-free-2014/
Post me the results:
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt
I don’t get the log from the boot-time scan I ran earlier. I also looked for "C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt", but when I click “All Users” the folders that appear are Desktop, Shared Documents, Favorites and Start Menu (on my netbook); there is no “Application Data” folder. What should I do???
Let’s skip that for now. I want to see whether anything is left after ComboFix’s work.
Re-run OTL.exe to perform a fresh scan …
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
type "C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt" /c
[*]Then click the RunScan button at the top.
[*]Post here fresh created OTL.txt logreport.
Hi.
This is the log
OK, we shall run ComboFix one more time using CFScript. CF, among other things, shall attempt to delete some Baidu leftovers. With OTL we’ll kill some remains left in the browser-related registry. After the CFScript and OTL fix, tell me how the computer is running.
Open notepad and copy/paste the text present inside the code box below:
KillAll::
ClearJavaCache::
File::
C:\WINDOWS\System32\drivers\BprotectEx.sys
C:\WINDOWS\system32\drivers\Bhbase.sys
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mxiu297v.default\extensions\{1a147621-8c9a-4d6b-a557-6513a40d3207}.xpi
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mxiu297v.default\searchplugins\ask.xml
Folder::
C:\Program Files\RadioRage_4j
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )
Then …
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.v9.com/web/?utm_source=b&utm_medium=bnd&utm_campaign=eXQ&utm_content=ds&from=bnd&uid=HitachiXHTS543232A7A384_E2034243HDZ7ADHDZ7ADX&ts=1381936144&type=default&q={searchTerms}
IE - HKU\S-1-5-21-1275210071-1454471165-515967899-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-1275210071-1454471165-515967899-1003\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.v9.com/web/?utm_source=b&utm_medium=bnd&utm_campaign=eXQ&utm_content=ds&from=bnd&uid=HitachiXHTS543232A7A384_E2034243HDZ7ADHDZ7ADX&ts=1381936144&type=default&q={searchTerms}
FF - HKLM\Software\MozillaPlugins\@RadioRage_4j.com/Plugin: C:\Program Files\RadioRage_4j\bar\2.bin\NP4jStub.dll File not found
[2014/01/28 11:52:17 | 000,008,941 | ---- | M] () (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mxiu297v.default\extensions\{1a147621-8c9a-4d6b-a557-6513a40d3207}.xpi
[2013/06/21 18:58:04 | 000,009,565 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mxiu297v.default\searchplugins\ask.xml
CHR - Extension: No name found = C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml\1.4_0\
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn’t appear, it can be found here:
C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
Hi, this is the log. sorry for the delay
Hi, please re-read my instructions. I’ll need fresh ComboFix.txt logfile after running CFScript and “mmddyyyy_hhmmss.log” created by OTL after the Fix.
Sorry, I didn’t read the reply. This is the log from ComboFix.