My PC can't delete rootkits

Good morning.
I can’t delete rootkits from my PC

I wanted to download a game called “Pro-cycling Manager” free. But I unfortunately downloaded viruses such as Torn TV, Yonto, Cubiez, and a search engine called “Delta search”.

The web pages which I got the viruses from are:

  1. Torrentz: hxxp://torrentz.eu/dcb0d296ada42992f178d471adcbadb841a1ed84
  2. TornTv: hxxp://www.thetorrn-tv.net/download/download7.php?name=CPZ12&magnet=zntarg%3A%3Fkg%3Dhea%3Aogvu%3A3FLASSIAHDHMS4YL2EL23F5AKON2Q3ZR&magnaet=qpo0q296nqn42992s178q471nqponqo841n1rq84

From that page I downloaded the following file:

PCM12.exe

When I wrongly downloaded that file, I wasn’t able to play the game, but I opened Google Chrome and found the search engine Delta Search set as the homepage. I went to the Start menu and found that TornTv was installed. Later, I searched on Google for what TornTv was, and I found out that the program was a virus; I immediately deleted the extensions from all the browsers, from the control panel. Then, to be sure, I scanned my PC with Avast!, but in the results I found that there were some files that couldn’t be scanned. I saw the results and I wasn’t able to take any action.

Yesterday, I logged on to the Avast website and read a forum thread in which a person had a similar problem; in it, there were some instructions on how he could delete the rootkits. Then, I downloaded programs like MBAM, OTL, adwcleaner and aswMBR.

When I was scanning with the last one, that program couldn’t finish the scan because it showed this notice: attachment 4

Later, an Avast web forum user nicknamed iroc9555 told me to try scanning in safe mode; it continued presenting the same problem.

P.S.: Excuse my English level if you don’t understand it :)

Lol… You downloaded something from an illegal torrent site and you wonder why you got infected? And you want help?

so it seems you followed this guide? http://forum.avast.com/index.php?topic=53253.0

to help you, we need the logs Attached here (not copy and paste) … AdwCleaner / Malwarebytes / OTL / aswMBR
if you have problems running any of the programs, try from safe mode

I accept my mistake, and I’m sure I won’t try to download free programs

Step#1;

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe

[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”

[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The Clean up procedure will be Scheduled for process.
[*] When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

… … … … … … … … … … … …

Step#2;

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

… … … … … … … … … … … …

Step#3;

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



installedprogs;
filesrcm;
startupall;
firefoxlook;
chromelook;
CD \;b
DIR /S /A:L > %USERPROFILE%\Desktop\JunctionPoints.txt;b


[*] Click on the “Run script” button.
Please wait until a log report opens (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log”

Also, on the Desktop you will see the JunctionPoints.txt log. Attach it here.

Hi magna86.

To clarify.

El Juli asked for help in the Spanish forum. He had followed essexboy’s post about the programs needed for help, but aswMBR did not run. I told him to run it in safe mode and to look for help here. It seems that aswMBR did not run in safe mode either.

@ El Juli.

You are in good hands. If you need help with anything, I will be keeping an eye on this.

Good afternoon.

I ran MBAR, and it showed me no infected files were found. For this reason, I can’t get any log to attach.

I scanned with Combofix and Zoek, I attach the logs here

Hi,

Do you have JunctionPoints.txt on your Desktop? If you do, please attach it here.

Also, I need to see the first created AdwCleaner log, not the third one.
C:\AdwCleaner[S1].txt <---- attach here.


Re-run Zoek.exe tool ;

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:


c:\users\Julian\AppData\Local\CubiezHelper;vs
nbmafkdmkkckhggblphicnnhlgljnoje;chr
C:\Program Files (x86)\TornTV.com;fs
PCM12.exe;z
emptyalltemp;
emptyrecycle.bin; 
autoclean;



[*] Click on the “Run script” button.
Please wait until a log report opens (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log”

Hi!

Here I attach the logs that are lacking.

How’s your computer running now?

My PC is running well, apparently there are no problems, but I’m not sure if it continues having rootkits.

Re-run zoek tool as you did before but use this script:


c:\users\Julian\AppData\Local\CubiezHelper;f
emptytemp;

You shouldn’t have any rootkits. I think that there is no need for additional antirootkit checking.

Can you attach zoek results after running latest zoek script?

Hi

I attach the latest scan as you said.

If no future issues then let’s remove used tools.

It is necessary to uninstall ComboFix :

[*] Click Start (or the Vista Start button icon) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait until the uninstall process is complete.


Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


I recommend keeping Malwarebytes AntiMalware and using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.

Hi

I feel very relieved for not having any kind of threats on my PC.

Thank you all the people that helped me!

Here the attachment

Pondus, magna86 and iroc9555

Thank you so much :)

P.S.: I’ve learnt the lesson; cheaper (free) things are more expensive.