So I got this virus about a week ago. Thought I got rid of it myself, and about a week later it popped back (so I either never got rid of it and it laid dormant OR I got it again).
So, what I have done so far…
Re-booted in Safe Mode.
Ran rkill
Ran Spy-bot
Ran MalwareBytes
Ran HitmanPro (not the boot-up, just normal)
Ran Avast! (which is my main virus protection)
and finally… Ran ComboFix.
I just want to be sure this thing is gone (I think HimManPro really got rid of it, but just to be sure).
Attached is my ComboFix log (this was after I ran rkill)
[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
[*]Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
I am running into an issue even getting this started…
When I re-boot, F8 does not seem to do anything. During boot up (before Windows Vista starts) I only see two options…
F2 which is for System Setup (goes into CMOS) and then F12 which has a small menu:
F12
*Hard Drive
*Optical Drive
*USB-Zip
*System Setup (goes to CMOS, same as F2)
*Diagnostics
*Boot Partition
I WAS able to somehow get to a System Repair screen at one point (I think simply from booting and rebooting the PC so many times) but I never got any of the options you suggested. It was at System Repair for like 10 minutes, then just rebooted my system on its own…
[color=green]Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Open notepad and copy/paste the text present inside the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Save notepad as fixlist.txt NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
=========== THEN ============
Re-run FRST.exe ;
Put checkmark on box for options “Addition.txt”
Press Scan button …
Please attach here bouth fresh created FRST and Addition.txt logs
Open notepad and copy/paste the text present inside the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Save notepad as fixlist.txt NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )Open notepad and copy/paste the text present inside the code box below:
Also, you need to attach here C:\Qoobox[b]ComboFix-quarantined-files.txt.[/b]
Since you have been running CF few times I have to see what CF has worked in the past …
Ok, I think I got what you asked for… Just a couple of things I was confused on in your last instructions…
I took this to mean, when I download Combofix, it saves it in my downloads, and you wanted me to move it to Desktop. Which is what I did. Actually, it was a Shortcut from Desktop (the root file was still under \Downloads). Hopefully that didn’t affect anything. I was still able to run it by drag-dropping as your icon suggested.
Secondly, you mentioned…
I only ran ComboFix once in your instructions, so I was confused when you said it will re-run. If I missed something and you wanted me to run ComboFix more than once, let me know…
I took this to mean, when I download Combofix, it saves it in my downloads, and you wanted me to move it to Desktop. Which is what I did. Actually, it was a Shortcut from Desktop (the root file was still under \Downloads). Hopefully that didn't affect anything. I was still able to run it by drag-dropping as your icon suggested.
I see everything. ;D It is recommended that Combofix before launching is on the desktop, not in the download folder.
Running from: c:\users\James[b]Downloads[/b]\ComboFix.exe
Command switches used :: c:\users\James[b]Desktop[/b]\CFScript.txt
Shortcut does not count.
I only ran ComboFix once in your instructions, so I was confused when you said it will re-run
When you drag notepad ( CFScript.txt ) over Combofix.exe icon, Combofix will re-run. You have run Combofix regularly (Shortcut does not count. ;D)
All logs looks clean. How’s your computer running now? Any ransomware traces? 8)
Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt) Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.
I recommended you to use MCShield if you will.
You may download MCShield from one of the following links:
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
Can you recommend a program that might help “speed up” my computer. Some times it runs a it sluggish, specifically when attempting to open IE, it can sometimes take a few seconds top launch IE, and sometimes multiple instances of IE pop open at once (even though I hit the icon just once). Just as an example of what I mean. I think I might have old files or old registry items on my system that are no longer in use and might be bogging it down.
Not sure if you know of any tests I can run or programs that will look at my system and recommend on how to improve speed?