OK, it has come back on. No log has been produced from the combo run; Avast and Windows updates are still not available.
Additional notes: Having intermittent issues with the internet now, I keep getting boxes saying “you are leaving secure space” or something like that when I log into Facebook, also can’t view some pics on Facebook, and I’m having an ongoing issue with my battery. This I am not sure is related to the virus but thought I’d mention it…!
I will use the same designator as that may well have come back
- Please download The Avenger by Swandog46 to your Desktop.
  - Right click on the Avenger.zip folder and select “Extract All…”
  - Follow the prompts and extract the avenger folder to your desktop.
- Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\System32\drivers\b2892b92cea0254.sys
Drivers to delete:
b2892b92cea0254
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, open the avenger folder and start The Avenger program by clicking on its icon.
  https://dl.dropbox.com/u/73555776/Avenger%20icon.GIF
  - Accept the disclaimer.
  https://dl.dropbox.com/u/73555776/Avenger%20disclaim.GIF
  - Right click on the window under Input script here:, and select Paste.
  https://dl.dropbox.com/u/73555776/Avenger%20run.GIF
  - You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  - Click on Execute.
  - Answer “Yes” twice when prompted.
- The Avenger will automatically do the following:
  - It will restart your computer. (In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
  - On reboot, it will briefly open a black command window on your desktop; this is normal.
  - After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  - The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
- Please copy/paste the content of c:\avenger.txt into your reply.
Hi - I did the Avenger thing, it rebooted once but nothing happened when it came back on and there was no log that I could see. I rebooted again and it just died and won’t come back on again now for some reason?? I wonder if this is somehow affecting the battery, it’s plugged in to the power though so I’m not sure…
Could you rename Combofix to Gotcha please and then run … This one is a darn sight tougher than the last one.
Ignore my previous, I have thought of a different way.
First:
Open Avast and go to the virus chest
Right click the blank area and select add
http://dl.dropbox.com/u/73555776/open%20chest.jpg
Navigate to C:\Windows\System32\drivers\b2892b92cea0254.sys
http://dl.dropbox.com/u/73555776/navigate.JPG
Select the file
http://dl.dropbox.com/u/73555776/select.JPG
Right click the file in the chest and select submit to virus labs
http://dl.dropbox.com/u/73555776/add%20submit.JPG
Once done manually update the virus definitions to send it
THEN
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application.
  http://dl.dropbox.com/u/73555776/TDSSFront.JPG
- Then click on Change parameters.
  http://dl.dropbox.com/u/73555776/TDSSConfig.JPG
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip; click on Continue.
  http://dl.dropbox.com/u/73555776/TDSSFound.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports.
  http://dl.dropbox.com/u/73555776/TDSSEnd.JPG
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
Hi - I can’t even find the driver you’re referring to? I can get to the System32 folder/drivers but I cannot see anything in there which is b2892b92cea0254.sys
Go to control panel > Folder options
Select advanced tab
Select show hidden folders
Deselect Hide system files
Then see if it is there
I did this, it was already showing as show hidden files, I’ve tried again and can’t find it.
OK maybe we did kill it and something else has arrived… Continue with TDSSKiller please
OK, when I downloaded the program it said “error cannot load driver”, I clicked OK and it then was OK. I selected the boxes, did the scan and it found absolutely loads of suspect files, the top was as marked in red and it was this rootkit one, it said it’s malicious and would only let me delete, skip or quarantine. So I selected skip on that one and all the others, clicked continue and then it just said “there are unprocessed malware objects” and here is the report:
Run TDSSKiller again and when you get to this select delete
b2892b92cea0254 ( Rootkit.Win32.Necurs.gen ) -
21:32:46.0139 0740 b2892b92cea0254 ( Rootkit.Win32.Necurs.gen ) -
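The helper's instruction above hinges on telling a real detection (the Rootkit line, which is the one to act on) apart from the medium-risk entries that TDSSKiller also lists. As an added example, not part of the thread and not TDSSKiller's own code, here is a small Python parser for report lines in the shape quoted above that does that triage. The line for b2892b92cea0254 is the one from the thread; the other sample lines, the driver names in them, the trailing verdict words (`infected`, `warning`) and the list of review-only detection families (`LockedFile.`, `UnsignedFile.`) are assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    """One detection line of a TDSSKiller text report."""
    time: str
    pid: str
    obj: str      # driver/service name that was flagged
    name: str     # detection name, e.g. Rootkit.Win32.Necurs.gen
    verdict: str  # word after the trailing " - " (assumed vocabulary: infected / warning / suspicious), "" if absent


# "<time> <pid> <object> ( <detection> ) - <verdict>"; the time/pid/object/detection layout follows
# the line quoted in the thread, the optional verdict word at the end is an assumption.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>[0-9A-Fa-f]+)\s+"
    r"(?P<obj>.+?)\s+\(\s*(?P<name>[^()]+?)\s*\)\s*-\s*(?P<verdict>\w+)?\s*$"
)

# Detection families reported for medium-risk objects that are not known-bad (assumed list);
# anything else is treated as a real detection that should be cured/deleted.
REVIEW_ONLY_PREFIXES = ("LockedFile.", "UnsignedFile.")

# Constructed sample report: the b2892b92cea0254 line is the one quoted in the thread,
# the remaining lines and driver names are made up for this example.
SAMPLE_REPORT = """\
21:32:40.0101 0740 Scan started
21:32:46.0139 0740 b2892b92cea0254 ( Rootkit.Win32.Necurs.gen ) -
21:32:48.0311 0740 exampledrv1 ( LockedFile.Multi.Generic ) - warning
21:32:49.0422 0740 exampledrv2 ( UnsignedFile.Multi.Generic ) - warning
21:32:50.0533 0740 Scan finished
"""


def parse_report(text):
    """Return the Detection entries in a report; plain progress lines are ignored."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Detection(m["time"], m["pid"], m["obj"], m["name"],
                                   (m["verdict"] or "").lower()))
    return found


def triage(detections):
    """Split detections into objects to act on (cure/delete) and objects that only need review."""
    act, review = [], []
    for d in detections:
        if d.verdict == "infected" or not d.name.startswith(REVIEW_ONLY_PREFIXES):
            act.append(d.obj)
        else:
            review.append(d.obj)
    return {"act": act, "review": review}


def was_detected(detections, obj_name):
    """True if the named driver/service appears in any detection line (case-insensitive)."""
    return any(d.obj.lower() == obj_name.lower() for d in detections)


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    summary = triage(dets)
    print("act on  :", summary["act"])
    print("review  :", summary["review"])
    print("driver seen:", was_detected(dets, "b2892b92cea0254"))
```

Run against a saved report (`parse_report(open(path, encoding="utf-8", errors="replace").read())`) the `act` list is what the helper is pointing the user at; the `review` list corresponds to the "medium risk" entries the user was told to skip.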
Hi - I did the TDSS, it didn’t find anything malicious, just some medium risk files, I skipped them and it rebooted. I then started getting prompts to update my Avast which I’ve done now and am currently trying to do the Windows updates (which is taking a long time, is this normal?)
Anything else i should check?
Could you run an OTL quick scan please to see if it has gone, 'cos this is one sneaky bugger
Yep, here it is.
Now that looks clean, how is the computer behaving now
Words I’ve been waiting to hear! It’s a bit slow but I’m doing a full Avast system scan so I think that’ll be why. All the Windows updates went fine, Avast is up and running again, it all seems OK. I’m now just thinking how do I avoid this happening again…? My firewall is switched on and Avast seems fine now, will this be OK or would you recommend any further protection?
PS THANK YOU!!! You are an absolute star for helping me fix this, and if I ever have issues again I will come back to you as you’ve been excellent.
This is something new. I have only seen four of these now and as of yet have been unable to determine what it is doing. Is there a copy of the file in either TDSSKiller quarantine or Combofix quarantine? As I would like to get a copy to Avast; so far TDSSKiller is the only one that recognises it for what it is. If there is a copy in one of the quarantine folders could you upload it to Avast as per the previous. Then once that is done I will remove my junk.
I don’t know where to find the quarantine for TDSS or Combofix?
It will be at either c:\qoobox\Quarantine or C:\TDSSKiller\quarantine