Stuck while fixing Smart repair

Avast blocked an internet page, saying a threat had been detected. Shortly afterwards, error messages started to appear, then a Smart Repair window scanning my PC and asking me to pay for fixing it, then the desktop became black with no icons and the start menu became blank every other time or so. The scan brought no result but Avast still tells me there is a threat.

Cruising around with another computer, I slowly understood (I am far from being a pro) that I got infected by Smart Repair, which appears to be difficult to treat with various antivirus programs. Today, when I rebooted the computer, Avast updated and told me to run a scan right away.

Its result:
c:\programData\ge697PHqssaffz.exe infected par Win32 : Dropper-gen [Drp] (where I wrote 7 it is actually a sign I don't know, close to 7 but with the bottom part vertical). Rest of the scan result:
Click on
1 Cancel
2 Cancel all
3 Quarantine
4 Quarantine all
5 Fix
6 Fix all
7 Ignore
8 Ignore all
I clicked on 5 to fix and got error 42060 (the file didn’t get fixed).

At this point, I don't know what to do because I am paranoid about doing something wrong, and I need to enter something to get further. Can somebody tell me what to do?

Thanks,

Yveline

The safest option would be to Quarantine as that at least leaves you other options, whilst Delete doesn’t leave any.

Thank you
I’ll do that.
Yveline

Hey, I would also recommend you do a scan with Malwarebytes Anti-Malware, which is a good program to clean this kind of rogue program, which Smart Repair is.

http://filehippo.com/download_malwarebytes_anti_malware/

good luck.

You’re welcome.

Hi do you have the desktop and icons back ?

If not

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please attach: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop

[*] Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
[*] Select All Users.
[*] Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*] When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Attach both logs.

Wow! You're faster than I am. Your post regarding RogueKiller was there before I had completed the process with Malwarebytes. I was surprised it went fast since I read it took several hours. But, true, I went for the recommended quick scan. Should I go for the thorough scan?

Here is the report from Malwarebytes. I saved it but don't know what to do with it.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Version of the database: v2012.06.15.07
Windows Vista x86 Service Pack 2 NTFS
Internet Explorer 9.0.8112.16421
Rogine :: PC-DE-ROGINE [Administrator]

15/06/2012 18:31:10
mbam-log-2012-06-15 (19-12-54).txt

Type: Full scan
Scan options enabled: Memory | Start | Register | File System | Heuristic / Extra | Heuristic / Shuriken | PUP | PUM
Scan options disabled: P2P
Item (s) analyzed (s): 194581
Time elapsed: 5 minute (s), 37 second (s)

Process memory detected (s): 0
(No malicious items detected)

Module (s) detected memory (s): 0
(No malicious items detected)

Key (s) detected the registry (s): 0
(No malicious items detected)

Value (s) of the detected registry (s): 0
(No malicious items detected)

Item (s) Memory Processes detected (s): 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → No action taken.

File (s) detected (s): 0
(No malicious items detected)

File (s) detected (s): 0
(No malicious items detected)

(end)

Regarding RogueKiller, I have tried to download it but I got a red alert window that told me it might damage my computer. So I shied away. I had the same with pre_scan.

The programme is safe, otherwise I would not recommend it. If it is IE with the red alert, then select Actions > Run anyway.
If it is Avast, then select run normally.

This programme should restore all your folders and icons and OTL will show me what remains ;D

Does the Malwarebytes report tell you anything?

It tells me that you may have a new variant, as nothing was detected.

Weird! The screen (before clicking on save report) tells me they detected 2 malware: PUM.Hijack.StartMenu.
I'll now proceed to do something about RogueKiller.
Yveline

They were just some registry entries that may be either good or bad dependent on what they are used for (Potential Unwanted Modification).
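The two kinds of change discussed in this thread are both checkable without any cleaning tool: the two Explorer\Advanced values that Malwarebytes flagged as PUM.Hijack.StartMenu (its log shows "Bad: (0) Good: (1)", so 1 is the value that shows the item), and the Hidden attribute that this rogue sets on the user's files, which is why the desktop and Start menu look empty and what RogueKiller's ShortcutsFix step undoes. The script below is an added example, not part of this thread and not code from Malwarebytes, RogueKiller or OTL; it only reads and reports, never changes anything. It assumes PowerShell 2.0 or later (Vista with WMF 2.0 is enough); the value names and the expected value 1 are taken from the Malwarebytes log above, and the folder list mirrors the folders the RogueKiller report lists.

```powershell
# Added example: read-only audit of the Start menu PUM values and of hidden files
# under the user's folders. Not from this thread or from any of the tools named in it.
# Assumes PowerShell 2.0 or later. It reports only; it does not modify the registry
# or file attributes.

$advancedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# Value names and the "good" value come from the Malwarebytes log in this thread.
$pumValues = @('Start_ShowMyComputer', 'Start_ShowSearch')
$expected  = 1

function Get-PumStatus {
    # One row per flagged value: what it is set to now, and whether that is the "good" value.
    foreach ($name in $pumValues) {
        $item = Get-ItemProperty -Path $advancedKey -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$name } else { $current = 'absent' }
        New-Object PSObject -Property @{
            Value    = $name
            Current  = $current
            Expected = $expected
            Matches  = ($current -eq $expected)
        }
    }
}

function Get-HiddenFileCounts {
    # Folders chosen to mirror the RogueKiller report (Bureau, Mes documents, Menu demarrer, ...).
    $roots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('MyDocuments'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('Favorites'),
        [Environment]::GetFolderPath('MyPictures')
    )
    $hiddenFlag = [System.IO.FileAttributes]::Hidden
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force is required, otherwise hidden entries are not listed at all.
        # desktop.ini is legitimately hidden in these folders, so it is left out of the count.
        $files = @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { (-not $_.PSIsContainer) -and ($_.Name -ne 'desktop.ini') })
        $hidden = @($files | Where-Object { ($_.Attributes -band $hiddenFlag) -eq $hiddenFlag })
        New-Object PSObject -Property @{
            Folder = $root
            Total  = $files.Count
            Hidden = $hidden.Count
        }
    }
}

Get-PumStatus        | Format-Table Value, Current, Expected, Matches -AutoSize
Get-HiddenFileCounts | Format-Table Folder, Total, Hidden -AutoSize
```

Run it from a normal PowerShell prompt on the affected machine (reading HKLM needs no elevation). A `Matches` column of True means the value is already at the setting Malwarebytes calls good; a `Hidden` count close to `Total` in Desktop or Start Menu is the signature of this rogue and is what the ShortcutsFix step in the instructions above repairs. Re-running it after the fix should show the hidden counts drop to a handful.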

I completed the first part of RogueKiller and attached the 3 files you said. I also have a quarantine file that was not there before.
I am moving on to the next step and trying to find out what that page that popped up (System Check) is. Maybe it is what you said the next step should be.
Yveline

OK there are all the files and folders back… Next OTL to remove what remains ;D

RogueKiller V7.5.4 [07/06/2012] par Tigzy
mail: tigzyRKgmailcom
Remontees: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Blog: http://tigzyrk.blogspot.com

Systeme d’exploitation: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Demarrage : Mode normal
Utilisateur: Rogine [Droits d’admin]
Mode: Raccourcis RAZ – Date: 15/06/2012 20:16:18

¤¤¤ Processus malicieux: 0 ¤¤¤

¤¤¤ Driver: [CHARGE] ¤¤¤

¤¤¤ Attributs de fichiers restaures: ¤¤¤
Bureau: Success 15 / Fail 0
Lancement rapide: Success 2 / Fail 0
Programmes: Success 3 / Fail 0
Menu demarrer: Success 30 / Fail 0
Dossier utilisateur: Success 4839 / Fail 0
Mes documents: Success 8695 / Fail 0
Mes favoris: Success 48 / Fail 0
Mes images: Success 552 / Fail 0
Ma musique: Success 2 / Fail 0
Mes videos: Success 3 / Fail 0
Disques locaux: Success 10562 / Fail 0
Sauvegarde: [FOUND] Success 0 / Fail 1

Lecteurs:
[C:] \Device\HarddiskVolume1 – 0x3 → Restored
[D:] \Device\HarddiskVolume2 – 0x3 → Restored
[E:] \Device\CdRom0 – 0x5 → Skipped
[F:] \Device\HarddiskVolume7 – 0x2 → Restored
[G:] \Device\HarddiskVolume3 – 0x2 → Restored
[H:] \Device\HarddiskVolume4 – 0x2 → Restored
[I:] \Device\HarddiskVolume5 – 0x2 → Restored
[J:] \Device\HarddiskVolume6 – 0x2 → Restored

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Termine : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Well, I went on with the next step, which was downloading OTL. I first had a red alert from SmartScreen telling me it could damage the computer, but I did proceed, and once it was downloaded, my antivirus (Avast) popped up saying it found it suspicious and ran it in "the sandbox". Should I keep going?
Yveline

Restart OTL and when Avast sandboxes it, in the drop-down box select run as normal and tick the remember box.

I had some trouble proceeding. Avast did want to run OTL in the sandbox and the scan took a while.
Attached are both logs.
Yveline

OK, let's now run this. Once done, could you let me know if you are having any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*] Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2012/06/15 01:20:26 | 000,000,152 | ---- | M] () -- C:\ProgramData\-ge69lPHqSsaFFzr
[2012/06/15 01:20:26 | 000,000,000 | ---- | M] () -- C:\ProgramData\-ge69lPHqSsaFFz
[2012/06/15 01:20:24 | 000,000,609 | ---- | M] () -- C:\Users\Rogine\Desktop\Data_Recovery.lnk
[2012/06/15 01:20:22 | 000,000,256 | ---- | M] () -- C:\ProgramData\ge69lPHqSsaFFz

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered; reboot the PC when it is done.
[*] Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here are the logs. I can see no additional file compared to last time, but I can see these files got modified. So, I assume the new logs are in them.

Now, the icons came back on the desktop and the start menu is populated again (don’t know yet if everything is there) but the desktop is still black.

Yveline

Whilst I look at the log, right click on the desktop and select Personalise.
Select a new background … Does it change?