Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2

OK, I did not know you had lost files, as that is a slightly different infection

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Here comes the report from RogueKiller…

You should have all the shortcuts back now. Did combofix install the recovery console as we will need to use that once I have the right partition numbers

And the MBR infection was a double one

Please download the following tool

Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

https://dl.dropbox.com/u/73555776/listparts.GIF

Here comes the log from Listparts…

I'm not sure I know what you meant about the recovery tool, but I might have got a recovery tool that is from Microsoft, as I installed one of the programs. When I'm starting the computer something gives me two options, one of which might be recovery something. The picture only lasts for two seconds, but I think I have the option to choose from something that says Windows XP and also Recovery.

Could you download to your C drive the following programme

[*] Download Farbar Recovery Scan Tool

Once it is there then reboot the computer and in the two seconds available select recovery console
This will bring up a command prompt
At the prompt type the following :

CD…

Do this until you get the C> command prompt

At the C prompt type

FRST.exe

[*] The tool will start to run.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif

[*] When the tool opens click Yes to disclaimer.
[*] Press Scan button.
[*] It will make a log (FRST.txt) on the C drive.
[*] Reboot to normal mode
Please copy and paste it to your reply.

I rebooted and chose Recovery Tool, and then the picture froze as the message “reset console is being loaded” or something like that.

All the files on the C drive are not hidden anymore, but the program folders in the Windows start menu are all empty.

OK, looks like we will have to work outside of Windows with this beasty. We will fix the start menu once we have slain this beast

OK, next we will work outside of Windows
Please print these instructions out so that you know what you are doing

[*] Download OTLPENet.exe to your desktop
[*] Download Farbar Recovery Scan Tool and save it to a flash drive.
[*] Ensure that you have a blank CD in the drive
[*] Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
[*] Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*] As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
[*] Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*] Insert the flash drive with FRST on it
[*] Locate the flash drive and run FRST
[*] The tool will start to run.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif

[*] When the tool opens click Yes to disclaimer.
[*] Press Scan button.
[*] It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Here is the log from Farbar… I did have a checkmark on “List drivers MD5”, as it was checked when I opened the program. I hope that will be fine, tell me if not.

Got it now

Could you copy listparts to the same USB as FRST
Then copy the attached fix.txt to the same USB
Insert the USB
Run Listparts and select fix

Once it has completed it will produce a log
Reboot to normal mode and post the log

What do you mean by reboot to normal mode? I ran it (as you said) from Windows normal mode using the file on the USB. Or did you mean I should have rebooted and used the program I burnt on CD yesterday and opened it from that system? Here comes the log I got now…

Sorry, yes, run it from the OTLPE, as the malware is blocking any programme run from normal Windows

Here comes the log from Listparts…

Could you now go to normal Windows please

Then run TDSSKiller

Here comes the report from TDSSKiller, which I copied to notepad.

OK we beat it

How is the computer behaving now ?

Great! It's much better now, I think. Are there any virus/malware or virus-diseased files on my computer now?

The program folders on my start menu are there, but they are all empty… Could I remove all the programs installed and the files/folders created on my C drive, like C:_OTL, C:\Qoobox, C:\TDSSKiller_Quarantine, C:\FRST, C:\Gotcha, C:\FRST.exe? and maybe some more files…

Should I do anything more to get everything back to normal?

Thank you for all the help, a great THANKS to you!

Essexboy will give you advice on the removal of the tools and general advice for the future.

OK, let's get the menus back where we can, I will remove all the programmes when you are happy

But first let's check the bad partition has gone, if not you can delete it ;D

Go Start > Run
Type in the following and press enter:

diskmgmt.msc

This will open the disk management console
Look at the partitions: is there a second one of 10 MB size?
If so then right click that partition and select delete

MENUS

Restore Accessories Program Files Menu

Please download this tool here.

You will need to unzip the tool first.

Once you’ve unzipped the tool, please double-click on it to run it.

Ensure that the following check boxes are checked (as seen in this image below):

http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/restore-start-menu-accessories-folder.gif

Once they are, click on the Restore button.

Restore Admin Tools Program Files Menu

Please download this tool here.

You will need to unzip the tool first.

Once you’ve unzipped the tool, please double-click on it to run it.

Click on the Restore Administrative Tools Items button.

As seen in this image below:

http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/RestoreAdministrativeTools.gif

This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
Download the repair.vbs file to your desktop
Run the repair.vbs
It will ask for a folder name call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder
Open the folder
Cut and Paste the links that you want to C:\documents and settings[i]your name[/i]\start menu

http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp1.gif

http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp2.gif
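Added example, not part of this thread or of any of the tools named in it: a small Python MBR partition-table parser that does, offline, the same check the helper asks for in Disk Management, namely flagging a small non-bootable second partition next to the real system partition. The 512-byte sample MBR, its partition sizes and its type bytes are constructed for the example; a 512-byte sector size is assumed.

```python
import struct

SECTOR = 512  # assumed sector size; MBR LBA fields count sectors of this size


def _entry(boot, ptype, lba_start, sectors):
    """Build one 16-byte MBR partition entry (CHS fields zeroed, LBA only)."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


# Constructed sample MBR: entry 1 is a ~20 GB bootable NTFS-type partition,
# entry 2 is a 10 MB partition (20480 sectors) placed right after it, the kind
# of extra partition the thread looks for. Type bytes are made-up values.
SAMPLE_MBR = (
    bytes(446)                              # boot code area, zeroed here
    + _entry(0x80, 0x07, 63, 41943040)      # bootable, 41943040 * 512 = 20 GB
    + _entry(0x00, 0x07, 41943103, 20480)   # not bootable, 20480 * 512 = 10 MB
    + bytes(32)                             # two unused entries
    + b"\x55\xAA"                           # MBR boot signature
)


def parse_mbr(mbr):
    """Return a list of dicts, one per used partition entry in a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, start, count = struct.unpack("<B3sB3sII",
                                                        mbr[off:off + 16])
        if ptype == 0:          # empty entry
            continue
        parts.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return parts


def suspicious_partitions(parts, max_mb=16):
    """Flag small, non-bootable partitions worth a closer look (threshold is a guess)."""
    return [p for p in parts if not p["bootable"] and p["size_mb"] <= max_mb]
```

On a live Windows system the same 512 bytes can be read, as administrator, with `open(r"\\.\PHYSICALDRIVE0", "rb").read(512)` and passed to `parse_mbr`; the function only reads the sector, it never writes to the disk.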

Hi,

I have been away on holiday for the last three weeks but now I'm back.

I only have one partition left, which looks okay. The restore accessories program ran without any problem. When I ran restore admin tools I got an error message, and same happened with repair.vbs (see attachment). Can you help me out?

Is there anyone that can help me to finish this?