Worm infestation

I’ve just read the two sticky notes at the top of the forum. Before doing anything, I wanted to check to see if the instructions given in the Malware removal post will be effective since I have a worm?

Avast advised it had blocked Rontokbr-K, approximately 42 times in rapid succession. I disabled System Restore and did a Boot Scan. The boot scan moved 2010 files to the chest. As soon as I started using the machine again, I got another notification about the Rontokbr-K.

I’m going out of town in the morning and won’t be back until Monday. I’ll be shutting the machine down, but I did want to post here for help. I’ll check in with my laptop to see what anyone has to say. Thanks!

What do you mean by effective? And why should it be different with a worm?

follow the guide, attach the logs from Malwarebytes / OTL / aswMBR http://forum.avast.com/index.php?topic=53253.0

When done, malware experts will be notified and help you. They are usually online after work hours, European time.

have you used any USB sticks or removable drives on that computer?

Pondus, Effective means in his case “To work well or disable the worm”.

From the link Pondus gave you, install MCShield

Pondus, Effective means in his case "To work well or disable the worm".
how do you know what he means?

however i know essexboys tricks works with all malware :wink:

By “effective” I meant would it work to remove a worm infestation as well as malware (I don’t actually know the difference between the two, so I don’t know why it would be any different, thus my question).

I’ve scanned three different drives, all three drives have had to have files deleted that avast is telling me are infected with this worm. The alert avast popped up told me it had just blocked the threat. Semantics? :-\

Yes, one machine had an external drive attached to it which was being used as a backup drive. I have removed that drive from the network and scanned it. Fortunately, it only had three infected files and they were not any of the 2,010 files that had to be deleted from the first machine I scanned. Beyond that, no sticks or other external devices. I don’t think the external drive was the source of the infection though. I can’t know of course, but I suspect it was my own stupidity clicking a link I normally would have known better than clicking… :-[

And, apologies for the gender confusion, I’m a she. Just got home from out of town. I’ll check the links you’ve provided in the morning and send reports out. Thanks for the help.

Monitoring… Malware is malware irrespective of the name used. Some are more difficult to remove is the only real difference

Hello. I’ve run MBAM and OL and attached those logs here. I was running aswmbr and crashed with a BSOD. Decided to send what I had before attempting the aswmbr again.

Well it is a long time since I have come across this and none of the usual suspects are present so it may be a new variant

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

and here’s the aswMTR.txt…

ComboFix text file attached…

After combofix has done its thing could you then run a quickscan with Avast to see if the infection is cured

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

  FCopy::
  c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll|c:\windows\system32\user32.dll
  c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll|c:\windows\SysWOW64\user32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
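The CFScript above tells ComboFix to copy the known-good user32.dll from the WinSxS component store over the live copies in System32 and SysWOW64. The Python script below is added here as an illustration; it is not part of this thread, of ComboFix, or of Avast. It verifies after the fact that each live file is byte-for-byte identical to its reference copy by comparing SHA-256 digests. The two path pairs are taken from the script above and only apply to that Windows 7 x64 build; the `demo()` function uses constructed temporary files so the logic can be exercised on any machine.

```python
"""Post-cleanup integrity check for files restored from WinSxS.

Added example; not part of the forum thread, ComboFix or Avast.
Compares the SHA-256 of each live file with its reference copy.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Pairs of (reference copy, live copy), taken from the CFScript FCopy lines.
# These paths only exist on the affected Windows 7 x64 build (6.1.7601.17514).
DEFAULT_PAIRS = [
    (r"c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_"
     r"6.1.7601.17514_none_2b5e71b083fc0973\user32.dll",
     r"c:\windows\system32\user32.dll"),
    (r"c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_"
     r"6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll",
     r"c:\windows\SysWOW64\user32.dll"),
]


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_pair(reference, live):
    """Return (status, reference_digest, live_digest).

    status is 'match', 'mismatch', or 'missing' when either file is absent.
    """
    if not os.path.isfile(reference) or not os.path.isfile(live):
        return ("missing", None, None)
    ref_digest = sha256_file(reference)
    live_digest = sha256_file(live)
    status = "match" if ref_digest == live_digest else "mismatch"
    return (status, ref_digest, live_digest)


def check_pairs(pairs=DEFAULT_PAIRS):
    """Check every (reference, live) pair; result is keyed by the live path."""
    return {live: compare_pair(ref, live) for ref, live in pairs}


def demo():
    """Constructed sample data: one matching pair, one tampered pair, one
    missing live file, all in a temporary directory. Returns {name: status}."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "ref_good.dll")
        good.write_bytes(b"MZ" + b"\x00" * 64)          # constructed reference
        live_ok = Path(d, "live_ok.dll")
        live_ok.write_bytes(good.read_bytes())           # identical copy
        live_bad = Path(d, "live_bad.dll")
        live_bad.write_bytes(b"MZ" + b"\x90" * 64)       # altered copy
        absent = Path(d, "absent.dll")                   # never created
        results = check_pairs([
            (str(good), str(live_ok)),
            (str(good), str(live_bad)),
            (str(good), str(absent)),
        ])
        return {Path(live).name: status for live, (status, _, _) in results.items()}


if __name__ == "__main__":
    # On the affected machine this reports the real user32.dll copies;
    # elsewhere the default paths are simply reported as missing.
    for live, (status, _, _) in check_pairs().items():
        print(f"{status:9} {live}")
    print(demo())
```

A "mismatch" after the CFScript step means the live file still differs from the component-store copy and the replacement should be repeated or investigated; "missing" means one of the paths does not exist on this build and the pair list needs adjusting.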

ComboFix has been run a second time with that log attached. I’ve also run an Avast quickscan and received a zero threats detected report back. That sounds like a cure to me. Sound good to you?

Sure does :slight_smile: Any further problems ?

No, everything is lovely here. Thanks SO much for your patient help. Much appreciated.
(please see attachment ;))

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

Delete AswMBR from the desktop

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the “x” and “/”)
    then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up, select OK at the first prompt; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

Ah, would that I were gone. It appears that more damage was done. Probably beyond the scope of your services, but I did want to ask your help with part of it.

I had hired someone to do some upgrading of my computers over the summer and it appears that they used bootleg MS Win7 Ultimate OS software. I’m taking care of that (money, harm done, etc.), but in the meantime, I have to get the computers, licenses, etc. right. Not using them to fix it obviously. I’m not sure, but maybe in cleaning up the infection we also removed something that was hiding the fact that it was an illegal copy?

Now almost anything I try to do I’m being stopped by various error messages. My guess is part of the problem may be some essential files have been removed - whether Windows files or other program files. My plan now is to do clean installs on two machines (after all your hard work!) so I’m trying to gather as complete a listing as I can of files that were deleted. So grateful I’ve been diligent about backups!

Will the Avast logs give me lists of all files that have been deleted? Could you tell me other log names if there are others I need to print out before I start doing the cleanup process you’ve laid out for me?

The main problem file (i.e. infected) was user32.dll, which was replaced with a good backup copy
The other deletions were just general adware and of no consequence

What are the error messages that you are getting ?

I can’t exactly say the error messages. I’ve never seen them before, I haven’t figured out how to capture them (snipping tool is disabled, print screen doesn’t capture it, ??). Most I can’t duplicate. But, for instance, when I tried to print, this is what happened twice: both monitors turn light blue, main monitor has two error/message boxes with two different messages. One says something about a required file being missing. The other said something about a tool being unavailable. The tool had something to do with printing, was a three word phrase, I’m pretty sure it started with ‘interactive,’ might have been interactive digital, but I don’t remember. And as with most of them, it hasn’t been back. I still can’t print though. Tried re-installing drivers, no good. Odd though that if nothing of consequence was deleted in the cleanup, where did they go?

The whole thing has me a little weirded out. Some of what I’m seeing is sometimes just a flash of red here or there. ?? Maybe I’m just being paranoid. I’ll be glad when it’s cleaned up and I can move on.

What printer are you using (make and model) and does this occur if you are in single monitor mode ?