silvercat

infostealer.gampass virus need help


I rebooted twice, the second time the desktop came back. I was greeted with 16 warning windows from Avira. I finally got the ComboFix log, but it took forever for each step; this poor thing is slow to the point of being almost non-functional. I had to connect to the internet to copy and paste this log in here.

 

The log FINALLY:

 

 

Driver::

Pandrv

secctrl

zghs1234

 

File::

C:\WINDOWS\SYSTEM32\rgfjmq.dll

C:\WINDOWS\SYSTEM32\notepde.exe

C:\WINDOWS\SYSTEM32\ssave.exe

C:\WINDOWS\SYSTEM32\ttjj5.ini

C:\WINDOWS\SYSTEM32\interne.exe

C:\WINDOWS\SYSTEM32\sysave.exe

C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

C:\WINDOWS\SYSTEM32\Com\heii4.exe

C:\WINDOWS\SYSTEM32\Com\man24.exe

C:\WINDOWS\SYSTEM32\Com\man24.exe

C:\WINDOWS\Temp\rtdrvmon.exe

C:\WINDOWS\system32\Com\heih.exe

C:\WINDOWS\SYSTEM32\Com\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\TEMP\Pandrv.sys

 

Registry::

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{a11725a0-8be3-44ae-b51c-7c0aced01f6c}"=-

"{3171a1d3-76ea-4dd0-b4ed-fe6da4e445a4}"=-

"{c4bf46a2-1c05-427d-992f-4e24f7d57f68}"=-

"{396f1715-e494-4aeb-8c0e-7c98486b3fd1}"=-

"{29fab913-d0cd-477b-a3f0-3d7c3a90379b}"=-

"{79dae25e-7bee-4484-bb1a-f30c45d535d9}"=-

"{432a9d34-f494-4382-9c6f-ae1ed5181f1c}"=-

"{5136d0e5-bad9-4d8e-9b62-7492bf467388}"=-

"{84143967-B645-4BFF-B873-DA1DC886E9A7}"=-

"{3FA10261-B890-F432-A453-69F1023513F3}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Loader.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Safe.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccEvtMgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSetApp.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccSetMgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FWMon.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IceSword]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Iparmor.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kavsvc.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KVMonXP.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\McAgent.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mctskshd.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mcupdmgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSetup.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\PFWLveUpdate.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ras]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rfwProxy.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\RsAqent.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rtvscan.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\runiep]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\UpLive.EXE.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\WINDOWS\\system32"=-


Hmm...... Pull the internet plug out, and uninstall Avira.

 

Btw.... That log is the incorrect one :)

 

You sent me the script I wrote for you. Look for C:\ComboFix.txt and post that. I'm not sure whether the latest script went through the process completely. We'll retry running SDFix IF the latest CFScript did what it was supposed to. :)

 

This thing sure has gone a bit complex, but we'll get it sorted, I'm sure.


There are two .txt logs in C:\ComboFix.

This one is titled "pend". I imagine that is for 'pending' and is the last one that ComboFix did not complete.

I can't figure out how to disconnect this computer from the internet without also disconnecting the other one, which I'm running my business on, so I can't have it disconnected for more than a few minutes.

.:\\(0!|0\)

C:\\WINDOWS\\system32\\(0!|0\)

C:\\WINDOWS\\system32\\config\\(0!|0\)

C:\\WINDOWS\\system32\\csrss.exe\\(0!|0\)

C:\\WINDOWS\\system32\\drivers\\(0!|0\)

C:\\WINDOWS\\system32\\hal.dll\\(0!|0\)

C:\\WINDOWS\\system32\\lsass.exe\\(0!|0\)

C:\\WINDOWS\\system32\\ntdll.dll\\(0!|0\)

C:\\WINDOWS\\system32\\services.exe\\(0!|0\)

C:\\WINDOWS\\system32\\smss.exe\\(0!|0\)

C:\\WINDOWS\\system32\\svchost.exe\\(0!|0\)

C:\\WINDOWS\\system32\\userinit.exe\\(0!|0\)

C:\\WINDOWS\\system32\\wbem\\(0!|0\)

C:\\WINDOWS\\system32\\winlogon.exe\\(0!|0\)

C:\\boot.ini\\(0!|0\)

C:\\ntdetect.com\\(0!|0\)

C:\\ntldr\\(0!|0\)

C:\\WINDOWS\\(0!|0\)

C:\\WINDOWS\\explorer.exe\\(0!|0\)

 

 

Also, I want to tell you that every mouse click requires 30 seconds to a minute for the computer to respond. It has also frozen a few times and then comes back.


I said there are 2 .txt logs in ComboFix. Here is the other one:

 

ComboFix 08-04-13.1 - Ann 2008-04-14 8:55:11.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.238 [GMT -4:00]

Running from: C:\Documents and Settings\Ann\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Ann\Desktop\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

C:\WINDOWS\system32\Com\heih.exe

C:\WINDOWS\SYSTEM32\Com\heii4.exe

C:\WINDOWS\SYSTEM32\Com\man24.exe

C:\WINDOWS\SYSTEM32\Com\SVCHOST.EXE

C:\WINDOWS\SYSTEM32\interne.exe

C:\WINDOWS\SYSTEM32\notepde.exe

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\SYSTEM32\rgfjmq.dll

C:\WINDOWS\SYSTEM32\ssave.exe

C:\WINDOWS\SYSTEM32\sysave.exe

C:\WINDOWS\SYSTEM32\ttjj5.ini

C:\WINDOWS\TEMP\Pandrv.sys

C:\WINDOWS\Temp\rtdrvmon.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\608769MM.DLL

C:\WINDOWS\cmdbcs.exe

C:\WINDOWS\Fonts\gjcscss.dll

C:\WINDOWS\Fonts\gjcuaxw.fon

C:\WINDOWS\SHAProc.exe

C:\WINDOWS\system32\cedafb.dll

C:\WINDOWS\system32\cmdbcs.dll

C:\WINDOWS\SYSTEM32\Com\AtiSrvn.exe

C:\WINDOWS\SYSTEM32\Com\man24.exe

C:\WINDOWS\system32\com\smss.exe

C:\WINDOWS\SYSTEM32\Com\SVCHOST.EXE

C:\WINDOWS\system32\gjcscyc.dll

C:\WINDOWS\system32\hfjg.dll

C:\WINDOWS\SYSTEM32\interne.exe

C:\WINDOWS\system32\mseion.sys

C:\WINDOWS\system32\msepbe.dll

C:\WINDOWS\SYSTEM32\notepde.exe

C:\WINDOWS\SYSTEM32\qoq.exe

C:\WINDOWS\SYSTEM32\rgfjmq.dll

C:\WINDOWS\system32\rhs.dll

C:\WINDOWS\system32\SHAProc.dat

C:\WINDOWS\SYSTEM32\ssave.exe

C:\WINDOWS\SYSTEM32\sysave.exe

C:\WINDOWS\SYSTEM32\ttjj5.ini

C:\WINDOWS\system32\ywg32.dll

C:\WINDOWS\system32\ywtlgfl.dll

C:\WINDOWS\Temp\rtdrvmon.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_PANDRV

-------\Legacy_SECCTRL

-------\Legacy_ZGHS1234

-------\Service_Pandrv

-------\Service_secctrl

-------\Service_zghs1234

 

 

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))

.

 

2008-04-14 07:52 . 2008-04-14 07:52 15,850 --a------ C:\WINDOWS\SYSTEM32\gjcsczc.exe

2008-04-13 22:51 . 2008-04-12 19:17 <DIR> d-------- C:\SDFix

2008-04-13 22:38 . 2008-04-13 22:38 52,665 ---hs---- C:\WINDOWS\SYSTEM32\baidu.exe

2008-04-13 21:52 . 2008-04-13 21:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM

2008-04-13 17:53 . 2008-04-13 17:53 <DIR> d-------- C:\Program Files\Avira

2008-04-13 17:53 . 2008-04-13 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-04-12 15:08 . 2008-04-12 15:08 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-12 14:48 . 2008-04-12 14:48 <DIR> d-------- C:\Program Files\Lavasoft

2008-04-12 14:48 . 2008-04-12 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-12 14:45 . 2008-04-12 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Documents and Settings\Ann\Application Data\Malwarebytes

2008-04-12 11:06 . 2008-04-12 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-12 01:34 . 2008-04-12 01:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec

2008-03-16 19:38 . 2008-03-16 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\View22

2008-03-16 19:38 . 2006-05-02 14:37 1,706,800 --a------ C:\WINDOWS\SYSTEM32\gdiplus.dll

2008-03-14 20:43 . 2008-03-14 20:57 <DIR> d-------- C:\Program Files\View22

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 20:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-13 20:58 --------- d-----w C:\Program Files\Symantec

2008-04-13 20:54 --------- d-----w C:\Program Files\Norton AntiVirus

2008-04-13 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-04-12 18:12 --------- d-----w C:\Program Files\Google

2008-04-12 17:25 --------- d-----w C:\Program Files\Dell AIO Printer A920

2008-03-27 23:30 --------- d-----w C:\Documents and Settings\Ann\Application Data\WeatherBug

2008-03-25 22:32 --------- d-----w C:\Documents and Settings\Ann\Application Data\U3

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys

2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll

2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll

2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll

2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll

2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll

2008-02-15 09:07 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe

2005-01-06 06:55 172 ---ha-w C:\Documents and Settings\Ann\hpothb07.dat

2005-01-06 06:55 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat

2004-12-10 00:53 0 ---ha-w C:\Documents and Settings\Emily\hpothb07.dat

2004-12-08 22:50 67,160 ----a-w C:\Program Files\Aim.exe

2006-10-19 02:47 81,920 --sh--w C:\WINDOWS\SoundMan.exe

.

 

((((((((((((((((((((((((((((( [email protected]_16.00.30.64 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-13 19:55:24 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT

+ 2008-04-14 13:00:13 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT

+ 2008-04-14 02:38:23 53,248 --sh--w C:\WINDOWS\SYSTEM32\Com\CONIME.EXE

+ 2008-04-14 11:52:29 28,809 ----a-w C:\WINDOWS\SYSTEM32\Com\heii21.exe

+ 2007-04-16 15:52:53 17,195 ------w C:\WINDOWS\SYSTEM32\crugd.dll

+ 2007-08-09 17:04:11 40,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys

+ 2007-07-18 18:22:19 21,312 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgntmgr.sys

+ 2007-09-07 16:05:19 62,016 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys

+ 2007-03-01 14:34:36 28,352 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys

+ 2008-04-14 13:00:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_280.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-25 20:08 32768]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52 339968]

"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]

"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 04:32 270336]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]

"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32 53248]

"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2007-02-12 17:40 380928]

"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 18:38 221184]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 10:48 94208 C:\WINDOWS\KHALMNPR.Exe]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-02 09:58 185896]

"SoundMan"="SoundMan.exe" [2006-10-18 22:47 81920 C:\WINDOWS\SoundMan.exe]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-06-19 22:14:17 221247]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-12-25 20:08:58 450560]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-25 20:07:24 593920]

 

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)


Ok, let's try if you can manage this. :)

 

That last log is OK, just shows that ComboFix didn't finish.

 

Please print these instructions out, or write them down, as you can't read them during the fix.

 

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

5) Choose your usual account.

 

When in Safe Mode....

 

Please open notepad and copy/paste the text in the quotebox into it

 

File::

C:\WINDOWS\SYSTEM32\gjcsczc.exe

C:\WINDOWS\SYSTEM32\baidu.exe

C:\WINDOWS\SYSTEM32\Com\heii21.exe

C:\WINDOWS\SYSTEM32\crugd.dll

 

Save it as CFScript.txt on your desktop.

 

[Image: CFScript.gif]

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply when rebooted back to normal Windows.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


:)

 

I booted into safe mode but couldn't figure out how to copy and paste into notebook what you posted here, since I can't browse the internet in safe mode to open this page, and I can't copy it from my other computer where I see it.


Two options. You can either make the CFScript.txt on your other PC and then transfer the file to the other PC, or create it before booting to Safe Mode and then boot into Safe Mode. :)


I first tried the option of creating the script before going into safe mode. I tried to reboot three times and still don't get a desktop.

So I tried the second option. I copied it on my good pc, then booted the bad pc into safe mode to transfer the file, and I see there is no icon for CFScript or ComboFix in safe mode.


You can try this in Safe Mode. :)

 

Click Start -> Run and type in (or save the command to notepad file to be able to paste it in Safe Mode):

 

ComboFix "C:\Documents and Settings\Ann\Desktop\CFscript.txt"

 

Then click on OK. This should do the same thing as dragging the file.

> You can try this in Safe Mode. :)
>
> Click Start -> Run and type in (or save the command to notepad file to be able to paste it in Safe Mode):
>
> ComboFix "C:\Documents and Settings\Ann\Desktop\CFscript.txt"
>
> Then click on OK. This should do the same thing as dragging the file.

I typed that in and a window popped up and said "Windows cannot find C:\Documents"


Rawe, this evening I will have help to re-install the operating system. I really think this is too far broken. And I am worried too about something getting left behind that is looking for passwords. Not sure if I feel safe to operate as usual on it. Perhaps a clean slate would be best?


That's weird to say the least :)

 

You SURE you wrote the command completely?

 

ComboFix "C:\Documents and Settings\Ann\Desktop\CFScript.txt"

 

Alright ..........

 

Please retry running SDFix while in Safe Mode. Does it still give you problems when pressing Y to start the fix?

 

As for the internet connection, do you have one ADSL box/modem/router (whatever) which connects both your machines to the Internet? If so, simply pull the plug out of the infected one and leave the other one intact. Not sure how you've set it up.

 

Let's also rerun Malwarebytes' Anti-Malware, update it by downloading the latest mbam-rules.exe from the link I provided earlier on the other machine and then transfer that .exe on to your infected one and double-click on it to update (on Normal mode) -- do you still get no desktop when you boot regularly?

> Rawe, this evening I will have help to re-install the operating system. I really think this is too far broken. And I am worried too about something getting left behind that is looking for passwords. Not sure if I feel safe to operate as usual on it. Perhaps a clean slate would be best?

Well, I would tend to agree, while we could clean this up to the point it would run as regular, it's quite severely infected now and one couldn't guarantee it would be the same as it was before getting infected. :)

 

If you do want to give a shot at cleaning this mess up, you know where to continue.

 

It was quite an ugly infection, and if there's no way you can shut the internet connection off completely while doing the fixes, it does make things a bit more difficult.

> That's weird to say the least :)
>
> You SURE you wrote the command completely?
>
> ComboFix "C:\Documents and Settings\Ann\Desktop\CFScript.txt"
>
> Alright ..........
>
> Please retry running SDFix while in Safe Mode. Does it still give you problems when pressing Y to start the fix?
>
> As for the internet connection, do you have one ADSL box/modem/router (whatever) which connects both your machines to the Internet? If so, simply pull the plug out of the infected one and leave the other one intact. Not sure how you've set it up.
>
> Let's also rerun Malwarebytes' Anti-Malware, update it by downloading the latest mbam-rules.exe from the link I provided earlier on the other machine and then transfer that .exe on to your infected one and double-click on it to update (on Normal mode) -- do you still get no desktop when you boot regularly?


Okay I am taking a deep breath. I did NOT type the whole thing in. I only typed in what was in the quotation marks. I wasted more time.

I typed it in exactly as you said and now the ComboFix is running. I'll paste the log as soon as it comes up.


Antivir might still be causing troubles after reboot if it's still there, so try not to click on anything when ComboFix boots and shows it's still running; let the warnings just flood in if they do.

 

Then when ComboFix has done running and provided a log, you can take care of the warnings and post the log here. :)


The ComboFix ran fine. But now that it has rebooted, I can't open Notepad. Whenever I try, it does not open and I get another Avira warning.


Ok, can you try opening the C:\ComboFix.txt file in some other text app other than Notepad? M$ Word? Wordpad? :)


I'm not sure if I can open it some other way. I think the writing is on the wall and I'm going to have to re-install the os.

We have spent 3 days on this and at this point, reinstalling the os seems far less daunting a task.

Thank you for your time and help. We really gave it a good try.


Right-clicking -> open in another application -> choose another text editor. Give it a shot. I'd like to see the latest ComboFix log just so I know I won't be giving up if we're close. :)

 

Another question: are you still having as many issues as you had earlier? Everything slow, including the mouse, etc. etc.?

 

Edit: but as you wish. The machine is/was quite badly infected, maybe reinstall is the best choice.
