ICE virus w/ Malware and Hitman expired HELP!


I went to Roaming first and it allowed the delete. I went to Local next; it did not allow it. I went to ProgramData and it did allow the delete. I went back to Local and it allowed the delete. They are not, however, showing up in my recycle bin. I'd expect that at least the ProgramData file would show up, am I wrong? Should I run the fixlist again to see if it's gone?

It looks like it's gone... right? Let me know. Thanks!

****************

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013
Ran by Test at 2013-08-22 17:19:04 Run:4
Running from F:\
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
C:\Users\od\AppData\Roaming\2433f433
C:\ProgramData\2433f433
C:\Users\od\AppData\Local\2433f433

*****************

"C:\Users\od\AppData\Roaming\2433f433" => File/Directory not found.
"C:\ProgramData\2433f433" => File/Directory not found.
"C:\Users\od\AppData\Local\2433f433" => File/Directory not found.

==== End of Fixlog ====


I had to switch to the Test Account and when I did I'm still getting the warning about Windows security settings (I won't click on THAT again for a while). I tried to log in to the OD account. It took me into DOS... I wrote down exactly what it said... it is as follows:

*********

'"c:\users\od\AppData\Local\Temp\nghynqbcqlsfogvga (then the dot and exe) - I'm afraid to type the dot exe in here in case the system does something weird - is not recognized as an operable program or batch file"'. The next line is c:\windows\system32>


See if you can do this:

 

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

MrC

I messed up! Instead of downloading it I hit "run" by mistake I guess... it popped up and I did the scan and I went to find the log and of course it wasn't there. So I went back and downloaded it to my desktop and tried to start it but it said it is already running and I can't find where it is... gawd I am soo soo sorry. You have been so patient with me and I think we are so close! Any idea where I might find it? Thank you thank you thank you!

I think I got it running on the desktop now. Keeping fingers crossed.


copied here as is...

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/22/2013 19:44:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\od\AppData\Local\Temp\nghynqbcqlsfogvga.exe") -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08222013_194408.txt >>
RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt

Unfortunately I couldn't post without an AVG Virus threat popping up. I had to click on protect before I could post this. It was the same file that was in my OD user login in DOS.

There it is.......

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\od\AppData\Local\Temp\nghynqbcqlsfogvga.exe") -> FOUND

Now click Delete on the right hand column under Options

-------------

Let me know.....MrC


I did as you said and deleted the file (there was only one). I rebooted and reran RogueKiller and that file was gone. I'll attach the report I ran afterwards. It was odd: after I shut down the test account I had to wait for RogueKiller to shut down... so I went away from the computer and when I came back the user Jim account was up and running... This was the first account I went to when user OD got infected... then it jumped to Jim so I switched to test user. So I can get into both of those, but when I go to the OD account I get sent to the DOS screen, though there are no messages, just the system32 prompt. Maybe I didn't correctly follow your instructions. Here is the log file I ran after the delete and reboot.

*****

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Remove -- Date : 08/23/2013 16:12:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED
[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\od\AppData\Local\Temp\nghynqbcqlsfogvga.exe") -> REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_D_08232013_161223.txt >>
RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt
RKreport[0]_S_08222013_194408.txt;RKreport[0]_S_08232013_160229.txt

Thanks for all of the progress and time you are making and taking!


Go to Start > Run > type Regedit > enter

Click the + by HKEY_LOCAL_MACHINE (repeat for the rest)
Software
Microsoft
Click on the folder --->Command Processor
Look for any AutoRun in the right hand column.

Do the same for:
HKEY_CURRENT_USER
Software
Microsoft
Click on the folder --->Command Processor
Look for any AutoRun in the right hand column.


Let me know...MrC
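The AutoRun value these Regedit steps have you look for is a command that cmd.exe executes every time it starts, so a value pointing at a file that is no longer present produces exactly the "not recognized as an operable program" message quoted earlier in the thread. As an added example (not part of the thread, MrC's instructions or RogueKiller), this PowerShell script checks the same Command Processor keys under both hives and flags any AutoRun that launches something from a Temp folder; the Temp-path pattern and the extra WOW6432Node key for 64-bit Windows are my assumptions.

```powershell
# Added example: list Command Processor AutoRun values under HKLM and HKCU,
# the same keys the Regedit steps above inspect by hand.
# Assumption: on 64-bit Windows the WOW6432Node copy of the HKLM key is also
# checked; the thread's machine is 32-bit Vista, where it simply does not exist.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Command Processor',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Command Processor',
    'HKCU:\Software\Microsoft\Command Processor'
)

function Get-CommandProcessorAutoRun {
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        # Assumed heuristic: an AutoRun that runs something out of %TEMP% or
        # AppData\Local\Temp, as the nghynqbcqlsfogvga.exe entry in the
        # RogueKiller report did, is treated as suspicious persistence.
        $suspicious = $value -match '(?i)\\AppData\\Local\\Temp\\|%TEMP%|%TMP%'
        [pscustomobject]@{
            Key        = $key
            AutoRun    = $value
            Suspicious = $suspicious
        }
    }
}

$findings = @(Get-CommandProcessorAutoRun)
if ($findings.Count -eq 0) {
    Write-Output 'No Command Processor AutoRun values are set in HKLM or HKCU.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation, only after confirming a value is malicious (this is what
    # RogueKiller's Delete did for the HKCU entry in the report above):
    #   Remove-ItemProperty -Path '<key from the table>' -Name AutoRun
}
```

Run it from an elevated PowerShell window; the HKCU branch reports the AutoRun of whichever user account you are logged in as, so repeat it from each affected account (OD, Jim and Test in this thread).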


I'm assessing the Jim login now... I ran RogueKiller there. It seems to be the same results as when I cleared from the Test account. Here is the report in case I'm wrong.

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/23/2013 18:53:13
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08232013_185313.txt >>
RKreport[0]_D_08232013_161223.txt;RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt
RKreport[0]_S_08222013_193419.txt;RKreport[0]_S_08222013_194408.txt;RKreport[0]_S_08232013_160229.txt
RKreport[0]_S_08232013_162959.txt


Fix this one as before under registry: (it's not bad but not needed)

[RUN][sUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND

MrC


I ran it and rebooted. Still cannot access User OD. And I want to be clear.... I click on that login.. I get the welcome screen then a black full screen with a box about one third the size of the space of the screen. That box contains the dos prompt. Also, I'm still getting warnings that my Windows security center is turned off.
