
I'm Getting Smoked...HELP!!!



OK...I'm infected. Can't run MWB; I start it, it shuts down in 2 seconds...try to start it again, says programs gone. Tried AVG; found some Trojans, etc, but I'm still infected. Used to be able to boot into Safe Mode, see my desktop; now when I boot into Safe, I get a black screen. Tried to boot into normal mode; I see my desktop image and NOTHING else.

Ran Avira; detected plenty, but still not fixed. Can't run HiJack; it installed, flashed for a few seconds, and then quit. Can't run again, can't find the log.

OK...HELP!!


Hi and Welcome to the Malwarebytes' forum.

Please first see if any of these procedures to unblock MBAM work for you:

http://www.malwarebytes.org/forums/index.php?showtopic=17607

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard, save it as ARKQ.txt and paste it in a reply back here.
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - click the Rootkit/Malware tab, and then select the Scan button.
  • Now, relaunch the ARK program, and click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice, such as detox.exe.

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double-click on the renamed combofix.exe (detox.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt.

3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.

Please post (do NOT attach) ARKQ.txt or ARK.txt, and C:\ComboFix.txt in your next reply.


Almost none of this has worked!! RootRepeal got shut down just like everything else; ATF too. GMER antirootkit ran, but didn't produce any kind of "copy-able" log file (remember, I'm doing everything in safe mode, out of task manager). ComboFix seemed like it was going to work; it ran all 50 stages, said a system file was infected and I should let it reboot the computer. I did, held my breath...nothing. And now I have no log file from ComboFix either.

A lot of these instructions assume you have full access to your PC and desktop; pretty funny. I'm taking the hdd out and going to try and scan it as a slave in another machine, but please...if that doesn't work, where do I go from here? I've never thrown so many things at an infection and walked away empty; starting to get very nervous.

CD


OK, here's an update: I'm at work until 5pm eastern...I have the drive hooked up to a usb dock and am currently scanning with MWB. 2 objects infected so far. My question is, once it's done should I get the drive back to my PC and see what's up, or should I do more scanning/scrubbing? Should I post some logs here and wait?

Thanks,

CD


Can I even run a HiJack scan with the drive not hooked up to the PC?

CD


So do you have the MBAM scan log, and where do things stand now with your computer?

If ComboFix went to stage 50, then it did something, but there is just no log to document it, unfortunately.

Be sure that no C:\Combofix.txt exists.

You can try to run ComboFix again, but this time do it on the infected machine, from the Run line, with a kill-all switch to kill interfering processes, like so:

Navigate to Start --> Run, or launch from Task Mgr using File -> New Task and enter or copy/paste this command exactly as shown:

"%userprofile%\desktop\detox.exe" /killall

The above command assumes ComboFix.exe resides on your desktop and has been renamed to detox.exe.

Make any changes accordingly if your case differs from this.

Since you can run Task Manager can you see any suspicious processes that are running?

Follow the instructions to install and scan with the Malicious Software Removal Tool:

http://www.pchell.com/virus/malicioussoftw...movaltool.shtml

Since a new Malicious Software Removal Tool was recently released on November 10, it would be better if you can download that new version to portable media (i.e. a USB flash drive) from here:

http://www.microsoft.com/downloads/details...;displaylang=en

Allow the tool to extract, and then rename the extracted EXE from mrt.exe -> begone.exe.

Transfer begone.exe to the infected PC and run a complete scan by double-clicking begone.exe.

The MSRT log will open automatically, but should you need to re-access it, you can follow these instructions to open the MSRT log, and post it in your next reply:

1) Click on Start -> Run or File -> New Task in Task Manager

2) Type the following and press Enter:

notepad c:\windows\debug\mrt.log

Let me know what happens.
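The helper above asks whether Task Manager shows anything suspicious. Task Manager alone shows little beyond a process name, so here is an added example (not code from this thread or from any of the tools it mentions) of a PowerShell process triage that lists each running image's path and Authenticode signature status and flags unsigned executables running from user-writable locations. It assumes PowerShell 2.0 or later is available on the machine and that the output file path on the desktop is a placeholder you can change.

```powershell
# Added example, not from the thread: triage running processes by image path and
# Authenticode signature. Unsigned images running from the user profile, temp or
# ProgramData directories deserve a closer look; a valid signature is not proof of
# safety either, it just narrows the list. Assumes PowerShell 2.0 or later.

# Directories a standard user can write to (assumption: typical Windows layout).
$suspectRoots = @(
    $env:USERPROFILE,
    $env:TEMP,
    $env:ProgramData,
    "$env:SystemRoot\Temp"
) | Where-Object { $_ }   # drop variables that are not set on this system

function Test-SuspectPath {
    param([string]$Path)
    foreach ($root in $suspectRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

$report = foreach ($p in Get-Process) {
    $path = $null
    try { $path = $p.Path } catch { }     # access denied for protected/system processes
    if (-not $path) {
        New-Object PSObject -Property @{
            PID = $p.Id; Name = $p.ProcessName; Path = '(inaccessible)'
            Signature = 'n/a'; Flag = ''
        }
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $flag = ''
    if ($sig.Status -ne 'Valid')  { $flag += 'UNSIGNED ' }
    if (Test-SuspectPath $path)   { $flag += 'USER-WRITABLE-DIR' }
    New-Object PSObject -Property @{
        PID = $p.Id; Name = $p.ProcessName; Path = $path
        Signature = $sig.Status; Flag = $flag.Trim()
    }
}

# Flagged entries first, then everything else; written to a text file that can be
# pasted into a forum reply. Output location is a placeholder.
$report | Sort-Object { $_.Flag -eq '' }, Name |
    Format-Table PID, Name, Signature, Flag, Path -AutoSize |
    Out-String -Width 250 |
    Out-File "$env:USERPROFILE\Desktop\procs.txt"
```

Run it from an elevated PowerShell prompt (or from Task Manager's File -> New Task, as the post describes for other tools) so that more process paths are readable; entries marked "(inaccessible)" are usually protected system processes, not hidden ones. Treat the flags as a starting point for a reply to the helper, not as a verdict.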


Negster, thanks for the reply. I was able to load the drive into a USB dock and scan with MWB. Even though it found 2 Trojan.Sirefef, when I returned the drive to my PC I was still having trouble. That told me the drive was going to have to be in the machine to be scrubbed, and I was having a hard time getting HJT and CF, etc. to run the way the directions said they should.

Since I was able to access the data in the usb dock, I just recovered what I need and did a fresh reload. It was a nasty little guy; first time I've gotten beat like that. Thanks for trying.

CD
