Help! "Disc Repair" virus



I'm trying to clean my wife's laptop. It's a HP Pavilion dv2000.

It is infected with "Disk Repair" virus. It looks the same as the screen shots of what others call HDD Defragmenter. I can't access much of anything in normal mode and can only get online in Safe Mode with networking. I tried following the steps in the pinned thread "I'm infected..." and succeeded up to the GMER scan at which point I got a blue screen.

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6001.2.1.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: 4e

BCP1: 00000007

BCP2: 000936BE

BCP3: 00000001

BCP4: 00000000

OS Version: 6_0_6001

Service Pack: 1_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini122210-01.dmp

C:\Users\Owner\AppData\Local\Temp\WER-76237-0.sysdata.xml

C:\Users\Owner\AppData\Local\Temp\WERFCA6.tmp.version.txt

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK

Run by Owner at 18:00:02.03 on Wed 12/22/2010

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16

Microsoft

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5371

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 7.0.6001.18000

12/22/2010 5:17:29 PM

mbam-log-2010-12-22 (17-17-29).txt

Scan type: Quick scan

Objects scanned: 156460

Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\jojwknhfjv.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

c:\programdata\tituuliasa2vbcs.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Was able to run in normal mode however it appears avg was also freed up and scanning. Took a lot longer than previously. Also before last scan web access was still blocked and Disk Repair was on screen. After restart DR does not appear to be running though desktop icon remains. I do have web access in normal mode now.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5371

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

12/22/2010 7:50:40 PM

mbam-log-2010-12-22 (19-50-40).txt

Scan type: Quick scan

Objects scanned: 159020

Time elapsed: 12 minute(s), 57 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

c:\programdata\hazifyvopx.exe (Trojan.FakeAlert.Gen) -> 2928 -> Unloaded process successfully.

Memory Modules Infected:

c:\programdata\jojwknhfjv.dll (Trojan.FakeAlert.Gen) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\jojwknhfjv.dll (Trojan.FakeAlert.Gen) -> Delete on reboot.

c:\programdata\hazifyvopx.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Delete this file if you can.

c:\progra~2\rjFRhQwHwq.exe

Next:

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

You have some files we need to collect

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

http://forums.malwarebytes.org/index.php?showtopic=70962

Collect::
c:\programdata\pakmgUn41WkIaX.exe
c:\programdata\JojWkNhfJv.dll
c:\programdata\rjFRhQwHwq.exe

Folder::
c:\windows\BB77DC4CB8184FD48D1D5D3B617B78B4.TMP
c:\windows\A055FB62CF734839AD83122ABCB92418.TMP
c:\windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rjFRhQwHwq.exe"=-

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites
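The CFScript above deletes a value under HKCU\...\CurrentVersion\Run named after one of the dropped executables (a Run value starts its command at every logon), and every file detected so far in this thread sits directly in c:\programdata under a random-looking name. The PowerShell below is an added triage example written for this page; it is not part of the thread and not a ComboFix or Malwarebytes tool. It lists Run/RunOnce values whose command references a user-writable location (ProgramData, AppData, Temp, including commands hosted through rundll32 or cmd), and inventories executables in the ProgramData root with signature status and SHA-256. It reports only and deletes nothing. Assumptions: Windows PowerShell 5.1 or later run from an elevated prompt; Get-FileHash and the -in operator do not exist on the PowerShell 2.0 that shipped with Vista.

```powershell
# Added example (not from the thread): read-only triage for the persistence pattern
# seen in this thread. Assumes Windows PowerShell 5.1+ and an elevated prompt.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Autostart commands that reach into these roots deserve a look: a normal installer
# puts its binaries under Program Files, not in ProgramData, AppData or Temp.
$SuspectRoots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ImagePath {
    # Pull the first executable path out of a Run command string, dropping arguments.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.(exe|dll|scr|com|tmp))(\s|$)') { return $Matches[1] }
    return $Command.Trim()
}

function Test-SuspectCommand {
    # True if the expanded command mentions any suspect root anywhere, so a value like
    # "rundll32.exe C:\ProgramData\x.dll,Start" is still caught.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $SuspectRoots) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-SuspectAutostart {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # PSPath/PSParentPath etc., not registry values
            $command = [string]$p.Value
            if (Test-SuspectCommand $command) {
                $image = Get-ImagePath -Command $command
                $full  = [Environment]::ExpandEnvironmentVariables($image)
                [PSCustomObject]@{
                    Key     = $key
                    Value   = $p.Name
                    Command = $command
                    OnDisk  = (Test-Path -LiteralPath $full)
                }
            }
        }
    }
}

function Get-ProgramDataExecutables {
    # Rogues of this family drop random-named .exe/.dll files straight into C:\ProgramData.
    Get-ChildItem -LiteralPath $env:ProgramData -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.tmp' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [PSCustomObject]@{
                Name    = $_.Name
                Bytes   = $_.Length
                Created = $_.CreationTime
                Signed  = $sig.Status
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

Write-Host '== Run/RunOnce values whose command touches a user-writable location =='
Get-SuspectAutostart | Format-Table -AutoSize
Write-Host '== Executables sitting in the ProgramData root =='
Get-ProgramDataExecutables | Format-Table -AutoSize
```

Treat the output as a worklist, not a verdict: some legitimate per-user software does autostart from AppData, so check each hit's publisher signature and hash before acting on it. Because HKCU is the hive of the account running the script, run it once per user profile that logs on to the machine; a hit whose file is already gone (OnDisk False) is a leftover Run value that should still be removed, which is exactly what the "=-" line in the CFScript above does.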

PC seems to be behaving normally though I haven't explored. Once during scan screen went black except for blue CF dialog box, then reloaded. Wallpaper still gone, black background. CF attempted to upload log, but failed though web is active.

ComboFix 10-12-22.01 - Owner 12/22/2010 22:00:16.2.2 - x86

Microsoft

Link to post
Share on other sites

Please disable this program and leave it disabled until we are finished.

SPYBOT TEATIMER

  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\programdata\pakmgUn41WkIaX.exe
c:\programdata\JojWkNhfJv.dll
c:\programdata\rjFRhQwHwq.exe

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

CF restarted pc before log was created. After restart Spybot started up again and forced Confirm changes to continue. CF finished and created log. I then attempted to open Firefox to post results and got the following msg: Illegal operation attempted on a registration key that has been marked for deletion. Internet Explorer had no response at all. No busy or working animation, nothing. Had to go back to safe mode to post this. DR did not start or show in normal mode, but desktop icon remains.

ComboFix 10-12-22.01 - Owner 12/22/2010 22:37:12.3.2 - x86

Microsoft

Link to post
Share on other sites

I'm headed to bed and will check back in the morning..

Use Add/Remove Programs and uninstall SpyBot altogether.

Then do this again.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\programdata\pakmgUn41WkIaX.exe
c:\programdata\JojWkNhfJv.dll
c:\programdata\rjFRhQwHwq.exe

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2.Click Save As... Change the directory to your desktop;

3.Change the Save as type to "All Files";

4.Type in the file name: CFScript

5.Click Save ...

CFScriptB-4.gif

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Something is stopping those from getting removed.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software. Just close the window.

Wait for the scan to finish

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.

Link to post
Share on other sites

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=b48cc0744f66364280df6657924a364c

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-12-23 06:58:14

# local_time=2010-12-23 12:58:14 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=1024 16777215 100 0 53866782 53866782 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776573 100 100 0 129732640 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=206285

# found=1

# cleaned=1

# scan_time=5582

C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4ed30d7c-48b4306d a variant of Win32/Kryptik.JBF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites
