
8 steps completed, here's my logs

Discussion in 'Virus and Malware Removal' started by nb1106, Jan 26, 2009.

  1. nb1106 Newcomer, in training Posts: 56

    How do you clean the quarantines in Dr.Web? There are no options for anything about the quarantines. Just physically delete it?
  2. mflynn Newcomer, in training Posts: 2,793

    Yes!

    Will check in tomorrow.

    Goodnight,
    Mike
  3. nb1106 Newcomer, in training Posts: 56

    What should I do about rar files in system volume info. I had given myself access to it for a previous clean a while back. But let me know what you suggest. A lot of the rar files in there are the only remaining sources of the viruses. This NOD32 scan is pretty clean for the most part. Dr.Web has picked up some others. All in sdfix's quarantine.
  4. mflynn Newcomer, in training Posts: 2,793

    We are not completely finished but close enough to do the closing. Part of this clears System Restore (System Volume Information).

    But first update and run Quick scans in MBAM and SAS, SDFix and ComboFix. With what all you had, just being paranoid..

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

    If prompted to Reboot, click Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing, uncheck Relevant Knowledge; do not install it.)
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing that can contain infected files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner, ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you, to help you determine whether to approve or not, you can Google the prompt with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download, install, run and allow it to disable DNS Client, and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
  5. nb1106 Newcomer, in training Posts: 56

    I'm not really sure how to get the NOD32 log. It was enabled to save as nod32.log. I searched for it and couldn't find it. Installer works (Not sure about from add&remove) but it did uninstall the old SAS when I was prompted that there was an older version installed. SAS and SDFix sent me to the blue screen. So here are the two other logs, Combo and MBAM.
  6. mflynn Newcomer, in training Posts: 2,793

    Nod32 log does not work lately?

    Uninstall then redownload and reinstall SAS.

    Delete the SDFix folder that contains runthis.bat and the install on your desktop, then redownload and install and run.

    A new ComboFix was issued on 2/28, so if you uninstalled as part of the closing above, redownload it and run again as it had findings I did not expect!

    We need to bring this together in order to have you ready for classes.

    Mike
     
  7. nb1106 Newcomer, in training Posts: 56

    I still have the old combo called 12cbf34 on my desktop from before. But I didn't use it; I downloaded a new one because the uninstall wouldn't work. It says no such program called combofix. And I did delete that folder of sdfix and reinstall, and did remove SAS and reinstall, and same outcomes.
  8. mflynn Newcomer, in training Posts: 2,793

    Rename the 12cbf34.exe back to ComboFix.exe then do the ComboFix /u

    Then get new Combofix and again rename it to 12cbf34.exe and run it.

    Then rename the SDFix RunThis.bat to 12rt34.bat and try to run again!

    Mike
  9. nb1106 Newcomer, in training Posts: 56

    Combofix still says unable to find after I change the name; it said it before we changed the name to 12cbf34 as well. I'll try sdfix now. Gotta boot to safe.
  10. mflynn Newcomer, in training Posts: 2,793

    This is not good!

    Mike
  11. nb1106 Newcomer, in training Posts: 56

    The combofix I downloaded today uninstalled after use. Along with the same for SDFix, but SDFix went to blue screen, yet still uninstalled. The old combofix won't uninstall and when it runs it doesn't go through the steps like combofix normally does on a scan. It just opens, says most machines take about 10 minutes, badly infected machines can take longer. Says it's scanning. Then eventually produces a log and reboots. I uninstalled then deleted all traces of SAS, downloaded again and it still sent me to the blue screen.

    EDIT: Also noticed that this file of the MBAM log; C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    Was one of several I myself deleted 1 through 50.tmp's from the sys32 folder at the start of all this when I realized that those were the processes starting up when I would go on the internet. Prior to when I reposted about the infections coming back.
  12. mflynn Newcomer, in training Posts: 2,793

    OK let me see the log it did produce!

    mike
  13. nb1106 Newcomer, in training Posts: 56

    I took that line out of the mbam log I posted up a few posts. The one with the combofix. I removed SAS through add and remove I'm going to try reinstall and run again.

    EDIT: SAS once again sent me to the blue screen. What's next? I'm gonna run another combofix again, I just redownloaded it, although 12cbf34 is still there because it will not remove. Will deleting it off the desktop be good enough or no?
  14. mflynn Newcomer, in training Posts: 2,793

    Actually rename the new one to 12cbf345.exe.

    Then rename the 12cbf34.exe back to ComboFix.exe, then it should uninstall!

    Mike
  15. nb1106 Newcomer, in training Posts: 56

    Here's a HJT log and a Combo log.
  16. mflynn Newcomer, in training Posts: 2,793

    Nolan, we seem to be losing ground.

    COMBOFIX-Script
    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    c:\windows\mqcd.dbt
    c:\windows\system32\rkoq.pxf
    c:\windows\system32\odjan.wa
    c:\windows\system32\kei1w.an
    c:\windows\system32\kdoqmn.sr
    c:\windows\system32\doqkm.zt
    c:\windows\system32\drivers\cmudaxu.sys.bak
    c:\windows\adobe.bat
    c:\windows\DUMP856c.tmp
    c:\documents and settings\Nolan Brassard\Application Data\ipomoqeb.reg
    c:\program files\Common Files\sazunep.inf
    c:\documents and settings\Nolan Brassard\Application Data\awelifu.sys
    c:\documents and settings\Nolan Brassard\Application Data\kixad.pif
    c:\program files\Common Files\ymuko.dll
    c:\documents and settings\Nolan Brassard\Application Data\ovusov.bat
    c:\documents and settings\Nolan Brassard\Application Data\ozej.pif
    c:\program files\Common Files\ovahawaj.sys
    c:\documents and settings\Nolan Brassard\Application Data\kyfykeb.com
    c:\program files\Common Files\ajab.com
    c:\documents and settings\Nolan Brassard\Application Data\imaxuda.com
    c:\documents and settings\Nolan Brassard\Application Data\wagehi.dat
    c:\program files\Common Files\elupepiw.dat
    c:\program files\Common Files\kabos.dat
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
    "Debugger"=c:\windows\system32\alg.exe
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
    "Debugger"=c:\windows\system32\alg.exe
    
    Then drag this script and drop on top of ComboFix.

    ComboFix will now run a scan on your system.

    It may reboot your system when it finishes. This is normal.

    When finished, it will create a log. Attach the log back to us.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Post its log followed by another ComboFix without the Script!

    No reboot!

    Then go back where you got Norman and DrWeb and do Kaspersky.

    After this if not successful, I hate to say, we may be looking at a format!

    Mike
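    As an added illustration (not part of the thread and not any poster's instructions): the Registry:: section of the CFScript above deletes Image File Execution Options subkeys whose Debugger value points at alg.exe, which makes Windows start alg.exe in place of the named image (a.exe, ~tmpa.exe, and so on). The Python below reads a constructed `reg export` of that key, lists every IFEO Debugger entry and flags the ones that do not name a known debugger; the sample export, the allow-list and the function names are assumptions.

```python
import re

# Constructed sample of what `reg export` of the IFEO key could look like on the
# machine in this thread; the subkeys mirror the CFScript above (assumed values).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
"Debugger"="c:\\windows\\system32\\alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~tmpa.exe]
"Debugger"="c:\\windows\\system32\\alg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -p"
"""
# Debuggers that legitimately appear in IFEO (assumed allow-list; extend for your site).
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "devenv.exe"}
IFEO_SUBKEY = re.compile(r'^\[.*\\Image File Execution Options\\([^\\\]]+)\]$', re.IGNORECASE)
DEBUGGER_VALUE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

def find_ifeo_debuggers(reg_text):
    """Return (image_name, debugger_command) for every IFEO subkey that sets Debugger."""
    findings, current_image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = IFEO_SUBKEY.match(line)
        if m:
            current_image = m.group(1)
            continue
        m = DEBUGGER_VALUE.match(line)
        if m and current_image:
            # .reg files escape backslashes and double quotes; undo that.
            command = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
            findings.append((current_image, command))
    return findings

def debugger_executable(command):
    """Basename of the executable in a Debugger command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split()[0] if command.split() else ""
    return path.replace('/', '\\').split('\\')[-1].lower()

def suspicious_ifeo(reg_text):
    """IFEO entries whose Debugger is not a known debugger: the named image never
    runs, the Debugger binary does instead (alg.exe in this thread's CFScript)."""
    return [(image, cmd) for image, cmd in find_ifeo_debuggers(reg_text)
            if debugger_executable(cmd) not in KNOWN_DEBUGGERS]
```

    On a live XP machine the same check is fed by `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and reading that file instead of the sample string.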
  17. nb1106 Newcomer, in training Posts: 56

    Here's the combo logs. I am leaving class now I will run the scans when I get home. Is there a possibility that I have a hardware problem that is causing that blue screen? Although it only appears on scans. It appeared on my first attempt at applying that script to Combofix as well. Then rebooted and it worked fine the second time.
  18. mflynn Newcomer, in training Posts: 2,793

    This may be our last shot!

    Left Drag mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt.

    Code:
    @echo off
    cd\windows
    md save
    
    copy /v /y c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe c:\windows\save
    copy /v /y c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe c:\windows\save
    
    exit
    exit
    Then immediately reboot to recovery console

    Then print the below as it has to be manually typed into the recovery Console.

    copy save\svchost.exe system32
    copy save\svchost.exe system32\dllcache
    copy save\explorer.exe system32
    copy save\explorer.exe system32\dllcache
    ren system32\spoolsv.exe spoolsv.exz

    Overwrite answer yes
    Then type exit to reboot

    Then run ComboFix and attach the log!

    Mike
  19. nb1106 Newcomer, in training Posts: 56

    Gonna reformat. Net's gone again; seems we're back to the start. Also both are still infected according to combo scan. Would you suggest a specific way for reformat or no? And for future reference of this issue, be sure to tell people to not go online. Seems it got significantly worse rather quickly when going back online. It's all good though, very good learning process for both of us and others. Thanks for all the help. Also the last line of that recovery console did not work.
  20. mflynn Newcomer, in training Posts: 2,793

    I agree it is time!

    Back up all important files emails etc to a portable or Flash drive but scan them well before putting them back.

    Full Format not quick. Get it installed and on the net! Add nothing else but Avira and Threatfire before even downloading windows updates.

    Once under the protection of the 2 above then Scan your backed up data on the other drive before putting it back! Actually scan entire backup drive.

    Good luck, you went way beyond and I hope others can learn from this.

    Mike