[Solved] 8 steps of malware removal required

Broni,

Here is the broni.exe log file.

Broni, where should I contact you if I want to ask you about software? This site only helps when I have problems with my computer, but I just require some software, so where should I contact you? Can you give me any private email ID of yours?

I am sure none of the people I know have as much knowledge as you.
It would be my honour to email you. I promise I won't bother you much.

Waiting for your further instructions...
 

Attachment: ComboFix.txt (16.5 KB)
My ID is madhav4sayshi @ yahoo. co. in

Please ignore the spaces in between.

I was not doing any other task while ComboFix was running. I was sitting at a different machine doing my TechSpot work. Please don't worry, ComboFix was carried out safely on my machine without any interruptions. I have some knowledge about hardware and software, though not as intense as yours.

All your instructions were carried out exactly the way you prescribed.
 
There are forums on this board (Software and Utilities, Windows OS) where you can post software questions.


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\asyncmnt.sys
c:\windows\System32\drivers\snpltwq.sys
c:\windows\system32\drivers\srv2k.sys


Folder::

Driver::
asyncmnt
ydtbrtp
srv2k


Registry::

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe, as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • ComboFix.txt
  • A new HijackThis log.
 
Broni,

I did as you told, but where do I find the 2 files? When I double-click the combo-fix.txt on the C: drive, a message appears: "Illegal operation attempted on a registry key that has been marked for deletion".

There is a folder named 'Qoobox' which has 4 text files: CFscript_used_200........, combo-fix2....., combofix-quarantine, add remove. There are also some folders.

Does this folder help?


Where do I look for the HijackThis log file?
 
Broni, no text file is opening. All give the same error: "Illegal operation attempted on a registry key that has been marked for deletion".

Not even notepad.exe is opening.
 
There should be a combofix.txt (not combo-fix.txt) file on the C: drive.
Don't worry about HJT for now.
 
Broni,

I wrote that by mistake; it is combofix.txt, but no text file is opening. All give the same error: "Illegal operation attempted on a registry key that has been marked for deletion".

Not even notepad.exe is opening.
 
Did ComboFix restart the computer?
If it didn't, restart it now and see if it helps.
If ComboFix restarted the computer, restart again.

I'll be up for another 10 minutes, then bed time, but we're definitely getting somewhere, so you'll be OK :)
Just don't try any tricks by yourself :)
We can always continue tomorrow.
 
Broni, tomorrow is Monday here, so I have to go to college.

I will be able to come only at 5 PM (Indian time). That means we can post to each other only once a day.

Please, if you can stay a little more...
 
Broni, here is the combofix.txt file.

It is attached.

I have ESET antivirus, but it does not get loaded at startup.

Should I turn it on manually now? Should I turn on the Windows firewall now???
 

Attachment: ComboFix.txt (16.7 KB)
There is no way we can finish all the next steps tonight, but I can give you 5 more minutes.
Did you restart yet?
 
Broni, can I start using my computer normally now?

Or should I wait for all the steps you will be telling me to execute?
 
Yes, you can use your computer normally. Make sure Windows Firewall is on and ESET is on (you'll have to temporarily disable ESET for the Kaspersky scan listed below).

ComboFix looks good :)

Uninstall ComboFix:
Go Start > Run [Vista users, go Start > "Start search"]
Type in:
Combofix /Uninstall
Note the space between "Combofix" and "/Uninstall".
Click OK (Vista users: press Enter).
Restart the computer.

Since we renamed ComboFix, make sure the following files/folders are gone (if not, delete them manually):
C:\broni11578b
C:\broni30866b
C:\broni
C:\ComboFix
C:\Qoobox
C:\Combofix.txt
C:\Combofix2.txt

========================================================================

1. Download Temp File Cleaner (TFC)
Double-click TFC.exe to run the program.
Click the Start button to begin the cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.


2. Go to the Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on the Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post a fresh HijackThis log as well (you downloaded it in post #3).

When done with the Kaspersky scan, make sure to re-enable ESET AV.

======================================================================

So, you have things to do and I can go to bed :)
Good night and good luck.
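As an added example, not part of the original thread or of any of the tools it uses: a PowerShell check a practitioner would run from an elevated prompt after the reboot, covering two of Broni's steps at once. It confirms that the three drivers named in the CFScript earlier in the thread (Driver:: entries asyncmnt, ydtbrtp and srv2k; File:: entries asyncmnt.sys, snpltwq.sys and srv2k.sys) no longer have a service key, a file on disk or a loaded kernel module, and that the ComboFix leftovers listed in the uninstall step above are gone. The names and paths are exactly those quoted in the thread; the C:\broni* entries are this user's renamed ComboFix copy and are an assumption on any other machine, as is driverquery's English column heading "Module Name".

```powershell
# Added example (not from the original thread): confirm that the drivers
# targeted by the CFScript and the ComboFix leftovers are really gone.
# Run in an elevated PowerShell prompt after the reboot. Names/paths are
# the ones quoted in the thread; the C:\broni* entries are this user's
# renamed ComboFix copy and are an assumption for any other machine.

$driverServices = @('asyncmnt', 'ydtbrtp', 'srv2k')        # Driver:: section
$driverFiles = @(                                           # File:: section
    "$env:SystemRoot\System32\drivers\asyncmnt.sys",
    "$env:SystemRoot\System32\drivers\snpltwq.sys",
    "$env:SystemRoot\System32\drivers\srv2k.sys"
)
$comboFixLeftovers = @(
    'C:\broni11578b', 'C:\broni30866b', 'C:\broni', 'C:\ComboFix',
    'C:\Qoobox', 'C:\Combofix.txt', 'C:\Combofix2.txt'
)

function Test-DriverServiceRemoved {
    param([string]$Name)
    # A kernel driver is registered under this key. If the key survives,
    # the service control manager can load the driver again at next boot
    # even if the .sys file was deleted, so check the key, not just the file.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path -LiteralPath $key) {
        $image = (Get-ItemProperty -LiteralPath $key).ImagePath
        Write-Warning "service key still present: $Name (ImagePath: $image)"
        return $false
    }
    Write-Host "OK: no service key for $Name"
    return $true
}

function Test-PathsRemoved {
    param([string[]]$Paths)
    $allGone = $true
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Write-Warning "still present: $p"
            $allGone = $false
        } else {
            Write-Host "OK: gone   $p"
        }
    }
    return $allGone
}

function Test-DriverNotLoaded {
    param([string[]]$Names)
    # driverquery lists every currently loaded kernel driver by module name;
    # a hit here means the driver is running right now, whatever the disk says.
    $loaded = driverquery /FO CSV | ConvertFrom-Csv
    $clean = $true
    foreach ($n in $Names) {
        if ($loaded | Where-Object { $_.'Module Name' -ieq $n }) {
            Write-Warning "driver module still loaded: $n"
            $clean = $false
        }
    }
    return $clean
}

$results = @(
    ($driverServices | ForEach-Object { Test-DriverServiceRemoved $_ })
    (Test-PathsRemoved ($driverFiles + $comboFixLeftovers))
    (Test-DriverNotLoaded $driverServices)
)

if ($results -notcontains $false) {
    'Cleanup verified: listed drivers and ComboFix leftovers are gone.'
} else {
    'Cleanup incomplete: see warnings above; delete leftovers manually as the thread advises.'
}
```

The script only reports; it deliberately does not delete anything, because the thread's own advice for anything still present is to remove it manually after looking at it. A surviving service key with an ImagePath pointing at a file that no longer exists is the case worth a second look: ComboFix removes the file in the File:: section and the service in the Driver:: section, and either half surviving the reboot means that step did not fully take.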
 
Broni,

I tried to uninstall, but when I press Enter I get an error: "Windows cannot find broni.exe. Make sure you typed the name correctly, and then try again."

I tried 4-5 times, but all give the same error.

I installed TFC and the operation was carried out successfully; it asked for a restart and I said yes.

I went to the Kaspersky website; it said that my system does not meet the requirements for the online scan. On the left side of the window where it provides configuration details, a line "Browser: Safari 528.11" is in red, which means that is the part I am not fulfilling.
So should I install this new browser? Can't we do without installing it?
 
As for uninstalling ComboFix, follow this:
Since we renamed ComboFix, make sure the following files/folders are gone (if not, delete them manually):
C:\broni11578b
C:\broni30866b
C:\broni
C:\ComboFix
C:\Qoobox
C:\Combofix.txt
C:\Combofix2.txt

As for Kaspersky, Safari won't work with any online scanners I'm aware of.
Please use Internet Explorer, which is installed on every computer.
 
Broni,

I used Mozilla for Kaspersky.
The log is attached below.

Regarding the fresh HijackThis log, do I have to run HijackThis again?

The post shows a software named keylogger. I had just installed its various versions and uninstalled them. The software which I had told you about was this.

ESET does not start, I don't know why. It does not get loaded at startup. When I click on its .exe, it gives the error "cannot connect with kernel".
 

Attachment: kaspersky report.txt (2.2 KB)
I suggest you reinstall ESET. Sometimes a heavy infection will corrupt AV program files.
You can do it right after running this:

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running Vista, right-click on the file and choose Run As Administrator.)
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Dev-Cpp\bin\addr2line.exe
C:\Dev-Cpp\bin\ar.exe
C:\Dev-Cpp\mingw32\bin\ar.exe
C:\setups\actualspy.exe
C:\setups\Dev C++\BloodShed Dev-C++ IDE + Compiler 5.exe
C:\setups\Dev C++\devcpp4980.exe
C:\setups\REFOG Keylogger 5.1.8.934 + Serial [1337x] [Ahmed]\Setup\refog_setup_pm_518.exe
C:\Users\Madhav\Downloads\elite keylogger 4.3 (build 070).rar

:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
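As an added example, not part of the original post or of OTM itself: a PowerShell audit of the HOSTS file that the [resethosts] command in the script above replaces. Malware commonly edits this file to point antivirus and update domains at 127.0.0.1 or at an attacker's address, which is why the reset is in the script; run this before the OTM step to see what the reset will discard, or afterwards to confirm that only the defaults are left. The "benign" table is an assumption (a stock Windows HOSTS file maps only localhost); extend it if you deliberately keep custom entries.

```powershell
# Added example (not from the original thread): list every HOSTS mapping that
# is not the stock localhost entry. OTM's [resethosts] wipes the file back to
# defaults; this shows what such a reset discards or, run afterwards,
# confirms nothing non-default is left. The $benign table is an assumption:
# a stock Windows HOSTS file maps only localhost.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

$benign = @{
    '127.0.0.1' = @('localhost')
    '::1'       = @('localhost')
}

function Get-NonDefaultHostsEntries {
    param([string[]]$Lines)
    $findings = @()
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $line = ($raw -replace '#.*$', '').Trim()      # drop comments and padding
        if (-not $line) { continue }                     # blank or comment-only line
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) {                        # address with no hostname
            $findings += [pscustomobject]@{ Line = $lineNo; Address = $parts[0]; Hostname = '(malformed)' }
            continue
        }
        $address = $parts[0]
        # One address may carry several hostnames on a line; judge each one.
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($benign.ContainsKey($address) -and ($benign[$address] -contains $name.ToLower())) { continue }
            $findings += [pscustomobject]@{ Line = $lineNo; Address = $address; Hostname = $name }
        }
    }
    return $findings
}

$entries = @(Get-NonDefaultHostsEntries -Lines (Get-Content -LiteralPath $hostsPath))
if ($entries.Count -eq 0) {
    "$hostsPath contains only the default localhost mappings."
} else {
    "Non-default entries in $hostsPath (review each; security-vendor or update domains pointed at 127.0.0.1 or an unknown address are a red flag):"
    $entries | Format-Table -AutoSize
}
```

Run it from an elevated prompt: some antivirus products block reads of the HOSTS file from unprivileged processes, and the "cannot connect with kernel" state of ESET in this thread is exactly when you want an independent look at the file rather than trusting the AV to have protected it.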
 
Broni, here is the newest log generated:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Dev-Cpp\bin\addr2line.exe moved successfully.
C:\Dev-Cpp\bin\ar.exe moved successfully.
C:\Dev-Cpp\mingw32\bin\ar.exe moved successfully.
C:\setups\actualspy.exe moved successfully.
C:\setups\Dev C++\BloodShed Dev-C++ IDE + Compiler 5.exe moved successfully.
C:\setups\Dev C++\devcpp4980.exe moved successfully.
C:\setups\REFOG Keylogger 5.1.8.934 + Serial [1337x] [Ahmed]\Setup\refog_setup_pm_518.exe moved successfully.
C:\Users\Madhav\Downloads\elite keylogger 4.3 (build 070).rar moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Madhav
->Temp folder emptied: 101091118 bytes
->Temporary Internet Files folder emptied: 5516474 bytes
->Java cache emptied: 128123 bytes
->FireFox cache emptied: 79142467 bytes
->Flash cache emptied: 1274 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 177.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03152010_005144

Broni, at the end of this log it shows that the software has cleared a large amount of space. How is that possible? When I run Disk Cleanup, why don't these get cleaned up?

Broni, the files that were infected have disappeared. Did our running of OTM do that?
 
Disk Cleanup is not the best tool to clean garbage.
From now on, I recommend you use TFC (weekly).

============================================================================

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

=======================================================================

We're almost there :)
Please, post fresh HJT log.
 
Broni,
I did as you told. Should I manually delete RKill, TDSSKiller and their logs, the Kaspersky log, and the OTL logs? There is a folder named boot in the C drive; should I delete it also?

Should I run HijackThis again for the fresh log?

Broni, when I run CCleaner for registry errors, there are many, many errors showing. What should I do with them?

I have uninstalled ESET. Can you suggest a good antivirus with its link? Because the ESET antivirus did not catch all the viruses which you made me delete and it was also not working effectively.
 
"When I run CCleaner for registry errors, there are many, many errors showing. What should I do with them?"
Never, ever run any registry tools. Period.
That's why I recommended you use TFC instead of CCleaner. It cleans better and it doesn't have any registry-cleaning part.

"Should I manually delete RKill, TDSSKiller and their logs, the Kaspersky log, OTL logs?"
Please do.

"Should I run HijackThis again for the fresh log?"
Yes.
 