Solved: DDS not running - 5-step viruses/spyware/malware preliminary removal instructions

Status
Not open for further replies.
OTL Custom Scan Fixes
  • Run OTL
  • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:

    Code:
    :OTL
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\Temp:0B4227B4
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:C10F9B26
    "{885D5915-C0AC-4E57-95AF-92FB72F2D6B7}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
    "{9B8E7DD2-47F0-4F5B-B989-E1E758D00A82}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
    [2012/02/27 07:56:28 | 000,302,592 | ---- | M] () -- C:\Users\The Perrrys\Desktop\58bfqs9w.exe
    [2012/02/26 19:48:33 | 000,000,000 | ---D | M] -- C:\Users\The Perrrys\AppData\Roaming\BitTorrent
    
    :Files
    C:\Program Files\Softonic-Canada_\prxtbSoft.dll
    C:\Windows\system32\Drivers\tcpip.sys| C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22719_none_b58c64c97caa1c43\tcpip.sys /replace
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Softonic-Canada_ Toolbar"=-
    "BitTorrent" =-
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [emptyjava]
    [resethosts]
    [CreateRestorePoint]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run uninterrupted, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
===========================
I'd like you to do a current Eset scan. Please update and run again.
=========================
Please give me a report on how the system is doing. Hopefully this will finish us up.
 
OTL LOG:


All processes killed
========== OTL ==========
ADS C:\ProgramData\Temp:0B4227B4 deleted successfully.
ADS C:\ProgramData\Temp:C10F9B26 deleted successfully.
C:\Users\The Perrrys\Desktop\58bfqs9w.exe moved successfully.
C:\Users\The Perrrys\AppData\Roaming\BitTorrent\dlimagecache folder moved successfully.
C:\Users\The Perrrys\AppData\Roaming\BitTorrent\apps folder moved successfully.
C:\Users\The Perrrys\AppData\Roaming\BitTorrent folder moved successfully.
========== FILES ==========
C:\Program Files\Softonic-Canada_\prxtbSoft.dll moved successfully.
Unable to replace file: C:\Windows\system32\Drivers\tcpip.sys with C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22719_none_b58c64c97caa1c43\tcpip.sys without a reboot.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\Softonic-Canada_ Toolbar not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\BitTorrent not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: The Perrrys
->Temp folder emptied: 83464383 bytes
->Temporary Internet Files folder emptied: 14655196 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 339588877 bytes
->Google Chrome cache emptied: 171037473 bytes
->Flash cache emptied: 6456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 1480880 bytes
Windows Temp folder emptied: 33971151 bytes
RecycleBin emptied: 4917141911 bytes

Total Files Cleaned = 5 304.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: The Perrrys
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: The Perrrys
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


OTL by OldTimer - Version 3.2.34.0 log created on 03162012_221919

Files\Folders moved on Reboot...
C:\Users\The Perrrys\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\The Perrrys\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File\Folder C:\Windows\temp\TMP000000018AA6A637AFD50B05 not found!

Registry entries deleted on Reboot...


-------------------

ESET:

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dfsc.sys.vir a variant of Win32/Rootkit.Kryptik.JV trojan
C:\_OTM\MovedFiles\03012012_142004\C_Users\The Perrrys\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\6a1afde2-66a40ab8 a variant of Java/Exploit.CVE-2011-3544.AV trojan
C:\_OTM\MovedFiles\03012012_142004\C_Users\The Perrrys\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\111017124817065.rsc a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\03012012_142004\C_Users\The Perrrys\Downloads\cnet2_easydvd_download_com_exe.exe a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\03012012_142004\C_Users\The Perrrys\Downloads\cnet_vfcssetup_exe.exe a variant of Win32/InstallCore.D application
C:\_OTM\MovedFiles\03012012_142004\C_Users\The Perrrys\Downloads\fsSetup132.exe Win32/Adware.Toolbar.Dealio application
C:\_OTM\MovedFiles\03012012_142004\C_Windows\System32\drivers\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan
C:\_OTM\MovedFiles\03012012_142004\C_Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan

This is the same as the last time (finding the ones in Qoobox and the ones moved by OTM) and no new threats were found.


On the performance side, things are great. No unnatural behaviour, no pop-ups and MS Security Essentials is not finding anything. I am however still a little paranoid.

I used my flash once when the PC was infected. I looked for that file you told me might be created: "USB drives; when it detects a new drive, it will make a fresh copy of itself, on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy. "
I couldn't find that file or the autorun. MS Security Essentials also didn't pick up anything on the USB. Does that mean it should be ok?

Once again, I cannot tell you how much I appreciate your assistance Bobbye. :approve:
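As an added example, not code from the thread or from ESET: a small Python triage helper for a result list like the one above. It separates hits that sit inside the removal tools' holding folders (Qoobox, _OTM; the _OTL path is an assumed default) from hits at live paths, which is the distinction the reply draws. The sample is three lines from the result above plus one constructed live hit with a placeholder detection name.

```python
import re

# One ESET result line: "<path> [a variant of ]<Family/Name> <category>".
# The path may contain spaces, so the detection is matched from the right-hand end.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<detection>(?:a variant of\s+)?\S+/\S+\s+\S+)$")

# Folders where the removal tools park what they already neutralised; a hit under
# these is a stale copy, not an active infection, and only the folder needs removing.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",   # ComboFix
    "c:\\_otm\\movedfiles\\",     # OTMoveIt
    "c:\\_otl\\movedfiles\\",     # OTL (assumed default location)
)

def classify(path):
    """'quarantined' for a path under a tool's holding folder, otherwise 'live'."""
    return "quarantined" if path.lower().startswith(QUARANTINE_PREFIXES) else "live"

def triage(log_lines):
    """Group ESET result lines into quarantined / live / unparsed buckets."""
    result = {"quarantined": [], "live": [], "unparsed": []}
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        path, detection = m.group("path"), m.group("detection")
        result[classify(path)].append((path, detection))
    return result

# Three lines copied from the ESET result above plus one constructed live hit
# (Win32/Example.A is a placeholder name, not a real detection).
SAMPLE = r"""
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dfsc.sys.vir a variant of Win32/Rootkit.Kryptik.JV trojan
C:\_OTM\MovedFiles\03012012_142004\C_Users\The Perrrys\Downloads\fsSetup132.exe Win32/Adware.Toolbar.Dealio application
C:\_OTM\MovedFiles\03012012_142004\C_Windows\System32\drivers\dfsc.sys a variant of Win32/Rootkit.Kryptik.JV trojan
C:\Users\The Perrrys\AppData\Local\Temp\svchost.exe a variant of Win32/Example.A trojan
"""

if __name__ == "__main__":
    buckets = triage(SAMPLE.splitlines())
    for bucket, hits in buckets.items():
        print(f"{bucket}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```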
 
By gosh I think we got it! Glad to help, glad to have the system finally clean.

Please note: The operative word in both of the following is hidden.

About the flash drive: If you didn't run this earlier, please do so now:

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
About the Recycler:
The Recycler folder is a hidden folder where the files you delete are stored, until you empty the Recycle Bin, on an NTFS partition.

The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID). Example: S-1-5-21-330564415-2671475969-752554860-1006

Note: The Recycle Bin on the Desktop must be empty. Close any running programs.

Use either of the following methods:

1. Clear the Recycler using Command Prompt
  1. Click on Start> Run> type in cmd> (OS version dependent) enter
  2. Right-click cmd.exe> click Run as administrator> Continue
  3. At the elevated Command Prompt, type rd /s /q c:\recycler
    Note: If C is not the Hard Drive letter, change the c in the entry to the Drive letter.
  4. Windows will create a new recycler for the drive when the computer is rebooted.

2. Clear the Recycler using Windows Explorer
  1. Right click on Start> Explore> Computer> Local Drive
  2. Go to Tools> Folder Options> View tab
  3. Check 'show hidden files and folders'
  4. Uncheck 'hide protected system files (Recommended)'
  5. Click Yes to confirm
  6. Double click C Drive> Scroll down to and double click on the Recycler
  7. Highlight all the files> Hold shift and press the Delete key
Reset the Hidden files and folders
  • Go back to Folder Options> View tab
    • Check 'do not show hidden files and folders'
    • Recheck 'hide protected system files' (Recommended)
    • Click on OK> Apply> OK> Exit Windows Explorer.

    Please go back and re-hide the files.

    Note: Recycler
    If any entry in the logs showed "Failed to delete" or "Could not be removed", then most likely the flash drive is the source. For example:
    c:\windows\$NtUninstallKB62280$> Failed to delete . . . .
    =================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
 
By gosh I think we got it!
:LOL! :haha:

Was getting so excited to tie up the ends, but Flash_Disinfector is not working. Downloaded it to the desktop, double-click on it and it loads for 3 seconds and then nothing else occurs.
When I watch this happen in the task manager under processes, Flash_Disinfector.exe appears for about 3 seconds, then disappears.

As per your instructions, I am asking for guidance and not trying to be a hero and fix it myself. When we are so close to the end, it is not the time to think I can do this on my own!! :)
 
Give this one a try:

  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to that address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

Consider the possibility that if you ran a disinfector previously, it did work then and there is no infection to remove.
==================================
Do you still have Combofix installed? I need to stop a couple of processes.

Also to ask: Do you have this Service set to run:
LogonHours>> disconnects user when logon hours expire
 
Panda USB worked great, all sorted there.

Yes Combofix and all other programs you instructed me to install are still installed. Trying to follow your instructions in the order given.

There seems to be no file on the local drive (which is C drive) or even on the Recovery (D drive) named Recycler. Only thing close is a file on C:\$RECYCLE.BIN. Only thing inside there is the recycle bin icon/file.
Tried to use the command prompt and it said "The system can't find the file".

I have selected it to show all hidden files and folders and unchecked hide protected system files. But no luck finding a folder like that.

Searched my computer for a folder called recycler and nothing came up.

However, in the Recovery D: drive under the $Recycle.bin folder (there is a C:\$Recycle.bin and a D:\$Recycle.bin), there is the recycle bin icon/file AND there was a folder named S-1-5-21-513904107-2587497094-3204873482-500, which looks mighty similar to the one in your post.

What should I do from here?

Running Vista 32bit with SP2 if that makes any difference.
 
See if you can delete S-1-5-21-513904107-2587497094-3204873482-500

Basically, the contents of the Recycler are overwritten in time. But here's why it's best to delete the contents of the Recycler if it shows up in these logs:
Globally unique identifier (GUID) based folder names can be exploited by computer worms—malicious software that can "reproduce"—hidden in a folder posing as a system folder such as the Recycle Bin, by employing its system application GUID shortcut. For example, a malicious file located at E:\Recycler\bin.{645ff040-5081-101b-9f08-00aa002f954e}\VIRUS.exe cannot be viewed in Explorer (opening the folder in order to view/delete would redirect to the Recycle Bin) and the folder cannot be deleted while the worm is running. Such a shortcut can be bypassed with the use of an active antivirus, or by booting from another operating system.
=========================================
The system is clean. Go ahead and just delete this: C:\programfiles\easybitsforkids\promo
=========================================
Okay to go ahead and remove the cleaning tools.

Let me know if you have any more questions.
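An added defender-side example, not from the thread or from any of the tools named in it: a Python audit of a removable-drive root that reports the three signs discussed in this thread (an autorun.inf file, a Recycler SID folder holding an executable, and a folder name ending in the Recycle Bin CLSID quoted above) while treating a vaccination-style autorun.inf folder as benign. The drive layouts are constructed in temporary directories, and the file names are stand-ins.

```python
import os
import re
import tempfile

# Recycle Bin CLSID quoted in the thread: "<name>.{CLSID}" opens as the Recycle Bin in Explorer.
CLSID_SUFFIX_RE = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Per-user SID folder names such as S-1-5-21-513904107-2587497094-3204873482-500
SID_DIR_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$", re.I)

def audit_drive_root(root):
    """Return (severity, path, reason) findings for one removable-drive root."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings.append(("high", autorun, "autorun.inf file present: the worm's launch hook"))
    elif os.path.isdir(autorun):
        findings.append(("info", autorun, "autorun.inf folder present: the vaccination, keep it"))
    for dirpath, dirnames, _ in os.walk(root):
        in_recycler = os.path.basename(dirpath).lower() == "recycler"
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if CLSID_SUFFIX_RE.search(name):
                findings.append(("high", full, "folder name carries a CLSID suffix: Explorer hides it"))
            if in_recycler and SID_DIR_RE.match(name):
                exes = [f for f in os.listdir(full) if f.lower().endswith(".exe")]
                if exes:
                    findings.append(("high", full, "executable in Recycler SID folder: " + ", ".join(exes)))
    return findings

def build_demo_drive():
    """Constructed temp-dir layout imitating the infected USB stick described in the thread."""
    base = tempfile.mkdtemp(prefix="usb_demo_")
    sid = os.path.join(base, "Recycler", "S-1-5-21-513904107-2587497094-3204873482-500")
    os.makedirs(sid)
    open(os.path.join(sid, "file-name.exe"), "w").close()   # empty stand-in for the worm's copy
    os.makedirs(os.path.join(base, "bin.{645ff040-5081-101b-9f08-00aa002f954e}"))
    with open(os.path.join(base, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n")                               # content is irrelevant to the check
    return base

def build_vaccinated_drive():
    """Constructed layout after Flash_Disinfector or Panda USB Vaccine: autorun.inf is a folder."""
    base = tempfile.mkdtemp(prefix="usb_clean_")
    os.makedirs(os.path.join(base, "autorun.inf"))
    return base

if __name__ == "__main__":
    for severity, path, reason in audit_drive_root(build_demo_drive()):
        print(severity.upper(), path, "-", reason)
```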
 
I deleted the file S-1-5-21-513904107-2587497094-3204873482-500 successfully. Emptied recycle bin afterwards.

Uninstalled the listed programs under the control panel function of Programs and Features.
Tried to delete Combofix like you instructed. It starts deleting some files (as the combofix window shows files being deleted), then it immediately starts extracting files and running combofix again!

On C: drive, there is a C:\combofix with one folder inside called Test4Max and two files contained in there (SYS_LINKED Files).
Then there is the combofix.exe file which I downloaded (which is elsewhere on the C: drive) and a few .txt files with combofix in the name.
Can I manually delete all of the above?

Also, when manually deleting the other programs, must/can I delete the folder C:\Qoobox?
I will delete all other programs you asked me to download manually, and will run OTCleanIt once done.

Will wait for your answer on Combofix first though.
 
There is a note in the clean up directions telling you to delete any of the tools or logs that didn't get removed. Please do that.

The system is clean. I'm closing the thread.
 