Recovering after severe virus attack - is it really gone?

By AustinSchnitzel
Jan 21, 2011
  1. You fellows have helped me out of a major bind in the past, and here I am again in dire straits and without a clue.

    Earlier today I was checking out an innocuous corner of the internet, a website I had visited several times in the past with no issues. This time, however, it hit me with a bluescreen out of nowhere. Upon restarting, I saw the HP loading screen, but before the Windows loading bar faded in, four words appeared in the upper left corner of the screen:

    Operating system not found.

    Freaking out, I turned it off and on again. It booted fine and I was able to log in. Everything seemed normal for about five minutes. Then I noticed a program I had double-clicked on wasn't running. I opened up a random folder from the desktop and got a blank Explorer window. I double-clicked a Notepad file. Nothing happened. I opened My Computer from the Start Menu. The usual sidebar on the left was missing... as was the C drive.

    At this point my heart sunk in my chest, and something... further down... felt like it retracted fully to hide beside my pancreas. I'll spare y'all the details, but after a system restore point, many reboots, diagnostics, Safe Mode tinkering and backing up all personal files and folders to an external hard drive, I want to know what I can do to ensure that whatever hit me is completely gone... before it slams me again the next time I boot up.

    Currently I cannot run Avast or Windows Defender unless in Safe Mode. Before just now, I was not able to load past the Welcome screen under normal conditions, nor access the login screen at all while booting in Safe Mode. After a few reboots in relatively quick succession, CHKDSK ran automatically. I don't know how it helped, but here I am. Apart from lack of an active firewall or virus/malware scanner, everything seems to be running stable. But like they say, just because you're not paranoid doesn't mean they're not out to get you...

    I apologize for the overly long/dramatic story, but I'm not so good at explaining things like this in purely technical terms. Probably because this laptop is more than just a machine to me. (Preaching to the choir, right?) I'm just wondering where I can go from here. If I have to restore to Factory Condition, that's fine - I'm not in danger of losing any data. But if I can take care of it without shelling out a C-note to the local PC repair shop, even better.

    (I'm not sure if this situation calls for a HijackThis log, but I've attached one. It's been a while since I visited this forum, I just remember that when the professional helpers dropped in, it was the first thing they asked of everyone with a boot-related issue.)

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    Welcome aboard

    Please, complete all steps listed here:
    Make sure you PASTE all logs. If a log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    Salutations Broni, glad to have you drop in.

    You know how they say someone shouldn't fall asleep if they're suffering a severe concussion? That's pretty much the situation with my laptop. Every time I reboot, it becomes harder to log in. So far, I've waited for over ten minutes at the Welcome screen to no response. Sometimes it fades to black but the desktop never fully loads. There must be something lurking with my startup processes, or otherwise heavily interfering with Avast and Defender.

    I've borrowed my dad's Netbook to post here, and plan to continue the 8-step diagnostic by downloading the diagnostic programs onto my flash drive and running them while my laptop is in Safe Mode (no networking). I don't understand how Safe Mode can load properly one minute and not the next. My best guess is that the CHKDSK utility, slow as it is, is the only thing standing between me and total annihilation.
  4. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    MBAM says it found nothing out of the ordinary. GMER gives me a bluescreen partway through the scan:

    I guess I'll try scanning one section at a time, then updating the text log. Through process of elimination I'll figure out which section of the scan is having issues.
  5. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38


  6. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    GMER Log

  7. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    Attach.txt part of DDS is missing.
    Please, post it.


    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it:
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    The DDS log is attached, though I don't know how the txt file could hold more than what I copied and pasted.

    MBRCheck Log:
    ComboFix log (Thundercats HOOOO!):
    Rkill Log:

    Attached Files:

    • DDS.txt
      File size:
      12.1 KB
  9. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    Then, I said:
    Attach.txt part of DDS is missing.
    Not DDS.txt.


    We need to double check your MBR.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip:
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  10. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    I get it now. The Attach.txt never appeared last time, so I ran DDS again and there it was.

    Remover log:
  11. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    Thanks :)

    We need to fix your MBR...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
  12. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    New MBR Log:
    Is it possible to explain in layman's terms what the purpose of the MBR is, and what difference a nonstandard one could make?
  13. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    In layman's terms, huh?
    When a computer starts up, its memory (RAM) is empty, so for the processor (CPU) there is nothing to process, unless it knows where to find some guidance.
    That's where the MBR, or Master Boot Record, comes in handy.
    It's a small part of your hard drive where all the initial info is stored.
    The CPU is programmed to look there, and then it knows what to do next.
    More info:

    "Non-standard" is not an issue by itself. MBRs differ, so it may be some type of MBR which is just not recognized by our scan.
    That's why we ran another scan, which said:
    "186 GB \\.\PhysicalDrive0 Unknown boot code"
    Still, it doesn't necessarily mean the MBR is infected, but we'd better re-write it to make sure you have the correct MBR.

    If the MBR is in fact infected, it'll ask your computer to do other things than it's supposed to do.

    Now...good job on fixing MBR :)

    Combofix log looks good, so we can move on...

    How is the computer doing at the moment?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %PROGRAMFILES%\Common Files\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %USERPROFILE%\Favorites\*.url /x
    %ALLUSERSPROFILE%\*.dat /x
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %systemroot%\pchealth\helpctr\System\*.exe /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
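    The MBR explanation and the "Unknown boot code" line above describe what an MBR checker actually does: it reads the first sector of the disk, verifies the 0x55AA boot signature the firmware requires (a sector without it is one way to end up at "Operating system not found"), hashes the 440 bytes of boot code against a list of known-good loaders, and sanity-checks the partition table. The Python below is an added illustration of that logic, not code from this thread or from MBRCheck, Bootkit Remover or NTBR. The sectors, the "standard" boot code stub, the disk signature and the allow-list are all constructed inside the block, so it runs offline and never touches a real disk; real checkers compare against hashes of genuine Windows loader code, which this example does not include.

```python
"""Parse a 512-byte Master Boot Record and report what an MBR checker would
flag: a missing 0x55AA signature, boot code whose hash is not allow-listed,
and an implausible partition table.  Every sector here is a constructed
sample, not an image read from a real drive."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: the loader code the CPU jumps to
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 on every valid MBR
ACTIVE_FLAG = 0x80


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields; raises on a sector of the wrong size."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == ACTIVE_FLAG,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def classify_boot_code(sha1_hex: str, known_hashes: dict) -> str:
    """Name the loader if its hash is allow-listed, otherwise 'Unknown boot code'."""
    return known_hashes.get(sha1_hex, "Unknown boot code")


def audit_mbr(sector: bytes, known_hashes: dict) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if classify_boot_code(mbr["boot_code_sha1"], known_hashes) == "Unknown boot code":
        findings.append(f"unknown boot code (sha1 {mbr['boot_code_sha1'][:12]}...)")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in mbr["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"])
    for (s1, e1), (s2, _) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partition overlap at sector {s2} (previous ends at {e1})")
    return findings


def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR from boot code and (active, type, start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)  # constructed disk signature
    for i, (active, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i,
                         ACTIVE_FLAG if active else 0, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for "standard" loader code (NOT real Windows boot code).
STANDARD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
# Same code with its first bytes replaced by a jump, the way a bootkit redirects control.
TAMPERED_CODE = b"\xe9\x00\x01" + STANDARD_CODE[3:]
# Two NTFS-type partitions (0x07), first one active, laid out back to back.
PARTITIONS = [(True, 0x07, 2048, 409600), (False, 0x07, 411648, 390000000)]
# Allow-list keyed by SHA-1 of the boot code; a real tool ships known loader hashes.
KNOWN_BOOT_CODE = {hashlib.sha1(STANDARD_CODE).hexdigest(): "Standard boot code (constructed sample)"}

STANDARD_SECTOR = build_sector(STANDARD_CODE, PARTITIONS)
TAMPERED_SECTOR = build_sector(TAMPERED_CODE, PARTITIONS)

if __name__ == "__main__":
    for name, sec in (("standard", STANDARD_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, "->", audit_mbr(sec, KNOWN_BOOT_CODE) or ["no findings"])
```

    The tampered sector keeps a valid signature and a sane partition table, so the only thing that gives it away is the boot-code hash. That is exactly why the thread's advice is to rewrite the MBR with known-standard code rather than trust "looks fine": an allow-list can only say "unknown", never "clean".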
  14. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    OTL textfile:
  15. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    OTL continued:
    Extras textfile:
  16. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    Update your Java version here:

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
      O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
      O15 - HKU\S-1-5-21-3091605995-3638911993-2397923110-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2008/10/13 09:29:28 | 000,000,013 | -H-- | C] () -- C:\ProgramData\˜113.›sys
      @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:C28667BE
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
      "DisableMonitoring" =-
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  17. AustinSchnitzel

    AustinSchnitzel TS Rookie Topic Starter Posts: 38

    OTL again:
    Security Check log:
    ESET log:
  18. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    Java(TM) SE Runtime Environment 6
    Java(TM) 6 Update 2


    Update Adobe Reader

    You can download it from
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.


    Uninstall Thunderbird, if you don't use it. Your version is very outdated.


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      C:\ProgramData\AOL Downloads\triton_suite_install\\setup.exe 
      C:\Users\All Users\AOL Downloads\triton_suite_install\\setup.exe
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current (including Service Pack 2 installation; very important!)

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!:

    12. Please let me know how your computer is doing.
  19. Broni

    Broni Malware Annihilator Posts: 52,801   +343

    The issue seems to be resolved.
Topic Status:
Not open for further replies.
