Can NOT fully remove Win32 Dorkbot virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EntJ, Sep 16, 2011.

  1. EntJ

    EntJ Private E-2

    Please help! I'm in Peace Corps so my response time may lag, but I plan to check back here as much as possible.

    I received a "RECYCLER" virus some days ago on my flash drive which hides files on my USB and created shortcuts or new folders. When running Microsoft Security Essentials, it shows that the virus itself is called "Win32 Dorkbot." It is able to locate the virus, but never fully deletes it.

    I'm not even sure if it's deleted from my USB completely, other than checking it on a friend's PC and them running Essentials on it. How can I know if it's clean? I'm not sure what is infecting what, though I do feel it's more likely I just haven't deleted it fully from my computer.

    Judging from Microsoft's page about the virus, it's exactly what I have.

    I'm now stuck because I've run EVERYTHING on this page...http://forums.majorgeeks.com/showthread.php?t=139681 with no success. In addition, the ROOTREPEAL program never even could open, stating there was a problem.

    I would upload logs, but I can't even open my application data folder...

    However... Superantispyware, malwarebytes, combofix, and MGTools have not fixed the problem : (

    PLEASE HELP!!!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need to be able to see those logs before I can give you a fix.
     
  3. EntJ

    EntJ Private E-2

    Ok I've found how to attach the logs.

    Like I said, I can run everything BUT Rootrepeal, but I've attached the error log.

    Thanks so much!
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    c:\users\Speare\AppData\Roaming\Antqtq.exe <--- delete this file if it exists.


    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Does this help you? You might also try giving this a run:

    Microsoft Safety Scanner
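    The "vaccination" trick in the note above (a protected autorun.inf folder that a worm cannot replace with its own autorun.inf) and the hidden-files-plus-shortcuts pattern EntJ describes, as an added PowerShell example; it is not part of this thread or of Flash_Disinfector, and the -Drive and -Fix parameters are assumed names:

```powershell
<#
  Added example (not from the thread or any tool it names): inspect a removable
  drive for the signs described above (RECYCLER folder, .lnk shortcuts standing
  in for hidden folders), restore the hidden user files, and create a protected
  autorun.inf folder so a later worm cannot drop its own autorun.inf.
  Assumed usage: .\Check-UsbDrive.ps1 -Drive E          (report only)
                 .\Check-UsbDrive.ps1 -Drive E -Fix     (report and repair)
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$Drive,
    [switch]$Fix
)

$root = "${Drive}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

# 1. Indicators the thread describes: a RECYCLER folder in the root of a flash
#    drive, and shortcuts in the root that launch an executable or cmd.exe
#    instead of opening the folder they are named after.
$indicators = @()
if (Test-Path -LiteralPath (Join-Path $root 'RECYCLER')) {
    $indicators += 'RECYCLER folder present in root'
}
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match '\.exe$' -or $lnk.Arguments -match '\.exe') {
            $indicators += "Shortcut $($_.Name) -> $($lnk.TargetPath) $($lnk.Arguments)"
        }
    }

# 2. Items the worm marked hidden+system so its shortcuts appear in their place.
#    Skip the vaccine folder and the NTFS system folder, which are legitimately hidden.
$hidden = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('autorun.inf', 'System Volume Information') -and
                   ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   ($_.Attributes -band [IO.FileAttributes]::System) }

"Indicators found: $($indicators.Count)"
$indicators | ForEach-Object { "  $_" }
"Hidden+system items in root: $($hidden.Count)"

if ($Fix) {
    # Restore the user's files; removing the payload itself is left to the AV scan.
    foreach ($item in $hidden) { attrib -h -s "$($item.FullName)" }

    # 3. Vaccinate: a read-only, hidden, system FOLDER named autorun.inf occupies
    #    the name, so a worm cannot create an autorun.inf file in the root.
    $vacc = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $vacc -PathType Leaf) {
        Remove-Item -LiteralPath $vacc -Force      # an existing autorun.inf FILE is the worm's
    }
    if (-not (Test-Path -LiteralPath $vacc)) {
        New-Item -ItemType Directory -Path $vacc | Out-Null
    }
    attrib +r +h +s "$vacc"
    "Restored $($hidden.Count) item(s) and protected $vacc"
}
```

    Run it from an elevated PowerShell prompt with the drive inserted while holding Shift, as the post above describes, so nothing on the drive autoruns before the check.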
     
  5. EntJ

    EntJ Private E-2

    The Antqtq file doesn't exist, at least not in that location (or any other that I can tell)

    I inserted my flash drive (which I cleaned on another computer) holding shift like you said, and then WATCHED as the RECYCLER file and a bunch of shortcuts magically appeared after a little time. This seems to show that the computer keeps giving it to the USB drive, and not the other way around.

    I downloaded the two programs but they won't run!

    I click "run" for the Flash Disinfector and then NOTHING happens

    As for the Windows Security Scanner program, I click "run" and I get an error message saying that it is not a valid Win32 application...

    What do I do now??? Nothing will run!

    Oh, and it is worth mentioning that I also tried running them in Safe mode with no luck either.
     
    Last edited by a moderator: Sep 17, 2011
  6. EntJ

    EntJ Private E-2

    The Antqtq file doesn't exist, at least not in that location (or any other that I can tell)

    I inserted my flash drive (which I cleaned on another computer) holding shift like you said, and then WATCHED as the RECYCLER file and a bunch of shortcuts magically appeared after a little time. This seems to show that the computer keeps giving it to the USB drive, and not the other way around.

    I downloaded the two programs but they won't run!

    I click "run" for the Flash Disinfector and then NOTHING happens

    As for the Windows Security Scanner program, I click "run" and I get an error message saying that it is not a valid Win32 application...

    What do I do now??? Nothing will run!
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you give me the exact locations of the threats being found?

    Download this file to your desktop

    Kaspersky Virus Removal Tool

    Run the program you have just downloaded to your desktop (it will be randomly named).

    First we will run a virus scan.
    • On the first tab select all elements down to Computer and then select start scan.
    • Once it has finished select report and post that.

    Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop.

    Now an analysis scan

    • Select the Manual Disinfection tab
    • Press the Gather System Information button
    • Once done, open the last report saved folder, then attach the zip file to your next post.
    • The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
    Please attach that too.
     
  8. EntJ

    EntJ Private E-2

    I think that actually worked! At the very least, the antivirus sites are no longer blocked.

    I have attached the system log file, but majorgeeks kept showing an error message about a security file missing so I can't even post them simply copied. There are two. One is from the first complete scan, but for some reason my computer restarted so I redid the scan again.

    Thanks for all your help I really appreciate it.



    Is it safe to say that my USBs are still infected even if cleaned with Microsoft Security Essentials?

    What antivirus program should I get to make sure this doesn't happen again? Because it seems that even though Essentials can identify it, it couldn't delete it.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you run Combofix again please and attach the log? Also I would really like to see the avptool_sysinfo.zip

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  10. EntJ

    EntJ Private E-2

    I've attached the Combofix log and the MG log file.

    I can't seem to locate the avptool_sysinfo.zip file. Do you know where the file would be located?

    Thanks a lot for your help!

    I still would like to know what you would recommend to avoid this again, especially since it's quite possible that my USBs still have the virus. I want to completely fix my computer and install some sort of antivirus program before I try to connect them again.

    Thanks!
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    They did not attach.
    Yes, here: C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
    You're welcome!
    I will address this once I have seen the latest logs.
     
  12. EntJ

    EntJ Private E-2

    I've attached the Combofix log and the MG log file.

    I can't seem to locate the avptool_sysinfo.zip file. Do you know where the file would be located?

    Thanks a lot for your help!

    I still would like to know what you would recommend to avoid this again, especially since it's quite possible that my USBs still have the virus. I want to completely fix my computer and install some sort of antivirus program before I try to connect them again.

    Thanks!
     

    Attached Files:

  13. EntJ

    EntJ Private E-2

    Yes, here: C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip


    Ah, the problem is that the "setup" is an application, not a folder: the Kaspersky virus removal tool.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      avptool_sysinfo.zip
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  15. EntJ

    EntJ Private E-2

    Done : )

    Perhaps this file was deleted when I ran the Kaspersky?
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O4 - Startup: _uninst_.lnk = C:\Users\Speare\AppData\Local\temp\_uninst_.bat

    After clicking Fix exit HJT.


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\users\Speare\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
    c:\users\Speare\AppData\Local\temp\_uninst_.bat
    c:\windows\system32\drivers\rolll.sys 
    Fcopy::
    C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe | C:\Windows\system32\ctfmon.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.



    Could you please get this: 54266884.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:
    log retrievable @ C:\collect.zip



    Please go to virustotal and upload the following files for analysis, and let me know the results.

    • C:\Windows\System32\drivers\54266884.sys


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  17. EntJ

    EntJ Private E-2

    1. I followed the instructions to the letter for MGtools by making the document and dragging it, updating MGTools etc, but unfortunately I accidentally closed the window when it said it was preparing the log file and that it would be located on my C drive because I mistakenly thought it had finished. Should I run it again and attach the log? Sorry about that. My computer did restart during the process, but I never got the error message you wrote about.

    2. The file, 54266884.sys, does not exist under the file name you gave me.

    3. I have attached the new mglogs zip.

    4. Question: Under users..Speare.. I have a bunch of ntuser files that I can't delete because it says the system is using them. What are they?
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.
    Code:
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    :services
    rolll
    
    :files
    c:\windows\system32\drivers\54266884.sys
    c:\users\Speare\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_.lnk
    c:\users\Speare\AppData\Local\temp\_uninst_.bat
    c:\windows\system32\drivers\rolll.sys 
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: Sep 20, 2011
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also, once we have made some more progress, we can try having you run a complete scan with Malware Bytes and SUPERantispyware with the flashdrive plugged in. I can then check the log.

    Please tell me what this is: C:\removerecycler.exe
     
    Last edited: Sep 20, 2011
  20. EntJ

    EntJ Private E-2

    The recycler.exe is a program I downloaded to delete the folder on my USB.

    I can't find its URL, but it opens a program that does some commands on the black screen and deletes it.
     

    Attached Files:

  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As I suspected, had to be sure though.


    Please go to virustotal and upload the following files for analysis, and let me know the results.

    C:\Windows\5637185drv.spi


    Could you please get this: 5637185drv.spi into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:
    log retrievable @ C:\collect.zip

    Now please insert your flashdrive and run a FULL scan with Malware Bytes after updating it, ensuring you include to scan the flashdrive. Attach the log please as well as the collect.zip and let me know the results from VT. :)
     
  22. EntJ

    EntJ Private E-2

    File name: 5637185drv.spi
    Submission date: 2011-09-21 23:13:21 (UTC)
    Current status: finished
    Result: 0/ 44 (0.0%)
    -----------------------------
    I'm really hesitant about inserting my flash drive until I KNOW my computer can handle deleting the virus if my USB is still infected and that I won't simply reinfect it. Since I have basically the same computer set up that I did when it first got infected, should I be inserting the drive without first having gotten some extra protection?

    It is also very likely I'd be getting a USB that's infected in the future because I use this computer so much for work.
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, I'll have a word with the others and see what they suggest. Hang in there. Apart from this issue everything else looks good now.
     
  24. EntJ

    EntJ Private E-2

    Thanks a lot! Please let me know!
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download this tool and run it with the flash drive connected to the computer:
    Panda USB Vaccine. Let Kes know what happens.
     
  26. EntJ

    EntJ Private E-2

    Worked awesomely! The USB is connected with no problems!

    Couple of questions:

    Does the Panda USB vaccine program need to be launched EVERY time I put in a new USB in my computer or will it just do it automatically?

    Does the program create an autorun.inf file in order to prevent viruses from creating one on the drive?
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I personally have not used it, so I can't answer those questions. If you want something to run automatically, you can use AutoEater.
     
  28. EntJ

    EntJ Private E-2

    *****!!!!

    I just connected my external and it DOES have the recycler virus on it. The PANDA program didn't work and showed me a message saying: "NTFS support disabled. Consult help."

    What do I do now?
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Best suggestion would be to reformat the thumb drive.
     
