Following instructions - still having trouble

Discussion in 'Malware Help (A Specialist Will Reply)' started by amberH, Aug 30, 2010.

  1. amberH

    amberH Private E-2

    Hello,
    I have an Acer laptop running XP and paid for version of AVG.
    AVG is listing a long list of viruses constantly (Win32patched.FM and .FL) and is unable to clean them.

    I followed the steps of your instructions.
    SuperAntiSpyware and MalwareBytes were already installed on this laptop.
    I updated and ran Super AntiSpyware.
    I rebooted, and no longer had any internet connection.
    The connection shows 'limited or no connectivity' and the wireless connection never gets past 'renewing IP address' when I run a repair.
    I ran the "Repair broken Network Connection (WinSock LSP Chain)" in SAS, but it didn't fix my problem.
    I did run MalwareBytes, but was unable to update.
    I began the ComboFix program, but when it couldn't get past the system restore portion (because it needed to connect) I stopped. I read up on the manual installations of the recovery console, but all need an internet connection.
    I ran the remaining tools successfully.

    I see other threads with similar situations, but they are very specific, and based on logs users post - so I assume they can't help me...

    I've attached all my log files.

    Thanks!!
    Amber
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Combofix can be run offline, it will only want to connect to install the recovery console.

    Go ahead and run it please. In normal mode if possible, or in safe mode if necessary. Attach the C:\combofix.txt into your next reply.
     
  3. amberH

    amberH Private E-2

    Thanks!
    Attached is the log from ComboFix.
    Amber
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this:

    Using ESET's Online Scanner

    Please run a scan with this: Norman Malware Cleaner

    Then after another reboot, see if you are still having problems. Also see if you can get a log from Norman to attach. Ignore any messages about items in the QooBox folder (from ComboFix) or in the MGtools folder being infected.
     
  5. amberH

    amberH Private E-2

    I'm not able to run ESET's scanner because I'm still unable to connect to the internet.

    I did run Norman Malware Cleaner.
    Now it won't boot at all, it restarts itself before it gets to the logon screen.
    Same result when trying to go into safe mode.

    I've attached the log from Norman.

    Thanks,
    Amber
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  7. amberH

    amberH Private E-2

    Nope - that didn't work either. Still won't boot.

    I turned off 'automatic restart on system failure' - and can now see the BSOD message (not sure if it's relevant) -
    STOP:C000021a {fatal system error}
    The windows logon process system process terminated unexpectedly with a status o
    The system has been shut down.

    Thanks,
    Amber
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sigh, this is the nature of this infection, not nice at all... hang in there while I have a think about how to proceed.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's see if the problem is due to the infected winlogon.exe file being deleted by Norman.

    Boot back into the Recovery Console and run the below steps. The below steps will assume that your CD drive is D so change this to the appropriate drive letter if yours is different.

    Once you are back to the C:\Windows> prompt of the Recovery Console, input the below commands one at a time, each followed by the enter key. Read the notes further down which comment on these commands.

    cd system32
    copy D:\i386\winlogon.ex_ winlogon.exe
    exit


    NOTES:
    • the first command should cause the prompt to change to C:\windows\system32>
    • the second command should copy the compressed winlogon.ex_ file ( yes the underscore is the correct file name ) from the i386 folder of your CD into the system32 folder and rename it to winlogon.exe, the file will automatically be uncompressed. Notice the space after the copy and after the ex_
    • the third command should reboot your PC. Remove the CD and see if Windows will boot.
    If Norman deleted winlogon.exe, it may have also taken the incorrect action of deleting explorer.exe too, and it will have to be replaced. If Windows boots up this time but you have no Desktop, then explorer.exe was deleted and similar steps to the above can be performed to restore it. However, you don't need to run the cd system32 command since explorer.exe belongs in the C:\windows folder. Just skip to the second command and replace each case of winlogon with explorer.
     
    Last edited: Aug 31, 2010
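    As an added illustration (not part of this thread, and not a MajorGeeks tool): a small Python check for the files this thread ends up restoring by hand. It compares each installed copy against a known-good copy, reporting it as missing (the state the cleaner left winlogon.exe and explorer.exe in), modified (still patched, or the CD copy never actually replaced it), or ok. The reference folder (assumed to hold the files expanded from the CD's i386 folder) and the demo tree are assumptions; build_demo constructs a throwaway sample layout rather than touching a real system.

```python
import hashlib
import tempfile
from pathlib import Path

# Files this thread ends up restoring by hand: the two that Win32/Patched (Bamital)
# infected and the cleaner then deleted, plus the driver found missing later.
CRITICAL_FILES = {
    "winlogon.exe": ("system32", "winlogon.exe"),
    "explorer.exe": ("explorer.exe",),
    "netbt.sys": ("system32", "drivers", "netbt.sys"),
}

def sha256_of(path):
    """SHA-256 hex digest of a file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_system_files(windows_dir, reference_dir, files=CRITICAL_FILES):
    """Compare installed copies with known-good copies in reference_dir (assumed:
    expanded i386 files). Returns {name: ok | missing | modified | no-reference}."""
    results = {}
    for name, parts in files.items():
        installed = Path(windows_dir).joinpath(*parts)
        reference = Path(reference_dir) / name
        if not installed.is_file():
            results[name] = "missing"    # what the cleaner's deletion looks like
        elif not reference.is_file():
            results[name] = "no-reference"
        elif sha256_of(installed) != sha256_of(reference):
            results[name] = "modified"   # still patched, or never replaced
        else:
            results[name] = "ok"
    return results

def build_demo():
    """Constructed throwaway tree, not a real system: winlogon restored,
    explorer still patched, netbt.sys deleted. Returns (windows_dir, ref_dir)."""
    root = Path(tempfile.mkdtemp())
    win, ref = root / "Windows", root / "i386-expanded"
    (win / "system32" / "drivers").mkdir(parents=True)
    ref.mkdir()
    samples = {  # name: (known-good bytes, installed bytes or None if deleted)
        "winlogon.exe": (b"MZ-good-winlogon", b"MZ-good-winlogon"),
        "explorer.exe": (b"MZ-good-explorer", b"MZ-explorer-PATCHED"),
        "netbt.sys": (b"MZ-good-netbt", None),
    }
    for name, (good, installed) in samples.items():
        (ref / name).write_bytes(good)
        if installed is not None:
            win.joinpath(*CRITICAL_FILES[name]).write_bytes(installed)
    return str(win), str(ref)
```

Against a real machine you would point windows_dir at C:\Windows and reference_dir at a folder where the matching service-pack i386 files were expanded, since a mismatch against a different CD level is expected.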
  10. amberH

    amberH Private E-2

    Woohoo! It's booting again.
    I did have to fix explorer.exe too.
    So it appears now I have to reinstall all my drivers - and reactivate Windows?
    Hopefully the fact that I used a different CD to copy these files won't affect my activation??
    Amber
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent. Now we will have to see if you are still infected. Please rerun ComboFix and attach a new log.


    It is asking you to reactivate Windows? That was not expected, but no, just copying these files has nothing to do with your license.
     
  12. amberH

    amberH Private E-2

    Ok - I reinstalled all the drivers.
    Still can't connect to the internet. Now when I run ipconfig /renew it says The RPC Server is unavailable.
    And it is asking me to activate windows.
    Attached is my log from combofix.
    Thanks :)
    Amber
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like the Bamital infection has been fixed. Now onto your other infections.

    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  14. amberH

    amberH Private E-2

    Thanks!
    Attached is the TDSSKiller log.
    Amber
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Now let's see if TDSSKiller actually fixed the MBR infection.


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. amberH

    amberH Private E-2

    Okay, both logs are attached.
    When I ran MGLogs I was prompted with:
    please set registry key HKLM\Software\Microsoft\.netFramework\InstallRoot to point to the .net framework install location

    Thanks :)
    Amber
     

  17. amberH

    amberH Private E-2

    Are we out of things to try?

    Amber
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't bump, try and be patient, I am guessing you are almost sorted now, but considering Chaslang has been the one to have fixed things for you, I think you are better off waiting for him and his say so on the matter. I am off to work soon, I will check your thread when I return later on this evening. :)
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Use Windows Explorer to find and delete:

    Also delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).
    Tell me how things are running now, as we are close to wrapping up as I said.
     
  20. amberH

    amberH Private E-2

    Thanks!
    Sorry about the 'bumping' - at least now I know what 'bumping' is! :)

    I deleted the file in the first step.
    In the C:\Documents and Settings\Owner\Local Settings\temp folder I deleted all files but one - RtkBtMnt.exe - it has a date of yesterday, but when I try to delete it says access is denied.

    Thanks,
    Amber
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Tell me how things are running now.
     
  22. amberH

    amberH Private E-2

    Ok - rebooted.
    Still can't get an internet connection - when I ipconfig /renew - RPC server is unavailable.

    Amber
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then I have a feeling you will have to visit another forum to discuss this, but don't do that yet. I pointed Chaslang back to your thread so just wait on him now. :)
     
  24. amberH

    amberH Private E-2

    I got it!!

    The DHCP service wouldn't start because there was an issue with the NetBIOS Over TCP/IP driver. There was a missing file (netbt.sys). I extracted it from my WinXP disk, rebooted, and life is good.

    I also did the Windows Activation no problem.

    So do you suggest taking any other steps, or are you convinced this beast is finally clean??

    Thanks so much for all your help Kestrel and chaslang!!!!

    Amber
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are welcome! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
