Trojan Horse Crypt.ANVH in AFD.SYS

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by widmerj1, Jan 10, 2012.

  1. widmerj1

    widmerj1 Private E-2

    I have reviewed the entire Vista and Win 7 Malware Removal/Cleaning Procedure document and am confident that I can execute it. However, prior to doing so I would just like to ask if that is your recommended process for this problem. My AVG had the file whitelisted and I read elsewhere that it was not a good idea to "remove" those files.

    If you think I should follow the guidelines prescribed here I will certainly do so.
    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Correct! Don't remove it.

    Yes you should follow our cleaning procedure and attach the logs we request. DO NOT RUN any scans with AVG. In fact, it is recommended to uninstall AVG so that you can properly run ComboFix and to avoid having AVG get in the way of malware removal.
     
  3. widmerj1

    widmerj1 Private E-2

    I first started with the Fixing Google Redirection/Hijacking Problems list of steps.

    Attached are the two logs that were generated from GooredFix and tdsskiller.exe

    It appeared to me that the GooredFix.txt did not solve the problem so I proceeded on. The tdsskiller.exe found the exact item I described and suggested to "CURE" the item. After reboot the problem did not seem to be there any longer.

    I was not sure if I should go on to the MBR and beyond to the full cleaning.

    Please advise.

    Thank you!!!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While this is useful because we would have asked you to run some of these steps later, it will not fix this problem.

    Your TDSSkiller log shows the below two items. Run TDSSkiller again and if they still show, delete them and only them:

    23:15:52.0999 5992 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    23:15:53.0000 5992 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip


    Yes, get the log from MBRcheck and attach it, and then immediately move on to the READ & RUN ME core instructions, as this is what we will need information from in order to provide the manual fixes that will still be necessary.
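The \Device\Harddisk0\DR0 line is TDSSKiller reporting on the physical disk itself, which is where an MBR bootkit lives, and MBRcheck is the tool this thread uses to look at that sector. As an added example (not part of the thread and not how either tool works internally), the script below reads a raw 512-byte MBR, checks the 0x55AA signature and the partition table, and compares the boot-code area against a baseline hash recorded from a known-clean read. The sample sectors and the baseline hash are constructed here; `read_mbr` is how you would take the real sector from a disk. One caveat a practitioner should keep in mind: an active kernel-mode rootkit can filter reads of sector 0, so a "clean" result from inside the infected Windows is not conclusive; read the disk from offline boot media before trusting it.

```python
"""Added example: parse a raw 512-byte MBR, validate it, and compare its boot
code against a trusted baseline hash. Sample sectors below are constructed."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the loader stub a bootkit overwrites
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_partitions(mbr: bytes):
    """Return the four primary partition entries as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, baseline_sha256: str):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    for p in parts:
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {p['index']} has type 0 but a non-zero extent")
    return findings


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 from a block device, e.g. r"\\.\PhysicalDrive0" on Windows
    (needs an elevated prompt) or "/dev/sda" from a Linux rescue disk."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: the given loader stub plus one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_id = b"\x12\x34\x56\x78\x00\x00"          # disk signature + 2 reserved bytes
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff",
                         2048, 204800)
    table = entry0 + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_id + table + BOOT_SIG


# Constructed baseline: the hash you would have recorded from a known-clean read.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Same partition table, different loader stub: what a bootkit-patched sector looks like.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58\x90")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline has to come from somewhere you trust: a read taken from boot media before the infection, or the same Windows version's loader on a known-clean machine with the same partition layout. Comparing only the first 440 bytes keeps the disk signature and partition table out of the hash, so a legitimate repartition does not show up as tampering.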
     
  5. widmerj1

    widmerj1 Private E-2

    OK. Here are the newest logs for tdsskiller and MBR.

    Now working on all of the Malware Removal steps.

    Will post logs as they become available.

    Thanks.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No. Please complete all the steps and then attach all the logs. We cannot work up a fix until we have all the results.
     
  7. widmerj1

    widmerj1 Private E-2

    Sorry. Meant to say, "when all of the logs are available".
     
  8. widmerj1

    widmerj1 Private E-2

    SuperAntiSpyware was running when I went to bed. The log said it completed but I was not able to do the following steps:


    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    • If asked if you want to reboot, click Yes.

    I do not see a place to get at the threats it found and quarantine them.

    Do I need to run this again before moving on?

    Thanks.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on.
     
  10. widmerj1

    widmerj1 Private E-2

    After reboot I have no network on the PC. My original home network is gone. My wireless network is visible but has limited - no Internet access.

    I am sending this via iPad which is still able to use the wireless network.

    I have tried to restart the modem and router and computer to no avail.

    Any solution to this before I move on?

    Thanks
     
  11. widmerj1

    widmerj1 Private E-2

    I used a System Restore Point (from after the middle of the night reboot when SAS had completed but I did not get to quarantine) to reestablish my network and internet.

    What now? Should I now move on to Malware Bytes and the rest of the steps? I'm worried about losing the internet connection again.
     
    Last edited: Jan 13, 2012
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. We need the other logs so that we can properly help you. They will contain the information we will need to get things fixed up.
     
  13. widmerj1

    widmerj1 Private E-2

    I got through Malwarebytes without any issues.

    Combofix has been sitting on the Scanning for Infected files...this usually takes 10 minutes screen for nearly two hours.

    It never reached the message about changing the time.

    Should I let it continue or kill it?

    If I kill it what should I do next? Try combofix again or move on?

    Thanks
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    More than likely, you will not be able to kill ComboFix and may have to hold in the power button to shut down your PC.

    Do not attempt to run ComboFix again. Just move on to the next steps. But do tell me whether you had all protection software disabled? Also is User Account Control ( UAC ) disabled?
     
  15. widmerj1

    widmerj1 Private E-2

    How long should RootRepeal take? It has been sitting on the "Initializing, please wait" screen for around two hours. I know it is working because it found "hiberfil.sys" locked to windows.api

    Thanks.

    By the way, I let ComboFix run through the night and I do have a log for it as well as SAS and Malwarebytes so I'm close to being able to send all of the logs.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can terminate RootRepeal and move on to MGtools which at this point is going to be the most important log we need.
     
  17. widmerj1

    widmerj1 Private E-2

    At long last, here are my logs.

    There is no file for RootRepeal as it did not run properly.

    Thanks.

    James
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure "Include All Files" option remains checked.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After attaching the log from Farbar's Service Scanner, continue with the below.
    First please run MSconfig and put your PC into normal startup mode as requested in step 4 of the READ & RUN ME.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS2\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS3\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS4\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS5\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS6\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS7\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS8\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS9\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS9\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS10\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS10\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS11\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS11\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS12\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS12\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS13\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS13\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS14\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
    O17 - HKLM\System\CS14\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
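The O17 lines above are the actual hijack: every ControlSet and the interface's own subkey have had their NameServer value pointed at two resolvers the user never configured, which is why "Google redirection" was the visible symptom. As an added example (not part of the thread, and not code from HijackThis or MGtools), the script below parses O17 lines from a HijackThis-style log, flags any resolver outside an allowlist, expands the HijackThis shorthand (CS2 for ControlSet002, CCS for CurrentControlSet, Tcpip\..\{GUID} for Tcpip\Parameters\Interfaces\{GUID}) into real registry paths, and prints the `reg delete` commands that would clear them. On Windows it can also walk the live registry. The log excerpt and the allowlist are constructed for the example; the two rogue addresses are the ones quoted in the post.

```python
"""Added example: flag NameServer values that point at resolvers you do not
recognise, across every ControlSet and interface, and turn HijackThis
shorthand into real registry paths. The log excerpt and the allowlist are
constructed, not taken from the poster's machine."""
import ipaddress
import re
import sys

# Assumption: the resolvers this network is expected to use (router plus ISP/public).
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<value>.+)$")

# Constructed excerpt in HijackThis format: one clean entry, two hijacked ones.
SAMPLE_HJT_LOG = r"""
Running processes:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.205,93.188.160.125
O17 - HKLM\System\CS2\Services\Tcpip\..\{21A7F731-933E-43A9-BA4A-BD74EE16153C}: NameServer = 93.188.163.205,93.188.160.125
"""


def split_servers(value: str):
    """NameServer is a comma- or space-separated string; return the individual entries."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def parse_o17_lines(log_text: str):
    """Yield (hjt_key, [resolver, ...]) for each O17 NameServer line in the log."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m.group("key"), split_servers(m.group("value"))


def rogue_entries(entries, trusted=TRUSTED_RESOLVERS):
    """Keep entries whose NameServer list has any resolver outside the allowlist."""
    flagged = []
    for key, servers in entries:
        bad = []
        for s in servers:
            try:
                ok = str(ipaddress.ip_address(s)) in trusted
            except ValueError:
                ok = False            # not an IP literal at all: treat as suspicious
            if not ok:
                bad.append(s)
        if bad:
            flagged.append((key, bad))
    return flagged


def hjt_key_to_registry_path(key: str) -> str:
    """Expand HijackThis shorthand into the registry path it stands for."""
    path = key.replace("HKLM\\System\\", "HKLM\\SYSTEM\\", 1)
    path = path.replace("\\CCS\\", "\\CurrentControlSet\\")
    path = re.sub(r"\\CS(\d+)\\", lambda m: f"\\ControlSet{int(m.group(1)):03d}\\", path)
    return path.replace("\\Tcpip\\..\\{", "\\Tcpip\\Parameters\\Interfaces\\{")


def reg_delete_commands(flagged):
    """One 'reg delete' per hijacked key. Removing NameServer puts the interface
    back on DHCP-supplied resolvers; if static DNS is wanted, set it afterwards."""
    return [f'reg delete "{hjt_key_to_registry_path(k)}" /v NameServer /f' for k, _ in flagged]


def _subkeys(hkey):
    import winreg
    i, names = 0, []
    while True:
        try:
            names.append(winreg.EnumKey(hkey, i))
        except OSError:
            return names
        i += 1


def collect_live_nameservers():
    """On Windows, read NameServer from every ControlSet's Tcpip\\Parameters key and
    each Interfaces\\{GUID} subkey; returns (registry_path, [resolver, ...]) pairs."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        control_sets = [n for n in _subkeys(system) if n.upper().startswith("CONTROLSET")]
    for cs in control_sets:
        params = rf"SYSTEM\{cs}\Services\Tcpip\Parameters"
        paths = [params]
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, params + r"\Interfaces") as ifs:
                paths += [rf"{params}\Interfaces\{g}" for g in _subkeys(ifs)]
        except OSError:
            pass
        for p in paths:
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, p) as k:
                    value, _ = winreg.QueryValueEx(k, "NameServer")
            except OSError:
                continue
            if split_servers(value):
                found.append(("HKLM\\" + p, split_servers(value)))
    return found


if __name__ == "__main__":
    entries = list(parse_o17_lines(SAMPLE_HJT_LOG)) + collect_live_nameservers()
    for cmd in reg_delete_commands(rogue_entries(entries)):
        print(cmd)
```

Two things worth noting when using this for real: the allowlist is the whole judgement, so populate it from what DHCP actually hands out on that network rather than from memory, and clearing the value only helps if whatever wrote it is gone, which is why the post has ComboFix run immediately afterwards.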
     
  20. widmerj1

    widmerj1 Private E-2

    Here is the FSS.txt

    Now starting on the next list of instructions.
     

    Attached Files: FSS.txt (3.3 KB)
  21. widmerj1

    widmerj1 Private E-2

    I could not find those O17 lines in HJT. Please see log.

    I did not do any fixing or move on to ComboFix yet.

    Should I proceed with the rest of the instructions?
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, also do the below to fix a problem that is stopping some services from running.
    • Please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the FixW7FW.reg file and select it.
    • Then click the Open button and allow this to be added into your registry
    • Tell me what happened exactly. Do you get any error messages, or do you get a success message?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Continue on anyway and see my other message about importing a registry patch.
     
  24. widmerj1

    widmerj1 Private E-2

    "Cannot import C:\MGTools\FixW7FW.reg:Error accessing the registry."
     
  25. widmerj1

    widmerj1 Private E-2

    Combofix asked to update and is now running "restore point, etc."
     
  26. widmerj1

    widmerj1 Private E-2

    Here are the logs requested.

    Thank you.
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are looking much better now. One more fix to do.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  28. widmerj1

    widmerj1 Private E-2

    Here are the most recent logs.

    Thank you.
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not address what I requested in the last line of my previous message
     
  30. widmerj1

    widmerj1 Private E-2

    Sorry about that. Everything seems to be working great at this point.;)
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good because your logs are clean. ;)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  32. widmerj1

    widmerj1 Private E-2

    I can't thank you enough.

    I will work through the suggested items to protect against future Malware attacks.

    The only thing I see that may not have worked 100% is the MGTools cleanup left behind an assortment of files in the C:\MGTools\ directory.

    I think this may have happened because I did not realize that my Firewall was running when I clicked on the batch file. It seemed to terminate in the middle when the Firewall asked me to confirm if the program was safe.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, this may have caused the full execution to fail. You can either clean up manually or redownload and run MGtools.exe again. After it finishes, just make sure your protection is disabled and then run MGclean.bat.
     
  34. widmerj1

    widmerj1 Private E-2

    Thanks again. It is a relief to see scans with no problems found.

    I know this is probably not your area but I noticed when I started on the "How to Protect Yourself from Malware" steps that my "Windows Update" has been failing to install since the 13th. I tried most of the things that Microsoft had as suggestions in their support area with no success.

    Any thoughts?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try shutting down Comodo and any other protection software and see if that helps.

    If not, then try the below.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Reboot after running Windows Repair.


    If neither of those help, try posting in the Software Forum for additional ideas.
     
