Support Forums

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Step 16

Open Notepad.

Copy (Ctrl +C) and paste everything in the quote box below:

Quote:@echo off
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
del %0

In the Notepad interface, go to File > Save As.

Specify the file name as reset.bat or anything you wish however using the same file extension.

Change Save As Type to All Files and save the file to your desktop.

Now double-click on reset.bat located at your desktop to run the batch file. It will self-delete when completed.

Step 17

Please set Windows Vista to show both hidden and system files and folders so that you can find specific files to delete.
- Click Start and navigate to Control Panel.
  If you are in Classic View:
  1. Click on Folder Options
  2. On the View tab, uncheck the following:
    - Hide file extensions for known file types
    - Hide protected operating system files (Recommended)
  3. Click Yes on the warning message.
  4. Under Hidden files and folders, check Show hidden files and folders.
  5. Click Apply to All Folders.
  6. Click OK.
  - If you are in Control Panel Home View:
    1. Click on Appearance and Personalization > Show Hidden Files or Folders.
    2. On the View tab, uncheck the following:
      - Hide file extensions for known file types
      - Hide protected operating system files (Recommended)
    3. Click Yes on the warning message.
    4. Under Hidden files and folders, check Show hidden files and folders.
    5. Click Apply to All Folders.
    6. Click OK.
Note: I will give you instructions for hiding them again once your system seems clean.

Step 18

We need to do a quick check.
- Go to 'VirusTotal'.
- Click Browse.
- Copy and paste the exact file name(s) in bold (if there are more than one file listed, please open multiple tabs) to the address bar located on top of the new window that appeared:
  - c:\windows\system32\deployJava1.dll
    c:\windows\system32\usbaaplrc.dll
    c:\windows\system32\flash_player.exe
    c:\windows\system32\drivers\gkfgefdi.sys
    c:\windows\system32\drivers\TsUsbFlt.sys
- Click Open > Send File.
- Copy and paste back the link(s) to the result(s) once VirusTotal has finished scanning the file.

Step 19

Please download ComboFix from one of the following locations:

'Link 1'
'Link 2'

**IMPORTANT!**

Let me give you a warning beforehand. I am instructing you to use one of the most powerful removal tool created. A simple mistake of running ComboFix without a helper's advice might render your machine unbootable. Do note that the steps below are crucial for the success of the clean-up you are currently undergoing. If by any chance you failed to meet any of them, I can almost guarantee a dreadful occurrence happening. See to it that you read the instructions first up to the very end and follow them accordingly after to ensure the best possible performance.

- Save ComboFix to your desktop.
- Disable your anti-virus and anti-spyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix. If you have difficulty properly disabling your protective programs, refer to 'this' link.
- Double-click ComboFix.exe and follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery or repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
- Click on Yes, to continue scanning for malware.
- When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Reminders:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
ComboFix prevents autorun of all CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you - please tell me.
ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

In your next post, please provide the following:
- A Fresh HijackThis (HJT) Log
- ComboFix Log
- Doesn't Do Squat (DDS) Logs
  - DDS.txt
  - Attach.txt
- VirusTotal Results

Format of Response

As part of my service terms, you are to fill this up every time you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags.

Example: (Click to View)
Step # 1
Problems Encountered: N/A

Step # 2
Problems Encountered: N/A

Step # 3
Problems Encountered: The scan did not finish.

Step # 4
Problems Encountered: N/A

Link To Requested Logs:

http://pastebin.com/example
http://pastebin.com/example
http://pastebin.com/example
http://pastebin.com/example

Code:
[b]Step # [/b] [b]Problems Encountered: [/b] [b]Step # [/b] [b]Problems Encountered: [/b] [b]Step # [/b] [b]Problems Encountered: [/b] [b]Step # [/b] [b]Problems Encountered: [/b] [b]Link To Requested Logs: [/b]

Step # 16
Problems Encountered: N/A

Step # 17
Problems Encountered: N/A

Step # 18
Problems Encountered: N/A

Step # 19
Problems Encountered: BSOD upon opening.

Link To Requested Logs:

Edit: Just got another Rogue Antivirus pop-up. This is getting really damn frustrating... Sad

Step 20

Please run HijackThis as an administrator. Click Do a system scan only and place a check next to the following line(s) if present:

F2 - REGystem.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [cftmon] C:\Windows\system32\gvjhu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'Default user')

Then, close all other open windows and click Fix Checked. You are to reboot your system afterwards.

If you are having a problem running HijackThis as an administrator (Windows Vista and Windows 7), please follow the steps below.

- On your desktop, right-click the HijackThis icon and select Properties.
- Navigate to the Compatibility tab and put a check on the Run this program as an administrator box.
- Click Apply > OK.
- HijackThis should prompt you to run it as an administrator every time you open it.

Step 21

Please download the OldTimer's Move-It (OTM) from 'here'.
- Save it to your desktop.
- Please double-click OTM.exe to run it.
- Copy the lines inside the Code box below to the Clipboard by highlighting all of the content and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  Code:
  :Processes explorer.exe :Files c:\windows\system32\gvjhu.exe c:\windows\temp\Lbe.exe c:\users\tyler\appdata\roaming\8BD3CBF1A238C722473BB8C7B3E545D4 c:\users\tyler\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe c:\windows\system32\drivers\gkfgefdi.sys :Commands [purity] [emptytemp] [start explorer] [Reboot]

- Return to OTM, right-click in the Paste Instructions for Items to be Moved window and choose Paste.
- Click the red MoveIt! button.
- Copy everything in the Results window to the Clipboard by highlighting all of the content and by pressing CTRL + C (or, after highlighting, right-click and choose Copy).
- Paste it in your next reply.
- Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the moving process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad) and click File > Open. In the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest log file present. Copy and paste the contents of that document back here in your next post.

Step 22

Please download OldTimer ListIt (OTL) from 'here'. Please click the Go (Arrow Button) or press Enter in the URL address bar to start the download.

- Save it to your desktop.
- Please double-click OTL.exe to run it.
- Make sure all other windows are closed to let it run uninterrupted.
- Under the Custom Scan box paste this in:
  
  Code:
  %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles %systemroot%\system32\*.exe /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles %systemroot%\System32\config\*.sav %systemroot%\system32\*.sys %systemroot%\system32\drivers\*.dll %systemroot%\system32\drivers\*.ini %systemroot%\system32\drivers\*.exe %SYSTEMDRIVE%\*.* %PROGRAMFILES%\*. %appdata%\*.* netsvcs msconfig safebootminimal safebootnetwork activex drivers32 /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys disk.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys mv61xx.sys usbstor.sys /md5stop CREATERESTOREPOINT HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows.
  - OTL.txt
  - Extras.txt
- These are saved in the same location as OTL.
- Please copy (Right-click > Select All > Copy) the contents of these files, one at a time, and post it with your next reply.

In your next post, please provide the following:
- A Fresh HijackThis (HJT) Log
- ComboFix Log
- Doesn't Do Squat (DDS) Logs
  - DDS.txt
  - Attach.txt
- OTL Log
- OTM Log

Format of Response

Code:
[b]Step # [/b] [b]Problems Encountered: [/b] [b]Step # [/b] [b]Problems Encountered: [/b] [b]Step # [/b] [b]Problems Encountered: [/b] [b]Step # [/b] [b]Problems Encountered: [/b] [b]Link To Requested Logs: [/b]

Comments:
- Try running ComboFix by running this in the Run prompt: "%userprofile%\desktop\combofix.exe"
- If you get another BSOD, please do so in Safe Mode.

C:\Users\Tyler\desktop\combofix.exe

Application not found

I have it on my desktop named as ComboFix.exe

Proceed to Safe Mode then.

Spoiler (Click to View)

I get this when I try opening ComboFix. Ran it as Administrator, still the same result.

Should I execute steps 20-22 or is ComboFix a priority?

Well they were labeled for a reason. Roflmao

Please do the previous fixes first. Tell me when you are at the ComboFix part once again.

I somehow got ComboFix to run in Safe Mode. Now it says to disable AntiVir Desktop, but I don't see it in my System Tray nor the task manager.

Open Notepad. Copy and paste the content below.

Code:
@echo off

sc stop AntiVirSchedulerService

sc stop AntiVirService

del %0

Save it, and run it as an administrator.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14

Quintus

Deltron

Deltron

Quintus

Deltron

Quintus

Deltron

Quintus

Deltron

Quintus