#11
Last try...go back to Safe Mode with Command Prompt as you did before
At the Command Prompt, proceed with the following commands:
Code:
j:
attrib -h -r -s autorun.inf
edit autorun.inf
The above should display the contents of the file.
To copy the info provided, right-click the small command prompt icon on the upper left side
From the menu, go to Edit > Select All
Next, go to Edit > Copy
Now, to close the Command Prompt, type in: exit
Open Notepad (Start > All Programs > Accessories > Notepad), and paste the contents of the copied info for autorun.inf in your reply.
^^ If the above does not work, the Panda USB Vaccine must have blocked the autorun.inf file, preventing it from being read, or modified. This cannot be reversed except with a format.
Can't do!
Pressing on with FRST...
Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the quote box below (Do not copy the word 'Quote')
Save it on the Desktop, and name it: fixlist.txt
This script is written specifically for ducat1base, and only for use on this infected computer.
start
HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msofzw.cmd <===== ATTENTION!
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
end
Running this on another computer may cause damage to the Operating System!!
Run FRST, and press the Fix button, just once, and wait.
The tool creates a report on the Desktop called: Fixlog.txt
Please post the Fixlog.txt in your reply.
Now, let's use unhide.exe to see if it can reveal what was hidden...
Download:
http://www.bleepingcomputer.com/download/unhide/
Save to the Desktop.
Double-click on the Unhide icon to run the program.
When done, the program displays an alert stating that your files are restored.
Reboot your computer for the settings to go into effect.
Check the SD card, and see if the images show now.
Next, please use RKill.exe to terminate any malware processes (if still present): http://www.bleepingcomputer.com/download/rkill/
Save to the Desktop.
If RKill.exe does not run, then download and try to run RKill.com:
http://www.bleepingcomputer.com/download/rkill/
You only need to get one of the versions of RKill to run.
There are additional versions:
RKill.scr: http://www.bleepingcomputer.com/download/rkill/
Also, RKill, renamed, can be downloaded from the following links:
iExplore.exe: http://www.bleepingcomputer.com/download/rkill/
uSeRiNiT.exe: http://www.bleepingcomputer.com/download/rkill/
WiNlOgOn.exe: http://www.bleepingcomputer.com/download/rkill/
If your AntiVirus warns you about this tool, ignore the warning, or temporarily disable your AntiVirus.
Right-click on the downloaded RKill file and select: Run as Administrator
A black DOS box briefly flashes and then disappears. This is normal and indicates the tool ran successfully.
After running the tool, do not reboot.
When the scan is done Notepad opens with the RKill report.
Please post the RKill report in your reply.
Without a reboot, please close all windows and browsers, and run RogueKiller again.
Right-click and select: Run as Administrator
At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN
When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.
Follow up with Malwarebytes Anti-Malware:
Download: http://www.bleepingcomputer.com/down...-anti-malware/
Save to the Desktop
Make sure J: (the SD Card) is the only removable storage connected to the computer.
Right-click the downloaded MBAM file, and select: Run as Administrator
When the installation begins, follow the prompts in the setup process.
DO NOT make any changes to default settings and when the program has finished installing, make sure only the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware options are checked.
Uncheck: Enable free trial of Malwarebytes Anti-Malware PRO
Click on the Finish button.
If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, select: Perform Full Scan
When the Select the Drives to scan appears, make sure all drives (except CD-Rom, DVD) are selected, and in particular, J:.
Next, click on the Scan button.
When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected
When removal is completed, a report opens in Notepad.
Please copy/paste the entire contents of the MBAM report in your reply.
Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.
Last edited by cottonball; 27 Aug 2013 at 13:57.
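What a reviewer looks for in the autorun.inf contents requested above, as an added example that is not part of the original post: a small Python parser that lists the entries in the [autorun] section that name a program to start. The sample file contents and the file and folder names in it are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program to start.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def decode_inf(data: bytes) -> str:
    """Decode raw autorun.inf bytes; the file may be UTF-16 with a BOM or ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")


def launch_entries(text: str):
    """Return (key, value) pairs from [autorun] that would start a program."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue  # padding or junk line, not a key=value entry
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if section == "autorun" and (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)):
            found.append((key, value))
    return found


# Constructed sample contents; the file and folder names are made up.
SAMPLE = (
    "; constructed comment line\r\n"
    "[AutoRun]\r\n"
    "xQz93\r\n"
    "open=folder\\example.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shell\\open\\Command = folder\\example.exe /arg\r\n"
    "[Other]\r\n"
    "open=ignored.exe\r\n"
)

if __name__ == "__main__":
    for key, value in launch_entries(decode_inf(SAMPLE.encode("utf-16"))):
        print(f"{key} -> {value}")
```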