Author Topic: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #15 on: August 01, 2012, 11:16:27 PM »
Results of RogueKiller--I will start on the next steps.  Also, there is an RK_Quarantine folder on my desktop--do you need that as well?

PS: Do you ever take any breaks?  I hope I am not wearing you out!

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #16 on: August 02, 2012, 01:38:07 AM »
Just wanted to let you know that the OTL custom fix has been running for about two hours. Is this typical? At the bottom of the OTL screen it continues to say "Killing processes. Do not interrupt."

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #17 on: August 02, 2012, 03:59:13 PM »
You should have all the files and menus back now.

Malwarebytes is blocking OTL, so stop it and run this modified fix please, then continue with ComboFix.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    FF - prefs.js..extensions.enabledItems: FFToolbar@upromise:7.0.2.4181
    O4 - HKLM..\Run: [gFJReHqAEoXft.exe] C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe (BFF)
    O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [B9Sg1IdyP0tsoc] C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe (BFF)
    O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [govShell] C:\Documents and Settings\Owner\govdmta.exe (Buffalo Inc.)
    [2012/08/01 08:49:22 | 000,252,928 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
    [2012/08/01 08:48:57 | 000,345,088 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe
    [2012/08/01 08:46:53 | 000,123,392 | ---- | C] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
    [2012/07/30 21:19:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\File Recovery
    [2012/08/01 09:12:08 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
    [2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
    [2012/08/01 08:49:31 | 000,000,072 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsoc
    [2012/08/01 08:49:29 | 000,000,837 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
    [2012/08/01 08:49:28 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc
    [2012/08/01 08:49:22 | 000,252,928 | -H-- | M] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
    [2012/08/01 08:46:53 | 000,123,392 | ---- | M] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
    [2012/08/01 08:46:41 | 000,345,088 | -H-- | M] (BFF) -- C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe
    [2012/08/01 08:41:30 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801084129.job
    [2012/07/31 18:18:16 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120731181815.job
    [2012/07/30 21:20:31 | 000,000,064 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vrar
    [2012/07/30 21:20:31 | 000,000,064 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vra
    [2012/07/30 21:20:27 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\nBu12ZR0ug8vra
    [2012/07/30 21:19:30 | 000,000,855 | -H-- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
    [2012/08/01 09:12:07 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
    [2012/08/01 08:58:40 | 000,000,316 | ---- | C] () -- C:\WINDOWS\tasks\HP Usg Daily FY04.job
    [2012/08/01 08:49:31 | 000,000,072 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsocr
    [2012/08/01 08:49:31 | 000,000,072 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-B9Sg1IdyP0tsoc
    [2012/08/01 08:49:28 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\File_Recovery.lnk
    [2012/08/01 08:49:25 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc
    [2012/08/01 08:41:29 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120801084129.job
    [2012/08/01 08:40:14 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/07/31 18:18:15 | 000,000,456 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20120731181815.job
    [2012/07/30 21:19:31 | 000,000,064 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vrar
    [2012/07/30 21:19:31 | 000,000,064 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-nBu12ZR0ug8vra
    [2012/07/30 21:19:30 | 000,000,855 | -H-- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
    [2012/07/30 21:19:23 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\nBu12ZR0ug8vra
    [2011/09/09 21:19:07 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\nJ21100HlNoL21100
    [2012/01/23 22:19:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}


    :Files
    ipconfig /flushdns /c
    C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\POS283QM.DEFAULT\EXTENSIONS\FFTOOLBAR@UPROMISE.XPI

    :Commands
    [purity]
    [resethosts]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
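The fix above is made of two kinds of OTL lines: O4 entries, which are autostart values under a Run key (hive, value name, target path, company string), and bracketed file entries from OTL's created (C) and modified (M) listings, each carrying a timestamp, a byte size with comma grouping, four attribute flag positions (R, H, S, D or '-') and the company string. The parser below is an added example for reading that format; it is not part of this thread and is neither OTL's nor essexboy's code. The sample input is copied from the fix quoted above, and the three triage rules it applies (an autostart pointing outside Program Files/Windows, a hidden .exe, a scheduled-task .job file) and the EXPECTED_PREFIXES list are assumptions made for this example, chosen to mirror what a helper looks for by eye in a log like this.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: six lines copied from the OTL fix quoted in the
# thread (O4 autostart entries and created/modified file entries), so the
# parser can be run offline without a real OTL log.
SAMPLE = r"""
O4 - HKLM..\Run: [gFJReHqAEoXft.exe] C:\Documents and Settings\All Users\Application Data\gFJReHqAEoXft.exe (BFF)
O4 - HKU\S-1-5-21-1004336348-1454471165-682003330-1003..\Run: [govShell] C:\Documents and Settings\Owner\govdmta.exe (Buffalo Inc.)
[2012/08/01 08:49:22 | 000,252,928 | -H-- | C] (BFF) -- C:\Documents and Settings\All Users\Application Data\B9Sg1IdyP0tsoc.exe
[2012/08/01 08:46:53 | 000,123,392 | ---- | C] (Buffalo Inc.) -- C:\Documents and Settings\Owner\govdmta.exe
[2012/07/30 21:19:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\File Recovery
[2012/08/01 09:12:08 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20120801091207.job
"""

# File entry: [date time | size | attributes | C/M] (company) -- path
# Attributes are four flag positions (R/H/S/D or '-'); C = created, M = modified.
# The company part is optional (directory entries have none).
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# O4 autostart entry: O4 - <hive>..\Run: [value name] <path> (company)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)


@dataclass
class Entry:
    source: str              # "file" for a created/modified listing, "run" for an O4 autostart
    path: str
    company: str = ""
    hidden: bool = False     # 'H' attribute set
    directory: bool = False  # 'D' attribute set
    size: int = 0            # bytes; OTL prints 000,252,928 for 252928
    hive: str = ""           # registry hive / user SID for O4 entries


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; return None for lines in neither format."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        attrs = m.group("attrs")
        return Entry("file", m.group("path"), m.group("company") or "",
                     hidden="H" in attrs, directory="D" in attrs,
                     size=int(m.group("size").replace(",", "")))
    m = RUN_RE.match(line)
    if m:
        return Entry("run", m.group("path"), m.group("company") or "", hive=m.group("hive"))
    return None


def parse(text: str) -> List[Entry]:
    """Parse every recognised line of an OTL log or fix script."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


# Locations where autostart targets are normally expected. Anything else
# (a user profile, All Users\Application Data, the desktop) deserves a look.
# Assumed triage rule for this example, not OTL's own logic.
EXPECTED_PREFIXES = ("c:\\program files", "c:\\windows\\")


def findings(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries that match the triage rules."""
    out: List[Tuple[str, str]] = []
    for e in entries:
        low = e.path.lower()
        if e.source == "run" and not low.startswith(EXPECTED_PREFIXES):
            out.append(("autostart outside program directories", e.path))
        elif e.source == "file" and e.hidden and not e.directory and low.endswith(".exe"):
            out.append(("hidden executable", e.path))
        elif e.source == "file" and low.endswith(".job") and "\\tasks\\" in low:
            out.append(("scheduled task job file", e.path))
    return out


if __name__ == "__main__":
    for reason, path in findings(parse(SAMPLE)):
        print(f"{reason:40} {path}")
```

Run against the sample, the two O4 entries are flagged because both targets live under Documents and Settings rather than a program directory, the hidden B9Sg1IdyP0tsoc.exe is flagged on its attribute flags alone, and the WebReg .job file is listed so the scheduled task can be checked; the non-hidden govdmta.exe and the hidden File Recovery folder pass the rules, which is a reminder that attribute-based triage is a starting point and not a verdict.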

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #18 on: August 05, 2012, 02:36:48 AM »
Essex Boy: Sorry for the delay--had to go to work, and then when I was going to attempt doing this I could not get onto the internet--I had to repeatedly hit my icon to finally get on.  So...attached is the recent OTL report.  Now I will go on to step 3.  Thanks again!

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #19 on: August 05, 2012, 03:18:47 AM »
Update: a message popped up during the blue screen of C:\ComboFix..."this machine does not have the Microsoft windows recovery console installed. Alternately, an existing installation of the recovery console may be present but requires updating. Without it combofix shall not attempt the fixing of some serious infections. Click yes to have combofix download/install it....Combofix"     Please advise on how I should proceed.

Offline essexboy
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #20 on: August 05, 2012, 01:24:58 PM »
Yes, allow the installation of the recovery console. You will need to be online for this.

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #21 on: August 05, 2012, 03:15:06 PM »
Next morning, and now that is not an option on my computer, and the desktop no longer has ComboFix. I tried to reboot the computer and this message pops up: "Windows cannot end this program. It may need more time to complete an operation. To return to Windows and check the status of the program, click Cancel. If you choose to end the program immediately you will lose any saved data. To end the program now, click End Now."

So I clicked Cancel...and no ComboFix to be found...I can click on the My Computer icon and see an icon for ComboFix in C:, but it will not open....please advise.

Offline essexboy
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #22 on: August 05, 2012, 04:49:57 PM »
Reboot the computer and if it reappears then click End.

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #23 on: August 05, 2012, 09:20:34 PM »
Rebooted and nothing...no ComboFix on the desktop....should I restart this step and try ComboFix again?

Offline essexboy
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #24 on: August 05, 2012, 09:22:29 PM »
Yes please, as I am hoping we can knock it back far enough to enable us to kill the main bad boy.

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #25 on: August 05, 2012, 09:53:55 PM »
Attempted to run ComboFix and got an error message, something about ipxe???  The computer automatically shut down before I could record the message.  What should I do now?  I do not think it likes this ComboFix thing....

Offline essexboy
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #26 on: August 05, 2012, 10:23:00 PM »
Did the recovery console get installed? We can use that instead of the other CD/USB.

If not, then do the following to install the recovery console. ComboFix may stall after the recovery console is installed, but that is not a problem.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file and save it as it's originally named.

Note: If you have SP3, use the SP2 package.

-------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

desperatelyseekinghelp

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #27 on: August 06, 2012, 02:08:06 AM »
Dragged the setup package onto ComboFix--no "What next?" prompt appeared.  The blue screen came up, appeared to be running, then stalled and shut down the computer.  Will I ever get my computer back?

Offline essexboy
Re: MBR:\\.\PHYSICALDRIVE0\Partition2 --help me get rid of this thing!!
« Reply #28 on: August 06, 2012, 04:42:28 PM »
We will do our best.

When you download this programme, rename it to iexplorer before saving.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.