Author Topic: Win-32 Malware  (Read 20255 times)


janvanderscheer

  • Guest
Re: Win-32 Malware
« Reply #30 on: April 13, 2010, 08:23:23 AM »
Frustrating... IceSword doesn't work either. After clicking the IceSword application, it tells me "Initialize Failed[1]!". I've extracted it to my Desktop, tried a reboot and shutting down all other programs. Should I try it without Avast or Windows Defender enabled?
Jan

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win-32 Malware
« Reply #31 on: April 13, 2010, 08:15:59 PM »
Hi, someone has just created a programme to look for the data I need.

1. Go HERE and download FileLister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.

  • Rt Click FileLister.vbe ->> Select Open, then Open to confirm.
  • When the program is finished it will produce a log for you, Files.txt
  • Which will be located in the default location from which FileLister was run (the FileLister folder)
Copy and paste the contents of that log in your reply.

janvanderscheer

Re: Win-32 Malware
« Reply #32 on: April 16, 2010, 05:07:12 PM »
I got a blue windows error screen again, but it seems that it produced a log.
Since then, Avast started to report the old Win-32 Malware again...

Offline essexboy

Re: Win-32 Malware
« Reply #33 on: April 16, 2010, 09:12:16 PM »
Could you delete your current copy of Combofix and download the latest version from here 
Link 1
Link 2

Run and then post the log please

janvanderscheer

Re: Win-32 Malware
« Reply #34 on: April 20, 2010, 08:51:18 AM »
I cannot post the log, since then my browser tells me that the server has been reinitialized... I tried all day yesterday and this morning and then I found out that that was the problem.

Where do you want me to post the Combofix log alternatively?

Jan

Offline essexboy

Re: Win-32 Malware
« Reply #35 on: April 20, 2010, 08:45:35 PM »
You could mail it to me - I will PM you with the address


Offline essexboy

Re: Win-32 Malware
« Reply #36 on: April 21, 2010, 09:01:15 PM »
That does seem rather large

I will use an analysis tool instead - although Avenger had killed the rootkit. Upload the two zip files to Mediafire and post the sharing link.

Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.

  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.
When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.

  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post


janvanderscheer

Re: Win-32 Malware
« Reply #37 on: April 23, 2010, 11:37:13 AM »
Mmm, I'm starting to worry. Avz also shuts down after 3/4 of the analysis. I've tried it several times, yesterday and today. Do I need to try Combofix again? Or do I need to start thinking about a complete format of my PC?

Jan

Offline essexboy

Re: Win-32 Malware
« Reply #38 on: April 23, 2010, 08:45:18 PM »
I would commence backing up your data at this stage just to be safe

Delete your current combofix and download a new copy

Download ComboFix from one of these locations:

Link 1
Link 2


janvanderscheer

Re: Win-32 Malware
« Reply #39 on: April 24, 2010, 01:51:27 PM »
Combofix worked hard and well; see log.
In between, I'm still very much appreciating the help I'm getting!

Offline essexboy

Re: Win-32 Malware
« Reply #40 on: April 24, 2010, 02:40:11 PM »
Looks like CF got it that time

Quote
Besmet exemplaar van c:\windows\system32\drivers\kbdclass.sys werd aangetroffen en gedesinfecteerd 
Hersteld exemplaar van - Kitty had a snack :p
This variant is proving elusive and hard to kill - but the authors of the tools I use are working hard to get round it

Redirects should have gone now
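The ComboFix log quoted above reports that a copy of c:\windows\system32\drivers\kbdclass.sys was infected and disinfected, i.e. the rootkit had patched a legitimate Microsoft keyboard-class driver. The script below is an added example for this thread, not code from essexboy, ComboFix or AVZ: after such a cleanup it re-checks the Authenticode status of every kernel driver in the drivers directory and records a SHA-256 hash of the named file, so the repaired driver can be compared against a known-good copy from a clean machine running the same Windows version. It assumes a modern Windows PowerShell (3.0 or later, for `-File` and `Get-FileHash`); the `$suspect` path is taken from the log line in the thread.

```powershell
# Added example (not from the thread or the tool authors): after a cleanup that
# reported a patched driver, re-check driver signatures and hash the named file.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$suspect   = Join-Path $driverDir 'kbdclass.sys'   # path named in the ComboFix log above

# Authenticode status of each .sys file. A driver that was patched on disk fails
# with HashMismatch; one with no signature at all shows NotSigned.
$results = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Status    = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTime
        }
    }

# Drivers whose signature is not valid, newest modification first: these are the
# files worth comparing against a clean install before trusting the machine again.
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Name, Status, Signer, SizeBytes, Modified -AutoSize

# Hash of the disinfected driver for comparison with a known-good copy.
Get-FileHash -Path $suspect -Algorithm SHA256
```

One caveat when reading the output: many Microsoft drivers are signed through a catalogue file rather than with an embedded signature, and older PowerShell versions report such files as NotSigned even when they are untouched. Treat HashMismatch as the strong signal, and confirm a NotSigned result by comparing the hash with the same file on a clean machine before drawing conclusions.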