Cleanup the computer after bootkit removal

**hostess** · 20-04-2011

I am having Dell Inspirion 1420 on which I have installed Windows Vista Home Premium. It was infected with something which was reloading the ad-ware for the various non legit antimalware. I have also found the malicious startup entries and which I wanted to get rid of. Avast was reporting that there was something in the MBR of the computer. I tried to fix the same by using Avast but it did not help me out to fix the problem. let me know if you are having any particular solution to solve the matter. Thanks a lot in advance.

**Amie** · 20-04-2011

I want to know about the log file which is being generated by the Combofix log. You can get the log file into C:\ComboFix.txt. You should copy and paste the log file over here so that I can view an let you know about the further steps for the troubleshooting. Another thing I want to discuss over here is that the Malware is seems to be buggy and unstable so I recommend that you should back up the data before you go for the solving the matter of yours.

**HiSpeed** · 20-04-2011

I am suggesting the following instruction which you can use to create the manually log file on the computer of yours.

First of all you need to close all the browsers.
You should disable the security program on the computer so that it could not cause any conflict while using the ComboFix.
Now you need to copy and paste the below mentioned text on the notepad.

Code:

KillAll::

RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Dell\MediaDirect\PCMService .exe
c:\program files\Dell Support Center\bin\sprtcmd .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\DellTPad\Apoint .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\QuickTime\QTTask .exe
File::
c:\windows\system32\zyiit.exe
c:\users\Andrea\AppData\Local\Temp\Sk4.exe
c:\users\Andrea\AppData\Local\Temp\B.exe
c:\users\Andrea\AppData\Local\Temp\IPGVLDEHLLUBE.exe
c:\users\Andrea\AppData\Local\Temp\LKHJBRKP.exe
c:\users\Andrea\AppData\Local\Temp\NYK.exe
c:\users\Andrea\AppData\Local\Temp\OCYHYONSF.exe
c:\users\Andrea\AppData\Local\Temp\OWBGPYZ.exe
c:\users\Andrea\AppData\Local\Temp\PMIGLQAQ.exe
Driver::
B
IPGVLDEHLLUBE
LKHJBRKP
NYK
OCYHYONSF
OWBGPYZ
PMIGLQAQ
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\W5E7SH31DG]
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\system\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet006\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

Now you should save the file as CFScript.txt and drag the CFScript into the ComboFix.exe.
Once you have done it will generate the log file in the C:\ComboFix.txt location.

**BiGMaCHiNe** · 20-04-2011

I was having the same problem which you have mentioned over here. I have tried lots of stuffs to fix the problem of mine but it did not helped me. Finally one of the friend of mine told me to use ESET Online Scan to fix the matter. Well I have used the same and after using the same I have successfully get rid of from that particular threat from the computer of mine. Hence I recommend that you should also use the same and I am hoping that it will help you out.

**Connect_Me** · 20-04-2011

I am suggesting the following thing which you can use to make use of ESET Online Scan.

You need to visit the official website and simply download the ESET Smart Installer on the computer.
Once you have downloaded you need to install on the computer.
After finishing with installation you need to reboot the computer and click on the Start button.
The antivirus program will install the updates and begin with the scanning of the computer.

It might took several hours to accomplish the thing. So try the above mentioned thing as early as possible.

**hostess** · 21-04-2011

Thanks a lot for the prompt replies of yours. Well the ESET Online Scan was really helpful to me. I really want to appreciate your efforts which you have put in to fix the matter of yours. After using this particular program I am not having any issue which I have posted in this particular thread. Hence again I want to appreciate your efforts for providing the such a efficient solution. Thanks a lot again.