BleepingComputer.com: XP Restore Malware Removal


XP Restore Malware Removal Disables Malware, Programs not being Restored

#1 ericke1 (Member)

Posted 12 June 2011 - 06:04 PM

THANK YOU GUYS FOR SUCH A GREAT FORUM!!

I had somehow got XP Restore Malware Removal on my computer. I followed the instructions with TDSSKiller and Malwarebytes and believe I was able to remove all the items. After running Unhide, most of my desktop files were restored and my Start Menu folders were restored, but no programs or files in the Start Menu folders are showing up. I am, however, able to open files with programs that are not in the Start folder. For example, although the Microsoft Office folder says "empty", when I open a .doc file the program launches fine.


I disabled my Avira and Malwarebytes when running Unhide but still have the same issue. What next? Here are all the log files:

I'm including some older MBRCheck scan logs from before and after too.

I should note that on a few sites, when I click on them on Google after a search, I'm redirected to another site. I did run the rootkill file too, but nothing. So I assume some rootkit/malware is still there. GMER log also attached.

ENJOY!!

Attached File(s)



#2 m0le (Malware Response Instructor, London, UK)

Posted 20 June 2011 - 07:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.


  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
If I have helped you fix your PC then please donate. Thanks

m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#3 ericke1 (Member)

Posted 20 June 2011 - 09:30 PM

Hey, thanks. I'm here and awaiting your valuable instructions.

#4 m0le (Malware Response Instructor)

Posted 21 June 2011 - 01:36 PM

It looks like you winged it. Let's check for more trouble with aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 ericke1 (Member)

Posted 21 June 2011 - 09:33 PM

Attached File: aswMBR.txt (1.63K)
Thanks, here it is.

#6 m0le (Malware Response Instructor)

Posted 22 June 2011 - 05:02 PM

An encouraging lack of rootkit there.

Please run Combofix next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 ericke1 (Member)

Posted 22 June 2011 - 09:23 PM

Thanks, see attached log file.

After rebooting, I saw a window that stated "ERROR LOADING.....wmicrtport.dll"

All my programs are now back and seem to work.

Attached File(s)




#8 m0le (Malware Response Instructor)

Posted 23 June 2011 - 01:23 PM

Not a file I recognise. Let's track down the registry entry that is attempting to load it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    wmicrtport
    


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
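The SystemLook ":regfind" step above searches the whole registry for a string so that the entry trying to load a file nobody recognises (here wmicrtport.dll) can be found and then removed. The following is an added example, not code from the thread or from SystemLook: a PowerShell function that does the same search. It assumes PowerShell 2.0 or later and a session that can read HKLM (an administrator on XP); the default roots and the search term are assumptions chosen for illustration, and the pattern is treated as a regular expression.

```powershell
# Added example: PowerShell equivalent of SystemLook's ":regfind <string>".
# Walks the given registry roots and reports every subkey name, value name or
# value data that matches the pattern (case-insensitive regex).
function Find-RegistryString {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Pattern,
        # Assumed defaults: the hives where logon/service persistence normally lives.
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software')
    )

    foreach ($root in $Roots) {
        # -Recurse walks every subkey; keys we cannot open (SAM, SECURITY, some
        # service keys) are skipped silently instead of aborting the search.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_

            # 1. The subkey name itself (e.g. a service or CLSID named after the DLL).
            if ($key.PSChildName -match $Pattern) {
                New-Object PSObject -Property @{
                    Key = $key.Name; ValueName = '<key name>'; Data = $key.PSChildName
                }
            }

            # 2. Every value name and its data under that key. Data is cast to a
            #    string so REG_EXPAND_SZ and REG_MULTI_SZ entries are searchable too.
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if (($name -match $Pattern) -or ($data -match $Pattern)) {
                    New-Object PSObject -Property @{
                        Key = $key.Name; ValueName = $name; Data = $data
                    }
                }
            }
        }
    }
}

# Usage, equivalent to the ":regfind" / "wmicrtport" box in the post above.
# For a DLL that fails to load at logon, the hits to look at first are Run/RunOnce
# values, Winlogon\Notify subkeys, AppInit_DLLs, ShellServiceObjectDelayLoad and
# service ImagePath/ServiceDll values.
Find-RegistryString -Pattern 'wmicrtport' | Format-Table Key, ValueName, Data -AutoSize
```

Unlike a Run-key-only check, this also catches a reference hidden in value data (a path in an ImagePath, a CLSID's InprocServer32 default value), which is where a loader for a DLL that has already been deleted usually survives.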

#9 ericke1 (Member)

Posted 23 June 2011 - 07:31 PM

Now, after restarting, that missing DLL popup didn't appear again, but the Windows selection screen (i.e. XP Pro, Safe Mode) keeps coming up without me pressing F8 (this happened when ComboFix ran the first time too), but it automatically selects Windows XP and starts.

Here is the logfile anyway

Attached File(s)



#10 m0le (Malware Response Instructor)

Posted 24 June 2011 - 01:02 PM

That startup change is the Windows Recovery Console which Combofix installs. As the link explains it is a safeguard.

Looks like ComboFix also completed the removal of the file we were looking for too. :thumbup2:

Please run the system through ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.

  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

If no log is generated that means nothing was found. Please let me know if this happens.

#11 ericke1 (Member)

Posted 26 June 2011 - 04:14 PM

Wow, it found even more stuff. Any way I can remove the ComboFix startup safety feature?

Attached File(s)

  • Attached File: eset.txt (2.69K)



#12 m0le (Malware Response Instructor)

Posted 26 June 2011 - 04:53 PM

It found only what was already locked in Combofix's quarantine, what it believed to be malware, Ask, what was in the system restore folder and the legitimate antimalware tool SDFix executable file.

Really, that was pretty clean :)


Deleting the Recovery Console isn't straightforward, but here it is.

Warning: To remove the Recovery Console you need to modify the Boot.ini file. Modifying this file incorrectly can prevent your computer from starting properly. Please only attempt this step if you feel comfortable doing this.

To remove the Recovery Console from your hard drive follow these steps:

1. Double-click on My Computer and then double-click on the drive you installed the Recovery Console (usually the C: drive).

2. Click on the Tools menu and select Folder Options.

3. Click on the View tab.

4. Select Show hidden files and folders and uncheck Hide protected operating system files.

5. Press the OK button.

6. Now at the root folder delete the Cmdcons folder and the Cmldr file.

7. At the root folder, right-click the Boot.ini file, and then click Properties.

8. Click to clear the Read-only check box, and then click the OK button.

9. Click on Start, then Run, and type Notepad.exe c:\boot.ini in the Open: field and press the OK button.

10. Remove the entry for the Recovery Console. It will look similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

Make sure you only delete that one entry.

11. When you are done, close the notepad and save when it asks.

12. Right click again on the boot.ini file and select Properties.

13. Put a checkmark back in the Read-only checkbox and then press the OK button.

The recovery console should now be removed from your system. :)


How is the machine running now?

#13 ericke1 (Member)

Posted 26 June 2011 - 05:19 PM

Hi, it says "access denied" when I try to delete the cmdcons folder. I'm in administrator mode too :(

#14 m0le (Malware Response Instructor)

Posted 26 June 2011 - 06:38 PM

This is a permissions issue.

ComboFix often removes file and folder access permissions, so you need to take ownership of the cmdcons folder, which you have already done. You are the owner now, but have you set the permissions for what you can do with that folder? Right-click on the folder, select the Security tab, check Allow in front of Full Control and save the settings.

Can you now delete it?
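The thirteen manual steps in post #12 (delete cmdcons and cmldr, then remove the one "/cmdcons" line from boot.ini) and the permissions fix in the reply above are one procedure, and the warning that an incorrect boot.ini edit can stop the machine from starting is the part worth automating. The script below is an added example, not code from the thread, ComboFix or Microsoft. It assumes PowerShell 2.0 or later on Windows XP, an Administrator session that already owns C:\cmdcons (as the reply above says has been done), and drive C:. The account name used for the Full Control rule is an assumption (the current user). It adds two checks the manual steps do not have: boot.ini is backed up first, and it is rewritten only if exactly one "/cmdcons" line would go and the "default=" entry does not point at the Recovery Console.

```powershell
# Added example: scripted Recovery Console removal with safety checks.
# Not from the thread; assumes PS 2.0+, XP, Administrator, ownership of C:\cmdcons.

function Grant-FullControl {
    param(
        [string]$Path,
        [string]$Account = "$env:USERDOMAIN\$env:USERNAME"   # assumption: current user
    )
    # cmdcons is hidden+system, so -Force is needed to enumerate it at all.
    $items = @(Get-Item -Path $Path -Force) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        # Inheritance flags are only valid on directories, not on files.
        $inherit = if ($item.PSIsContainer) { 'ContainerInherit,ObjectInherit' } else { 'None' }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'FullControl', $inherit, 'None', 'Allow')
        $acl = Get-Acl -Path $item.FullName
        $acl.SetAccessRule($rule)
        # Fails with "access denied" if the caller does not own the item: take ownership first.
        Set-Acl -Path $item.FullName -AclObject $acl
    }
}

function Remove-RecoveryConsoleBootEntry {
    param([string]$BootIni = 'C:\boot.ini')
    $lines   = @(Get-Content -Path $BootIni)
    $keep    = @($lines | Where-Object { $_ -notmatch '/cmdcons' })
    $removed = $lines.Count - $keep.Count

    # Refuse to touch the file unless the edit is exactly the one the post describes.
    if ($removed -ne 1) {
        throw "Expected exactly one /cmdcons line in $BootIni, found $removed. File left unchanged."
    }
    if ($lines -match '^\s*default=.*cmdcons') {
        throw "default= in $BootIni points at the Recovery Console. File left unchanged."
    }

    Copy-Item -Path $BootIni -Destination "$BootIni.bak" -Force
    # boot.ini is read-only+hidden+system: clear the attributes to write, then restore them.
    $file  = Get-Item -Path $BootIni -Force
    $saved = $file.Attributes
    $file.Attributes = 'Normal'
    Set-Content -Path $BootIni -Value $keep -Encoding Ascii
    $file.Attributes = $saved
    return $removed
}

function Remove-RecoveryConsole {
    param([string]$Drive = 'C:\')
    $bootIni = Join-Path $Drive 'boot.ini'
    $cmdcons = Join-Path $Drive 'cmdcons'
    $cmldr   = Join-Path $Drive 'cmldr'

    # Edit boot.ini first: if its checks fail, nothing on disk has been touched yet.
    $null = Remove-RecoveryConsoleBootEntry -BootIni $bootIni

    if (Test-Path -Path $cmdcons) {
        Grant-FullControl -Path $cmdcons              # the "access denied" fix from the reply above
        Remove-Item -Path $cmdcons -Recurse -Force    # -Force also handles hidden/read-only items
    }
    if (Test-Path -Path $cmldr) {
        Remove-Item -Path $cmldr -Force
    }
}

# Usage (run as Administrator; reboot afterwards and confirm the boot menu no longer appears):
# Remove-RecoveryConsole
```

Doing the permission change from the command line also sidesteps the problem of the Security tab not being visible in Explorer, which on XP happens when Simple File Sharing is in effect. If Set-Acl itself reports access denied, ownership of the folder has not actually been taken and that step has to happen first; the script stops there without having deleted anything, and boot.ini.bak can be copied back if the boot menu edit ever needs reverting.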

#15 ericke1 (Member)

Posted 27 June 2011 - 10:39 PM

When I right-click, there is no such option, either under Properties or under "Sharing and Security".

The computer seems the same as before we ran ComboFix, but now at least websites don't point me to another website when I put in a web address.
