
Completely In The Weeds After Running Combofix.exe


This topic is locked. 23 replies to this topic.

#1 Indigoblue47 (Members, 37 posts)

Posted 25 March 2008 - 03:18 PM

After detecting Cryp_Tap-2 (with Trend Micro) I was unable to delete the offending .dll's (because I couldn't tell what process to stop).
I ran ComboFix.exe and it got to a certain point when the screen went blue and everything stopped. Not a BSOD, mind you, just blue.
Since then I can NOT regain access to the PC, even after doing a "repair install" with the XP install disk.
This includes Safe Mode and any of the alternative boot methods.
I'm on the verge of getting a new HD and starting over, here. Of course there's no assurance that I would be able to access my data on the old drive either....
Ideas? Suggestions?
Thanks,
Indigo


#2 ruby1, a forum member (Members, 2,375 posts)

Posted 25 March 2008 - 03:34 PM

Oh dear :thumbsup:

Welcome to this forum :flowers: May one ask who recommended you use ComboFix, and did you read its disclaimer?

quietman7 wrote:

It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read

The disclaimer is
http://img.photobucket.com/albums/v666/sUB...wDisclaimer.gif

What IS your Windows version, and what will the computer now do, if anything?

#3 mme (Members, 400 posts)

Posted 25 March 2008 - 03:59 PM

If you choose to reformat and are experiencing difficulty, you could try to wipe your hard drive first, before buying a new one. Give Boot and Nuke a try:

http://dban.sourceforge.net/

#4 Indigoblue47, Topic Starter (Members, 37 posts)

Posted 25 March 2008 - 04:02 PM

I was searching for a means to remove Cryp_Tap-2 and stumbled across bleepingcomputer.
I am running WinXP Professional SP2.

#5 Indigoblue47, Topic Starter (Members, 37 posts)

Posted 25 March 2008 - 04:04 PM

Oh, and the PC will boot to the point where the desktop and network login would appear. I see the mouse cursor and can move it, but that's as far as I get.

#6 ruby1, a forum member (Members, 2,375 posts)

Posted 25 March 2008 - 04:20 PM

My Google search for the object of the infection has produced references to the use of a safe program called SuperAntiSpyware, and references to, yes, using ComboFix, BUT under direct supervision of trained experts.

We will need to see what one of the Staff thinks, but you may need to reinstall Windows :thumbsup:

#7 mme (Members, 400 posts)

Posted 25 March 2008 - 05:19 PM

Can you boot to Safe Mode? From there you may be able to do a System Restore, provided you have restore points.

Turn off the computer.
Turn it back on.
Tap F8.
The Safe Mode option will appear.
Choose Safe Mode using the arrow keys.
Once you're in Safe Mode:

Start > Run > type "restore" > click OK.
Double-click on rstrui.exe.
Then click Next.
Choose a restore point, if any (they will show in bold).
Click Next and follow the prompts.

If you still have ComboFix, delete it.

Edited by mme, 25 March 2008 - 10:21 PM.


#8 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 25 March 2008 - 08:07 PM

You could try running chkdsk from the recovery console.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 TheBrit (Members, 9 posts)

Posted 26 March 2008 - 01:26 AM

http://www.superantispyware.com/

will remove it even with the free version.

The fact that you have run ComboFix may complicate things; it is not for novices, like HJT.....

Worst case scenario is you will now have to reload Windows....

Edited by TheBrit, 26 March 2008 - 01:29 AM.


#10 Indigoblue47, Topic Starter (Members, 37 posts)

Posted 26 March 2008 - 07:44 AM

Thanks for your input, everyone!
I can't get into Safe Mode. Well, I CAN, but all I see is a black screen with the "Safe Mode" legends on it, a mouse cursor and nothing else.
I'd LOVE to be able to get to a Restore Point!
I'll wait to see what staff come up with, but I fear the worst....

#11 Indigoblue47, Topic Starter (Members, 37 posts)

Posted 26 March 2008 - 07:45 AM

I wonder if I can run System Restore from the command line...?

#12 ruby1, a forum member (Members, 2,375 posts)

Posted 26 March 2008 - 08:01 AM

You COULD try

http://support.microsoft.com/kb/304449

OR one of these?

http://www.google.co.uk/search?hl=en&q...earch&meta=

THIS and its comment:

http://www.ocmodshop.com/ocmodshop.aspx?a=992

"Now you're presented with the familiar System Restore wizard, and can get your PC back to the way it was before everything went to hell."

Looks helpful?

(MY 'disclaimer'? I for one have NEVER used any of these, but hope they might help you?)

#13 DASOS, Malware hunter (Security Colleague, 1,662 posts, Location: Greece, Loutraki, 6 km from the Korinth canal)

Posted 26 March 2008 - 08:54 AM

Hi Indigoblue47

In order to restore your computer, we will need the XP Installation CD to boot the computer to the Recovery Console.

Please print these instructions out, or save them to a Notepad file, for easier reference.

Boot the computer using the XP CD. You may need to change the boot order in the system BIOS so the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and change the boot order.

At boot, you will be prompted with the following options:

A. To set up Windows XP, press Enter.
B. To repair a Windows XP installation using the Recovery Console, press R.

Choose the option "To repair the Windows XP installation using recovery console", press R. If an Administrator password has been established, you will be prompted to type it in. If no Administrator password exists, just press ENTER.

You will be presented with the following:

Microsoft Windows® Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows installation would you like to log onto
(To cancel, press ENTER)?

Press the number 1 on your keyboard and hit Enter.

At the command prompt, type the following command and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following text, and press Enter:

batch erdnt.con

The ERUNT backups will begin copying.

Type exit when finished, and then press ENTER to quit the Recovery Console. Remove the CD and let the computer start.

NOTE: If you don't have a CD you can download/burn this ISO image -> http://www.thecomputerparamedic.com/rc.iso

Let us know how it goes.

Thanks JSntgRvr!!!

#14 Indigoblue47, Topic Starter (Members, 37 posts)

Posted 26 March 2008 - 02:53 PM

DASOS-
Excellent! That worked. I'm back in the system!
Everything looks good except:
When I log in now, I get two errors that appear in windows labeled RUNDLL...
They both say "The specified module could not be found"
The .DLLs that are mentioned are aqlccyme.dll and kediwiab.dll
I'm certain that kediwiab.dll is one of the .DLLs associated with Cryp_Tap-2, but I'm not so sure about the other. I guess that part of Cryp_Tap-2 is still trying to call .DLLs.
Someone mentioned SuperAntiSpyware... Would that be a good choice for rooting out the remnants of Cryp_Tap-2?

DASOS: Thanks ever so much for your help! This is as happy as I've been about anything computer-oriented since.... I can't remember when!

^5s
Indi
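The two RUNDLL "The specified module could not be found" dialogs described in the post above are the classic sign of an orphaned loader: the Run-key value that starts rundll32 survived the cleanup, but the DLL it points at is gone. The script below is an added example for this thread, not code from the thread or from any tool it mentions. It parses a Registry Editor 5.00 export of the Run keys (the kind `reg export` produces on the repaired machine) and reports every rundll32 entry whose module cannot be found on disk. The sample export uses the two DLL names reported above and a constructed set of files standing in for the disk, so it runs offline; the DLL search path is simplified to system32 and the Windows directory, and Python is used here so the check can be run from a clean machine against an export or a mounted drive rather than on the infected one.

```python
r"""Flag Run-key entries that launch rundll32 on a DLL that no longer exists.

Input is the text of a Registry Editor 5.00 export, e.g. produced on the
repaired XP machine with:
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg
The files present on disk are passed in as a set so the check runs offline
(for instance against a drive mounted on a clean machine); the set used in
the demo below is constructed, not a listing of the poster's disk.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DEFAULT_RE = re.compile(r"^@=(.*)$")
# Module argument of a rundll32 command line: rundll32[.exe] <module>[,<entry>]
# where <module> may be quoted.  Case-insensitive because the Windows shell is.
RUNDLL_RE = re.compile(
    r'(?i)(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+("([^"]+)"|[^,\s]+)(?:,|\s|$)')
# Simplified DLL search path for a bare module name (assumption: the real
# LoadLibrary order also tries the application directory, the current
# directory and PATH, which rarely matter for a logon-time rundll32).
SEARCH_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS")


def _unescape(s):
    # Undo .reg string escaping: a backslash escapes the next character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export.
    Binary and dword data, comments and continuation lines are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = _unescape(m.group(1)), m.group(2)
        else:
            m = DEFAULT_RE.match(line)
            if not m:
                continue
            name, data = "(Default)", m.group(1)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            yield key, name, _unescape(data[1:-1])


def rundll32_module(command):
    """Return the DLL a command line hands to rundll32, or None if the
    command does not invoke rundll32 at all."""
    m = RUNDLL_RE.search(command)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(1)


def resolve_module(module, existing_files):
    """Return the on-disk path rundll32 would load for `module`, or None.
    Absolute and UNC paths are taken as-is; bare names are searched in SEARCH_DIRS."""
    present = {p.lower() for p in existing_files}
    if re.match(r"^[A-Za-z]:\\", module) or module.startswith("\\\\"):
        candidates = [module]
    else:
        candidates = [d + "\\" + module for d in SEARCH_DIRS]
    for c in candidates:
        if c.lower() in present:
            return c
    return None


def find_orphaned_rundll_entries(reg_text, existing_files):
    """Return [(key, value_name, module)] for every exported value that runs
    rundll32 on a DLL absent from existing_files.  Each such entry produces a
    RUNDLL 'The specified module could not be found' dialog at logon: the
    loader survived, the DLL it loaded did not."""
    orphans = []
    for key, name, data in parse_reg_export(reg_text):
        module = rundll32_module(data)
        if module is not None and resolve_module(module, existing_files) is None:
            orphans.append((key, name, module))
    return orphans


# Constructed sample export: two orphaned loaders using the DLL names the
# poster reported, one legitimate rundll32 entry whose DLL exists, and one
# value that does not use rundll32 at all.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SoundMan"="SOUNDMAN.EXE"
"aqlccyme"="rundll32.exe \"C:\\WINDOWS\\system32\\aqlccyme.dll\",b"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kediwiab"="rundll32.exe kediwiab.dll,s"
'''

# Constructed stand-in for the files present on the repaired disk.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\SOUNDMAN.EXE",
}

if __name__ == "__main__":
    for key, name, module in find_orphaned_rundll_entries(SAMPLE_REG, SAMPLE_FILES):
        print(f"orphaned rundll32 loader: [{key}] {name!r} -> {module}")
```

The flagged values are the ones to delete, but only after confirming the DLL really is gone from every search-path directory and that nothing else (a service, a Winlogon Notify entry, a BHO) still references it; an orphaned loader is evidence that a component was removed, not proof that the infection is fully out. That is exactly the kind of entry a HijackThis log exposes, which is why the next reply asks for one.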

#15 DASOS, Malware hunter (Security Colleague, 1,662 posts, Location: Greece, Loutraki, 6 km from the Korinth canal)

Posted 26 March 2008 - 03:10 PM

You're welcome Indigoblue47 :thumbsup:

I suggest you post a HijackThis log for examination.

A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.
Once you post your log, don't make any changes to your system, as that could change the results of the posted log, making it difficult to properly clean your system.

Please read, and follow, all directions carefully!!!

Read the Preparation Guide for use before posting a HijackThis Log.

Then run a log and post it in the HijackThis forum, at this link. Do not fix anything yet.
A member of the HJT Team will help you out. It may take a while to get a response, because the HJT Team are very busy.

NOTE:
Once you have made the post, please DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team.
The first thing they look for, when looking for logs to reply to, is 0 replies.
If you make another post, there will be 1 reply.

The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So just make your post and let it sit there until a team member responds. This way you will be taken care of in the most timely manner.



