Total Internet Firewall

3 replies to this topic

#1 SkratRadder

Posted 23 September 2009 - 07:37 PM

I remoted into my computer last night to do work and noticed new, unfriendly-looking porn icons on the desktop. I deleted these and immediately started running scans. Spybot wouldn't open, so I started AVG. Got home and everything was screwed up. I rebooted into safe mode and received a non-stop onslaught of errors, the first being something that said "unable to run app as DLL, tell Microsoft about this problem", click don't send, then "drwatsn32 has failed, send message to Microsoft". This repeated; I was unable to get the Task Manager up so I could open Explorer or programs. It just kept repeating these two messages. I then rebooted back into regular mode. Downloaded ComboFix, Malwarebytes, and McAfee's SDAT for a DOS scan. In regular mode I was unable to extract the SDAT file. I was able to install Malwarebytes; however, upon opening and trying to update, the files suddenly went missing and now I have broken links. Same thing happened with Spybot. It kills any processes of security software. I installed Spyware Doctor by changing the filename to r.exe. I can only get the program to run when I first log in to regular mode and get all those "cannot run DLL as app" error messages before Explorer initializes; however, it says it cannot find the databases and doesn't click. I can run ComboFix from there as well; however, it states that it must reboot, and upon reboot nothing happens. Each of my two users is at a different level of intensity; however, my second user has no admin rights, so I'm pretty restricted in there.

  • A.exe process
  • Rundll32.exe, a few entries running as user
  • Iexplore.exe will not close
  • Firefox.exe will not close

Trying to enter any version of Safe Mode gives me a blue screen of death.
Each time I log into one of my users the problems increase.
Any idea how to get around the blue screen of death to get into Safe Mode?
I have dual-boot Puppy Linux installed; is there a virus scan for the NTFS file system that would work from the Puppy boot?

Thanks for your help

WinXP SP3

Edited by SkratRadder, 24 September 2009 - 02:11 AM.

#2 garmanma (Computer Masochist)

Posted 24 September 2009 - 08:51 PM

You have a rootkit infection. Do not run ComboFix yet.
You need to complete a rootkit scan, then submit it to HJT.
It takes a couple of custom batch files to get rid of it.

Try one of these two scans:

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal from your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
--------------------------------------



1. Download Win32kDiag from any of the following locations and save it to your Desktop

http://ad13.geekstogo.com/Win32kDiag.exe

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 SkratRadder (Topic Starter)

Posted 25 September 2009 - 09:47 PM

Awesome, I'm glad someone got back to me. I was stumped. I'll run the scan and post the log. After running the scan, did you want me to run HijackThis and post that log as well, or just the logs produced by the programs listed?

#4 garmanma (Computer Masochist)

Posted 26 September 2009 - 05:27 PM

Post both logs in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that these logs were all you could get to run successfully.
The HJT team is extremely busy, so be patient, and good luck.
Mark