Botched virus removal



#1 Eric Ladd


Posted 12 October 2009 - 03:32 AM

My son took it upon himself to clean our computer from a virus and it does not appear to have gone well. I wonder if anyone can help me salvage it before I simply reinstall everything.

I am running Windows XP. I do not know what virus/hijacker infected the computer. I do know that Combo-Fix was used to attempt to fix it and now hardware seems turned off. For instance, the computer no longer recognizes the 3-D video card completely so software cannot run that requires that feature.

I have downloaded and run ATF Cleaner. I have downloaded and run Malwarebytes' Anti-Malware. It is up to date and no malware is present.

Any help in getting the computer working properly and completely is greatly appreciated.


#2 Elise


Posted 12 October 2009 - 04:03 AM

Hi Eric Ladd and :thumbsup: to Bleeping Computer!


Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


First of all I want to know if, besides the possible hardware-related issues, you are still having symptoms of active malware, such as pop-ups, redirects, strange errors, slow speed and so on.


Please download HardwareLook
Unzip it to your desktop and double click on HardwareLook.exe to run it.
Press the scan button, when the scan is done, press the exit button.
You should now have a file named hardwarelook.txt on your desktop. Please post its contents in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

 



#3 Eric Ladd


Posted 12 October 2009 - 06:53 AM

Thanks for the help, Elise025.

I am not experiencing any of the effects of the previous malware, but the system does seem slow. I don't know if that is the graphics card simply not working properly or if some malware still resides on the computer. Some research leads me to believe it was Total Security that was afflicting my computer.

Here are the logs from running HardwareLook

Devices.txt gave me the following:
Device logfile of Aommaster's HardwareLook v.0.8.2b
#############
Conflicting Devices
#############
----------------------------
Name: Intel® 82850/82860 Processor to AGP Controller - 2532
----------------------------
Manufacturer: Intel
Description: Intel® 82850/82860 Processor to AGP Controller - 2532
Problem: Failure using the VxD loader

----------------------------
Name: Multimedia Controller
----------------------------
Description: Multimedia Controller
Problem: Device drivers are not installed

----------------------------
Name: Microsoft PS/2 Mouse
----------------------------
Manufacturer: Microsoft
Description: Microsoft PS/2 Mouse
Problem: Device is not present, not working properly, or does not have all of its drivers installed


~~~EOF~~~


log.txt gave me the following:
Computer logfile of Aommaster's HardwareLook v.0.8.2b
###############
Computer information
###############
Manufacturer: D850GB
Model: GB85010A
Type: Unknown

##############
Partition information
##############
--------------
Drive A:
--------------
Media Type: Floppy

--------------
Drive C:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 58.59 GB
Free Space: 20.81 GB
Used Space: 37.78 GB

--------------
Drive D:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 58.59 GB
Free Space: 17.59 GB
Used Space: 40.99 GB

--------------
Drive E:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 58.59 GB
Free Space: 41.41 GB
Used Space: 17.18 GB

--------------
Drive F:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 122.3 GB
Free Space: 17.83 GB
Used Space: 104.47 GB

--------------
Drive G:
--------------
Media Type: Removable

--------------
Drive H:
--------------
Media Type: Fixed
File System: NTFS
Total Space: 55.89 GB
Free Space: 43.75 GB
Used Space: 12.14 GB


###########
OS information
###########
----------------------------
Operating System: Microsoft Windows XP Professional
----------------------------
Service Pack: SP3
Total Virtual Memory: 1.99 GB
Free Virtual Memory: 1.96 GB
Pagefile Initial Size: 768 MB
Pagefile Maximum Size: 1536 MB


###########
RAM information
###########
----------------------------
Name: Physical Memory 0
----------------------------
RAM: 128 MB
Speed: 400 MHz
Type: Other

----------------------------
Name: Physical Memory 1
----------------------------
RAM: 128 MB
Speed: 400 MHz
Type: Other

----------------------------
Name: Physical Memory 2
----------------------------
RAM: 128 MB
Speed: 400 MHz
Type: Other

----------------------------
Name: Physical Memory 3
----------------------------
RAM: 128 MB
Speed: 400 MHz
Type: Other


###########
CPU information
###########
----------------------------
Name: Intel® Pentium® 4 CPU 2.00GHz
----------------------------
Type: 64-bit
OS Type: 32-bit
Cores: 1
Maximum Clock Speed: 1.9 GHz
Current Clock Speed: 1.9 GHz


###########
GPU information
###########


~~~EOF~~~

#4 Elise


Posted 12 October 2009 - 07:59 AM

Okay, we have a few missing drivers here, which we should take care of first.

Click Start > Run, in the box that opens type devmgmt.msc and press enter.

Look for the following devices in the list (they may be named Unknown Device and/or have an ! or a ? in front of them).
Intel® 82850/82860 Processor to AGP Controller - 2532
Multimedia Controller
Microsoft PS/2 Mouse


IF they have an ! or a ? in front of them, right click on them and select Update driver. Allow your computer to search the internet and to install found updates automatically.

Let me know how this went (were updates found or not).

regards, Elise




#5 Eric Ladd


Posted 12 October 2009 - 08:27 AM

Here is what I have done:

Intel® 82850/82860 Processor to AGP Controller - 2532 - DONE
Multimedia Controller - Can't find a driver
Microsoft PS/2 Mouse - Not in need of a driver

The Multimedia Controller must be a sound card on the motherboard and I don't use it. I run my sound through a Hercules sound card with an attached box for additional USB and audio connections.

I use a USB mouse and there is no PS/2 mouse installed. Not sure why that is coming up as a device conflict.

#6 Elise


Posted 12 October 2009 - 08:50 AM

Looks good :thumbsup:

For good order, it is best to disable devices you don't use, in this case the Multimedia Controller. You can do this in Device Management, by right clicking on it and selecting Disable.

After you do that, please post devices.txt again (a new one). No need to post log.txt.

Let me know how everything is running now (if all went right, we took care of the hardware/driver issues) so I can see what still needs to be resolved.

regards, Elise




#7 Eric Ladd


Posted 12 October 2009 - 05:38 PM

Everything is looking better now, Elise. Thanks again. Here is the log:

Device logfile of Aommaster's HardwareLook v.0.8.2b
#############
Conflicting Devices
#############
----------------------------
Name: Multimedia Controller
----------------------------
Description: Multimedia Controller
Problem: Device is disabled

----------------------------
Name: Microsoft PS/2 Mouse
----------------------------
Manufacturer: Microsoft
Description: Microsoft PS/2 Mouse
Problem: Device is not present, not working properly, or does not have all of its drivers installed


~~~EOF~~~

#8 Elise


Posted 13 October 2009 - 03:07 AM

Okay, that's good :thumbsup:

Now let's concentrate on possible malware issues.


TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise




#9 Eric Ladd


Posted 13 October 2009 - 07:53 AM

Elise,

Here is what I have done and the results:

*** TFC was run and I rebooted the computer.
*** ROOTREPEAL was run and here is the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/13 06:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF697B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C3A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9504000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==


*** SUPERAntiSpyware Free Edition was run in SAFE MODE with complete scan and no spyware was found.

Once again, thanks for your gracious help. I will wait for the next step.
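Elise reads the RootRepeal report above by eye; as an added example (not part of this thread and not RootRepeal's own code), here is a small Python script that parses the report's sections and flags only the entries a benign allowlist does not explain. The input is a constructed sample modelled on the posted log, and hypothetical_unknown.sys is an invented driver name added so the triage has something to flag.

```python
import re

# Sample input (constructed): the thread's RootRepeal log cut down to one crash-dump driver and the locked hibernation file, plus one hypothetical driver so the triage has a hit.
SAMPLE_LOG = r"""ROOTREPEAL © AD, 2007-2009
Windows Version: Windows XP SP3

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF697B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: hypothetical_unknown.sys
Image Path: C:\WINDOWS\system32\drivers\hypothetical_unknown.sys
Address: 0xB9400000 Size: 20480 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==
"""
# "Hidden" entries every healthy RootRepeal log shows: the in-memory crash-dump copies of the
# storage stack (dump_*.sys), RootRepeal's own driver, and the kernel-locked hibernation/page files.
BENIGN_DRIVERS = re.compile(r"^(dump_.*|rootrepeal)\.sys$", re.I)
BENIGN_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}
INLINE_KV = re.compile(r"(Address|Size|File Visible|Signed): (\S+)")  # four fields packed on one line

def parse_rootrepeal(text):
    """Return {section: [entry, ...]}; an entry is one blank-line separated block of 'Key: Value' lines."""
    lines, sections, current, entry = text.splitlines(), {}, None, {}
    for i, line in enumerate(lines):
        header = line.strip() and ": " not in line and i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1])
        if header or not line.strip() or line.startswith("==EOF=="):  # each of these closes an entry
            if entry and current:  # key/value lines before the first section header are dropped
                sections[current].append(entry)
            entry = {}
            if header:
                current = line.strip()
                sections[current] = []
        elif line.startswith("Address:"):
            entry.update(INLINE_KV.findall(line))
        elif ": " in line:
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
    return sections

def triage(sections):
    """Flag entries the allowlist does not explain; returns (kind, name, reason) tuples."""
    findings = []
    for drv in sections.get("Drivers", []):
        if drv.get("File Visible") == "No" and not BENIGN_DRIVERS.match(drv.get("Name", "")):
            findings.append(("driver", drv["Name"], "loaded driver with no file visible on disk"))
    for hid in sections.get("Hidden/Locked Files", []):
        if hid.get("Path", "").lower() not in BENIGN_LOCKED:
            findings.append(("file", hid["Path"], hid.get("Status", "")))
    return findings
```

Run against the log Eric posted, the same rules return no findings, which matches Elise's reading of it.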

#10 Elise


Posted 13 October 2009 - 08:10 AM

Well, that looks great :thumbsup: How is everything running?

regards, Elise




#11 Eric Ladd


Posted 15 October 2009 - 05:58 AM

Elise,

Thank you once again. Everything is working just great.

#12 Elise


Posted 15 October 2009 - 06:41 AM

Glad I could help you :trumpet:

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :flowers:.
Some more links you might find of interest:

regards, Elise






