
DDS.scr Issues


3 replies to this topic

#1 Rathgar2

Rathgar2

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles, CA, USA
  • Local time:12:12 PM

Posted 04 April 2010 - 12:13 PM

I believe I have a malware root kit on my machine. I have been reading these forums and have finally come to the conclusion that I am needing to detail and post my specific problem.

I am at steps 7+8 of gathering the info that helpers will need to help and am having trouble. I am running DDS.scr to get the logs. It runs very, very slowly and appears to take longer than 3 minutes to crank through. The first time I ran it last night I gave up waiting for the logs after 45 mins and left it running to get them this morning. When I returned the expected Notepad files were not displayed; a notice box was there giving a message about how the logs needed to be saved now. I clicked OK and the logs did not pop up. Did they go away last night while I slept? Is the root kit blocking them too?

I have been having troubles with this issue, including being unable to run Malwarebytes as the exe gets trashed upon install. PCTools Spyware Doctor scans and finds the trojans but cannot get them removed (it thinks it can and then they return on the next scan). So I am again running DDS.scr and have the infected system unplugged from the internet. I know DDS.scr is trying to do something because I see the ':' (colons) stacking up. I am guessing that this is not normal. Could McAfee be interfering? I have attached the screenshot of the DDS message I get at the end of its scan; I bet you will find it to be familiar. No Notepads accompany this message box.

I have run DDS.scr 3 times now and have not restarted the machine. I was looking in my Task Manager to try to fully kill McAfee (no internal controls to fully shut it off, just controls to do so component by component, and the damn thing just sits there in the systray and won't die grrr. ). So I found Notepad.exe listed 6 times! WTF???!

Thanx in advance, I am at your mercy.
WTTW Ken

Edited by Rathgar2, 04 April 2010 - 04:03 PM.
Move to AII as no logs posted. ~ OB


#2 Rathgar2

Rathgar2
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles, CA, USA
  • Local time:12:12 PM

Posted 04 April 2010 - 07:27 PM

More Info...
I am having a huge problem with some nasty malware that I believe has installed a root kit on my system. I have a 6 year old Dell XPS running Windows XP SP3 with 2GB of RAM and 3 internal hard drives. I run McAfee Antivirus L which I am unhappy with but….

On Thursday 4-1-10, just before I was about to shut my computer down for the night, I was visiting a link to join LinkedIn.com and was browsing a Facebook game when my browser that was on the LinkedIn page locked up during the joining process. I was surprised that next an app that called itself “Antivirus XP” had launched itself and started a “Scan” and was “finding” threats. At once I knew there was a problem (I know I never installed such crap myself) and started to search Google for advice. Started with Malwarebytes; the install would not work. I got a BSOD citing “Driver_IRQL_Not_Less or Equal” and it included the iastor.sys file. I then loaded the system recovery from my XP install disk and ran a CHKDSK. By then it was 1am and I left it to run, set my alarm clock for 4am and crashed for some rest.

At 4am I woke and came back to my system. I was still getting BSOD errors, so I disabled my extra hard drives in the BIOS and was able to keep the system stable. Got it rebooted in Safe Mode and MBAM still would not install. Everything is running slow, so what normally takes 30 seconds to do is taking 4 mins and seems to stall before doing anything.

I tried System Restore and could not launch it. Then I could not run any EXE files nor RegEdit. I went to another uninfected system and searched for a solution and got a Visual Basic Script to fix the EXEs and another to fix RegEdit. I downloaded PCTools Spyware Doctor (and paid for it) and got it to run a couple of times, and it repeatedly found Trojans such as:

· Downloader.Suuurch
· Downloader.Agent.OGP
· Virtumode
· Vundo.H
· Malware.Trace
· And many more.

Since they would reappear and more would appear, I pulled the Internet feed so it could not fetch any of its friends. Then I left late for work and left PCTools to do a full scan. I have had to run these tools in roundabout ways because of the EXE association being broken half of the time. When I correct one problem another seems to appear to confound me.

I have tried to install HijackThis and it won’t install.

During my searches to see if I can get my System Restore back I found a program called ComboFix, but shied away from it because of a warning not to use it unless a helper was directing me to do it. Half of the time either my RegEdit is disabled, or my EXEs are disabled. I would try to roll the system back to before these issues and cannot, because I get a message that “System Restore has been turned off by group policy.” I looked up a manual way to get this corrected. One way was to boot into Safe Mode with Command Prompt and run “%systemroot%\sytem32\restore\rstrui.exe,” which didn’t work.

Next I got RegEdit working again and was told to navigate to this reg key,
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Systemrestore
…and delete these values: DisableConfig (not present in my registry) and DisableSR (which is). I deleted it, and when I refresh with F5 it is right back there!

I believe I have a malware root kit on my machine. I have been reading forums and have finally come to the conclusion that I am needing to detail and post my specific problem.

I am at steps 7+8 (Bleepingcomputer.com steps) of gathering the info that helpers will need to help and am having trouble. I am trying to run DDS.scr to get the logs. It runs very, very slowly and appears to take longer than 90 minutes to crank through. The first time I ran it last night I gave up waiting for the logs after 45 mins and left it running to get them this morning. When I returned the expected Notepad files were not displayed; a notice box was there giving a message about how the logs needed to be saved now. I clicked OK and the logs did not pop up. Did they go away last night while I slept? Is the root kit blocking them too?

I have been having troubles with this issue, including being unable to run Malwarebytes as the exe gets trashed upon install. PCTools Spyware Doctor scans and finds the trojans but cannot get them removed (it thinks it can and then they return on the next scan). So I am again running DDS.scr and have the infected system unplugged from the internet. I know DDS.scr is trying to do something because I see the ':' (colons) stacking up. I am guessing that this is not normal. Could McAfee be interfering? I have attached the screenshot of the DDS message I get at the end of its scan; I bet you will find it to be familiar. No Notepads accompany this message box.

I have run DDS.scr 3 times now and have not restarted the machine. I was looking in my Task Manager to try to fully kill McAfee (no internal controls to fully shut it off, just controls to do so component by component, and the damn thing just sits there in the systray and won't die grrr. ). So I found Notepad.exe listed 6 times! WTF???!

The GMER utility will also not run at all. So in summary:
· I can get PCTools to run but not update because I have unplugged the internet.
· Cannot run MBAM, HijackThis, DDS.scr, GMER.
· Cannot get System Restore back via rstrui.exe or by deleting the reg value DisableSR.
How can I proceed if I cannot get these logs to find the identity of my malicious malware?
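The post above names three things the infection changed: the System Restore policy value (DisableSR) that comes back after being deleted, the broken .exe file association, and RegEdit being disabled. The following read-only audit script is an added example for readers of this thread; it is not something posted by Rathgar2 or by BleepingComputer, and it checks only the registry locations those three symptoms live in. It assumes the standard policy key path (note the space in "Windows NT", which the post above omits) and the default exefile open command `"%1" %*`; it changes nothing, it only reports.

```powershell
# Added example (not from the thread): audit the three registry locations behind the
# symptoms described above. Run from an elevated PowerShell prompt. Read-only.

$findings = @()

# 1. System Restore group policy. DisableSR=1 turns restore off ("turned off by group
#    policy" message); DisableConfig=1 hides the configuration UI.
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPolicy) {
    $props = Get-ItemProperty -Path $srPolicy
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings += "System Restore policy ${name}=$value under $srPolicy"
        }
    }
}

# 2. RegEdit policy. DisableRegistryTools=1 in the per-user policy key blocks regedit.exe.
$sysPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $sysPolicy) {
    $drt = (Get-ItemProperty -Path $sysPolicy).DisableRegistryTools
    if ($null -ne $drt -and $drt -ne 0) {
        $findings += "DisableRegistryTools=$drt under $sysPolicy"
    }
}

# 3. .exe association. The default open command for exefile is "%1" %*. Anything else
#    means every program launch is routed through whatever was substituted there.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey).'(default)'
if ($exeCmd -ne '"%1" %*') {
    $findings += "exefile open command is [$exeCmd], expected [`"%1`" %*]"
}

# 3b. A per-user class override under HKCU takes precedence over HKCR for that user,
#     so a clean HKCR value is not enough on its own.
foreach ($userKey in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
    if (Test-Path $userKey) { $findings += "Per-user override present at $userKey" }
}

# 4. "I deleted it and it is right back": re-read the policy key after a pause. If the
#    listing differs, something running on the box is rewriting it.
function Get-SrPolicySnapshot {
    if (Test-Path $srPolicy) { (Get-ItemProperty -Path $srPolicy | Out-String).Trim() }
    else { '<absent>' }
}
$before = Get-SrPolicySnapshot
Start-Sleep -Seconds 10
$after = Get-SrPolicySnapshot
if ($before -ne $after) { $findings += 'System Restore policy key changed within 10 seconds' }

if ($findings.Count -eq 0) { 'No tampering indicators found in the audited keys.' }
else { $findings }
```

A non-empty report is a reason to hand the machine over to a helper with the logs they ask for rather than to keep deleting values by hand: a value that reappears within seconds, as the post describes, means the process writing it is still running, and removing the value without removing that process only hides the symptom.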

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:12 PM

Posted 04 April 2010 - 10:18 PM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)."
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

#4 Rathgar2

Rathgar2
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  • Gender:Male
  • Location:Los Angeles, CA, USA
  • Local time:12:12 PM

Posted 05 April 2010 - 11:30 AM

Thanx for the above. After I posted, a friend was recruited to help out, and via TeamViewer he had me go into Safe Mode. I ran the VB scripts to restore EXEs and did a fresh download of Malwarebytes and Spybot Search & Destroy, and (while in safe mode with Internet) was able to get both running concurrently. Did a round of cleanup, had Spybot immunize and scan. Then, while still in safe mode, got a fresh download of HijackThis and was able to install that. My friend carefully combed through the processes and nipped a few overrides and BHOs and other entries. Ran about 3 passes of MBAM and Spybot and was able to greatly improve the situation.

Replaced McAfee with Avast, and that is where I am currently at. When I can get the system to run stable I will try again to run DDS.scr, GMER and, if needed, RSIT.exe and update this post. Thanx for the time that you have already put into helping me.