Unknown Infection


9 replies to this topic

#1 Kerokero

  • Members
  • 5 posts

Posted 28 May 2010 - 06:07 AM

Greetings Anyone and All~

For almost the last 36 hours, I've been trying to resolve this issue with no success. This is what's happening.

Last week, I had a trojan with fake anti-virus alerts. I had to run HijackThis so I could update my Malwarebytes software and get it to run. I thought I had removed the issue since the alerts stopped showing up.

Two days ago, my computer decided to restart on its own randomly. I partly thought it was due to the heat wave in my area that we were experiencing, which caused the auto-restart. My computer's always had issues of just shutting down randomly, even when it was brand new, so I didn't think much of it.

Unfortunately, when it rebooted, everything started up as usual except the audio is now not working properly. I'm 90% sure it's the virus blocking it because I always hear Skype booting up with its sound effects, but nothing else gives out any audio, videos or prompt popups, which leads into the next issue. My Network Connections are all missing, so I have no internet access.


I was originally Googling for an answer through my phone web access, and now I'm currently at work so I'm trying to write this out.

Thinking that whatever infected me just deleted the drivers, I tried to reinstall, no success. I tried to reinstall the Audio Drivers as well, through Safe Mode. Although it installs properly, no success in making it actually work.

Last night, from my friend's computer, I downloaded Dr. CureWeb (I think this was the name) and had that running. It found one virus, which I had it try to "Cure" it and delete if that failed.

I did notice one other thing that I wasn't familiar with, a new folder named "32788R22WJFW" appeared, I'm not sure where it originated from.

Short of just formatting and starting anew, is there anything that I can do to resolve this issue? I know that I shouldn't have done this in the first place, but I'm currently working off of a 1 TB SATA drive, so I'm trying to avoid formatting.


Right now, as I said, I'm at work so I won't be able to try any methods right away, but I certainly appreciate any attempts and suggestions. I'll be checking periodically until about 1 PM EST.

One other thing to note is that I will not be around this weekend (Memorial Day Weekend) and won't be back until Midday on Monday, but I'll try anything suggested once I return.


Thank you in advance for your time and any assistance you can provide for me!

-Kero

Edited by Kerokero, 28 May 2010 - 06:23 AM.




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,088 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 May 2010 - 07:46 AM

I did notice one other thing that I wasn't familiar with, a new folder named "32788R22WJFW" appeared, I'm not sure where it originated from.

Have you used ComboFix? If so, be aware that it creates folders named 32788R22FWJFW.**.tmp on drive C: after failed attempts to run the tool. The folder can contain such files as PV.cfxxe, pv.com, catchme.cfexe and Combo-Fix.sys. It will also create a folder named Qoobox on drive C: to quarantine any infected files found during its routine.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Kerokero

  • Topic Starter
  • Members
  • 5 posts

Posted 28 May 2010 - 08:03 AM

I did notice one other thing that I wasn't familiar with, a new folder named "32788R22WJFW" appeared, I'm not sure where it originated from.

Have you used ComboFix? If so, be aware that it creates folders named 32788R22FWJFW.**.tmp on drive C: after failed attempts to run the tool. The folder can contain such files as PV.cfxxe, pv.com, catchme.cfexe and Combo-Fix.sys. It will also create a folder named Qoobox on drive C: to quarantine any infected files found during its routine.


I have run ComboFix in the past, but I never saw this folder before. I had not attempted to run ComboFix this time since I had no internet connection to process to auto-update.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,088 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 May 2010 - 09:01 AM

If you cannot use the Internet or download any required programs to the infected machine, try downloading them from another computer (family member, friend, library, etc) with an Internet connection. Save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the program(s). If you cannot copy files to your usb drive, make sure it is not "Write Protected".

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow the instructions provided on that same page for performing a scan or refer to these instructions.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Double-click on TDSSKiller.exe to run the tool and scan your computer for known TDSS variants.
  • If any variants are found, TDSSKiller will advise what has been detected.
  • It will then prompt you to type delete into the screen. Type delete and press Enter.
  • You will be prompted to reboot the computer to finish the cleaning process. When prompted to reboot, press the Y key and press Enter.
  • If not prompted, reboot manually.
Please download and scan with the Kaspersky Virus Removal Tool.

Edited by quietman7, 28 May 2010 - 09:05 AM.


#5 Kerokero

  • Topic Starter
  • Members
  • 5 posts

Posted 28 May 2010 - 10:06 AM

Thank you, Quietman.

I'm printing out the directions now, I have it downloaded to a USB Drive as well. I'll be attempting this on Monday Night when I return from my trip and give you an update, hopefully from my home computer.

And I'm sorry, I should have mentioned this earlier, I am running Windows XP Professional Edition.

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,088 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 May 2010 - 03:31 PM

Not a problem.

#7 Kerokero

  • Topic Starter
  • Members
  • 5 posts

Posted 31 May 2010 - 05:07 PM

Success!

I just ran that first step, TDSSKiller.exe

It said that ftdisk.exe was infected and would cure it upon reboot.
After I did such, I have audio and my internet access back!

Currently, I'm installing the Virus Removal Tool program as I update.

Thank you so much for saving me from formatting!

--Kero

#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,088 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 June 2010 - 07:35 AM

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?

#9 Kerokero

  • Topic Starter
  • Members
  • 5 posts

Posted 01 June 2010 - 10:22 AM

I don't notice anything unusual now. Kaspersky did remove like 14 Trojans, as well as WinRAR which I'm not sure exactly why, but I just reinstalled it so it wasn't an issue.

I haven't really surfed a lot on the internet yet, but it seems to be so far so good.

Question though, you left directions to uninstall once I was done; is it harmful to leave Kaspersky installed?

#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,088 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 June 2010 - 10:45 AM

It's not harmful, but like similar tools it is updated frequently, so previous versions become outdated and not as effective. If needed again, you can always redownload the most current version.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.