Must KILL @*$&%+^ c:\windows\TEMP\pdk-SYSTEM!!!



#1 Buzz1cy


Posted 27 August 2010 - 12:48 PM

Need help!!!

Have run Malwarebytes, AVG, and ComboFix, all up to date, and cannot kill off the damn pdk-SYSTEM malware!

ComboFix reports deletion, but pdk-SYSTEM folder is present immediately after ComboFix presents report after reboot.

Not sure what detail is needed to expunge this garbage; willing to work under the direction of an experienced user, providing necessary detail and execute all necessary steps.

If rebuilding system is the best option, please advise.

Win XP, SP3, all updates applied.

Thanx.


#2 boopme


Posted 27 August 2010 - 10:53 PM

Having already run ComboFix, we need you to move and get personalised help.
Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include your ComboFix log.

Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Buzz1cy


Posted 28 August 2010 - 12:36 AM

Thanx for your assistance!

I will perform the steps as directed, post to "Virus, Trojan, Spyware, and Malware Removal Logs", and add a reply back as this post to let you know.

#4 Buzz1cy


Posted 02 September 2010 - 03:57 AM

Hello,

I was following your directions, as posted, when the machine became sluggish and then unresponsive after starting gmer.exe but before setting the following options:
•IAT/EAT
•Drives/Partition other than Systemdrive, which is typically C:\
•Show All (This is important, so do not miss it.)
When done, the screen should look similar to Figure 13 below.

The machine now boots to a blank screen in normal mode (not even a flashing cursor), and hangs at:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\system32\DRIVERS\isapnp.sys
when booting into all safe modes.

Have attempted removing all addin cards, including video, and disconnecting all peripherals; to no effect.

I have another machine available; if putting the infected drive into such would be advantageous.

Please advise.

Thank you.

#5 Elise


Posted 03 September 2010 - 08:52 AM

Hi, do you have your XP CD at hand? If not, it is not a problem, but I want to know in order to decide which tools are best to use here.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 



#6 Buzz1cy


Posted 03 September 2010 - 01:27 PM

Hi Elise,

I do have an XP CD. One concern, the HP dc7700 does not appear to have a boot from CD option in the BIOS.

Thanx.

#7 Elise


Posted 03 September 2010 - 01:42 PM

Don't you have an option to change boot order on startup (like pressing the DEL or F12 key)?

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
      • Enter the path to the drive where your XP CD is located.
      • You can click on the "..." button on the right to navigate to the path as well.
    • Custom: (include files and folders from this directory)
      • No information is necessary, leave blank.
    • Output:
      • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
      • Download the RunScanner plugin and save it to your desktop

      http://www.paraglidernc.com/Files/RunScanner10025.cab

      Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

      • Press the Plugin button on the PE Builder interface
      • Press the Add button and navigate to the location of the RunScanner plugin to install
      • Please note: If you are using a Windows XP disc with sp2 then highlight RpsSS needs to launch DComLaunch and then press Enable
    • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.bat.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and Paste them in your next reply.

regards, Elise



#8 Buzz1cy


Posted 03 September 2010 - 02:39 PM

Hi Elise,

Boot from CD restored; in my efforts to troubleshoot, one end of the SATA cable was not fully plugged in. Thus the option did not appear in the BIOS.

Please pardon my error.

Does this latest procedure still apply? If not, sorry to waste your time.

Thanx.

#9 Elise


Posted 03 September 2010 - 02:51 PM

Don't worry about it, I'm glad to hear you got it straightened out.

Yes, you can follow the steps from my last post.

regards, Elise


#10 Buzz1cy


Posted 03 September 2010 - 03:28 PM

Hi Elise,

Excellent. I probably will not complete this until tomorrow; will post results then.

I perused the posted procedure and have a quick question: is the .ISO file integrity assured, via MD5 or other method?

Thanx.

#11 Buzz1cy


Posted 04 September 2010 - 02:58 AM

Hi Elise,

At the following:
1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
•Insert the CD in to one of your CD/DVD drives.
•Restart your computer.
◦The computer should choose to boot from the CD automatically.

BartPE loads off the CD, the XP splash screen appears for a few seconds, and then a BSD with the following error:
*** STOP: 0x0000007B (0xF78D6528, 0XC0000034, 0x00000000, 0x00000000)

Windows XP crashed.
I am the Blue Screen of Death.
No one hears your screams.

AAAARRRRRRRRGGGGGGHHHHHH!

Have to laugh ...

Thanx for the continued help.



#12 Elise


Posted 04 September 2010 - 08:51 AM

Since this is a PE builder, there is no way to verify MD5 checksum integrity afaik.

This sounds as if your computer didn't boot from the CD. Did it attempt to boot from the CD (i.e., did you hear a spinning noise and so on).

Did you create the CD exactly as instructed (it happens sometimes people burn the PE builder to the CD, which is not what needs to be done).

regards, Elise

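Since there is no published checksum for a self-built PE ISO, the one reference you do have is the ISO file you built yourself, and comparing it against the burned disc separates a bad burn from a bad build. The following is an added example, not code from the thread or from PE Builder; the device path is an assumption (on Linux typically /dev/sr0), and the sample files are constructed so it runs without a disc.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a 150 MB ISO never sits in memory


def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of `path` (whole file if None).

    The burn pads the track out to whole sectors, so the device is longer
    than the ISO; hashing only the ISO's length makes the two comparable.
    A device shorter than the ISO hashes fewer bytes and simply mismatches.
    """
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            data = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not data:
                break
            h.update(data)
            if remaining is not None:
                remaining -= len(data)
    return h.hexdigest()


def media_matches_image(iso_path, device_path):
    """True if the leading bytes of the device equal the ISO byte for byte."""
    iso_size = os.path.getsize(iso_path)
    if iso_size == 0:
        return False  # an empty image is never a valid reference
    return sha256_prefix(iso_path) == sha256_prefix(device_path, iso_size)


def demo():
    """Check constructed files, no real disc: 'good' = image + padding, 'bad' = one flipped byte."""
    image = b"\x00" * 32768 + b"CD001" + bytes(range(256)) * 64  # constructed, not a real ISO
    corrupted = bytearray(image)
    corrupted[40000] ^= 0x01
    padding = b"\x00" * 4096  # stands in for the sector padding a burn adds
    with tempfile.TemporaryDirectory() as d:
        for name, content in {"iso": image, "good": image + padding,
                              "bad": bytes(corrupted) + padding}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        iso = os.path.join(d, "iso")
        return (media_matches_image(iso, os.path.join(d, "good")),
                media_matches_image(iso, os.path.join(d, "bad")))
```

Against a real burn, call media_matches_image("pebuilder.iso", "/dev/sr0") from a clean Linux machine; reading the raw device needs root, and a False result means the disc, not the ISO, is the thing to redo.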

#13 Buzz1cy


Posted 04 September 2010 - 12:36 PM

Hi Elise,

Boot from hard disk is disabled in BIOS.

Repeated the create-CD process with another XP disk (SP2; enabled "RpsSS needs to launch DComLaunch"); the first disk was SP3.
Image Name: pebuilder.iso; Size: 158,152,704 bytes; Size on disk: 158,154,752 bytes.

Now have two CDs, two flash drives: 4 combinations. All result in the following sequence (verbatim via digital camera):
-------
Attempting Boot From CD-ROM
-------
CD drive spins up
-------
Setup is inspecting your computer's hardware configuration...
-------
Starting BartPE...
Text Progress Bar 0 % progress
Press F6 if you need to install a third party SCSI or RAID driver...
-------
Starting BartPE...
Text Progress Bar 0 through 100 % progress
-------
Please Wait...
Text Progress Bar 100 % progress
-------
Microsoft Windows XP splash screen with processing bar
processing bar completes one and a half times
-------
BSD

Thanx.

#14 Elise


Posted 04 September 2010 - 12:43 PM

Can you try the CD('s) on a working computer to see if they work there?

regards, Elise


#15 Buzz1cy


Posted 04 September 2010 - 12:54 PM

Will attempting such change any of the existing filesystem or registry? I assume not, just need to ask. What will success look like?
