
DDS.scr Won't run on XP 64 Bit



#1 Nozyspy

Nozyspy

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:10 PM

Posted 29 August 2010 - 02:49 AM

Hey guys, I'm completely new here, so sorry if I get anything wrong. I recently got the desktoplayer.exe/Ramnit infection and saw that you guys had some success in removing it without reformatting. However, DDS.scr will not work with Win XP 64 Bit so I can't post any logs to start off with. Are there any alternatives that I can use?

I really need to get this sorted asap, so any help or info would be much appreciated! :thumbsup:

Luke/Nozy



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,929 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:10 AM

Posted 29 August 2010 - 08:45 PM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Read the disclaimer and click Continue.
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Another text file named info.txt will open minimized.
  • Save the log files to your desktop and copy/paste the contents of log.txt by highlighting everything and pressing Ctrl+C.
  • After highlighting, right-click, choose Copy and then paste the contents into a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here.
  • Copies of both log files are automatically saved in the C:\RSIT folder which the tool creates during the scan.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If RSIT did not work, then reply back here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Nozyspy


Posted 30 August 2010 - 03:51 AM

Thanks for the help man.

Am I supposed to let the desktoplayer.exe/virus run while I use these programs, or is it safe to delete it and close the process beforehand (it just pops back up again after I restart anyways)? Since I don't want to stop these programs from picking up any information which may be useful to you.

Edited by Nozyspy, 30 August 2010 - 03:51 AM.


#4 quietman7


Posted 30 August 2010 - 07:48 AM

If it's not interfering with running the tool, you can leave it alone.

#5 Nozyspy


Posted 02 September 2010 - 12:16 PM

Ok, thanks for the help man. At the moment I am just considering whether it might be more practical simply to get a new HDD and upgrade to Windows 7 instead and then transfer over any pictures/important files etc. (since this virus only seems to attach itself to .dlls and .exe files, from what I have read) and format the old hard drive.

It's a tough choice. I would rather not format, but I have had plenty of problems with Windows XP 64 bit. Despite most programs working with it, certain things, like iTunes and some older software, have been a pain in the neck to try and get to work with XP64 Bit. Maybe it's time to upgrade?

It looks like either way is going to be a hassle. :thumbsup:

Edited by Nozyspy, 02 September 2010 - 12:16 PM.


#6 quietman7


Posted 02 September 2010 - 01:06 PM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in these articles:

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned, repaired or trusted especially if you are dealing with rootkit components that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. In some instances an infection may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action but I cannot make that decision for you.

If you want to try disinfection, then you need to start a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum and post your RSIT there. If RSIT is not working, we can try creating a different type of log for you to post.

If you decide to reformat or do a factory restore due to malware infection, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the appropriate Windows Operating System Subforum.
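The backup rules in the post above (skip the listed extensions, look at the full file name for a double extension, and check compressed files for executables inside), applied to a folder tree. This is an added example and not part of the original post; the `DECOY` list and the function names are assumptions, and only .zip archives are opened because that is the one format the Python standard library reads.

```python
import os
import tempfile
import zipfile
# Extensions the post says not to back up (archives are handled separately below).
RISKY = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml"}
# Assumption: harmless-looking extensions used as the visible half of a double extension.
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".doc", ".pdf", ".mp3"}

def exts(name):
    """Return (last, previous) extension in lower case; '' where there is none."""
    parts = name.rstrip(" .").lower().split(".")   # Windows drops trailing dots/spaces
    last = "." + parts[-1].strip() if len(parts) > 1 else ""
    prev = "." + parts[-2].strip() if len(parts) > 2 else ""
    return last, prev

def classify(path):
    """Return (verdict, reason); verdict is 'copy', 'skip' or 'review'."""
    last, prev = exts(os.path.basename(path))
    if last in RISKY:
        return "skip", ("double extension " + prev if prev in DECOY else "risky extension ") + last
    if last == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                inner = [n for n in zf.namelist() if exts(n)[0] in {".exe", ".scr"}]
        except (zipfile.BadZipFile, OSError):
            return "skip", "unreadable archive"
        if inner:
            return "skip", "archive contains " + inner[0]
        return "review", "no executables inside, scan before restoring"
    if last in (".rar", ".cab"):
        return "skip", last + " archive not inspected"
    return "copy", "no risky extension"

def triage(root):
    report = {"copy": [], "skip": [], "review": []}   # relative paths grouped by verdict
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(folder, name)
            verdict, reason = classify(full)
            report[verdict].append((os.path.relpath(full, root), reason))
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:       # constructed sample tree
        for name in ("holiday.jpg", "holiday.jpg.exe", "notes.txt"):
            open(os.path.join(root, name), "w").close()
        with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
            zf.writestr("bin/setup.exe", "placeholder")
        print(triage(root))
```

Files in the `copy` and `review` groups still need the anti-virus scan the post calls for before they are copied back.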

#7 Nozyspy


Posted 07 September 2010 - 02:14 PM

Many thanks for the advice!

If the infection can jump to removable drives, could it also jump from one hard drive to the other, say if I had both the infected HDD and a new HDD connected at the same time, or if I tried to transfer pictures or other otherwise innocuous files from the infected HDD to the new HDD (internal HDDs I mean, not the external kind)?

Apologies for the late reply!

Edited by Nozyspy, 07 September 2010 - 02:16 PM.


#8 Nozyspy


Posted 16 September 2010 - 10:31 AM

Well, in the end I ended up getting Win 7 and installing on a fresh HDD. I guess this is as good a time as any to upgrade, just a shame I didn't get more use out of XP 64bit. But anyways, I think I found an interesting way of getting rid of this desktoplayer.exe virus. Adaware was regularly picking up 40-70 instances of this ramnit/desktoplayer virus; however, since it kept creating a folder called Microsoft and placing itself in there every time I restarted the computer (no matter how much cleaning I did with different anti-virus programs), I thought I would try something.

What I did was stop the virus process (it shows up as iexplore.exe in task manager, even when no Internet Explorer windows are open), then delete the Microsoft folder that it was in. Then I made a new folder myself and called it Microsoft, then put a .txt file in it and called it blah.txt, and put a random sentence inside. Then I made the folder read only and then made it hidden and then encrypted it...

Not only did desktoplayer.exe no longer appear in that folder, but after a couple of scans and deleting the rest of the infected files, the results on Prevx and AdAware went down to 0. Whether this got rid of the virus for sure, I cannot say. It would need an expert to tell if it had been eradicated instead of simply planting itself in another folder, but I can definitely say that after scanning the infected hard drive several times since, no more instances of the 'ramnit.a' virus nor the desktoplayer.exe file have turned up on any of my anti-virus programs.

The only problem is that since I have deleted all the infected files, it has kind of borked several programs since it deleted plenty of .dlls and other essential files for those programs. Mind you, since I installed Win 7 on a fresh hard drive and simply transferred over pictures and documents, this hasn't been a problem.

I dunno if this is of any use to anyone, but I just thought I would share it in case it helps! :thumbsup:

Nozy/Luke

#9 quietman7


Posted 16 September 2010 - 12:11 PM

Glad to hear everything worked out for the best.

:thumbsup: Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read How Malware Spreads - How did I get infected.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun ASAP as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Security Resources from Microsoft:

Other Security Resources:

Browser Security Resources:

Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:



