
rkill crashes Vista computer


5 replies to this topic

#1 lanrat

lanrat

  • Members
  • 15 posts

Posted 04 January 2011 - 02:04 PM

Hi,

I have a VISTA computer that redirects various URLS to (http://siteblacklistms.com/block.php?url=http://www.original_url.com/...)

I have dealt with this or a similar trojan in the past on an XP computer and so I am attempting to run 'rkill' prior to installing and running Malwarebytes.

I downloaded the .exe and .com versions of 'rkill' and have run both 'As Administrator' - computer either freezes or crashes and reboots.

Anyone with some advice please. Thanks


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2011 - 02:53 PM

If you are able to run Malwarebytes Anti-Malware and other security tools without them terminating, there is no need to run Rkill. Using RKill is only necessary to fix the most common malware processes that stop us from using security tools and completing scans, so it's not required in all situations.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 lanrat

lanrat
  • Topic Starter

  • Members
  • 15 posts

Posted 04 January 2011 - 04:30 PM

Thanks for the prompt reply 'Quietman7' - Malwarebytes found and removed 3 infections, 2 id'd as trojans (see log below)

After reboot I re-scanned (Quick Scan) - Malwarebytes reported no errors. Launched IE and went to www.bleepingcomputer.com - BLAM!! redirected with the same garbage splash screen.

All of the above done from regular login - will running from 'Safe Mode' make any difference in your opinion, or do you have another suggestion?

Thanks

----- Log START ------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5460

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

04/01/2011 12:58:54 PM
mbam-log-2011-01-04 (12-58-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 642542
Time elapsed: 1 hour(s), 19 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Windows\$ntuninstallmtf197$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\6535UIHm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Ray\AppData\Local\Temp\hki7492.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\$ntuninstallmtf197$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
----- Log END -----

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2011 - 07:00 PM

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.


Please download Norman Malware Cleaner and save to your desktop.
alternate download link
If you previously used Norman, delete that version and download it again as the tool is frequently updated!
  • Be sure to read all the information Norman provides on that same page.
  • Double-click on Norman_Malware_Cleaner.exe to start. Vista/Windows 7 users right-click and select Run As Administrator.
    The tool is very slow to load as it uses a special driver. This is normal so please be patient.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
-- Note: If you need to scan USB flash drives or other removable drives not listed, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.

#5 lanrat

lanrat
  • Topic Starter

  • Members
  • 15 posts

Posted 04 January 2011 - 08:34 PM

Thanks Again.. TDSSKiller finally did it :^) (see extract from log below)

After the reboot I re-ran TDSSKiller and it found nothing more - tested each of the links previously redirected and all is good. I presume it is not necessary to run 'Norman Malware Cleaner' as well now that the problem appears to be eradicated - right?

Appreciate the help - cheers.

==== Log START ====
......
2011/01/04 16:48:29.0695 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/01/04 16:48:29.0724 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/04 16:48:29.0727 ================================================================================
2011/01/04 16:48:29.0727 Scan finished
2011/01/04 16:48:29.0727 ================================================================================
2011/01/04 16:48:29.0738 Detected object count: 1
2011/01/04 16:49:22.0654 \HardDisk0 - will be cured after reboot
2011/01/04 16:49:22.0655 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/04 16:49:27.0857 Deinitialize success

==== Log END ====
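Added example, not from this thread or from TDSSKiller's authors: a small Python parser for log lines in the format shown in the extract above, pairing each detected object with the action chosen for it and flagging detections that were never cured. The regular expressions are assumptions inferred from the visible lines only, and the sample input is the posted extract.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample lines copied from the TDSSKiller extract posted above (constructed test
# input, not a live log). Each line is a timestamp followed by a free-text event.
SAMPLE_LOG = r"""
2011/01/04 16:48:29.0695 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/01/04 16:48:29.0724 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/04 16:48:29.0727 Scan finished
2011/01/04 16:48:29.0738 Detected object count: 1
2011/01/04 16:49:22.0654 \HardDisk0 - will be cured after reboot
2011/01/04 16:49:22.0655 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/04 16:49:27.0857 Deinitialize success
"""

# Patterns are assumed from the lines above; other TDSSKiller versions may differ.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ "
DETECTED = re.compile(TS + r"(?P<obj>.+?) - detected (?P<threat>\S+) \((?P<code>\d+)\)$")
ACTION = re.compile(TS + r"(?P<threat>[^(\s]+)\((?P<obj>.+)\) - User select action: (?P<action>\w+)$")
PENDING = re.compile(TS + r"(?P<obj>.+?) - will be cured after reboot$")
COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)$")

@dataclass
class Detection:
    obj: str
    threat: str
    action: Optional[str] = None      # None: the user never chose an action
    cure_after_reboot: bool = False

@dataclass
class Report:
    detections: Dict[str, Detection] = field(default_factory=dict)
    reported_count: Optional[int] = None

    def unresolved(self) -> List[str]:
        """Detected objects that were not cured (no action, or Skip/Quarantine)."""
        return [d.obj for d in self.detections.values() if d.action != "Cure"]

    def consistent(self) -> bool:
        """True when the tool's own object count matches the detection lines parsed."""
        return self.reported_count == len(self.detections)

def parse_tdsskiller_log(text: str) -> Report:
    report = Report()
    for line in text.splitlines():
        line = line.rstrip()
        if m := DETECTED.match(line):
            report.detections[m["obj"]] = Detection(m["obj"], m["threat"])
        elif m := ACTION.match(line):
            d = report.detections.setdefault(m["obj"], Detection(m["obj"], m["threat"]))
            d.action = m["action"]
        elif m := PENDING.match(line):
            if (d := report.detections.get(m["obj"])) is not None:
                d.cure_after_reboot = True
        elif m := COUNT.match(line):
            report.reported_count = int(m["n"])
    return report
```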

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2011 - 08:52 PM

Run the Norman scan.

The problem with these types of infections is that they can download other malicious files and it sometimes takes various scans with different tools to find them.
