
TD4, whitesmoke, google redirect


14 replies to this topic

#1 dorky667

dorky667

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 11 January 2011 - 10:31 PM

Greetings Computer Gods!


I have tried not to bother you guys with my problems!
I have read other posts and tried many things on my own, but to no avail!

I have tried:

ComboFix - it said I had a TD4 rootkit
Kaspersky TDSSKiller - it found the TD4 and removed it
Malwarebytes - it found the WhiteSmoke virus and removed it

But after all of this, I know I still have a virus because the comp is running very slowly again!
As requested, attached and listed are: attach and ark.txt
Thank you in advance!!
Attached File  ark.log   100.29KB   1 downloads
Attached File  Attach.txt   9.83KB   1 downloads
2nd rate hack
doing my best!


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:50 AM

Posted 12 January 2011 - 09:07 PM

Hello dorky667 ,


Well silly....that's what we're here for! :wink: You are no bother whatsoever, I can assure you. :)

Can I please see the reports from both ComboFix and MBAM? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 dorky667


Posted 12 January 2011 - 10:17 PM

Dear Tea (Computer Goddess),

Attached are:

latest MBAM log
latest ComboFix log
and the TDSS log from when it found TDL4!

Anything I am missing? I will be on for a few more hours, ready to fix this!
I have been battling this for over a month!
A thousand thanks

-paul

Attached Files



#4 teacup61


Posted 12 January 2011 - 10:36 PM

Hi Paul,

Since that report is several days old, let's uninstall it and get an updated one so we can work with it. :) Incidentally, that report does not show tdl present any longer....you ran it after running tdss killer, yes?

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to paul.exe and try again.

Thanks,
tea

#5 dorky667


Posted 13 January 2011 - 12:45 AM

Tea,

Here is the latest ComboFix log!
Also thought you would want to know:
1. Uninstall didn't work; it just tried to run ComboFix,
so I erased it off my desktop - right-click > erase
2. I ran Defogger a few days ago and have CD emulation off!

Hope all this helps,
so many thanks!

=paul

Attached Files



#6 teacup61


Posted 13 January 2011 - 08:06 AM

Hello there,

Is the slowness the only remaining problem?

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Close all open browsers before using, especially FireFox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Those old versions also take up a ton of space! Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 23 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Can I please see a new DDS log?

Let me know how it's running as well, please. :)

Thanks,
tea
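The Java removal steps above are done by hand in Add/Remove Programs. As an added example (not from this thread or from any tool it mentions), the script below reads the same Uninstall registry entries that Add/Remove Programs displays, lists every Java Runtime entry, and flags those older than the JRE 6 Update 23 build the post asks for. It assumes a Sun/Oracle JRE registers its DisplayVersion as "6.0.230" for 6u23; the function name and the `$Latest` parameter are this example's own.

```powershell
# Added example, not part of the thread: enumerate the Java entries that
# Add/Remove Programs lists and flag any older than JRE 6 Update 23.
# Assumption: Sun/Oracle JRE installers register DisplayVersion "6.0.230"
# for 6u23; pass a different $Latest to check against another build.
function Get-InstalledJava {
    param([Version]$Latest = [Version]'6.0.230')

    # Native and 32-bit-on-64-bit uninstall hives; the second is absent on 32-bit XP/Vista
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            # Match the names the post tells you to look for in Add/Remove Programs
            if ($p.DisplayName -notmatch 'Java|J2SE|JRE') { continue }

            # DisplayVersion is free text; treat anything unparseable as unknown
            $parsed = $null
            try { $parsed = [Version]$p.DisplayVersion } catch { }

            if ($null -eq $parsed)        { $status = 'unknown version' }
            elseif ($parsed -lt $Latest)  { $status = 'OUTDATED - remove' }
            else                          { $status = 'current' }

            New-Object PSObject -Property @{
                Status          = $status
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                UninstallString = $p.UninstallString
            }
        }
    }
}

# One row per Java entry, outdated ones grouped together, as a checklist for the manual removal
Get-InstalledJava | Sort-Object Status | Format-Table Status, DisplayName, DisplayVersion -AutoSize
```

The UninstallString column holds the command Add/Remove Programs runs for each entry, which is useful when several old updates must be removed one after another.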

#7 dorky667


Posted 13 January 2011 - 11:43 PM

Dear Ms Tea,


Sorry for the delay! long day at work....

Here's what I have done:
1. Updated Java per the instructions
2. Deleted temp files w/ ATF per instructions
3. Restarted
4. Enabled Avast
5. Reran DDS per instructions (see attached)

Everything (Windows, programs, internet etc.) is still running pretty slow, even for my dinosaur of a comp!

a thousand more thanks,

-paul

Attached Files



#8 teacup61


Posted 13 January 2011 - 11:58 PM

Hi Paul,

Not a problem at all. :)

I see you've used the ESET scanner recently... would you mind having another scan with it and posting me the report, please?

Thanks,
tea

#9 dorky667


Posted 15 January 2011 - 10:45 AM

Dear Tea,

Sorry I took so long!
ESET took over 24 hours to run!
I did the "scan archives" as well,
but my comp locked up and gave me the following error:

"Windows delay write fail
Window was unable to save all the data for the file D:\system volume information. The data
has been lost. this error has been caused by a failure of your computer hardware or network connection.
Please try to save this file elsewhere."

It just gave me the same error again, except with the path D:\$mft

But ESET did finish and said no threats found,
and I am still running very slowly..

-paul

#10 dorky667


Posted 15 January 2011 - 12:10 PM

Tea,

I'm on the wife's laptop!
I restarted my computer and now it is hanging on a black screen and won't even boot up to any screen?
I am starting to think I have major hardware problems??
Thoughts?

-paul

#11 dorky667


Posted 15 January 2011 - 01:34 PM

Tea,

Upon further restarts, a Phoenix motherboard BIOS screen comes up and says:

"Hard drive failure is imminent! Backup and replace!"
The screen lists the processor, IDE listings of hard drives and some other info.

This screen looks legit, as in not a virus, and would explain the hanging up, freezing and slowness
and ultimate non-functioning.
Too bad this hard drive is the boot drive and not the storage one!

Could these viruses that I have been dealing with have actually physically damaged the hard drive?
Or is it a weird coincidence that the hard drive took a dump at the same time as the virus?
Or am I just missing something else entirely?

Thoughts?

-paul
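A delayed write failure on D:\$mft followed by a BIOS "hard drive failure imminent" warning is the sequence a failing disk produces, and Windows records it in three places that can be checked before deciding between malware and hardware. The script below is an added example (not from this thread) that gathers the driver status, the SMART failure-prediction flag and the relevant System event log entries; it assumes an elevated PowerShell prompt, and the function name is this example's own.

```powershell
# Added example, not part of the thread: collect the disk-health signals Windows
# keeps for the symptoms described above. Assumes an elevated prompt; the SMART
# class is only populated when the storage driver passes it through.
function Get-DiskHealthReport {
    # 1. Driver-reported status per physical disk: "OK", "Pred Fail", "Error", ...
    Get-WmiObject Win32_DiskDrive | ForEach-Object {
        New-Object PSObject -Property @{
            Check  = 'Win32_DiskDrive'
            Item   = $_.Model
            Result = $_.Status
        }
    }

    # 2. SMART failure prediction, where the driver exposes it (absent on many XP-era setups)
    Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        ForEach-Object {
            $verdict = 'not predicted'
            if ($_.PredictFailure) { $verdict = 'FAILURE PREDICTED' }
            New-Object PSObject -Property @{
                Check  = 'SMART PredictFailure'
                Item   = $_.InstanceName
                Result = $verdict
            }
        }

    # 3. Event IDs that typically precede a failing drive: Ntfs 50 (delayed write failed),
    #    disk 7 (bad block), disk 11 (controller error), disk 51 (error during paging I/O)
    Get-EventLog -LogName System -EntryType Error, Warning -Newest 5000 -ErrorAction SilentlyContinue |
        Where-Object { (@('disk', 'Ntfs', 'atapi') -contains $_.Source) -and (@(50, 7, 11, 51) -contains $_.EventID) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Check  = 'System log'
                Item   = '{0} {1}/{2}' -f $_.TimeGenerated, $_.Source, $_.EventID
                Result = ($_.Message -split "`r?`n")[0]   # first line of the message only
            }
        }
}

Get-DiskHealthReport | Format-Table Check, Item, Result -AutoSize
```

A "Pred Fail" status, a true PredictFailure flag, or a run of Ntfs 50 / disk 7 events points at hardware rather than malware, and the same answer applies: copy the data off first.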

#12 teacup61


Posted 15 January 2011 - 01:42 PM

Oh dear! Better backup what you can right away! :o No, I'm sure Phoenix wouldn't lie to you. It seems to be a good program. I think it's coincidence really. To have such catastrophic hardware failures after even an infection like this is not common at all.

I'm so sorry....we worked hard on this. But at least you know you can save your stuff and it isn't in danger when you put it on a new/clean hard drive. ;)

tea

#13 dorky667


Posted 15 January 2011 - 03:03 PM

Tea,

I'm not sure I can get into this hard drive at all!
What I will do is put in another hard drive, set it up as the new master, and then try to retrieve my important stuff that way.
Even if not, I would only lose about a month's worth of stuff; I back up to an external 1 TB drive routinely.

So...thank you so much for your help!!
paypal donation coming at next paycheck!

peace
paul

(I guess we can close the thread?)

Edited by dorky667, 15 January 2011 - 03:04 PM.


#14 teacup61


Posted 15 January 2011 - 03:36 PM

Hi Paul,

I'm glad to know you have a plan. There have been a couple of times even I've been caught out, and it isn't fun. So good on you. :thumbup2:

I'll leave the thread open for a couple of days, just in case.

Take care!
tea

#15 teacup61


Posted 19 January 2011 - 08:27 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.