
Infected with Windows XP Repair - tdsskiller would not run


  • This topic is locked
54 replies to this topic

#1 dpaxson2

dpaxson2

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 05 July 2011 - 01:40 PM

Hello - I have a computer infected with Windows XP Repair. All symptoms and screen shots match the description of the infection. I followed the steps to remove and ran Rkill. Steps listed here: http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-repair

I got to step 5 and then moved on to the instructions found here:
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

I downloaded the .exe to a clean computer and transferred to infected using thumb drive. After changing name to 123.com as instructed the program does nothing. At first I forgot the '.com' in the title so I started over by downloading again and moving through the steps, but program still will not run. I'm not sure what I am doing incorrectly or why it will not run. The name I am using is '123.com', but does the extension of the file need to be .com as well? Right now that proper logo still appears with 123.com listed under it. Any advice on how to proceed will be very helpful.

In addition, I had XP Anti-Software infection one month ago. I followed instructions on this site and was able to clean (thanks for instructions!). I still have Malwarebytes installed on the computer. Once the tdsskiller is figured out, will I still have to download Malwarebytes or skip to running the program? I have not run it yet because I did not want to impact running tdsskiller.

My web browsers (Firefox, IE Explorer) are not connecting to the internet. Initially I had turned my radio off to stop in case the virus was trying to communicate, but I have now turned it back on since I have identified what is happening (I think). Initially MSN Messenger connected to the internet properly and was working, but now I cannot get out to the web. My PC-cillin software (which failed me on both infections) had a message that said 'The TmProxy module experienced a critical error. Please try again to reinstall the program. Internal Error: [-8/PH3/ENG00020000]'. I followed the steps in order to post this topic and turned my Windows Firewall back on and now I do not receive that message, but still can't get to the internet.

Finally, this infection hides all of my files. I saw in the instructions what to download to unhide. Can I download that on a clean computer, transfer to infected using thumb drive, and then use that program to unhide all? I would like to unhide so I can find Malwarebytes and run program. Right now I can search and find Malwarebytes on my computer, but it is difficult to navigate.

Thank you so much for your help and I absolutely love this site. Please let me know any other needed information. The instructions are clear and I recommend checking this site to all of my friends.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Doug at 11:21:57 on 2011-07-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.459 [GMT -5:00]
.
AV: PC-cillin Internet Security - Virus Protection *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bl143w.blu143.mail.live.com/mail/TodayLight.aspx?n=459868904&wa=wsignin1.0&n=533408899
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061026
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=MkUmPJgYlY86C2kmbt0Ueunj9es
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [HgOlESJJrnKDyMI] c:\documents and settings\all users\application data\HgOlESJJrnKDyMI.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [jswmidin] c:\program files\jswmidin.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [KodakShareButtonApp] c:\program files\kodak\kodak share button app\Listener.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/47.12/uploader2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231034347750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BE854C2E-8E46-4E74-9B20-4973086863B1} : DhcpNameServer = 192.168.0.1
Filter: text/html - {8e0485be-c29c-4075-b098-b8f96f0decca} -
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\doug\application data\mozilla\firefox\profiles\t7ynnf98.default\
FF - prefs.js: browser.startup.homepage - hxxp://bl138w.blu138.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000001&InboxSortAscending=False&InboxSortBy=Date&n=1221627617
FF - plugin: c:\documents and settings\doug\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\doug\application data\move networks\plugins\npqmp071502000008.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 iMSPCLOj;iMSPCLOj;c:\windows\system32\drivers\iMSPCLOj.sys [2005-11-4 43008]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-11-16 36368]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-3 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-11-9 280392]
S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-15 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-11-9 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-11-9 566872]
.
=============== Created Last 30 ================
.
2011-07-05 02:53:03 385024 -c-ha-w- c:\documents and settings\all users\application data\17424164.exe
2011-07-05 02:43:35 464896 -c-ha-w- c:\documents and settings\all users\application data\HgOlESJJrnKDyMI.exe
2011-06-22 20:50:18 2106216 ---ha-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-22 20:50:18 1998168 ---ha-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-22 14:42:10 -------- d--h--w- c:\documents and settings\doug\application data\KodakCredentialStore
2011-06-12 01:03:01 -------- d--h--w- c:\program files\iPod
2011-06-12 01:02:50 -------- d--h--w- c:\program files\iTunes
2011-06-07 19:34:04 86016 ---ha-w- c:\windows\unvise32.exe
2011-06-07 19:34:01 -------- d--h--w- c:\program files\Savings Bond Wizard
2011-06-06 19:13:45 -------- d--h--w- c:\documents and settings\doug\application data\Malwarebytes
2011-06-06 19:13:40 38224 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-06 19:13:39 -------- dc-h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-06 19:13:36 20952 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-06-06 19:13:35 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-06-06 17:55:30 183696 ---ha-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-06 17:55:30 183696 ---ha-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-06-22 20:53:41 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 13:06:08 4517664 ---ha-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 13:06:08 42496 ---ha-w- c:\windows\system32\drivers\usbaapl.sys
2011-04-06 21:20:16 91424 ---ha-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ---ha-w- c:\windows\system32\dns-sd.exe
2005-04-21 08:22:51 180224 ---ha-w- c:\program files\jswmidin.exe
.
============= FINISH: 11:28:43.14 ===============
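A triage helper for the kind of DDS log posted above, as an added example that is not part of the thread or of the DDS tool: it parses the "Pseudo HJT Report" and "Created Last 30" sections and flags the entries a helper looks at first (autoruns in loose locations, random-looking file names, freshly created droppers, a disabled Task Manager). The section titles, regular expressions and heuristics are my own assumptions about the log format shown; the embedded log is a constructed excerpt of the one above.

```python
"""Triage a DDS log for autorun entries worth a second look.
Added example (not the thread's or DDS's own code); the regexes and the
"loose location" / "random-looking name" heuristics are assumptions."""
import re

# Constructed excerpt mirroring lines from the DDS log in the first post.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HgOlESJJrnKDyMI] c:\documents and settings\all users\application data\HgOlESJJrnKDyMI.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [jswmidin] c:\program files\jswmidin.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-system: DisableTaskMgr = 1 (0x1)
=============== Created Last 30 ================
2011-07-05 02:53:03 385024 -c-ha-w- c:\documents and settings\all users\application data\17424164.exe
2011-07-05 02:43:35 464896 -c-ha-w- c:\documents and settings\all users\application data\HgOlESJJrnKDyMI.exe
2011-06-06 19:13:40 38224 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-(\w+): (\w+) = (\S+)")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")
PATH_RE = re.compile(r'^"?([^"]+?\.(?:exe|com|scr|cpl))"?', re.IGNORECASE)
# An executable sitting directly in a data root or in the root of Program Files,
# rather than inside an application's own folder, is an unusual place for one.
LOOSE_DIR_RE = re.compile(
    r"\\(application data|program files)\\[^\\]+\.(exe|com|scr)$", re.IGNORECASE)


def parse_sections(text):
    # Map each "=== Title ===" header to the non-empty lines that follow it.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def looks_random(stem):
    # All-digit names, or long alphabetic names whose case flips on about half
    # of the characters, do not look like vendor-chosen file names.
    if stem.isdigit():
        return True
    if len(stem) < 8 or not stem.isalpha():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return flips >= len(stem) // 2


def reasons_for(path, created):
    key, stem = path.lower(), path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    when = created.get(key, ("", ""))[0]
    checks = [(LOOSE_DIR_RE.search(path), "loose location"),
              (looks_random(stem), "random-looking name"),
              (bool(when), "created " + when)]
    return [label for hit, label in checks if hit]


def triage(text):
    """Return (kind, detail) findings for the autorun and policy lines."""
    sections = parse_sections(text)
    created = {}  # lower-cased path -> (timestamp, path as logged)
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            created[m.group(2).strip().lower()] = (m.group(1), m.group(2).strip())
    findings, autorun_paths = [], set()
    for line in sections.get("Pseudo HJT Report", []):
        run, pol = RUN_RE.match(line), POLICY_RE.match(line)
        if run and (p := PATH_RE.match(run.group(3))):
            path = p.group(1)
            autorun_paths.add(path.lower())
            reasons = reasons_for(path, created)
            if reasons:
                findings.append(("suspicious-autorun",
                                 f"{run.group(1)} [{run.group(2)}] {path}: " + ", ".join(reasons)))
        elif pol and pol.group(2, 3) == ("DisableTaskMgr", "1"):
            findings.append(("policy-tamper", "Task Manager disabled via mPolicies-system"))
    # Fresh executables in loose locations that have no autorun entry of their own.
    for key, (when, path) in created.items():
        if key not in autorun_paths and LOOSE_DIR_RE.search(path):
            findings.append(("dropped-file", f"{path}: " + ", ".join(reasons_for(path, created))))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:18} {detail}")
```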


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:03 AM

Posted 12 July 2011 - 07:54 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 12 July 2011 - 11:22 AM

Thanks for the reply Shannon! I'm not going to be in front of that machine until Wednesday night, but when I do get to it, I'll work through your instructions and post a reply before I go to sleep. I've left my machine in the same state as when I posted this topic and have kept it on the entire time. It looks like the activity has stopped, but the malware is still on the machine.

Thanks again for the help and I'll respond Wednesday night.

#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:03 AM

Posted 13 July 2011 - 09:23 AM

Hi-

Let's change the order of doing things. Run the following (ComboFix) first and follow that with the OTL and RKU. You can pull ComboFix down to a thumb drive and transfer it to the desktop of the sick machine.

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your reply, please copy in the ComboFix report, the two OTL reports, and the RKU report. How is your machine doing now?
Shannon

#5 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 13 July 2011 - 11:23 PM

Hi Shannon -

I'm running the ComboFix now. It's completed through Stage 5 and is still working. I tried to download the OTL from the Main Mirror link provided above but I got a 403 Forbidden error and cannot download. Can you direct me to another link so I can download OTL and continue with the instructions?

Thanks for the help!

#6 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 13 July 2011 - 11:44 PM

Another update - Combofix got up around Stage 25 and was working (about 20 mins) and then I got a blue screen that said:

"A problem has been detected and windows has been shut down to prevent damage to your computer. Plug and Play detected an error most likely caused by a faulty driver.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:
*** STOP: 0x000000CA (0x00000004, 0x86829d48, 0x00000000, 0x00000000)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance."


I shut down my computer and restarted. The computer came back up but the malware (Windows XP Repair) is active again (pop ups are occurring again) and hasn't been removed. There was an error message that said 'Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.'

What should I do next? No Combofix report so I assume it didn't finish. Thanks for the help!

#7 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:03 AM

Posted 14 July 2011 - 08:25 AM

Hi-

Make sure PC-cillin AV is fully disabled.
Double-click on the Trend Micro PC-cillin™ Internet Security icon in the System Tray area.
Click on 'Exit'.
Click on the 'Yes' button.
After a few moments, the Trend Micro PC-cillin™ Internet Security icon should disappear from the System Tray area.
Try to run ComboFix again. If it aborts again, try it in safe mode (F8 key on reboot).
Hold off on doing anything with OTL or RKU.
Copy the contents of the log into your reply. If you can't get ComboFix to finish, check to see if it created a log at C:\ComboFix.txt.
Shannon

#8 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 14 July 2011 - 08:54 AM

I tried to run ComboFix but the computer keeps rebooting. I'm getting errors about a hard drive error and needing to shut down, then it reboots automatically. Any thoughts?

#9 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 14 July 2011 - 08:59 AM

Just got another blue screen with this reboot. The message says to check for viruses on your computer or run CHKDSK /F to check for hard drive corruption.

I made sure PC-cillin was turned off last time. When I ran it last night I disabled real-time protection, but didn't 'exit' the program (sorry, should have tried that last night).

It's booting again, so I'll attempt to shut down PC-cillin then run ComboFix. Can ComboFix be run when the malware is active?

#10 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 14 July 2011 - 09:08 AM

Specific message I am getting "Hard Drive Failure - The system had detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system."

Not sure if that is the virus or not.

I got ComboFix running again and now I get a pop up message that says "Are you sure you want to remove the folder 'ComboFix' and move all its contents to the Recycle Bin?"

Should I run RKill first and then run ComboFix?

#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:03 AM

Posted 14 July 2011 - 09:44 AM

Try it in safe mode - tapping the F8 key as soon as you start your computer.
Shannon

#12 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 14 July 2011 - 10:55 AM

I got the computer into safe mode and started ComboFix, but the program stalled when it got to "Output folder: C:\32788r22fwjfw" as the status. It never got to the command prompt where it went through the stages. It's been sitting for 30 mins and looks frozen, although I can navigate to the desktop folder so the computer is not frozen.

#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:03 AM

Posted 14 July 2011 - 11:26 AM

If it still looks hung, go ahead and kill it. Delete the ComboFix exe from the desktop, download a fresh copy, and try it in safe mode.
Shannon

#14 dpaxson2

dpaxson2
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:07:03 AM

Posted 14 July 2011 - 11:35 AM

I started over with a clean copy and got an error message that said:

Error opening file for writing:
C:\32788r22fwjfw\iexplore.exe

Click Abort to stop the installation, Retry to try again, or Ignore to skip this file.

I tried Retry and it brought the error message back up. Should I go Abort or Ignore?

BTW - Thanks for all the help. This is a pain and I apologize for all the back and forth.

#15 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:09:03 AM

Posted 14 July 2011 - 11:48 AM

Abort it.

Let's take a different approach -

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Shannon



