
Nasty XP Malware



#1 tsimms1964

Posted 21 January 2012 - 01:25 AM

I have a WinXP laptop that had a nasty malware that first hid all files, then even disabled Task Manager and my CD-ROM.
I have gotten back most of the errors, but I still cannot access Task Manager, and keyboard shortcuts don't work either.

Edited by hamluis, 21 January 2012 - 07:59 AM.
Moved from XP to Am I Infected.



#2 mark1956

Posted 21 January 2012 - 06:34 AM

Have you got any System Restore points that will go back before the infection?

XP System Restore Guide

If that does not help, have you got an XP disc? If so, what service pack does it include? What service pack is installed on the PC?

You could also try this, as the infection may have simply disabled Task Manager:
Task Manager disabled

#3 ident

Posted 21 January 2012 - 07:43 AM

Any issue regarding malware should be posted here.

Please note the message text in blue at the top of the "Am I infected? What do I do?" forum.

#4 narenxp

Posted 21 January 2012 - 09:52 AM

Hi

Press the Windows+R keys, type

cmd and click OK.

Now copy this command and press ENTER:

Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

You should be able to launch Task Manager.

Please post your Malwarebytes clean log.


Download

TDSSkiller

Launch it, click on "Scan". Please post the LOG report.


Please download GMER from here

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (Do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Edited by narenxp, 21 January 2012 - 09:52 AM.
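The reg delete command above removes the per-user DisableTaskMgr policy value. The following PowerShell script is an added example, not from this thread or any of the tools named in it; it audits the same policy key in both the per-user (HKCU) and machine-wide (HKLM) hives, reports the DisableTaskMgr and DisableRegistryTools values that live there, and removes them only when run with -Remove (the HKLM key needs an elevated prompt).

```powershell
# Added example: audit (and optionally clear) Task Manager / Registry Editor
# policy restrictions in both the per-user and machine-wide policy keys.
# Run without -Remove to only report what is set.
param([switch]$Remove)

# Both keys are real policy locations; malware commonly sets the HKCU one.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# DisableRegistryTools sits in the same key and is often set alongside.
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

$found = 0
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : key not present (no restriction)"
        continue
    }
    $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $valueNames) {
        $value = $key.$name
        if ($null -eq $value) { continue }
        $found++
        # A value of 1 means the restriction is active; any other value is
        # reported so the operator can decide what to do with it.
        if ($value -eq 1) {
            Write-Output "$path\$name = 1  (restriction ACTIVE)"
            if ($Remove) {
                Remove-ItemProperty -Path $path -Name $name
                Write-Output "  removed $name from $path"
            }
        } else {
            Write-Output "$path\$name = $value  (present, not active)"
        }
    }
}
if ($found -eq 0) { Write-Output 'No DisableTaskMgr/DisableRegistryTools values set.' }
```

If Task Manager is still blocked after the values are gone, something running on the machine is re-applying them, which is the case for continuing with the scans requested above.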


#5 tsimms1964

Posted 21 January 2012 - 02:46 PM

I tried the registry fix, didn't help. Trying RKill followed by Malwarebytes. May work, but it may not. I will try the other 2 programs if this doesn't work. I have seen some nasty viruses and malware before, but nothing like this. It also killed my System Restore. And most things in the Start menu. I thought I had that fixed, but I guess whatever it is is still in my system. I will post more results as I get them.

Edited by tsimms1964, 21 January 2012 - 02:49 PM.


#6 tsimms1964

Posted 21 January 2012 - 02:51 PM

Ok, RKill didn't find anything, but I'm running a full Malwarebytes scan now, which can take a while. Malwarebytes found nothing this time. I ran Unhide and almost everything came back. The only problems now are keyboard shortcuts (I'm going to re-install the HP drivers) and every time I start any browser, I get a Dr. Watson warning saying "Firefox (or IE or Avant) has encountered a problem and needs to close. We are sorry for the inconvenience." If I move the message out of the way, the browser opens up with no problems. I'm going to try re-installing Firefox and see if that helps.

Edited by tsimms1964, 21 January 2012 - 08:05 PM.


#7 tsimms1964

Posted 22 January 2012 - 11:31 AM

Here is the log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-22 10:14:39
Windows 5.1.2600 Service Pack 3
Running: r4o55k05.exe; Driver: C:\DOCUME~1\SA\LOCALS~1\Temp\fxlcipow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{286D4131-3821-6CBF-08770360589374C2}\{48BEB065-0DEC-1314-6E019AD5B66531AE}\{E2D4EA90-E228-BF00-D20DE2AD05099BA2}
Reg HKLM\SOFTWARE\Classes\CLSID\{286D4131-3821-6CBF-08770360589374C2}\{48BEB065-0DEC-1314-6E019AD5B66531AE}\{E2D4EA90-E228-BF00-D20DE2AD05099BA2}@FQMPT1KSMEJKUNSPRRAXLOCP2B1 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----

It also found 55 hidden processes.

#8 narenxp

Posted 22 January 2012 - 11:33 AM

TDSSKiller and aswMBR log?

#9 tsimms1964

Posted 22 January 2012 - 12:19 PM

I don't use Avast, I have ClamWin; it was clean. TDSSKiller didn't want to run correctly, but RKill did. But now I'm thinking I may need to run it again.

#10 narenxp

Posted 22 January 2012 - 07:39 PM

Download

FixTDSS

Launch it, restart the PC if asked to.

On boot up, it may find infections; let me know what it says.

Regarding the aswMBR log, go ahead and scan it, post the results.

Good luck

#11 tsimms1964

Posted 22 January 2012 - 11:39 PM

FixTDSS found a boot record infection and fixed it.
aswMBR found a boot record problem also; it wants to fix it.
Here is its log:
aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-22 22:14:38
-----------------------------
22:14:38.578 OS Version: Windows 5.1.2600 Service Pack 3
22:14:38.578 Number of processors: 2 586 0xF0D
22:14:38.578 ComputerName: SAIT000714 UserName: SA
22:14:39.578 Initialize success
22:17:32.250 AVAST engine defs: 12012201
22:17:40.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:17:40.265 Disk 0 Vendor: Size: 0MB BusType: 0
22:17:40.281 Disk 0 MBR read successfully
22:17:40.281 Disk 0 MBR scan
22:17:40.390 Disk 0 Windows XP default MBR code
22:17:40.390 Disk 0 MBR hidden
22:17:40.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 16065
22:17:40.484 Disk 0 scanning C:\WINDOWS\system32\drivers
22:18:01.859 Service scanning
22:18:02.875 Service MpKslb43bd8e9 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D65E3F2-E338-4A50-B653-BE8E00AF925D}\MpKslb43bd8e9.sys **LOCKED** 32
22:18:03.703 Modules scanning
22:18:14.218 Disk 0 trace - called modules:
22:18:14.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
22:18:14.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d45ab8]
22:18:14.281 3 CLASSPNP.SYS[f7668fd7] -> nt!IofCallDriver -> \Device\0000008e[0x86d47030]
22:18:14.281 5 ACPI.sys[f74df620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86caf030]
22:18:15.406 AVAST engine scan C:\WINDOWS
22:18:22.468 AVAST engine scan C:\WINDOWS\system32
22:21:42.781 AVAST engine scan C:\WINDOWS\system32\drivers
22:22:03.281 AVAST engine scan C:\Documents and Settings\SA
22:36:21.546 Disk 0 MBR has been saved successfully to "C:\Program Files\Mozilla Firefox\MBR.dat"
22:36:21.703 The log file has been saved successfully to "C:\Program Files\Mozilla Firefox\aswMBR.txt"
22:36:39.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\SA\Desktop\MBR.dat"
22:36:39.062 The log file has been saved successfully to "C:\Documents and Settings\SA\Desktop\aswMBR.txt"

#12 narenxp

Posted 22 January 2012 - 11:52 PM

That looks good, do you still face redirects?

You should be able to run TDSSKiller now.

Download

TDSSKiller

Launch it, click on "Scan". Please post the LOG report.

Download

ESET online scanner

Install it.

Click on START, it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to the desktop, copy the contents of the text file in your reply.

Good luck

Edited by narenxp, 22 January 2012 - 11:52 PM.


#13 tsimms1964

Posted 23 January 2012 - 12:09 AM

TDSSKiller came back clean.
ESET online couldn't download, probably because I have 3 firewalls activated now. But everything is back to normal now, I think.
1 question: aswMBR wants to fix the MBR, should I let it?

#14 narenxp

Posted 23 January 2012 - 12:31 AM

Don't click on FIXMBR, you don't have any MBR infection now.

Download

TFC


Launch it, it will close all running programs.

Click on START, it should ask for a reboot.

Turn off your System Restore, restart the PC, create a new restore point.

http://support.microsoft.com/kb/310405


Update your antivirus frequently, do not click on suspicious links.

Safe surfing :)

#15 tsimms1964

Posted 23 January 2012 - 12:41 AM

Done, all that is left now is fixing the keyboard shortcuts, like Ctrl-C and Ctrl-Alt-Delete. That's all that is missing now. Thanks for all your help.
