Ran MBAM, killed computer


This topic is locked
2 replies to this topic

#1 forest bayou

Posted 24 January 2012 - 06:43 PM

Hi there! So here's my story: Meet Bob. Bob is a Compaq Presario, AMD Athlon 64, running Windows XP. Bob is old and cranky. We ran MBAM on Bob (who had a fake virus alert malware) and Bob went crazy. The main user lost everything on the desktop and all users lost access to the internet. Read more about it here: http://www.bleepingcomputer.com/forums/topic436819.html The original MBAM logs are there and some other stuff one of your guys had me run: Security Check, FSS, MiniToolBox and GMER.

In trying to fix Bob, Bob told me to run chkdsk \f and I did. Now Bob is stuck in safe mode. After I ran and posted the stuff from the diagnostics I was told to run, I was told to follow the Prep Guide for Posting and then to post here. There is no CD emulation software on this computer. I downloaded DSS.scr (by the way, the link I was taken to off of the Prep Guide post was no good) and it began to run but got stuck about 20 "#" into its run. So no reports from it.

I tried running GMER again (just for fun) and got this message: LoadDriver( "C:\DOCUME~1\Seilina\LOCALS~1\Temp\kwecrfob.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key. Wow, hope that makes sense to you! So, I click OK and get taken to the GMER main screen. The only things I can check/uncheck are: Services, Registry, Files, and ADS. I told it to check the main drive only and then clicked scan. I got this for my trouble:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-23 16:40:08
Windows 5.1.2600 Service Pack 3
Running: tztrkp9i.exe; Driver: C:\DOCUME~1\Seilina\LOCALS~1\Temp\kwecrfob.sys


---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB14827$\219204356 0 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\L 0 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\L\lmakapzs 75264 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U 0 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@80000000 26112 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@800000c0 32768 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@800000cb 24064 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@800000cf 31744 bytes
File C:\WINDOWS\$NtUninstallKB14827$\4004617174 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\219204356 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\219204356\L 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\219204356\U 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\604225456 0 bytes

---- EOF - GMER 1.0.15 ----





Now the big question: Did I kill Bob? Is there a reasonably simple(ish) fix to this, or should I reformat and reinstall? We have already gotten all the files off that are needed. Thanks!
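The GMER "Files" section quoted above, run through a small triage script. This is an added example for this thread, not part of the original post and not a GMER or BleepingComputer tool. The sample input is the log exactly as pasted above; the three heuristics it applies (a KB number shorter than six digits, a purely numeric folder directly under the uninstall folder, and entries named @, L, U or @ followed by eight hex digits) are assumptions made here for illustration, resting only on the fact that a genuine Windows XP hotfix uninstall folder holds a spuninst subfolder plus the replaced system files under their real names. It does not attempt to name the malware family; it only makes the odd layout that CatByte calls a "nasty rootkit" easy to spot and summarise for a reply.

```python
"""Triage the 'Files' section of a GMER log for odd $NtUninstall...$ layouts.

Added example for this thread; not a GMER or BleepingComputer tool.
The heuristics are assumptions made here for illustration.
"""
import re

# One GMER file line: "File <path> <size> bytes"
FILE_LINE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")
# Windows XP hotfix uninstall folder name, e.g. $NtUninstallKB2479943$
UNINSTALL_DIR = re.compile(r"^\$NtUninstall(?P<kb>KB\d+)\$$", re.IGNORECASE)
# Names that do not look like backed-up system files: @, L, U, @ + 8 hex digits
ODD_NAME = re.compile(r"^(@|L|U|@[0-9a-fA-F]{8})$")

# Sample input: the Files section copied from the post above.
SAMPLE_LOG = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB14827$\219204356 0 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\L 0 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\L\lmakapzs 75264 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U 0 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@80000000 26112 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@800000c0 32768 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@800000cb 24064 bytes
File C:\WINDOWS\$NtUninstallKB14827$\219204356\U\@800000cf 31744 bytes
File C:\WINDOWS\$NtUninstallKB14827$\4004617174 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\219204356 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\219204356\L 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\219204356\U 0 bytes
File C:\WINDOWS\$NtUninstallKB50708$\604225456 0 bytes

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer_files(text):
    """Return [(path, size_in_bytes), ...] for every 'File' line in the log."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries


def _find_uninstall_dir(parts):
    """Return (index, kb) of the first $NtUninstallKB...$ path component, else None."""
    for i, part in enumerate(parts):
        m = UNINSTALL_DIR.match(part)
        if m:
            return i, m.group("kb")
    return None


def triage_uninstall_folders(entries):
    """Group entries by $NtUninstall...$ folder and flag layouts that do not
    look like a hotfix backup (spuninst\ plus real file names).  Flags are
    heuristics: short-kb-number (fewer than 6 digits; XP SP3-era KB numbers
    have 6-7), numeric-subfolder, odd-entry-names (see ODD_NAME)."""
    folders = {}
    for path, size in entries:
        parts = path.split("\\")
        hit = _find_uninstall_dir(parts)
        if hit is None:
            continue  # not under a hotfix uninstall folder; out of scope here
        i, kb = hit
        root = "\\".join(parts[: i + 1])
        rel = parts[i + 1:]
        rec = folders.setdefault(root, {"kb": kb, "entries": [], "bytes": 0, "flags": set()})
        rec["entries"].append(("\\".join(rel), size))
        rec["bytes"] += size
        if len(kb) - len("KB") < 6:
            rec["flags"].add("short-kb-number")
        if rel and rel[0].isdigit():
            rec["flags"].add("numeric-subfolder")
        if any(ODD_NAME.match(p) for p in rel):
            rec["flags"].add("odd-entry-names")
    return folders


def report(text):
    """One summary line per flagged folder, ready to paste into a reply."""
    lines = []
    for root, rec in sorted(triage_uninstall_folders(parse_gmer_files(text)).items()):
        if rec["flags"]:
            lines.append(f"{root}: {len(rec['entries'])} entries, {rec['bytes']} bytes, "
                         f"flags={','.join(sorted(rec['flags']))}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the pasted log the script reports both uninstall folders with all three flags: KB14827 holds 15 entries totalling 248280 bytes under a numeric subfolder with @, L and U children, and KB50708 holds four empty placeholders of the same shape. A folder laid out like a real hotfix backup (spuninst\spuninst.exe beside the replaced system files, with a six- or seven-digit KB number) raises no flag, which is the point of the comparison.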

#2 CatByte (Malware Response Team)

Posted 28 January 2012 - 02:41 PM

This can be fixed, but it may be quicker and easier to reformat as there is a nasty rootkit on board; that's up to you.

Please run the following. It will run from safe mode, but it will not be able to install the Recovery Console as there is no connection; continue saying "OK" through that part.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.



NEXT

Re-run the Farbar Service Scanner.

Type the following into the search window:

ipsec.sys

Now press the "Search files" button > post the resulting log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte (Malware Response Team)

Posted 04 February 2012 - 07:40 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
