
Malware removed (I think...) but now nothing works.


7 replies to this topic

#1 JTCBrown

  • Members
  • 6 posts

Posted 11 March 2015 - 01:25 PM

It had a ton of malware / viruses. LaFlurla, among others.

Scanned and cleaned with Comodo CCE and MBAM.

After three or four passes all came up clean.

But now... nothing works. IE opens to MSN.com, or whatever the first page is, but then won't go to any other pages. It just spins, with two iexplore.exe processes in taskmgr, one taking up 50k+ RAM, the other 4k~6k. Closing either closes both.

Can't do Windows updates - it downloads, installs, and reboots, then notes "failure" and reverts. I can do one or two at a time fine, but the system needs some 120+ updates, as it had not been updated in a long time.

Won't install SCEP. 0x80004002 error when it gets to the update part.

All sorts of WMI and DCOM errors in the event logs. I got the DCOM errors sorted, mostly, and followed various support articles on the WMI errors.

But I have hit a wall :(

Attaching full logs of MBAM, and Farbar Recovery Scan.

Any help appreciated.

 


#2 JTCBrown

  • Topic Starter
  • Members
  • 6 posts

Posted 11 March 2015 - 05:17 PM

Well, those MBAM logs are pointless - I swear each time it was finding tons of stuff, and I exported the log and then cleaned. Great. That will help this process so much. :(



#3 JTCBrown

  • Topic Starter
  • Members
  • 6 posts

Posted 13 March 2015 - 04:13 PM

I have a ton of logs from various things to post here, but will not pre-empt the request for such, for now. Been digging through the error logs and trying various things to no avail.

It will install some programs / updates, but will not install SCEP or MS Office 2010, and most Windows updates and security patches result in the system reverting changes after reboot.



#4 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Location: Montreal, QC, Canada

Posted 15 March 2015 - 08:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKLM Group Policy restriction on software: %AppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\Rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %localAppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %localAppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2525485275-104411231-1386194670-48378\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled No File
S3 Smcinst; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SmcLU\Setup\smcinst.exe [X]
S3 catchme; \??\C:\Users\admin.jdt\AppData\Local\Temp\catchme.sys [X]
S3 EraserUtilDrv11312; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11312.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
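An added example, not part of nasdaq's post and not FRST's own code: a PowerShell audit that records the two things the fixlist above changes, the Software Restriction Policy path rules behind the "Group Policy restriction on software" lines and the services whose binary no longer exists (FRST's [X] marker), so the state can be compared before and after the fix. It assumes Windows PowerShell run as an administrator and the documented registry layout for SRP rules (Safer\CodeIdentifiers\<level>\Paths\<guid>, value ItemData) and services (Services\<name>, values ImagePath and Start).

```powershell
# Added example (not from the thread or from FRST). Run as administrator.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security levels used as subkey names under CodeIdentifiers (assumed documented values).
$Levels = @{ 0='Disallowed'; 4096='Untrusted'; 65536='Constrained'; 131072='BasicUser'; 262144='Unrestricted' }

function Get-SrpPathRule {
    # One object per SRP path rule: the level it enforces plus the path pattern.
    # Patterns such as %AppData%\*\*.exe under Disallowed are what FRST flagged above.
    if (-not (Test-Path $SaferRoot)) { return }
    foreach ($lvl in Get-ChildItem $SaferRoot) {
        $paths = Join-Path $lvl.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $Levels[[int]$lvl.PSChildName]; Pattern = $p.ItemData; Rule = $rule.PSChildName }
        }
    }
}

function Resolve-ImagePath([string]$ImagePath) {
    # Normalise the forms seen in ImagePath: "\??\C:\...", "\SystemRoot\...",
    # bare "System32\drivers\x.sys", quoted or unquoted paths followed by arguments.
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^"([^"]+)".*$', '$1' -replace '^(.+?\.(exe|sys|dll))(\s.*)?$', '$1'
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedService {
    # Services and drivers whose binary is missing: the entries FRST prints with [X].
    # Start=3 is demand start (FRST's "S3"); 0, 1 and 2 are boot, system and auto.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $v.ImagePath) { continue }
        $file = Resolve-ImagePath $v.ImagePath
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Service = $svc.PSChildName; Start = $v.Start; ImagePath = $v.ImagePath; Resolved = $file }
        }
    }
}

Get-SrpPathRule | Format-Table -AutoSize
Get-OrphanedService | Format-Table -AutoSize
```

Saving both tables before and after running the fix gives a record of exactly which rules and service entries were removed.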

#5 JTCBrown

  • Topic Starter
  • Members
  • 6 posts

Posted 17 March 2015 - 11:51 AM

Can I ask what exactly that file is going to do? I see a reference to Symantec Endpoint Protection, which has been uninstalled, for instance.

As of right now, prior to doing as you advise, the system is in the same condition - runs more or less fine, no real delays or anything, but we cannot re-install missing or broken apps, and still cannot use IE for anything, under any user profile.



#6 JTCBrown

  • Topic Starter
  • Members
  • 6 posts

Posted 17 March 2015 - 12:13 PM

Well, I ran this... and now it will not let me log on remotely with any of our admin passwords...



#7 JTCBrown

  • Topic Starter
  • Members
  • 6 posts

Posted 17 March 2015 - 12:41 PM

Never mind, another tech found a PC we can use to replace this. Thank you for the help nonetheless.



#8 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Location: Montreal, QC, Canada

Posted 17 March 2015 - 12:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



