
Need help with infection



@wonder_son...

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


I followed your instructions and removed any memory sticks.

So I tried to run RogueKiller and it did not complete. I ran for a while, then a Windows popup told me that it had stopped working and I had no choice but to close it.

FYI: I have taken the infected PC off the Inet and am using a memory stick to copy executables/logs back and forth. The PC is considerably slower and more unstable when connected to the Inet.

I am helping a friend with their computer and have limited times to access it. In order to speed things up I wanted to try to get RogueKiller to work by stopping the virus with rkill.exe long enough to run it, which I did.

rkill indicated there was a virus and I have attached its log.

I tried to run RogueKiller after rkill, but it failed to complete with the same message above.

Rkill.txt


Please do this instead...............

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC


I have followed your instructions, and run TDSSKiller. There was a rootkit found that it "cured" and then rebooted.

I have attached the log files.

I am still worried though. After logging into Windows after reboot there is still a "System Error: Hard disk failure detected" message box and many "System message: write fault error" pop ups.

I can close the write fault error message pop ups to clean up the desktop, but if I close the hard disk failure dialog (or choose scan and repair) the PC immediately reboots.

These message boxes existed before the TDSSKiller and still exist. I think they were part of the virus because clicking the scan option never actually scanned, it just rebooted the PC.

TDSSKiller.2.7.48.0_07.08.2012_18.03.14_log.txt


18:06:09.0655 0900 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

18:06:09.0655 0900 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Run it again and just choose Delete for this one only.

-------------------------

Then................

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC
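
The two log lines quoted at the top of the post above record a detection that was skipped rather than treated. As an added example (not part of the original post and not TDSSKiller's own code), this Python script parses lines of that shape and lists every object whose last recorded user action is Skip. The line layout is an assumption inferred only from those two quoted lines; `last_actions`, `untreated`, `SAMPLE` and the third sample line are constructed for illustration.

```python
import re

# Layout inferred from the two log lines quoted in the post (an assumption):
#   HH:MM:SS.ffff <id> <object> ( <verdict> ) - <message>
LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\w+)\s+"
    r"(?P<object>.+?)\s+\(\s*(?P<verdict>[^()]+?)\s*\)\s+-\s+(?P<message>.+)$"
)
ACTION = re.compile(r"^User select action:\s*(?P<action>\w+)$")

# First two lines are from the post; the third is constructed for illustration.
SAMPLE = r"""
18:06:09.0655 0900 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:06:09.0655 0900 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
18:06:10.0100 0900 C:\example\constructed.sys ( Constructed.Detection ) - User select action: Cure
"""


def last_actions(log_text):
    """Map (object, verdict) to the last user-selected action seen for it."""
    actions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and lines of any other shape are ignored
        a = ACTION.match(m.group("message").strip())
        if a:
            # A later line for the same object overrides an earlier choice.
            actions[(m.group("object"), m.group("verdict"))] = a.group("action")
    return actions


def untreated(log_text):
    """Return the (object, verdict) pairs whose final action was Skip."""
    return sorted(
        key for key, action in last_actions(log_text).items()
        if action.lower() == "skip"
    )


if __name__ == "__main__":
    for obj, verdict in untreated(SAMPLE):
        print(f"skipped, still needs a decision: {obj} ({verdict})")
```
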


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

