
Hello!!

I have here a Windows XP machine that is severely damaged from attacks of malware and possibly rootkits. I cannot boot into ANY safe mode; the computer just loads back to the DELL screen. When I boot normally, it's slower than ever, and I get overloaded with rogue anti-virus programs. Right now, I see REGCURE and PERSONAL SECURITY.

When I put my Windows XP re-install CD in, I can navigate to the SETUP file, but it will NOT open. Can't run it as ADMINISTRATOR or anything, and I'm really at a loss here. If you could help me AT ALL, I'd really really appreciate it. I can't even copy MALWAREBYTES onto the desktop. It says I DO copy it; however, I see 0 icons.

Help!?!?!?!?!?!


Hello,

I will be helping you with removing malware from your computer. Log research takes time, so please be patient, and I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions in the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum, please advise us so that we can close this thread.
  • If you do not reply within 3 days after my last response, I will be asking you whether you still need assistance and if you still don't reply within 24 hours then the topic will be closed.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

Let's start with these:

Let's disable your CD emulation drivers, if any.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

--Next--

Please download DDS by sUBs from one of the following links and save it to your desktop.

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click the DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

To post in your next reply:

1. Defogger log.

2. DDS logs.

3. GMER log.


Hey Inzanity, this seems to be worse than we thought. When my PC is on for no longer than a minute, all my icons disappear and I see a fake Microsoft 'Security Center' pop up. It looks exactly like the WinXP Security Center, except it's a rogue program, no doubt about that. I cannot run any of the progs you gave me so far, and when I try to boot into safe mode, when it gets to the MVP file, it stops and reboots to the DELL screen. No 'safe mode' works at all.

I even try to tell it to boot from CD so I can wipe the PC, and it still does NOT boot from CD. If I navigate to the CD in the PC, it won't run the setup, saying I don't have permission to run it.

:)


Hi,

Do you intend to reformat the PC? If not, then let's try this:

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

--Next--

If you have an active internet connection, copy/paste the links below into your browser, don't click them or the rogue might redirect. If you don't have an active internet connection, download the tools from another machine, and transfer them to the affected machine via USB flash drive.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

http://download.bleepingcomputer.com/grinler/rkill.exe

http://download.bleepingcomputer.com/grinler/rkill.com

http://download.bleepingcomputer.com/grinler/rkill.scr

http://download.bleepingcomputer.com/grinler/rkill.pif

Note:

You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN; do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run analysis tools.

Once the tool has run, do NOT reboot the machine, and then try once again to run DDS and GMER.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

--Next--

If the above steps run successfully, then please do the steps from post #2 again.

To post in your next reply:

1. exeHelper log.

2. RKill log.

3. Defogger/DDS/GMER logs.


Exe Helper Log:

exeHelper by Raktor

Build 20100414

Run at 23:30:38 on 05/15/10

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Killed process psecurity.exe

Checking for bad files...

Deleting file C:\WINDOWS\system32\win32extension.dll

Error deleting C:\WINDOWS\system32\win32extension.dll - Set for removal on reboot - PLEASE REBOOT

Deleting file C:\Documents and Settings\Owner\Desktop\Personal Security.lnk

Deleting file C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll

Checking for bad registry entries...

Removing HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

Working on getting on the internet at the moment. Thank you for your update so far.

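As an added example (not part of the original thread and not exeHelper's code), here is a Python audit of the persistence points the exeHelper log above reports resetting: the .exe/.com file associations, the Winlogon Userinit and Shell values, and the policies a rogue uses to lock out Task Manager and regedit. The expected values are assumed Windows XP defaults, and the hijacked sample (with its PLACEHOLDER path) is constructed; run `audit(collect_live())` on the affected machine to check the live registry.

```python
# Known-good Windows XP defaults for the persistence points exeHelper reset
# (assumed values; compare against a known-clean XP machine before relying on them).
EXPECTED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe",
    r"HKCR\exefile\shell\open\command\(Default)": '"%1" %*',
    r"HKCR\comfile\shell\open\command\(Default)": '"%1" %*',
}
# Policies a rogue flips to 1 so the user cannot open Task Manager or regedit.
POLICY_ROOT = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICIES = (POLICY_ROOT + r"\DisableTaskMgr", POLICY_ROOT + r"\DisableRegistryTools")

def audit(values):
    """values: mapping of registry path -> current data (None when absent).
    Returns a list of (path, current, expected) for every deviation found."""
    findings = []
    for path, good in EXPECTED.items():
        cur = values.get(path)
        # Case-insensitive compare; Userinit may legitimately omit the trailing comma.
        if (cur or "").strip().lower().rstrip(",") != good.lower().rstrip(","):
            findings.append((path, cur, good))
    for path in POLICIES:
        cur = values.get(path)
        if cur not in (None, 0):  # any non-zero value is a lock-out
            findings.append((path, cur, 0))
    return findings

def collect_live():
    """Read the same values from the live registry (Windows only)."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    out = {}
    for path in list(EXPECTED) + list(POLICIES):
        root, rest = path.split("\\", 1)
        key, _, name = rest.rpartition("\\")
        try:
            with winreg.OpenKey(roots[root], key) as k:
                out[path] = winreg.QueryValueEx(k, "" if name == "(Default)" else name)[0]
        except OSError:  # key or value missing: treated as absent
            out[path] = None
    return out

# Constructed sample of the kind of tampering exeHelper reset (placeholder path,
# not a value taken from the log above).
SAMPLE_HIJACKED = dict(EXPECTED)
SAMPLE_HIJACKED[r"HKCR\exefile\shell\open\command\(Default)"] = r'"C:\PLACEHOLDER\rogue.exe" "%1" %*'
SAMPLE_HIJACKED[POLICY_ROOT + r"\DisableTaskMgr"] = 1
```

A hijacked exefile command is how every .exe, including the setup and scanner binaries the original poster could not launch, gets routed through the rogue first.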

Thanks to your EXE Helper, I was able to kill the nasty processes and run the XP chkdsk, then just re-formatted. Took the easy way out, hahaha.

Again, thank you for your timely response, but I just re-installed this time around. Thanks for all your help!

So long!!!


Hi,

Thanks for informing us. Glad we could be of assistance.

Here are some tips to keep your system up to date:

Here are some tips to reduce the potential for spyware infection in the future:

1. It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:

Strong passwords: How to create and use them

Then consider a password keeper, to keep all your passwords safe.

2. Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then OK to exit the Internet Properties page.

3. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

5. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.

For information on how to download and install, please read this tutorial by WinHelp2002

Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

6. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

7. SpywareBlaster - Download and install SpywareBlaster. This program prevents the installation of ActiveX-based spyware and other potentially unwanted programs.

8. Protect your computer from internet threats with SandboxIE. This program isolates Internet Explorer from the rest of your operating system, 'sandboxing' it away - so malicious websites can't do damage to the rest of your system. There is a Getting Started guide on their website.

9. Some excellent free firewalls. Note: Use only one firewall at a time.

Agnitum Outpost Firewall

Comodo Firewall - If you are installing this and already have an anti spyware then please do not install Comodo's anti spyware program.

Online Armor Personal Firewall

10. And finally, please read these excellent articles:

Malware: Help prevent the Infection by Sandi Hardmeier,

Preventing Malware - Tools and Practices for Safe Computing

For more safe computing tips please read the guide by Rorschach112 on how to prevent malware and about safe computing here.

Good luck, happy computing and stay clean! :)
