Ran Malwarebytes and now computer won't boot


Don't push it.....

Do this:

Download TDSSKiller to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Start Scan.

Don't Change These Settings:

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

You may be asked to reboot the computer to complete the process. Click on Reboot Now.

To view the report:

Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

MrC


I ran TDSSKiller, it found no infections. Log is attached.

Is there some reasonable amount of time I should expect MBAM scanner to complete? Interesting that one of the recent scans only took 30 or so minutes (the one I didn't get a log of, of course), and all others are taking hours (and I have resorted to aborting).

TDSSKiller.2.4.16.0_07.02.2011_16.56.23_log.txt


To fix that.......

1. Click Start, Run and type GPEDIT.MSC

2. Navigate to this path:

-> Computer Configuration

--> Administrative Templates

---> System

----> System Restore

3. Set Turn off System Restore to Not Configured

4. Set Turn off Configuration to Not Configured

MrC


So system restore works now...right?

We have to run ComboFix.

The main thing is to disable your anti-virus and anti-malware programs.

here's how it goes:

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7

  • ComboFix must be run from an Administrative account.

  • Vista and W7 users - Right click, choose "Run as Administrator"

  • It must be downloaded to and run from your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". (see below)

  • ComboFix Guide <---please read!

Download ComboFix from one of these locations: (you may have to use right click > save target as)

  • Link 1

  • Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit.

More info HERE<-------

They may interfere with the running of ComboFix.

Note: If you have AVG or CA Internet Security Suite installed, due to recent changes in how these AVs target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download and run Opswat AppRemover.

  • Double click on ComboFix.exe & follow the prompts.

  • Note: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

  • Note: If you have SP3, use the SP2 package.

If Vista or Windows 7, skip the Recovery Console part

  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

  • 1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

  • 2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

  • 3. ComboFix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.

  • 4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix and Here

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

  • 5. Give ComboFix at least 20-30 minutes to finish if needed.

MrC


OK, don't be intimidated by the instructions for ComboFix. I just list all the information available for ComboFix so someone can't come back to me and say "you didn't tell me....", it's all there in black and white.

The main things are:

Download and run ComboFix from your desktop

Disable your anti-virus, anti-malware programs before running it......ComboFix will warn you if you missed something

ComboFix will create a new restore point and back up the registry before it runs

You already have the recovery console installed, so you should be all set.

MrC


I've uploaded all those files Here

They're zipped up in a folder called Files.zip

Download and unzip the Files.zip

Move the Files folder into C:

So the path to the new files is C:\Files\regedit.exe <-----example

Now run OTL and.....

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    c:\windows\system32\drivers\tcpip.sys|C:\files\tcpip.sys /replace
    C:\WINDOWS\system32\dllcache\tcpip.sys|C:\files\tcpip.sys /replace

    C:\WINDOWS\system32\comres.dll|C:\files\comres.dll /replace
    C:\WINDOWS\system32\dllcache\comres.dll|C:\files\comres.dll /replace

    C:\WINDOWS\system32\user32.dll|C:\files\user32.dll /replace
    C:\WINDOWS\system32\dllcache\user32.dll|C:\files\user32.dll /replace

    C:\WINDOWS\system32\sfcfiles.dll|C:\files\sfcfiles.dll /replace
    C:\WINDOWS\system32\dllcache\sfcfiles.dll|C:\files\sfcfiles.dll /replace

    C:\WINDOWS\system32\termsrv.dll|C:\files\termsrv.dll /replace
    C:\WINDOWS\system32\dllcache\termsrv.dll|C:\files\termsrv.dll /replace
    c:\windows\system32\syscache\termsrv.dll|C:\files\termsrv.dll /replace

    C:\WINDOWS\regedit.exe|C:\files\regedit.exe /replace
    C:\WINDOWS\system32\dllcache\regedit.exe|C:\files\regedit.exe /replace


    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

--------------------------------

Reboot the computer and run ComboFix again.

Post the logs from ComboFix and OTL

MrC


These weren't replaced last time because the computer wasn't rebooted:

Run OTL again with this code and make sure you reboot the computer:

    :Files

    c:\windows\system32\comres.dll|c:\windows\system32\dllcache\comres.dll /replace

    c:\windows\system32\user32.dll|c:\windows\system32\dllcache\user32.dll /replace

    c:\windows\system32\termsrv.dll|c:\windows\system32\dllcache\termsrv.dll /replace

Then run another ComboFix scan.

MrC


I did sorta wonder about the Ultimate Edition by Johnny - but I'd never have thought that an OS was something you could pirate. You'd think MS would have that shut down within a day. But I paid $150 for the computer and didn't ask too many questions.

I'll re-run the OTL and Combofix procedures this evening. I did reboot after running the OTL fix previously though (it messaged that I had to reboot). I'll reboot twice next time.

Slightly off topic here, but Ultimate Edition by Johnny is a pirated Windows XP. Not sure if you are aware of that. If someone sold it to you, it was not a genuine copy of Windows.

Glad you got it booting though.


I missed the "XP Ultimate by Johnny" part.

----------------------

This is what was in the OTL report log:

Unable to replace file: C:\WINDOWS\system32\comres.dll with C:\files\comres.dll without a reboot.

Unable to replace file: C:\WINDOWS\system32\user32.dll with C:\files\user32.dll without a reboot.

Unable to replace file: C:\WINDOWS\system32\termsrv.dll with C:\files\termsrv.dll without a reboot.

Hopefully it will work this time.

MrC


I ran the OTL fix, re-booted twice, then ran combofix. Logs attached.

I tried to follow the link you posted, but it said I had to take a survey. I decided not to risk any more possibilities of infection (don't know if there was any), so I don't know where it would've taken me. Is it possible this "Johnny" version is inhibiting the fix?

ComboFix.txt

02142011_200731.log


I see you do get a lot of pop-ups when you click on that link. It's safe, but I took it down just in case.

OTL failed to replace those files, so let's use ComboFix.....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.


    FCopy::
    c:\windows\system32\dllcache\comres.dll | c:\windows\system32\comres.dll
    c:\windows\system32\dllcache\user32.dll | c:\windows\system32\user32.dll
    c:\windows\system32\dllcache\termsrv.dll | c:\windows\system32\termsrv.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC
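The OTL `/replace` lines earlier in the thread and the ComboFix `FCopy::` script above both do the same thing: restore a protected system file (comres.dll, user32.dll, termsrv.dll) from its Windows File Protection copy in system32\dllcache. What the thread never shows is how a responder would check which files actually need that, before and after the fix. The script below is an added example, not code from the thread or from OTL/ComboFix: it hashes each watched file in system32 against its dllcache twin and reports the pairs that disagree. The function names, the watched-file list and the throwaway directory tree it builds are this example's own choices; the sample files are constructed data, not real Windows binaries.

```python
"""Compare protected system files in system32 with their dllcache copies.

Added example, not taken from the forum thread or from OTL/ComboFix.
It assumes the Windows File Protection layout the thread relies on: a
pristine copy of each protected file kept in system32\\dllcache. The
function and directory names below are this example's own choices.
"""
import hashlib
import os
import tempfile

# Files the thread's OTL and ComboFix scripts replace (the names come from
# the thread; the choice to watch exactly these is this example's).
WATCHED_FILES = ["comres.dll", "user32.dll", "termsrv.dll", "sfcfiles.dll", "regedit.exe"]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_cache(system_dir, cache_dir, names=WATCHED_FILES):
    """Return {name: status} for each watched file.

    status is one of:
      "ok"                - system32 copy and dllcache copy are byte-identical
      "mismatch"          - both exist but differ: a patched file, or an update
                            that touched only one copy; needs a closer look
      "missing-in-cache"  - nothing local to restore from; a clean copy has to
                            come from install media or a known-good machine
      "missing-in-system" - the live file is gone
    """
    results = {}
    for name in names:
        live = os.path.join(system_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing-in-system"
        elif not os.path.isfile(cached):
            results[name] = "missing-in-cache"
        elif sha256_of(live) == sha256_of(cached):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def build_sample_tree():
    """Construct a throwaway system32/dllcache pair (constructed data, not a
    real Windows install) so the check can be run offline. Returns the root."""
    root = tempfile.mkdtemp(prefix="wfp-demo-")
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    clean = b"MZ" + b"\x00" * 62 + b"clean image"
    patched = clean + b"extra bytes appended"
    # comres.dll: both copies intact.
    for directory in (system32, dllcache):
        with open(os.path.join(directory, "comres.dll"), "wb") as fh:
            fh.write(clean)
    # user32.dll: live copy altered, cache copy intact (the case the thread fixes).
    with open(os.path.join(system32, "user32.dll"), "wb") as fh:
        fh.write(patched)
    with open(os.path.join(dllcache, "user32.dll"), "wb") as fh:
        fh.write(clean)
    # termsrv.dll: live copy present, no cache copy to restore from.
    with open(os.path.join(system32, "termsrv.dll"), "wb") as fh:
        fh.write(clean)
    return root


def check_sample_tree():
    """Build the constructed tree and run the comparison over it."""
    root = build_sample_tree()
    return compare_with_cache(os.path.join(root, "system32"),
                              os.path.join(root, "system32", "dllcache"))


if __name__ == "__main__":
    for name, status in sorted(check_sample_tree().items()):
        print(f"{name:14} {status}")
```

On a real XP host the two directories would be C:\WINDOWS\system32 and C:\WINDOWS\system32\dllcache. A "mismatch" on its own is not proof of tampering, because a hotfix can update the live copy and the cached copy at different times; confirm by comparing file version information or hashing against a copy from install media before overwriting anything, and rerun the check after a reboot, since the thread shows the in-use files only get replaced once the machine restarts.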


(Doing this over the phone with my wife at the helm...)

We created the txt file and dragged it into Combofix. We turned off Spybot and Adaware, and disabled the Mcafee on-access scanner (as I have done each previous time prior to running Combofix). However, this time Combofix reports that Mcafee is still on. Combofix says turn Mcafee off before selecting "OK". I don't know how else to turn Mcafee off, and Combofix has never given this warning previously. So currently the combofix warning is on, and I don't know how to cancel out of combofix, or how to turn off mcafee (VirusScan Enterprise 8.5.0i).
