Problems--Need Help

My Malware scan took 11 hours to run and found nothing, so I know something's wrong. I went to the "I'm infected--what do I do now?" thread and took the necessary steps.

MBAM Log:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6705

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

6/22/2011 7:28:55 AM

mbam-log-2011-06-22 (07-28-55).txt

Scan type: Full scan (C:\|D:\|F:\|)

Objects scanned: 217958

Time elapsed: 11 hour(s), 26 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.scr wouldn't complete. I never got a notification that it was completed, no log files opened.

GMER Rootkit Scanner Log:

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-22 13:24:00

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 IC25N030ATDA04-0 rev.DA4OA70A

Running: jrlfpqds.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fwryypow.sys

---- Kernel code sections - GMER 1.0.15 ----

LCODE C:\WINDOWS\System32\DRIVERS\PCX504.sys entry point in "LCODE" section [0xF71E20EC]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

What should I do next?

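One way to sanity-check a "clean" MBAM 1.x log like the one above is to compare objects scanned against time elapsed: 217,958 objects in more than eleven hours is far below a healthy full-scan rate, which is exactly what made the poster suspicious. The following is an added example, not part of the original thread or of Malwarebytes' tooling; the sample log string is constructed from the summary lines quoted above, and the 100,000-objects-per-hour threshold is an assumed heuristic, not a vendor figure.

```python
import re

# Constructed sample in the Malwarebytes' Anti-Malware 1.51 log format quoted in
# the thread (summary section only; the numbers are the poster's own).
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 6705
Objects scanned: 217958
Time elapsed: 11 hour(s), 26 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

ELAPSED_RE = re.compile(r"Time elapsed:\s*(?:(\d+) hour\(s\))?,?\s*"
                        r"(?:(\d+) minute\(s\))?,?\s*(?:(\d+) second\(s\))?")
# Matches only the numeric summary lines ("Files Infected: 0"), not the
# later section headers ("Files Infected:") that precede the item lists.
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)\s*$", re.M)

def parse_elapsed_seconds(log: str) -> int:
    """Convert the 'Time elapsed' line to seconds; absent units count as 0."""
    m = ELAPSED_RE.search(log)
    if not m:
        raise ValueError("no 'Time elapsed' line in log")
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s

def parse_mbam_summary(log: str) -> dict:
    """Extract objects scanned, elapsed seconds and total detections."""
    objects = re.search(r"Objects scanned:\s*(\d+)", log)
    if not objects:
        raise ValueError("no 'Objects scanned' line in log")
    return {"objects_scanned": int(objects.group(1)),
            "elapsed_seconds": parse_elapsed_seconds(log),
            "detections": sum(int(n) for _, n in COUNT_RE.findall(log))}

def triage(log: str, min_objects_per_hour: int = 100_000) -> dict:
    """Flag a scan that found nothing yet crawled. The rate threshold is an
    assumed heuristic for a healthy XP-era disk, not a Malwarebytes figure."""
    s = parse_mbam_summary(log)
    hours = s["elapsed_seconds"] / 3600
    s["objects_per_hour"] = round(s["objects_scanned"] / hours) if hours else None
    s["suspiciously_slow"] = (s["detections"] == 0
                              and s["objects_per_hour"] is not None
                              and s["objects_per_hour"] < min_objects_per_hour)
    return s
```

A zero-detection scan that is also flagged slow is a cue to look past the signature scanner (disk errors, a rootkit hiding from user-mode scanning, or a filter driver stalling I/O), which is the direction the helpers take in the rest of the thread.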

Hi Sarah

I ran the quick scan and the full scan, and both came up empty. But I know something is still wrong because it took 11 hours to run the full scan. My regular antivirus software is disabled and won't come back on. I can't access the internet. It takes my computer forever to boot up, even in safe mode. Obviously something is wrong. Help!

Can you access the internet with the PC that is infected?


We need to look at some information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your Thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).


Using a different computer now. DDS is running, but it's taking WAY longer than the three minutes it promises. It has a line of # signs across the screen, with a cursor blinking underneath it at the left, and that's where it's been for the last twenty minutes or so.


Cancel DDS for now.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


I think it stalled. I didn't see the part about not mouse-clicking until afterward. So I started it again. It's been running for about fifteen or twenty minutes. Still scanning, I assume.

Not being impatient--just updating you on the status.


ComboFix shouldn't take longer than 20 minutes.

Click on Start, click Run, and then copy/paste the following bolded text into the Run box and click OK

"%userprofile%\desktop\ComboFix.exe" /killall

followed by Enter.

When finished, it will produce a log.

I entered the bold text exactly as above, and I got an error message: Windows cannot find 'C:\Documents and Settings\user\desktop\ComboFix.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select Safe Mode with Networking and press Enter.
  • Login as the same user you were previously logged in at.

Double click on combofix.exe & follow the prompts. Be Sure to save the Combofix log. Please post the ComboFix.txt.

Did the above. It's been running for over half an hour now. Still at the same point as before.


It’s amazing, these “malware” programs are released to cause problems. That's alright we'll fix your PC... :)

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only


  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Next

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Next

DeFogger

Download DeFogger by jpshortstuff from here & save it to your desktop.

  • Right click DeFogger then choose Run as Administrator Or you can double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK. If not, reboot your PC.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Then Double click on combofix icon (in normal mode) & follow the prompts. Please post the ComboFix.txt


Defogger did not ask me to reboot. I had to do it myself. Then I couldn't get it to restart in normal mode. I'd get a blue screen that said Fatal System Error, among other things I didn't catch. I had to restart it in safe mode with networking. So I did that, and then I tried Combofix again. It's been running for over twenty minutes with no change.

Thanks for all your help today. It's 2 a.m. my time, and I need to get some sleep. But I'll be back here later to see what I need to do next.


Hi,

HijackThis should run, to give me some idea of what is installed in your PC.

Click here to download HJTInstall.exe

  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)


In normal mode do the following:

  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


I'm completely unable to boot up the computer in normal mode. It takes a long time, and then I get a blue screen that says Fatal System Error and some other stuff, and then it shuts itself down immediately. Should I try it in safe mode with networking?


Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now use your arrow keys to move to "Last Known Good Configuration" and press your Enter key. This will enable the system to go back to a date before you had this problem. Then try to download Win32kDiag in normal mode.


It took around 30 min. to completely boot up with Last Known Configuration and run Win32kDiag.exe.

Right now, I have the black C:\ window, and this is what it says:

Starting up . . .
Running from: C:\Documents and Settings\user\Desktop\Win32kDiag.exe
Log file at: C:\Documents and Settings\user\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS' . . .

Then there is a cursor blinking at the left a couple of lines down. It's been like that for about 10 minutes (I'm using another computer to post this). I do see the Win32kDiag.txt on my desktop.
