Really bad trojan (rootkit?)

I apologize for creating an account to get help. My computer knowledge is slightly above average and I'm normally able to figure things out on my own. But I have encountered a problem that I cannot fix and hope to find some kind of solution.

First, I have followed the instructions on the "I'm infected - What do I do now?" thread. I am not able to complete any of the steps.

STEP 1 - Run Malwarebytes - I can download it but cannot run it as my problem is that I cannot run .exe files

STEP 2 - Run defogger - same as Step 1

STEP 3 - Run DDS - Same as Step 1

STEP 4 - Run GMER Rootkit Scanner - Same as Step 1

Here is a detailed explanation of what is going on...

I accidentally clicked on an image in Google images and was taken to a website which I believe downloaded a Trojan or virus of some sort, since my PC restarted on its own. I am now unable to open any .exe files. I cannot run anything...Malwarebytes, ComboFix, Ad-Aware, RKill, Firefox, Adobe...nothing. The only exceptions are programs located in the 64-bit Programs folder (the one without x86). However, the only thing really worth running in that folder, at least to combat this problem, is Internet Explorer (64-Bit), which I used to post this.

I run Windows 7 64-Bit. I am able to get to the registry and have tried several .exe fixes. I've even scanned the registry afterwards to make sure all fixes were made....everything was correct but .exe's still do not run. I have used System Restore to go to a good previous restore point but no help. I have changed the names of the .exe's, also with no help. I cannot reformat since the Windows 7 installation disc application is an .exe. When I do click on programs, the loading reticule appears for a second, disappears and nothing happens. I have tried right-click to "Run as Administrator" and "start", also with no help. I only have one PC so I am really trying to avoid slaving my drive on another system due to the inconvenience.

I also used a Windows 7 Rescue Disc. It detects a "virus" in a really old and reliable keygen that is not currently in use; it's just a backup on one of the partitions, not the partition with the OS, by the way...but I've had that file for about 7 years on 4 different Windows versions and never encountered a problem with it, so I'm sure it has nothing to do with this. Still, I went ahead and renamed it and two other related files just in case (as recommended by the rescue disc). No help. I also used AVG's USB boot application but it just freezes up after loading during boot. I have no choice but to restart. Not sure if this is related to the problem or just another coincidental error. I will keep looking into that.

Besides just .exe files not working, some Control Panel functions do not work. For example, I can't create a new user account to troubleshoot since the "Add or remove user accounts" button is now dead. I also tried uninstalling Java because I know some vulnerabilities may exist with it (going off of one Trojan I combated and defeated in the past). Unfortunately, I receive the "1719 Error" which will not let me remove it from my system. And again, I can't run any Java uninstaller .exe's.

And just to note, I do not receive any of the fake virus software pop-ups. Exe files do not bring up the "open with" prompt, nor is there any sluggish behavior of my system. Also, I have not encountered any blue screens and there are no TDSserver drivers present in the hidden files in my Device Manager. Everything appears normal except that none of my program files work.

Also, all the above things happen during normal boot up, Safe Mode, and Safe Mode with Networking.

So as you can tell, I am really screwed right now. If you have any other suggestions, I would be most grateful! I really hope it is something simple I am overlooking! Please help!

Joe

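Added example, not from the thread and not from any tool named in it: a read-only PowerShell check of the registry values Windows consults when a .exe is launched. It assumes the stock association (HKCR\.exe pointing at the exefile ProgID, whose open command is "%1" %*), looks for per-user overrides under HKCU\Software\Classes that shadow the machine-wide keys, and lists any Image File Execution Options entries with a Debugger value, since such an entry makes Windows start a different program in place of the named executable. Run it from an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example: read-only inspection of the .exe launch configuration.
# Expected values below are an assumption based on a stock Windows install.

function Get-ExeLaunchFindings {
    $findings = @()
    $expectedProgId  = 'exefile'
    $expectedCommand = '"%1" %*'

    # 1. Machine-wide association: HKCR\.exe -> exefile -> "%1" %*
    #    (the Registry:: provider path is used because HKCR: is not a default drive)
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.'(default)' } else { $null }
    if ($progId -ne $expectedProgId) {
        $findings += "HKCR\.exe default is '$progId' (expected '$expectedProgId')"
    }

    $cmd = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue
    $open = if ($cmd) { $cmd.'(default)' } else { $null }
    if ($open -ne $expectedCommand) {
        $findings += "HKCR\exefile\shell\open\command is '$open' (expected '$expectedCommand')"
    }

    # 2. Per-user overrides: keys under HKCU\Software\Classes take precedence over
    #    HKCR for that user, so a clean HKCR alone does not prove the association is clean.
    foreach ($sub in '.exe', 'exefile\shell\open\command') {
        $path = "Registry::HKEY_CURRENT_USER\Software\Classes\$sub"
        if (Test-Path -Path $path) {
            $val = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
            $findings += "Per-user override present at HKCU\Software\Classes\$sub = '$val'"
        }
    }

    # 3. Image File Execution Options: a Debugger value redirects launches of that
    #    program. Every entry is listed so each can be reviewed; legitimate debuggers
    #    may appear here too, so this is a review list, not a verdict.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger set for $($_.PSChildName): $dbg" }
    }

    return $findings
}

$result = @(Get-ExeLaunchFindings)
if ($result.Count -eq 0) {
    Write-Output 'No anomalies found in the .exe launch configuration.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A finding in section 1 or 2 explains why double-clicking an executable does nothing even after a registry "fix" that only touched HKCR; a finding in section 3 explains why specific tools fail while others run. The script only reports, so any repair is a separate, deliberate step taken from a known-good reference.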

LDTate,

I tried fixAssociation but it did not help. During normal bootup...when I double-click on the file, the command prompt briefly appears but then quickly disappears. Clicking on .exe's yields the same results as before.

I also tried in Safe Mode. After clicking on it, the command prompt appears for about 10 seconds; however, nothing happens. No inputs are entered, the reticule just blinks and the command prompt stays blank until it automatically closes.

Please advise. I appreciate the reply!!!!

Joe


Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop.

Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

* IMPORTANT !!! Save Iexplorer.com to your Desktop

Link 1

Link 2<--Right Click and use Save As if using this link.

Double click on the Iexplorer.com ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Note:

If combofix (ABCD) won't run from the desktop, try running it from the USB device.


Not sure either of these will work, but nothing to lose.

http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.

Next:

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right

[screenshot: AVPfront.gif]

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

[screenshot: avpsettings.gif]

Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press the Save button

Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

[screenshot: AVPAnalysis.gif]

On completion click the link to locate the zip file to upload and attach to your next post

[screenshot: AVPZiplocation.gif]


LDTate,

Again, I appreciate all you are doing! Unfortunately, none of the new steps work. After d-loading ActiveX, all I get is a red X in the window opened by ESET.

Also, AVPTool just acts like any other exe file.

Would you happen to know of a better bootable scanner other than AVG?

If you have any other ideas, please, I am all ears.

Joe


My guess is you have a RootKit infection that infects the Master Boot Record.

Fix MBR in Vista / Win7

To fix the master boot record, You have to start up in the Recovery Environment and then run the bootrec command. Here’s how.

1. First, load up the Windows disc in your drive and press any key to boot from the disc.

Note: If you already have the Recovery Console installed, select the Recovery Console at the startup screen.

2. Choose the language, time, currency, etc and click Next. Now click on Repair Your Computer.

3. Choose the operating system to repair and click Next. When the System Recovery Options dialog comes up, choose the Command Prompt.

4. Now type bootrec.exe and press Enter. This will rebuild the boot configuration data and hopefully fix your problem. You can also run the command with switches to fix just the master boot record (/fixmbr), the boot sector (/fixboot), or rebuild the entire BCD (/rebuildbcd).


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
