Infected computer, w/ questions on XP cleaning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ahurwich, Dec 17, 2010.

  1. ahurwich

    ahurwich Private E-2

    Hello,

    I followed a link to an NSFW site the other day and soon afterwards got a popup notification along the lines of "Windows system inspection has found an error" and then my browser started randomly opening windows to "anti-virus" purchase sites and redirecting google links to them as well.

    I've been running through the Windows XP cleaning procedure, but seem to have gotten stuck on running combofix. I think it's because I'm not properly disabling my AV, but here's what's happening, anyway: I run combofix, it says "McAfee VirusScan Enterprise is still active, disable it". I thought I had disabled it, so double-checked (and found on-access scanning, and all other 'disable'-able options set to "disabled") and clicked OK. Combofix runs until it gets to this screen: http://www.bleepstatic.com/combofix/en/autoscan.jpg and then just sits there for 30 minutes, at which point I manually close it. I tried running MGtools, hoping it was just something with Combofix, but MGtools also froze after about a minute of scanning through my files.

    Logs from Superantispyware and Malwarebytes' attached. Should I just uninstall McAfee at this point and start over, is there a better way to disable than described above, or something else? The "How to Disable your AV" section on MajorGeek doesn't seem to cover my version of AV.

    Thanks for your help!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, try uninstalling McAfee. Did you try running Combo and MGTools in safe mode? Have you tried renaming them?
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also I think this might help you, give it a go.

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSKiller.exe file to run it (if using Vista or Windows 7, do not double click on it but rather right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSKiller from Kaspersky.
    • Click Start scan.
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version number and the date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post)
     
  4. ahurwich

    ahurwich Private E-2

    Thanks guys. I figured out how to disable my AV to the point where combofix doesn't complain about it running and Windows security center complains about it being turned off.

    However, still haven't gotten combofix or MGtools to run successfully--same issue as earlier. I tried renaming it, running it in safe mode, and re-downloading it saved as a different name, with no effect. I didn't uninstall my AV because I thought that might not be the problem, although can if you still think it may be worth doing.

    I did successfully run rootrepeal and TDSSKiller--logs attached. Thanks again for the help thus far, and let me know how you'd like me to proceed.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We could still uninstall McAfee and then try running Combofix/MGTools again; however, TDSSKiller found something that should have solved your problem. Describe to us how things are running at this point, please.

    But we still need to see if any malware remains, so either uninstall McAfee and run Combofix and MGTools... or...

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  6. ahurwich

    ahurwich Private E-2

    OTL run, logs attached.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Now try and run Combofix and MGTools (without uninstalling McAfee). Any luck?
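The HostsXpert step above restores the stock hosts file because rogue-AV droppers of this era commonly add entries that blackhole security vendors' sites (mapping them to 127.0.0.1, so updates and downloads fail) or redirect popular sites to an attacker-chosen address. As an added example, not part of the original thread and not MajorGeeks' or HostsXpert's code, the Python script below parses a constructed sample hosts file and flags every active mapping that is not the default loopback entry for localhost. The sample entries are made up for illustration; the file path is the standard Windows location.

```python
from ipaddress import ip_address

# Default location on Windows (XP through 10). Only used by audit_hosts_file().
WINDOWS_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample (not the poster's real hosts file): the first three lines match the
# Windows XP default; the last three are the kind of entries a rogue-AV dropper adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       superantispyware.com
74.125.45.100   www.google.com
"""

# Names the stock file legitimately maps to a loopback address.
LOOPBACK_OK = {"localhost"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping, skipping comments and blanks.
    A line may list several names for one address, so one line can yield several entries."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), n))
    return entries


def suspicious_entries(text):
    """Flag every mapping that is not the stock loopback entry.
    Loopback for anything but localhost blackholes that site (AV update servers are the usual
    target); a non-loopback address silently redirects the name somewhere the attacker chose."""
    findings = []
    for ip, host, n in parse_hosts(text):
        try:
            addr = ip_address(ip)
        except ValueError:
            findings.append((n, ip, host, "unparseable address"))
            continue
        if addr.is_loopback:
            if host not in LOOPBACK_OK:
                findings.append((n, ip, host, "blackholed to loopback"))
        else:
            findings.append((n, ip, host, "redirected to non-loopback address"))
    return findings


def audit_hosts_file(path=WINDOWS_HOSTS):
    """Read a hosts file from disk and return its findings (errors='replace' tolerates odd bytes)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for line_no, ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} {host} -> {why}")
```

Treat the findings as review items rather than verdicts: ad-blocking hosts lists legitimately add hundreds of loopback or 0.0.0.0 lines, and Vista and later ship a second default entry (`::1 localhost`), which the loopback check above already accepts. What should never appear on a machine that has not deliberately edited the file is a loopback entry for an anti-malware vendor's domain.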
     
  8. ahurwich

    ahurwich Private E-2

    DL and ran HostsXpert successfully, but still error on combofix.

    Also, noticed that the clock on my computer freezes during combofix running along with all icons/start menu when I try to open task manager, or use other misc. windows things.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall McAfee and try again?
     
  10. ahurwich

    ahurwich Private E-2

    Uninstalled, but no change on combofix :(
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run OTL again as instructed in post #5 (no need to redownload of course)

    Run this and attach the results.

    Using ESET's Online Scanner

    Tell me how things are running?
     
  12. ahurwich

    ahurwich Private E-2

    Things are running better--the computer was noticeably slower before I started with a few of these scans, but now seems to be more on par with its usual speed. Haven't had the popup windows recently and a cursory Google search/link clicking doesn't redirect me to "AV" sites. Of course, I've only been online for a few minutes since the scan finished.

    Logs attached--ESET did find some stuff. OTL didn't produce an Extras.txt file this time--normal?
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OTL reports that MGTools did run so please attach this log:
    C:\MGlogs.zip
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It also reports that the log will be incomplete. ;) MGtools should be rerun since TDSSkiller likely fixed the reason why it could not run properly.
     
  15. ahurwich

    ahurwich Private E-2

    Hmm. MGtools still seems to just sit there. Log attached in case it's at all useful.
     


  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it only had the one log. Let's see if we can get it to run properly:

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
     
  17. ahurwich

    ahurwich Private E-2

    Ran GetRunKey command, and MGtools booted up, sat there and froze the computer as it's been doing previously.

    Ran ShowNew, it ran seemingly ok with no error messages and left me at the C:\MGtools> prompt.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, because you have no available free disk space. Your logs from OTL showed the below:
    Code:
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.26 Gb Total Space | 1.83 Gb Free Space | 4.91% Space Free | Partition Type: NTFS
    Drive D: | 542.65 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    You have ZERO space on drive D, and the 1.83 GB of space on drive C is too small for many things to run, possibly including MGtools and even many things that Windows needs to do. You need to free up disk space.
     
    Last edited: Dec 18, 2010
  19. ahurwich

    ahurwich Private E-2

    I can do that--how much free space will it need to run successfully?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't bother with any of this. The problem is free disk space as I mentioned below.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to be more concerned with having enough disk space for Windows to run properly/efficiently not MGtools. I suggest that you figure out why you have filled up both drives C and D and remove unnecessary files and programs. I would suggest that you don't let drive C get under 4 GB. Drive D is currently unavailable for any other storage.
     
  22. ahurwich

    ahurwich Private E-2

    I've never really had issues with Windows running poorly with the current setup. Drive D is my CD drive, and Drive C has only 40GB to begin with...mostly pictures and a few programs I use from time to time.

    Anyway, cleared up another couple gigs (3.5 total free on C), re-ran GetRunKey with no change in outcome.

    Also not sure if it's worth mentioning, but I installed PC Tools Antivirus free, just to have something easy to turn on/off while we're doing this, and now I need to toggle my wireless connection off/on to get it to connect to the internet every time I reboot the computer. Unsure if this is related to the AV or not, or if it's useful information. I uninstalled the AV after realizing internet wasn't working, after assuming it was the reason for the interruption.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Whether you are noticing it or not, with so little space left, Windows will be slowing down and you could have a variety of unexplained issues.

    Sorry! I misread that. I was thinking it was a filled up hard disk.

    Yes, an extremely small drive by today's standards.


    When you ran it from the command prompt, what was the last thing you saw on the screen? And how long did you wait? Since your drive is filled and it appears that you may have many, many files and folders, and also you may have lots of registry keys due to all the NI LabVIEW stuff and games, it could take longer to run than usual.

    Did you install their firewall too? It is the only thing that I would expect to potentially cause a problem with the internet connection.
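Post 18 diagnoses the MGtools hang from the drive summary in the OTL log, and post 23 corrects one part of that reading: drive D shows 0% free because it is a CDFS (CD-ROM) volume, not a filled-up disk. As an added example that is not part of the original thread and not OTL's or MGtools' code, the Python script below parses OTL drive-summary lines (the two quoted in post 18 plus a constructed healthy drive E for contrast) and reports writable volumes under a free-space floor while skipping read-only optical media. The 4 GB floor is chaslang's suggestion in post 21; the 10% floor and the UDF entry in the read-only list are assumptions.

```python
import re

# Constructed sample: the two drive lines chaslang quoted from the OTL log, plus a healthy
# drive E added for contrast (not in the original log).
SAMPLE_OTL = """\
%SystemDrive% = C: | %SystemRoot% = C:\\WINDOWS | %ProgramFiles% = C:\\Program Files
Drive C: | 37.26 Gb Total Space | 1.83 Gb Free Space | 4.91% Space Free | Partition Type: NTFS
Drive D: | 542.65 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 465.76 Gb Total Space | 120.40 Gb Free Space | 25.85% Space Free | Partition Type: NTFS
"""

# One OTL drive-summary line: letter, total, free, percent free, filesystem.
DRIVE_RE = re.compile(
    r"^Drive (?P<letter>[A-Z]):\s*\|\s*"
    r"(?P<total>[\d.]+) (?P<tu>[GM])b Total Space\s*\|\s*"
    r"(?P<free>[\d.]+) (?P<fu>[GM])b Free Space\s*\|\s*"
    r"(?P<pct>[\d.]+)% Space Free\s*\|\s*"
    r"Partition Type: (?P<fs>\S+)"
)
TO_GB = {"G": 1.0, "M": 1.0 / 1024}

# Read-only media always report 0 free and cannot be "cleaned up" (UDF added as an assumption).
READ_ONLY_FS = {"CDFS", "UDF"}


def parse_drives(text):
    """Return one dict per drive line found in an OTL log, with sizes normalised to GB."""
    drives = []
    for line in text.splitlines():
        m = DRIVE_RE.match(line.strip())
        if not m:
            continue
        drives.append({
            "letter": m["letter"],
            "total_gb": float(m["total"]) * TO_GB[m["tu"]],
            "free_gb": float(m["free"]) * TO_GB[m["fu"]],
            "pct_free": float(m["pct"]),
            "fs": m["fs"],
        })
    return drives


def low_space_drives(text, min_free_gb=4.0, min_pct=10.0):
    """Letters of writable volumes below either floor. The 4 GB floor is chaslang's advice
    in post 21; the 10% floor is an assumed sanity check for large disks."""
    return [
        d["letter"]
        for d in parse_drives(text)
        if d["fs"] not in READ_ONLY_FS
        and (d["free_gb"] < min_free_gb or d["pct_free"] < min_pct)
    ]


if __name__ == "__main__":
    for d in parse_drives(SAMPLE_OTL):
        print(f"{d['letter']}: {d['free_gb']:.2f} GB free of {d['total_gb']:.2f} ({d['fs']})")
    print("needs cleanup:", low_space_drives(SAMPLE_OTL))
```

On the sample, only C is reported: D is skipped as CDFS, which is exactly the misread post 23 owns up to, and E is comfortably above both floors. The percentage floor matters on large disks where a few GB free is a fraction of a percent and the OS can still stall on temp and pagefile growth.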
     
  24. ahurwich

    ahurwich Private E-2

    That's a good question--it was something along the lines of "Gathering registry keys, ignore any error messages, be patient!!" The first time I ran it, I waited maybe 20, 30 minutes? Now I'm only waiting a few minutes each time, as I don't see anything different happening. Also I don't hear any noise coming out of the hard drive that I usually associate with activity. I can see if I can screen-grab what it looks like for you, although trying to do anything while it's running has caused the system to freeze up every other time I've tried it.

    I've had the firewall for a while now, just added the AV to cover the uninstalled McAfee. I still have the firewall installed.

    It's 6 years old...IBM T42 that I can't bear to part with 'cause nothing else is quite as nice to use.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and save the below to the C:\MGtools folder

    GRK.bat


    Then go back to the command prompt and get back into the C:\MGtools folder ( like previously requested ) but this time run GRK.bat. Now tell me what happens.
     
  26. ahurwich

    ahurwich Private E-2

    404'd on that GRK.bat link--typo?
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, it works for me.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try again after clicking refresh.
     
  29. ahurwich

    ahurwich Private E-2

    Yep, tried it immediately after posting the 404 message and got it. Ran GRK.bat from the MGtools command line, it said (not entirely exact on my transcription here):

    Running Scan GRK.Bat version 0.01 05/04/2010

    Ignore error messages about not finding registry keys!
    Just wait for the program to finish running!!

    32 bit Windows OS found
    _


    I left it at that screen (didn't touch keyboard, mouse) for 10 minutes, then tried clicking out and computer froze up again.

    Also, I tried turning off the firewall instead of resetting internet connection to fix the connection problem, and that was successful. Maybe reinstalling firewall will fix problem?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it seems you may have some Windows OS issues of some type. Not sure what. Try the below.

    Download and save the below to the C:\MGtools folder

    GL.bat

    Then go back to the command prompt and get back into the C:\MGtools folder ( like previously requested ) but this time run GL.bat. Now tell me what happens. This should try to run a bunch of scans from MGtools but will skip running the GetRunKey/GRK one that has been hanging.

    Worth a try!
     
  31. ahurwich

    ahurwich Private E-2

    It did indeed--logs attached.
     


  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are clean. Are you having any malware problems?
     
  33. ahurwich

    ahurwich Private E-2

    Haven't noticed any since running TDSSKiller. Next step?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  35. ahurwich

    ahurwich Private E-2

    Done and done. Thanks for all your help!
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
