Infected machine and cannot run anti-malware tools

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bsa492, Jan 14, 2009.

  1. bsa492

    bsa492 Private E-2

    Hi,

    I have a Dell Dimension E510 with Windows XP Media Center Edition 2006 installed. It recently started to generate tons of pop-ups and internet redirects. Most searches on Google are redirected to go.google.com with something completely different from the item selected from the search list. All requests for any malware sites (e.g. grisoft.com, majorgeeks.com, spybot.com, and many more) are redirected to 127.0.0.1.

    Task Manager had been disabled, but I enabled it through the Registry.

    No USB thumb drives or external hard drives are recognized by Windows, so I am limited on the ability to get data off of the system.

    I downloaded the guides and tools listed in the Windows XP Malware Removal Guide from this site to a CD. I copied them to the C: drive and installed them, but they just hang there without displaying anything. I can tell I started them using Task Manager.

    Internet access is somewhat operational, because I can use the IP address to reach a site, but as soon as the site replaces the IP address with a name, DNS resolves it to 127.0.0.1.

    I was successful at running MGTOOL and I have an HJT log, but I don't know how to get it off that machine to somewhere you can see it.

    Suggestions?

    Thanks,
    Dan
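The redirection of security-vendor sites to 127.0.0.1 described in the post is commonly produced by a tampered hosts file. As an added example that is not part of the thread, the script below parses a hosts file and flags watched domains pointed at a sinkhole address; the watch list and SAMPLE_HOSTS are constructed.

```python
"""Flag hosts-file entries that sinkhole watched (security-vendor) domains.
Added example for this thread, not the forum's or any vendor's tool; the
watch list and SAMPLE_HOSTS below are constructed."""
import sys

# Domains the poster saw redirected, plus two a defender would also watch.
WATCH_DOMAINS = ("grisoft.com", "majorgeeks.com", "spybot.com",
                 "microsoft.com", "windowsupdate.com")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")

def is_watched(hostname):
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCH_DOMAINS)

def find_hijacks(text):
    """(ip, hostname) pairs that point a watched domain at a sinkhole address.
    The normal '127.0.0.1 localhost' line is not flagged."""
    return [(ip, h) for ip, h in parse_hosts(text)
            if is_watched(h) and ip in SINKHOLE_IPS]

# Constructed sample: the standard localhost line plus tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.grisoft.com free.grisoft.com   # tampered
0.0.0.0         majorgeeks.com www.majorgeeks.com
127.0.0.1       spybot.com
192.168.1.10    printer.lan
"""

if __name__ == "__main__":
    # Usage: python hosts_check.py [path]   (no path: scan the sample).
    # On Windows the live file is %SystemRoot%\system32\drivers\etc\hosts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for ip, host in find_hijacks(text):
        print(f"SINKHOLED  {host:28s} -> {ip}")
```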
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode, but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. bsa492

    bsa492 Private E-2

    Thanks bjgarrick,

    Since my original post, I managed to get to a webmail page and I have been able to email the MGlogs.zip file to myself, so I’m attaching it to this post.

    I followed your instructions and did find TDSSserv.sys. I disabled it and rebooted, but now I am in a worse position than I was before. When I rebooted, it stopped recognizing my keyboard and mouse, which are not the original equipment; they are Microsoft Intellimouse and Microsoft Natural Keyboard.

    This system only accepts a USB mouse and keyboard; it does not have PS/2 ports. Booting to safe mode makes no difference; the mouse and keyboard are not active. I also have a generic USB mouse, but that is not recognized either, although the light for the optics turns on, while the Microsoft Intellimouse does not even light up. I’ve tried all of the USB ports and that makes no difference either.

    I didn’t mention it in my original post, but I was asked by a friend (Greg) to look at the machine and try to get it working again. He is going to bring me the keyboard and mouse that he received with the system to see if XP will still recognize them.

    If that does not work, is there a bootable CD (iso file?) that I can use to get past this?

    Here’s another tack I’m considering, but I don’t have enough expertise in the workings of the tools available to know if it will work or not. I have a new, unformatted 500GB SATA 3.0 Gbit hard drive that I think will work in this system. The motherboard specs say that it will support a SATA 3.0 Gbit drive, even though the existing drive is a 1.5 Gbit SATA drive. So, I would:
    1) disconnect the existing, infected drive
    2) install the new drive and install Windows XP, including virus/spyware protection
    3) re-connect the existing, infected drive, as a D: drive
    4) follow the instructions in the Malware Removal Guide
    5) after the malware has been cleaned up, reverse the process to remove my 500 GB drive and make the existing, infected drive the primary boot drive again.
    6) Boot from the existing drive and run scans again.

    Would that help me? Or will that be a useless effort because it will not be booted from the drive I’m trying to clean up?

    Another approach I have discussed with Greg is to try to burn a CD or DVD with everything that he wants to save and use his recovery disk to reinstall everything. This is not very attractive to either of us, because there are always things missed when backing up for a rebuild, the rebuild process is long, and it is not a lot of fun.

    Any help you can provide for this machine and Greg would be appreciated.

    Thanks!!

    Dan

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! At this point, are you saying the mouse/keyboard are not working? WinXP should reinstall the drivers at startup therefore allowing the USB mouse/keyboard to become usable.

    Were you able to run MBAM & SAS from the READ ME?
     
  5. bsa492

    bsa492 Private E-2

    That's right. At this point, I cannot run anything on the machine, because I don't have a working keyboard or mouse (the hardware is OK for each; I've checked them out on another system, but they don't work on this system).

    No, I was not able to run MBAM or SAS after disabling TDSSserv.sys. XP insisted that I reboot immediately and that was "all she wrote" for the human interface. Unless the installation of the drivers is extremely slow, I don't think XP is going to get them installed. I let it sit there for about 30 minutes while I worked on another system.

    I'm hoping that the original keyboard and mouse will work and I should have those in my possession on Tuesday.

    What do you think of my idea of a fresh install of XP on another drive to run malware tools on the infected drive? Is that worthwhile to try or a waste of time?

    Thanks.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Trying another keyboard/mouse would be the easiest solution at this point. Do you by chance have or can borrow a PS2/USB adapter?

    Also, I assume you have tried a different USB port?
     
  7. bsa492

    bsa492 Private E-2

    Hi bjgarrick,

    I had already tried many combinations of keyboards, mice, adapters, and USB ports.

    I had the mouse and keyboard working for about 30 minutes earlier tonight, but only because AVGFree ran via schedule and cleaned up some malware. PS2/USB adapters didn’t help at all.

    While I was testing various combinations of mouse and keyboard (different USB ports, different PS2/USB adapters, etc.), I had just received the keyboard and mouse the owner was using (Logitech) and booted the PC. An AVGFree Complete Test was kicked off due to being scheduled. After it completed and cleared 96 virus/Trojan/other malware items, I rebooted and the mouse and keyboard stayed active after Windows started. I had control long enough to check out some things, but when I tried to run CCleaner, I got a bunch of windows popping up and something caused a “controlled shutdown” to be requested. When I rebooted, the mouse and keyboard were dead again.

    I do have a mouse and keyboard until Windows starts to load, so I can access the BIOS, the boot menu, and I can even run the Recovery Console, but I cannot use the keyboard or mouse in Windows (normal or safe mode).

    While I had a mouse and keyboard, I double-checked Device Manager to see that I actually had TDSSserv.sys disabled, which I do. I saw that a lot of other stuff also became disabled.

    The optical drives had been working before, but they don’t work now, either.

    I also tried to move the clock forward to late February, so AVG would run a new scan. That worked and found approx. 35 viruses to remove, but I still don’t have keyboard or mouse.

    By the way, one of the malware items it thinks it cleaned was the Trojan horse VUNDO. The Trojan horse Agent.ATXX is there, too. There were a couple of backdoors and several other Trojan horses, too.

    CURRENT STATUS:
    No mouse
    No keyboard

    Device Manager shows the following devices with a yellow dot and black exclamation point.
    Display Adapters
    - Intel 82945G Express Chipset Family
    - Intel 82945G Express Chipset Family
    DVD/CD-ROM Drives
    - HL-DT-ST DVD+-RW GWA4164B
    - SONY DVD-ROM DDU1615
    Jungo
    - WinDriver
    Modems
    - Conexant D850 5K V.9x DFVc Modem
    System devices
    - Microsoft UAA Bus Driver for High Definition Audio
    Non-Plug and Play Drivers
    - HTTP
    - IP Network Address Translator
    - Remote Access IP ARP Driver
    - TDSSserv.sys

    I checked to see if the owner has a CD with this version of Windows and he does not. It is Windows Media Center and was pre-installed by Dell when he received it. I have several Dell drivers and utilities CDs, but none are the full recovery disk or installation disk.

    What should I try next?
    Is there anything we can do with the Recovery Console?

    Thanks,
    Dan
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    At this point, try to boot into Safe Mode and see if you can get the mouse/keyboard working. If you can, try to run MBAM & SAS attaching the log if completed.
     
  9. bsa492

    bsa492 Private E-2

    A quick update on progress. I was unable to get mouse or keyboard control back using safe mode or any other normal way of booting the machine. I found "Ultimate Boot CD for Windows" (UBCD4WIN) and downloaded that material from the MajorGeeks site. I built a bootable CD with virus and spyware software on it. I ran several of the virus removal products from there, which eliminated nearly 500 instances of malware on the machine.

    After having done that, I could boot the machine from the hard drive, but the keyboard and mouse were still INOP. I found that the UBCD4WIN system has a remote registry editor included, so I opened the registry for the system that is crippled and searched for "drivers". I found a few entries that looked like they might be the drivers for the keyboard and mouse, compared the registry to the hard drive, and found that those files did not exist. I found versions of those drivers on the UBCD4WIN system and on the web, placed them in the directory indicated by the registry, and booted the system again from the hard drive. I then had keyboard and mouse control on the crippled system... and it is not generating popups, etc. like crazy any more.

    Unfortunately, it appears that the malware removal process has wiped out many of the drivers, because when I try to use peripherals and attached devices, they don't work. I checked Device Manager and discovered that all the USB controllers, the optical drives, and the network card are all showing a question mark, indicating that the drivers are damaged or missing.

    At this point, I am questioning if this system can be salvaged through repair processes or if I should just reset to factory configuration using the Dell recovery process. Even if I do that, I would like to save about 5 GB of user data from this system. I tried to burn a DVD with about 3.5 GB, using the UBCD4WIN system, but even though it said it was burned cleanly, I cannot read the DVD on this system or another.

    I think my next step is to find the drivers for some of the components to see if I can clean it up a bit more before "punting". Is there a better way to find and install the drivers from a system like UBCD4WIN?
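The registry-to-disk comparison described above (driver entries whose files no longer exist) can be automated. As an added example that is not from the thread, this script resolves each driver service's ImagePath the way Windows spells it and reports the ones whose file is missing; SAMPLE_SERVICES and SAMPLE_FILES are constructed, and the `exists` hook lets the same check run against an offline copy of the drive.

```python
"""Check that each kernel/file-system driver registered under the Services key
still has its ImagePath file on disk. Added example, not from the thread; sample data is constructed."""
import ntpath
import os

KERNEL_DRIVER, FS_DRIVER = 1, 2   # Type values for driver services
def resolve_image_path(image_path, system_root):
    """Map the spellings seen in ImagePath values onto one filesystem path."""
    p = image_path.strip()
    if p.startswith('"'):                      # "quoted path" [arguments]
        p = p[1:].split('"', 1)[0]
    low = p.lower()
    if low.startswith("\\systemroot\\"):       # \SystemRoot\system32\drivers\x.sys
        return ntpath.join(system_root, p[len("\\SystemRoot\\"):])
    if low.startswith("%systemroot%\\"):
        return ntpath.join(system_root, p[len("%SystemRoot%\\"):])
    if low.startswith("\\??\\"):               # NT object-manager form \??\C:\...
        return p[len("\\??\\"):]
    if low[1:3] == ":\\":                      # already a drive-letter path
        return p
    return ntpath.join(system_root, p)         # bare system32\DRIVERS\x.sys

def find_missing_drivers(services, system_root, exists=os.path.exists):
    """services: {name: (image_path, type)} -> names of driver services whose
    file is absent. `exists` is injectable so the check can run against an
    offline copy of the drive or, as below, a constructed file list."""
    missing = []
    for name, (image_path, svc_type) in sorted(services.items()):
        if svc_type not in (KERNEL_DRIVER, FS_DRIVER) or not image_path:
            continue
        if not exists(resolve_image_path(image_path, system_root)):
            missing.append(name)
    return missing
# Constructed sample: XP-era input/USB drivers in the ImagePath styles above.
SAMPLE_SERVICES = {
    "kbdclass": ("system32\\DRIVERS\\kbdclass.sys", KERNEL_DRIVER),
    "mouclass": ("\\SystemRoot\\system32\\DRIVERS\\mouclass.sys", KERNEL_DRIVER),
    "HidUsb":   ("\\??\\C:\\WINDOWS\\system32\\DRIVERS\\hidusb.sys", KERNEL_DRIVER),
    "usbhub":   ("system32\\DRIVERS\\usbhub.sys", KERNEL_DRIVER),
    "Browser":  ("%SystemRoot%\\system32\\svchost.exe -k netsvcs", 32),  # Win32 service
}
SAMPLE_FILES = {   # constructed: hidusb.sys and usbhub.sys were lost to cleanup
    "c:\\windows\\system32\\drivers\\kbdclass.sys",
    "c:\\windows\\system32\\drivers\\mouclass.sys",
}
def sample_exists(path):   # case-insensitive stand-in for os.path.exists
    return path.lower() in SAMPLE_FILES
if __name__ == "__main__":
    print(find_missing_drivers(SAMPLE_SERVICES, "C:\\WINDOWS", sample_exists))
```

On a Windows system the `services` dict can be filled from HKLM\SYSTEM\CurrentControlSet\Services (each subkey's ImagePath and Type values) via the winreg module, or from a hive loaded with `reg load` when working from a rescue environment such as UBCD4WIN.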
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If it were me, I would take out the HDD, put it into another system, copy the data I wanted to save, format the partition, and do a clean install of XP, because you obviously have more issues than just malware.
     
  11. bsa492

    bsa492 Private E-2

    Thanks for the affirmation.

    After I posted my previous message, I found that I could attach an external USB drive, boot the UBCD4WIN disk, and copy the user data to the external drive. I was trying to boot, then attach the external drive, but UBCD4WIN can only handle USB devices that are there at boot.

    I'm going to reset the primary partition of the HDD to factory configuration, add some malware protection, run updates on the installed software (Windows, etc.), confirm it is working, and get it back to the owner.

    Thanks much for your insight in this matter. You can close the thread after reading this post.

    Best regards,
    Dan
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!