Inundated XP Box. Cleaning Procedures Followed.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Drewbie, Apr 7, 2010.

  1. Drewbie

    Drewbie Private E-2

    Hello all. This is my first post, but I have relied heavily on MG.com in the past to help me clean up infected machines.

    The machine I am toiling with right now is one of the worst I have encountered; if it weren't for pure curiosity, I would have wiped it by now.

    Here is the run down of what is happening:

    1. XP Pro Box running Kaspersky. AV was fully updated, as was the Java and other plugins. Machine has all of the latest patches.

    2. User called to tell me he had some "virus popups". I went through the Kaspersky logs, and sure enough there were Trojans and Worms galore. BACKDOOR.WIN32.CETORP.P and VIRUS.WIN32.Sality.K are just some examples, there were a lot.

    3. I disconnected the machine, and began to do the Windows XP Cleaning procedures. Here is the gist. I can run CCClean. Initially removed about 50mb of junk.

    4. I could run and clean the findings with SuperAntiSpyware. I attached that log. It found one Trojan, and about 100+ tracking cookies.

    5. Attempting to install MalwareBytes causes a BSOD. I changed the file name and installation locations, no joy.

    6. ComboFix will not run. I double-click the icon, and get the little green status bar go from right to left, and it disappears. No prompts after. Waited about four hours the first time, no joy.

    7. RootRepeal. I can start the program, but whatever is on the machine kills the process before I can initiate a scan.

    8. MGTools. I ran it from the root, but during the scan process, the machine threw a BSOD.

    9. I cannot boot to Safe Mode, only the standard mode. During boot into Safe Mode (any derivative), during the driver portion, it gets to TDI.SYS and reboots. Checked system32\drivers, nothing that looks out of place, no files of 0kb, etc.

    10. I could run HiJackThis. I have attached the log.


    Is it time to wave the white flag on this one? I am beginning to think so. Thoughts? As always, any help is greatly appreciated.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's start with this.

    Run HJT and do a scan only, and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Now, download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now see if you can run the other scans.

    If not, rename HJT to analyse.exe and attach the new log.
     
  3. Drewbie

    Drewbie Private E-2

    Tim,
    Thanks for the reply.

    I attempted to follow the instructions, however whatever is on the box is now killing HJT before the scan can complete. Attempting a second time will throw a BSoD. It's very, very frustrating.

    I attempted to go on to the Avenger portion, and I was able to successfully accomplish it. Upon reboot Avenger stated it was able to delete best.exe, but the others were not found. BEST.EXE has apparently rebuilt itself, as I can see it again in the recovery console.

    I ran the HJT as analyse.exe and nabbed the log before it went to a blue screen. It's attached.

    If you can help me pull this off Tim, you'll have to pass an address to where I can have a case of beer delivered to you. Thanks much.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Curious indeed.

    I really need you to retry running MGTools.exe.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    Let's do Avenger again, but you need to edit my fix and put in your user name where I have it underlined.

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  5. Drewbie

    Drewbie Private E-2


    Tim,
    I couldn't get any of the scans to run, it would just cause a BSOD repeatedly. I set up a laptop with a fully patched version of XP, a fully updated version of Symantec Endpoint, and MalwareBytes installed. I set the infected drive in a dock, and set it to read only. I ran scans against the drive, changed the write block to allow writes to the drive, and deleted tons of Trojans, worms and various malware. If you are interested to know what they were exactly, I can post the scan and deletion results here. My problem now is that the drive now scans clean, but I am still dealing with the damage caused: the machine still will not boot into safe mode, it hangs at TDI.SYS and reboots, and I will still get a BSoD when trying to install a fresh copy of MalwareBytes. I'll keep plugging away at it this morning, and post a fresh HJT log and the scan results in a bit. Thanks again for your help.

    EDIT: Scans are still being killed when I boot the drive. MB, RootRepeal, and HJT get their processes killed, and second attempts cause a BSoD. Because it is happening slower, I was able to get another good scan out of HJT. It's attached.
     


    Last edited: Apr 12, 2010
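As an added illustration (not part of the thread), the manual check from post #1 applied to the docked, read-only drive described in post #5: walk the offline volume's system32\drivers folder for zero-byte files, recently modified drivers, and a named driver that is expected but absent (TDI.SYS, where Safe Mode hangs). The volume root, the `WINDOWS` folder name, the list of expected drivers and the sample files are constructed for the demonstration and are not from the original post.

```python
import os
import tempfile
from datetime import datetime, timedelta

def triage_drivers(volume_root, expected=("tdi.sys",), recent_days=7):
    """Inspect <volume_root>/WINDOWS/system32/drivers on an offline volume.
    Returns a dict with three finding lists: zero-byte driver files,
    expected drivers that are missing, and files modified within recent_days.
    The XP path layout (WINDOWS\\system32\\drivers) is an assumption."""
    drivers = os.path.join(volume_root, "WINDOWS", "system32", "drivers")
    findings = {"zero_byte": [], "missing": [], "recent": []}
    if not os.path.isdir(drivers):
        findings["missing"].append(drivers)   # whole folder absent
        return findings
    present = {name.lower() for name in os.listdir(drivers)}
    for name in expected:
        if name.lower() not in present:
            findings["missing"].append(name.lower())
    cutoff = datetime.now() - timedelta(days=recent_days)
    for name in sorted(os.listdir(drivers)):
        path = os.path.join(drivers, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        if st.st_size == 0:                   # the "0kb" check from post #1
            findings["zero_byte"].append(name)
        if datetime.fromtimestamp(st.st_mtime) > cutoff:
            findings["recent"].append(name)   # changed after the infection
    return findings

def build_sample_volume():
    """Constructed sample volume: one old, healthy-looking driver, one
    freshly created zero-byte driver, and no tdi.sys at all."""
    root = tempfile.mkdtemp(prefix="offline_vol_")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
    os.makedirs(drivers)
    healthy = os.path.join(drivers, "ntfs.sys")
    with open(healthy, "wb") as f:
        f.write(b"MZ" + b"\0" * 62)           # placeholder bytes, not a real driver
    old = (datetime.now() - timedelta(days=400)).timestamp()
    os.utime(healthy, (old, old))             # make it look untouched for a year
    open(os.path.join(drivers, "sample_zero.sys"), "wb").close()  # zero-byte file
    return root

if __name__ == "__main__":
    print(triage_drivers(build_sample_volume()))
```

Point the function at the mount point of the docked drive instead of the sample volume; anything listed under `zero_byte` or `recent` is what to compare against a known-good XP install before trusting the drive to boot.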
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    A HJT log, esp. when it has not been renamed, is probably not going to help us at this point.

    Did you run any online scans with the hard drive in the external box? It would have been best to try to run the scans on the laptop with the dock attached. If you can do that, do so and attach the logs.
     
  7. Drewbie

    Drewbie Private E-2

    Tim,
    What do you mean by online scans? I ran the MalwareBytes and a Symantec scan on the drive in the dock. It now comes up clean. At the moment I have the drive back in the original machine, and got ComboFix to run with the recovery console by renaming the file to svchost.exe. At the moment, it's still going through the scan. I'm hoping it's an improvement. If you could give me a run down on the online scans you referred to, I'll jump in with both feet as soon as the ComboFix completes.

    Many thanks,
    -Drew
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's hope Combo runs and produces a log. As to online, try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.
     
  9. Drewbie

    Drewbie Private E-2

    Tim,
    ComboFix did wonders. I ran RootRepeal, it found a file, and kicked out a log. I can also now run MalwareBytes, which is still in progress, it's already got nine hits. I'll go through the rest of the XP cleaning process now and post all of the logs up to make sure everything is running clean once I am done.


    Again, thanks for all the responses and helping me run this to ground!


    -Drew
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will be here when you have the logs. At least we are making progress!!
     
  11. Drewbie

    Drewbie Private E-2

    Hey Tim,
    Just an update. Time ran out on figuring out all of what went wrong on this machine. It was to the point where repeated scans with a variety of products yielded no results, but the damage that was wrought was considerable. Multiple services wouldn't start, corrupt and missing drivers, damaged registry, etc. The decision was made to simply pull off the user data and baseline the machine. It's back in service now, and I have the feeling of being defeated, but at least the user data was saved. Thanks for all of your help with this Tim, it was truly appreciated.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Safe surfing.
     
