Not getting far with Malware Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by deepat, May 20, 2008.

  1. deepat

    deepat Private First Class

    Hi,

    I hope someone will be able to help me. I followed the instructions for Malware Removal, and saved the programs. After many attempts CCleaner did not open, so I progressed onto the next step and installed Super AntiSpyware. It ran, but after 7 minutes the computer quit and restarted. A window appeared saying that the system recovered from a serious error.

    Error signature was as follows:

    BCCode : 10000050
    BCP1 : F37C7000
    BCP2 : 00000000
    BCP3 : F406306E
    BCP4 : 00000000
    osver : 5_1_2600
    SP : 2_0
    Product 768_1

    The error report highlighted 2 temp files:

    Werb5cd.dir00\Mini05008-03.dmp
    Werb5cd.dir00\sysdata.xml

    I never bothered to continue installing the other programs, until this is sorted. Maybe someone can guide me who knows what all this means.

    Thanks

    Deepat
     
  2. deepat

    deepat Private First Class

    never mind the message below

    Thank you

    Deepat
     
  3. deepat

    deepat Private First Class

    xxxxxxxxxxxxx
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Are you saying you fixed your problems?
     
  5. deepat

    deepat Private First Class

    Thanks Chaslang

    The first program, Super Antispyware, ran after making some alterations. CCleaner, Spybot and ComboFix failed to run. I have the logs for the others attached. Not sure if MGTools ran completely as it stopped some way through and a window 'The application failed to initialize properly (0x0000135) Click on any key to terminate' appeared. I tried to update Windows to retrieve the Windows .NET Framework, but I don't think it downloaded.

    Hope I have attached all that is needed to progress.

    Regards

    Deepat
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This infection can be quite annoying to remove since there are many components to it that can cause it to come back. Do you have a bootable copy of your Windows XP CD? The easiest removal method may be to use your CD to boot to the Recovery Console and remove the associated files.
     
  7. deepat

    deepat Private First Class

    I have a copy I'm sure, but finding it is another matter. It doesn't sound good; in fact I have a laptop with an identical problem. If I can't find an XP CD, what are the other painstaking options?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I will try to give you some steps to follow, but they may not work due to the nature of this infection. It is worth a try though, because your other option would be a total reinstall, and you will need your CD for that too. However, before I create a fix for you, I want you to try the below.
    • First I want you to run SUPERAntiSpyware again, and first please check for an update (at the time of writing this the Definition Database Versions are Core: 3467 and Trace: 1458). I was speaking with them about this malware and they expected to have an update today; this may help. Attach this new log right now before moving on to the next bullet list item below.
    • Then boot into safe mode and run Malwarebytes again and save a new log to attach later.
    • While still in safe boot mode, run another scan with SUPERAntispyware and save a new log to attach later.
    • While still in safe boot mode, please see if ComboFix will run.
    • Now reboot in normal mode and come back here and tell me how these steps went.
    • Also attach
      • the new Malwarebytes log
      • the second of the two SUPERAntispyware logs
      • and the C:\combofix.txt log if it ran.
     
    Last edited: May 23, 2008
  9. deepat

    deepat Private First Class

    Hi,

    I found an XP CD, but I don't have a key number for it. Is the key essential to have?

    My computer is no longer functioning, and I am using a laptop. I did similar scans and have attached the results. Also, both computers fail to go into safe mode.

    Thanks

    Deepat
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will not need the key to boot to the Recovery Console.

    You need to be more descriptive. What do you mean by not functioning? If it does not work at all then there is nothing I can do to help you.

    We are only going to be working on one PC in this thread. Please focus on the one you started this thread for.

    Why didn't you allow Malwarebytes to fix what it found? Your log shows that you ignored everything.


    See if you can use your CD on the problem PC to do the below. This is just a practice run to see if you can follow these steps.

    If you have this CD, I want you to read through the below to familiarize yourself with it and print it so you can refer to it while offline, since you will not be able to browse once starting the below.
    1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
    2. Then restart your computer
    3. This should cause your computer to boot from the CD instead of the hard drive (if not, you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list).
    4. You should get a "Press any key to boot from CD" message! Press a key to do that, otherwise it will bypass the CD boot.
    5. After it boots up, you will see it load a bunch of files (be patient, it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R. It is normally the middle item in the list. Press R.
    6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
    7. It will ask you for the Administrator password next (so make sure you know it). If you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
    8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>
    After you get to this point, I just want you to take your CD out of the drive and type exit and then hit the Enter key. This should reboot your PC back into normal Windows. Then come here and tell me if you were able to do all of the above without any problem. The above will not fix anything. Those steps will come next. First I just want to know that you can successfully accomplish booting into the command prompt of the Recovery Console.
     
  11. deepat

    deepat Private First Class

    My computer appears to be going around in circles. On the command page that gives the option for starting in safe mode etc., I try to start Windows normally, and it keeps returning to the same page. (I may have made changes to the set-up, in an attempt to start in safe mode to run the previously failed programs.)

    I followed your instructions from the previous post, and managed to do all, except retrieve the CD from the computer (the tray won't open).

    Please advise

    Thank you

    Deepat
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Until we get your malware removed, it is going to have strange issues. I'm going to work up a fix and post it in my next message. This will be a fix based on using the Recovery Console.

    You just need to wait for it to start the reboot, then you should be able to press the button to remove the CD.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now read through the below to familiarize yourself with it and print it so you can refer to it while offline, since you will not be able to browse once starting the below.
    1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
    2. Then restart your computer
    3. This should cause your computer to boot from the CD instead of the hard drive (if not, you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list).
    4. You should get a "Press any key to boot from CD" message! Press a key to do that, otherwise it will bypass the CD boot.
    5. After it boots up, you will see it load a bunch of files (be patient, it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R. It is normally the middle item in the list. Press R.
    6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
    7. It will ask you for the Administrator password next (so make sure you know it). If you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
    8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>
    Now from this command prompt window, here are some things I want you to do. Enter the below commands (the commands are in bold black) in the order given. I will add comments in purple. In the below commands there are spaces after commands like cd, attrib, del, and rd.

    cd system32 <-- the prompt should change to C:\WINDOWS\SYSTEM32>
    attrib -r-s-h mdelk.exe <-- there is a space after the attrib and after the -r-s-h
    attrib -r-s-h WINTEMS.EXE
    del mdelk.exe
    del WINTEMS.EXE

    cd system32\drivers <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS>
    attrib -r-s-h hldrrr.exe
    attrib -r-s-h srosa.sys
    del hldrrr.exe
    del srosa.sys
    cd downld <-- the prompt should change to C:\WINDOWS\SYSTEM32\DRIVERS\downld>
    dir <-- this will give you a list of all files in the downld folder. For each file in this folder you need to execute the below del command and replace the file.bat or file1.exe with the real file names.
    del file1.bat
    del file1.exe
    etc

    There are going to be quite a few EXE files. Last count I saw about 31, but they spread all the time. Be patient and take your time and make sure you delete ALL of the files in this downld folder. After you get all of the files deleted (keep double checking by executing the dir command as often as necessary) then continue with the below.

    cd .. <-- the prompt should change back to C:\WINDOWS\SYSTEM32\DRIVERS>
    rd downld

    If the del commands do not work just type exit to leave the Recovery Console and boot into Windows and just come back here and tell me exactly what happened. Do not do any of the below!

    If the above worked then continue with the below.

    • Make sure your cable that connects you to the internet is unplugged
    • Take the CD out of your drive (it may not let you until you type exit and the reboot begins) and type Exit to reboot; however, reboot into safe boot mode.
    • In safe boot mode run SUPERAntiSpyware and save a log if it runs.
    • In safe boot mode run Malwarebytes Anti-Malware and save a log if it runs. MAKE SURE THAT YOU FIX WHAT IT FINDS. DO NOT IGNORE!!!!!
    • While in safe mode look for the below folders and delete them if found:
      • C:\Documents and Settings\Damian Greene\Application Data\m
      • C:\Program Files\Common Files\mzmu
      • C:\WINDOWS\system32\drivers\downld
    • Now reboot into normal boot mode, and run C:\MGtools\GetLogs.bat by double clicking on it.
    Now plug your cable back in and come here and attach the below 3 logs
    • SUPERAntiSpyware
    • Malwarebytes
    • C:\MGlogs.zip
    Also tell me how things are currently working.
     
  14. deepat

    deepat Private First Class

    Hi

    The system failed to find the first file 'attrib -r-s-h mdelk.exe,' but I think I managed to delete the second file 'WINTEMS.EXE.'

    That is as far as I got. When I entered the command 'cd system32\drivers,' the system could not find the file or directory.

    Deepat
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. Since you are already in the system32 folder at that point due to the previous steps, you just needed to use cd drivers. If you start from the prompt showing C:\Windows then you would need to type cd system32\drivers.
     
  16. deepat

    deepat Private First Class

    Hi

    I deleted all the files, 215 in total. I entered the following commands afterwards, following your advice:

    cd ..
    rd downld

    Not sure what they were for?

    Tried to boot into safe mode, but failed - computer still going around in circles.

    Thanks for your help so far.

    Deepat
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is what this infection does. It keeps adding more and more files to the downld (or sometimes a down folder) folder to keep the infection alive and difficult to remove.


    The cd .. changes back one folder level to
    and then the rd downld should remove the downld folder but it will only work if the folder was empty. Did you get any error messages?

    What happens exactly? Please try to explain the exact details. Also can you boot in normal mode at all and run the scans?

    If you can boot in any mode you should try looking for any of the below and deleting them:
    C:\Documents and Settings\Damian Greene\Application Data\m <-- the folder
    C:\Program Files\Common Files\mzmu <-- the folder
    C:\WINDOWS\system32\drivers\downld <-- the folder
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\mdelk.exe
    C:\WINDOWS\system32\wintems.exe
    C:\WINDOWS\system32\drivers\hldrrr.exe
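    The Recovery Console sequence in post 13 (clear attributes, delete the named files, empty and remove the downld folder) and the artifact list just above can be turned into a repeatable check. The script below is an added example written for this thread, not something chaslang or MajorGeeks posted: given a drive root (assumed to be passed in as a path, e.g. a mounted copy of the disk hooked up as a slave drive, as post 25 suggests), it looks for exactly the files and folders listed above, resolving names case-insensitively the way Windows does, and instead of deleting them it clears the read-only/system/hidden attributes and moves them into a quarantine folder with a SHA-256 manifest, so samples survive for later analysis. The `build_sample_tree` helper creates a constructed tree for demonstration only; the "Damian Greene" profile name is taken from the thread.

```python
"""Locate and quarantine the artifacts named in this thread (added example, not from the thread)."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Paths relative to the drive root, copied from chaslang's list in post 17.
ARTIFACT_FILES = [
    "WINDOWS/system32/drivers/srosa.sys",
    "WINDOWS/system32/mdelk.exe",
    "WINDOWS/system32/wintems.exe",
    "WINDOWS/system32/drivers/hldrrr.exe",
]
ARTIFACT_DIRS = [
    "Documents and Settings/Damian Greene/Application Data/m",  # profile name from the thread
    "Program Files/Common Files/mzmu",
    "WINDOWS/system32/drivers/downld",
]


def resolve_ci(root, relpath):
    """Resolve relpath under root, matching each component case-insensitively
    (Windows file systems ignore case; a Linux copy of the disk may not)."""
    cur = Path(root)
    for part in relpath.split("/"):
        if not cur.is_dir():
            return None
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur


def find_artifacts(root):
    """Return {'files': [...], 'dirs': [...]} of the listed artifacts present under root."""
    found = {"files": [], "dirs": []}
    for rel in ARTIFACT_FILES:
        p = resolve_ci(root, rel)
        if p is not None and p.is_file():
            found["files"].append(p)
    for rel in ARTIFACT_DIRS:
        p = resolve_ci(root, rel)
        if p is not None and p.is_dir():
            found["dirs"].append(p)
    return found


def clear_attributes(path):
    """Counterpart of `attrib -r-s-h`: on Windows drop the read-only, system and
    hidden attributes (FILE_ATTRIBUTE_NORMAL = 0x80); elsewhere just make the file writable."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(path), 0x80)
    os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)


def _move(f, qdir):
    """Hash a file, then move it into the quarantine folder under a digest-prefixed name."""
    clear_attributes(f)
    digest = hashlib.sha256(f.read_bytes()).hexdigest()
    shutil.move(str(f), str(qdir / f"{digest[:16]}_{f.name}"))
    return (str(f), digest)


def quarantine(found, qdir):
    """Move every artifact into qdir and write a manifest of SHA-256 hashes.
    Folders are emptied file by file and then removed, mirroring `del` followed by `rd downld`."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for d in found["dirs"]:
        for f in sorted(d.rglob("*")):
            if f.is_file():
                manifest.append(_move(f, qdir))
        shutil.rmtree(d)  # only after its contents have been moved out
    for f in found["files"]:
        manifest.append(_move(f, qdir))
    (qdir / "manifest.txt").write_text("".join(f"{h}  {p}\n" for p, h in manifest))
    return manifest


def build_sample_tree(root):
    """Constructed sample layout for the demo; the contents are placeholder bytes, not malware."""
    root = Path(root)
    (root / "WINDOWS/system32/drivers/downld").mkdir(parents=True)
    (root / "WINDOWS/system32/drivers/srosa.sys").write_bytes(b"constructed sample driver")
    (root / "WINDOWS/system32/wintems.exe").write_bytes(b"constructed sample exe")
    for i in range(3):  # the thread's downld folder held far more (215 files)
        (root / f"WINDOWS/system32/drivers/downld/file{i}.exe").write_bytes(b"dropped %d" % i)
    (root / "Program Files/Common Files/mzmu").mkdir(parents=True)
    return root


def demo():
    """Run the check on the constructed tree and return a summary of what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "C")
        before = find_artifacts(root)
        manifest = quarantine(before, Path(tmp) / "quarantine")
        after = find_artifacts(root)
        return {"files_before": len(before["files"]), "dirs_before": len(before["dirs"]),
                "moved": len(manifest), "files_after": len(after["files"]),
                "dirs_after": len(after["dirs"]), "sha_ok": all(len(h) == 64 for _, h in manifest)}


if __name__ == "__main__":
    print(demo())
```

    On the sample tree the check reports two files and two folders, moves five files into quarantine and finds nothing on a second pass. Moving rather than deleting keeps the evidence the scanners in this thread would otherwise never see, and the manifest gives you hashes to submit to your AV vendor.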
     
  18. deepat

    deepat Private First Class

    Hi

    I can't boot into the computer in any mode; whichever mode I select, the computer goes to the page with the EPA pollution preventer logo on the top RHS, the same page that gives the option to enter set-up at the bottom LHS.

    The screen then brings up a page for a split second, with what I can only make out in the bottom left hand corner to read 'Verifying DMI pool data' - then the screen returns to the mode options page again.

    The folder was indeed empty I remember, I entered the rd downld command, and received no error message, so I assume it deleted ok.

    thanks

    Deepat
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Either your infection has corrupted necessary boot files or your BIOS is not finding your hard disk.



    Enter into your BIOS when you startup.
    • Make sure the hard disk drive with the Windows installed on it is correctly set as the primary boot device.
    • Choose the HDD as primary boot device, followed by CD-ROM/Floppy. Also make sure that the HDD is set to auto-detect within the BIOS utility.
    If you still have the CD in your CD-ROM then please remove it while you are in the BIOS by pressing the eject button.

    Normally the above is the problem as the message you gave is typically a hardware related problem like Microsoft states here: http://support.microsoft.com/kb/287553

    Any luck?
     
    Last edited: May 30, 2008
  20. deepat

    deepat Private First Class

    No luck....... when I cast my mind back, I can remember this problem started when I accidentally switched off the power at the mains during the computer shutdown process.

    Also, while attempting to boot into safe mode when you first advised, it wouldn't work, so I made some changes in set-up - I think I may have 'loaded optimized defaults'.

    I am not sure which hard drive Windows is installed on - the options they give me are similar to

    1.HDD-0
    2.HDD-1
    3.HDD-2
    4.HDD-3

    I selected each of the first two as primary devices, but nothing worked.

    I checked and auto-detect is on.

    Thanks

    deepat
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This can cause major problems!

    What setup are you referring to? Are you talking about the BIOS?

    How many physical hard disks do you have in the computer, and how many partitions did you have created?

    Note: It is really looking like your only alternative may be a reinstall.
     
  22. deepat

    deepat Private First Class

    Yeah the BIOS set-up is what I'm referring to.

    I have only 1 HDD, and assume it's the C drive that Windows is installed on. There is no indication in the BIOS of what drive Windows is installed on.

    What do you mean by partitions?

    deepat
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The BIOS would not indicate this. It should however indicate information about your hard disk especially if you have it set to auto detect. Please tell me what you are seeing for your hard disk.

    I have a feeling that when you made changes to your BIOS you caused this problem that is resulting in the 'Verifying DMI pool data' message. Either that or when you shut off the power. I may have to send you to the Software or Hardware Forum to try and work through this problem. Once you can access/boot your hard disk again we would then continue with malware removal.

    Since you don't know what it is, you probably don't have multiple partitions. A hard disk can be broken down and formatted into multiple chunks called partitions. Sometimes people will install a different OS into each partition.
     
  24. deepat

    deepat Private First Class

    Ok, I get auto detect information in CMOS; date, time,

    IDE Primary Master ST380021A, when I select it, a new page appears;
    -------------------------------------------------------------------------
    IDE HDD Auto-detection Press Enter

    IDE Primary Master Auto
    Access Mode Auto,

    then other info like capacity, cylinder, head, Precomp, Landing zone, sector.

    ------------------------------------------------------------------------

    Back in CMOS again under IDE Primary Master, I have

    IDE Primary slave None
    IDE Secondary Master LG DVD-ROM DRD
    IDE Secondary Slave HL-DT-ST GCE-8160B

    When I select each of these a similar page comes up giving similar information to IDE Primary Master. The remainder of the page is as follows:

    DRive A 1.44M, 3.5 in.
    Drive B None

    Video EGA/VGA
    Halt On All but keyboard,

    then............ Base Memory, Extended memory Total memory

    ---------------------------------------------------------------------

    Under Advanced BIOS features (bear with me)

    Anti-Virus Protection Enabled
    CPU Internal Cache Enabled
    External Cache Enabled
    CPU L2 Cache ECC checking Enabled
    Quick Power on self test Enabled
    First Boot Device HDD-0
    Second Boot Device CD ROM
    Third Boot device Floppy
    Boot other device Enabled
    Swap Floppy drive Enabled
    Boot up Floppy Seek Enabled
    Boot up Num lock status On
    Gate A20 Option Fast
    Typematic Rate Setting Disabled
    Security Option Set-up
    APIC Mode enabled
    MPS Version Control for OS 1.4
    OS Select for Dram > 64MB Non-OS2
    Video BIOs Cacheable Enabled

    I hope this is the information required.

    Thank you

    deepat
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see any problem with that. It appears that your hard disk is being detected. I'm not sure exactly what happened to your PC when you changed the BIOS to defaults and also what may have happened when you shut off the power.

    Do you have information on this hard disk that you need? If yes, it may be a good idea to see if you can hook up the hard disk as a slave drive in another PC and copy what you need from it before anything else is done that may make data unrecoverable (assuming the hard disk is not already damaged).

    I don't know of any real true solutions for the 'Verifying DMI pool data' problem. Some people had success by physically disconnecting the hard disks (unplugging the cables), booting their PCs into the BIOS and saving a setup with no hard disks. Then they shut down, reconnected the hard disk, allowed it to be automatically configured and then tried booting into Windows.

    It may be worth your time to post a message in the Software Forum about this issue and reference this thread. It could be helpful to get other opinions on this. Someone may have personally experienced it and could have a real solution rather than guess work which is all you may find on the internet.
     
  26. deepat

    deepat Private First Class

    Hi

    I seem to have put figuring this out on the back burner............

    Anyhow, I'm not sure about disconnecting the cables of my hard disk; this is what I've stalled on. Does this mean I need to open up my computer (screwdriver) and then locate the hard disk cables?

    Thanks
    deepat
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that is what it means! There is also no guarantee that the procedure I gave will help. It has worked for some people but not for others.
     
