Please Help with Malware removal

Have run malware removal instructions

The only one that failed was ComboFix. It has been a problem as it hangs up.
The recovery module that ComboFix installs also hangs up. Computer freezes.

I also still seem to have redirection by malware on my browser.

Original source of problem was a file titled Facebook_Password.zip that came in an e-mail.

I have attached the logs.

 

Hi Tim:

The two things I still notice are:

My browser gets redirected to other webpages. Example, if I do a Bing Search on IE, for "ad-aware". I get the Bing results page, then when I click on the lavasoft link, the tab says "redirected" on it and I end up on a page called infomash.

http//infomash.org/100/10653/search.php?etc...

The other thing is that some programs are running much slower than before.
It takes a long time to open the control panel and the security center. It also takes a really long time for the remove software list to display.

Also, the internet is sluggish.

 

Kestrel13

It is not letting me run TDS Killer. I will try MBRCheck next.

I renamed it as suggested in the how to you sent. I do get the "Open File - Security Warning" promt but when I say yes nothing happens

Paul

 

Kestrel13!

Please also download MBRCheck

Bad news, here is the log...

Paul

 

Kestrel13!

I have several, but I believe that my CD RW has been disabled.

I do not think it boots anymore.

Paul

 

TimW:

I am in windows setup from the boot disk. Deleting the driver worked.

Paul

 

I cannot get g-parted to boot on this system. Even thought it boots on my laptop. I leave for work at 6 AM EST, so I will will have to call it quits for tonight.

I also think that will call it quits for tonight and attempt it again tomorrow.

Paul

 

TimW & Kestrel13!

I cannot G-Parted. I tried two more times today and it does not boot on the infected PC. Same disk boots on my laptop.

Not sure why, but after 4 tries I need to try something else.

The XP CD does alow me to boot the recovery console

Paul

 

G-parted

Steps I have taken
I have made 3 G-Parted disks:
1) gparted-live-0.10.0-3.iso (@ Kestrel13!’s suggestion) burned on a laptop running Vista.
Would not boot on the infected PC. Re-booted several times. Deleted driver of drive so that Windows XP would reinstall (Worked when booting the XP recovery disk. Would not work on G-Parted disk)

2) gparted-live-0.11.0-7.iso (@TimW’s suggestion) burned on laptop running Vista.
Would not boot on the infected PC. Re-booted several times. Deleted driver of drive so that Windows XP would reinstall (Worked when booting the XP recovery disk. Would not work on G-Parted disk)

3) gparted-live-0.11.0-7.iso burned on a laptop running Windows7
Would not boot on the infected PC. Re-booted several times. Deleted driver of drive so that Windows XP would reinstall (Worked when booting the XP recovery disk. Would not work on G-Parted disk)

4) tried to burn gparted-live-0.11.0-7.iso from infected computer running Windows XP.
Would not allow me to to burn the CD ImgBurn reported “Medium not present”. Inserted several different blank disks and re-booted several times. Deleted driver of drive so Windows XP would reinstall driver to no avail.

What next? :-D

 

TimW:

I deleted it twice and go the following error message...

An unexpected error has occurred. Check the System Event Log for more information on the error. Close the Disk Management console, then restart Disk Management or restart the computer.

The system even log says:

Type date Time Source Category Event User Computer
Error 01/07/2012 3:31:57 PM LDM None 2 N/A LARISTONDO
Error 01/07/2012 3:31:42 PM LDM None 2 N/A LARISTONDO
Error 01/07/2012 3:30:39 PM disk None 11 N/A LARISTONDO
Error 01/07/2012 3:30:38 PM disk None 11 N/A LARISTONDO
Error 01/07/2012 3:30:38 PM disk None 11 N/A LARISTONDO
Error 01/07/2012 3:30:37 PM disk None 11 N/A LARISTONDO
Error 01/07/2012 3:30:57 PM disk None 11 N/A LARISTONDO

Do you still want me to reboot into the Recovery Console?

 

I deleted the partition. Checked to see if it was gone, and it was gone.

Then I rebooted into the Recovery Console and ran the fixboot/fixmbr commands.

When I rebooted my computer I got the following message:

"A disk read error occurred
Press Ctrl+Alt+Del to restart"

I did this twice and got the same error two more times...

Paul

 

Followed your instructions, still getting error.

Paul

 

Hi quiltro,

What happens if you go back into the Recovery Console and type in (and press ENTER after each command):

• c:
• dir

What is listed (if anything)?

 

thisisu:

I get a directory listing.

When I load the Recovery Console, I am asked to pick windows installation.

There is only one choice.

1) C:\WINNT

When I pick one, I get the C:\WINNT> prompt

I can use the "DIR .." command to get back to root.

All recovery console commands seem to work.

Paul

 

Ok good.

Go back into the Recovery Console and type out this command (and press ENTER):

• bootcfg /rebuild

When it's finished, it should say something like:
Total Identified Windows Installs: [X]

Let me how many Windows Installs were found here and list each one (if more than 1)

 

thisisu:

Total identified Windows installs: 1
[1]: C:\WINNT

Add installation to boot list? (Yes/No/All):

Paul

 

Let's try creating another boot entry.

Note: The purple bold letters below are what you will be typing. The Black text is what will be presented to you.

Type in Y (for yes)

Enter Load Identifier: windows xp test
Enter OS Load Options: /fastdetect

exit

Now reboot and try booting from windows xp test (the entry we just created)

 

If that does not work, verify that your OS partition (111.78 GB) is marked as Active in GParted.

 

When I rebooted my computer I got the following message:

"A disk read error occurred
Press Ctrl+Alt+Del to restart"

I did this twice and got the same error two more times...


> Now reboot and try booting from windows xp test

How do you pick which installation to boot from?

Paul

 

Sorry did notice you were getting that message before boot loader.

At this point I would like you to verify that your OS is marked as active (has a checkmark in Managed flags) while in GParted.

 

I have not been able to get G-Parted to boot on my PC. I am going to try and make a copy at work, and see if I am able to boot.

Thanks,

Paul

 

Ah I did not realize you were unable to use GParted, but yes this is the problem. The TDL4 partition was marked active, and you deleted it. This is why we need to reassign the correct OS partition as Active/Boot. Once you do this, you should be able to boot properly again.

Code:

[B][COLOR="Indigo"]Bootable[/COLOR][/B]  Name                   Size          Type                     
          Disk #0, Partition #0  120023253504  Installable File System  [COLOR="DarkRed"]<-- OS partition[/COLOR]
[B][COLOR="Red"]TRUE[/COLOR][/B]      Disk #0, Partition #1  10829824      Unknown  [COLOR="DarkRed"]<-- TDL4 partition[/COLOR]  

There are some other tools that you can edit the partition table if GParted isn't working for you. I will try to gather some instructions on how to use them whenever I get a chance. ( still at work )

 

I am creating a USB G-Parted boot to see if it works... Should be done in a few minutes.

 

I got an error message that it needs an operating system to load when I booted G-Parted from a usb drive.

I have a USB Ubuntu boot-able USB that loads on the PC.

Can I run G-Parted from it?

pL

 

While I waited,


From a gnome-terminal in Ubuntu, I executed the sudo fdisk -l command

The results were as follows

Disk /dev/sda: 8074 MB, 8074035200 bytes
39 heads, 31 sectors/track, 13043 cylinders, total 15769600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes /512 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sda1 * 2056 15769599 7883772 c W95 FAT32 (LBA)

Disk /dev/sdb: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes /512 bytes
Disk identifier: 0x09100910

Device Boot Start End Blocks Id System
/dev/sdb1 63 2344020479 117210208+ 7 HPFS/NTFS/exFAT
/dev/sdb2 * 23442048234441631 10576 17 Hidden HPFS/NTFS

I thought this might be useful
pL

 

Can you let me know if you are able to toggle "Active" on your OS partition using this boot CD (Super Fdisk)?

See the attachment below:

 

thisisu

I could not get the Super F disk to boot.

I have to believe that there is something wrong with my CD ROM drive. The only disk that boots from it is the Windows XP recovery CD.

All other CDs that I have burned on my other machines (all laptops) do not boot.

If I burn something to a thumb drive, it seems to boot just fine.

Paul

 

My booting options on the infected PC are:

Hard Drive: PM-ST3120026A
Not booting at the moment

SS-SONY CD-RW CRX215E5
Boots Windows XP recovery, but does not boot disks burned on my other machines

Kingston DataTr (Or other USB thumb drives I own)
Boots Ubuntu Linux and seems to boot other software I write to it as long as I have an operating system loading.

SM-IDE-DVD ROM
I am not able to open this drive

1st Floppy drive
Only floppy drive in the house

I have 3 laptops.
1 runs Ubuntu Linux
1 runs Windows 7
1 runs Windows Vista Home Premium

 

I was afraid of that.

What software are you using to burn the .ISO files. And what speed are you burning at (4x, 8x, 48x, etc) ??

 

I am using ImgBurn. I used the slowest setting. Can't remember what it was.

Super F Disk was an .exe file that burned the image that I downloaded. It did not give me an option to burn to USB thumb drive.