Help Needed with READ & RUN ME FIRST. Malware Removal Guide

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mady, Jan 5, 2009.

  1. mady

    mady Private E-2

    Hi I was following "READ & RUN ME FIRST. Malware Removal Guide"
    Completed till "... locate the DisableUAC.reg file in the C:\MGtools folder and double click on it."
    When double clicked, Spybot – Search & Destroy popped up and scanned "DisableUAC.reg", said nothing found and asked to close.
    How do I go about now?
     
  2. mady

    mady Private E-2

    XP-96943172.EXE hoping somebody would notice and help

    Unable to log into safe mode; when I tried to do so I was asked to press Esc to stop loading of Sptd.sys, and whatever I do the system reboots.
    Scanned with Malwarebytes, there were 67 instances of malware, removed them but still could not log into Safe mode.
    Found the following in Startup of MsConfig
    Startup Item   Command                                Location
    XP-96943172    C:\windows\system32\XP-96943172.EXE    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    iiiiii         C:\windows\system32\XP-969~1.EXE       SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Unchecked them but whenever I reboot I find them checked.
    Searched the Net and found it's 278.EXE Trojan/malware....
    There is another Thread of mine here
    " Help Needed with READ & RUN ME FIRST. Malware Removal Guide " in Forum: Malware Removal
    I am stuck at Step 3, don't know how to go about it, hoping somebody would notice and help.
    I know I can't post a new thread but I am desperate :cry please help me
     
  3. mady

    mady Private E-2

    BSOD !!!! is formatting the only option left !!!!!

    This is my third thread sorry about that.
    But now I can't boot the system in any mode.
    BSOD happens whenever I start the system, be it safe or normal. Do I have to format the C drive or is there a way with recovery console?
    This started happening when I tried to boot to safe mode by
    Msconfig-->Boot.Ini-->safemode start.
    Now I cannot log in to the system.
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    There are two other threads of mine here.
    Try and go through them please.
     
  4. mady

    mady Private E-2

    BSOD !!! Is formatting the only option left !!!

    Now can't log in to any mode, be it safe or normal; only BSOD happens.
    Was able to log into normal mode but had problems with malware or whatever it was, so wanted to log into safe mode, which I couldn't do till I did the following:
    Msconfig--> Boot.Ini--> start Safemode (or some option which would let me boot to safe mode)
    Now it's only BSOD.
    Is there any option other than formatting?
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    There are two other threads by me regarding my earlier problems.
    Didn't want to bump so doing this. Not sure if I could do this. But I need help.
     
  5. mady

    mady Private E-2

    I know I can't do this bumping but had to because I can't start a thread and I've the following problem now:
    Now can't log in to any mode, be it safe or normal; only BSOD happens.
    Was able to log into normal mode but had problems with malware or whatever it was, so wanted to log into safe mode, which I couldn't do till I did the following:
    Msconfig--> Boot.Ini--> start Safemode (or some option which would let me boot to safe mode)
    Now it's only BSOD.
    Is there any option other than formatting?
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    There is one more thread by me regarding my earlier problems; did it to avoid bumping.
     
  6. Lev

    Lev MajorGeek

  7. mady

    mady Private E-2

    Oh! I read that, that's why I said, "I know I can't do this bumping but had to because I can't start a thread and I've the following problem now".
    Actually what happened was I started a new thread, " BSOD !!!! is formatting the only option left !!!!! ", and after pressing the 'post thread' button I didn't find it in 'New Posts'. I thought I did something wrong and tried it again; the same thing happened, so I thought I can't start so many threads and posted that reply. Please do go through them, you would understand.
    Of course I solved the BSOD problem through a post which suggested a solution to try Icrontic forum or something like that.
    Anyway thanks for your reply, I'll see to it that I won't repeat it.
     
  8. mady

    mady Private E-2

    Spybot S&D and CCleaner are not working now; every time I start the system and try them a missing shortcut alert appears. And the following is omnipresent in the Processes tab of Task Manager: IMAGE NAME-->XP-96943172.EXE USER NAME--> Mady.
     
  9. mady

    mady Private E-2

    msqpdxserv.sys, msqpdxpxweoitu.sys Can Anyone Help

    Found them on my computer can anybody help getting rid of them.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: msqpdxserv.sys, msqpdxpxweoitu.sys Can Anyone Help

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky Don't Bump! It Only Hurts You!!!. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to be doing this because you are not running Vista. That step is for Vista. You need to read the instructions carefully.

    Unless you attach the logs we requested in the READ & RUN ME, we cannot help you. You should have done this earlier before continuing to do things on your own. If your PC is not bootable, there is not much we can suggest other than saying post in the Software Forum for help on trying to perform a Windows Repair. However, if you have solved the inability to boot, then you need to attach the logs we need that are requested in the instructions.
     
  12. mady

    mady Private E-2

    Here I am attaching the logs
     

    Attached Files:

  13. mady

    mady Private E-2

    Mgtools log
     

    Attached Files:

  14. mady

    mady Private E-2

    Re: msqpdxserv.sys, msqpdxpxweoitu.sys Can Anyone Help

    Thanks for the help, I could complete the R & R Me first without the help of the TDSSserv steps. Posted the logs in my other thread; shall I post them here too?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your threads were merged...please only respond in this thread!

    Why am I not seeing any anti-virus program installed?

    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Now use windows explorer to find and delete:
    C:\WINDOWS\system32\XP-96943172.EXE
    C:\WINDOWS\system32\XP-D41D8CD9.EXE

    Now re-run MBAM, SAS and then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file, MBAM and SAS logs.
     
  16. mady

    mady Private E-2

    Hi,
    I had ZoneAlarm Firewall and BitDefender AntiVirus; they got disabled, that's how I knew the system was infected. I tried to install them again but couldn't do that.
    Completed the
    1.Run C:\MGtools\analyse.exe
    2.Doubleclick fix.bat
    3.delete:
    C:\WINDOWS\system32\XP-96943172.EXE
    C:\WINDOWS\system32\XP-D41D8CD9.EXE
    4.re-run MBAM, SAS and then run the C:\MGtools\GetLogs.bat
    tasks you asked and I am attaching the fresh logs.
    Thank you
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your log....but you need to clean out the temp folder:

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
        * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
        * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now tell me what malware issues you are still having.
     
  18. mady

    mady Private E-2

    Hi
    Don't know what these programs are:
    winylmo.exe
    winkqnm.exe
    It's not the names, they keep changing, like win????.EXE - '?' could be any letter.
    They keep running from C:\Windows\Temp.
    When I look in the Processes tab of Task Manager a number of 'notepad.exe' will be there.
    Ccleaner.exe and Spybot S&D shortcuts don't work; a missing file alert comes up when I try to run them.
    Unable to install ZoneAlarm Firewall and BitDefender Antivirus.
    Cannot log into safe mode; tried once by Run-->Msconfig-->Boot.ini--->Safeboot, result was BSOD at reboot till I fixed the boot.ini file using WinXP setup from cd--> repair...etc.
    Ran BitDefender online scan, it says Win32.Sality 2.0E infection; it said it removed it but the system is still infected.
    Can I attach a log from a different scanner which shows what I am facing?
    Thank You.
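    The two symptoms this thread keeps coming back to (post 2: Run-key entries pointing at XP-########.EXE in system32 that re-check themselves after every reboot; post 18: random win????.exe files executing out of C:\Windows\Temp) can be triaged from a known-good host with a short script. The script below is an added illustration and is not part of the MajorGeeks instructions or of MGtools; it assumes a modern PowerShell host (which an XP-era machine would not have by default) and the name patterns are taken from the file names quoted in the thread, everything else is constructed.

```powershell
# Added triage example (not MGtools/MajorGeeks code).
# Lists Run-key autostarts whose executable name matches the patterns quoted in
# the thread, and running processes whose image lives in a scratch directory.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Patterns from the thread: XP-96943172.EXE / XP-969~1.EXE (post 2) and
# winylmo.exe / winkqnm.exe, i.e. "win" + four letters (post 18). Assumed, not canonical.
$suspectName = '^(XP-[0-9A-F]{8}|XP-[0-9A-F]{3}~\d|win[a-z]{4})\.exe$'

# Scratch locations a legitimate autostart has no business executing from.
$suspectDirs = @("$env:SystemRoot\Temp", "$env:TEMP")

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # First token of the command is the executable, quoted or not.
            $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $leaf = Split-Path -Leaf $exe
            $dir  = Split-Path -Parent $exe
            $flags = @()
            if ($leaf -match $suspectName) { $flags += 'name-pattern' }
            if (@($suspectDirs | Where-Object { $dir -like "$_*" }).Count -gt 0) { $flags += 'scratch-dir' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd; Flags = ($flags -join ',') }
            }
        }
    }
}

function Get-ProcessesFromScratchDirs {
    # Processes with no Path are system/protected processes; nothing to check there.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $p = $_.Path
        @($suspectDirs | Where-Object { $p.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
    } | Select-Object Id, ProcessName, Path
}

"== Run-key entries matching the thread's patterns =="
Get-SuspiciousRunEntries | Format-Table -AutoSize
"== Running processes executing from scratch directories =="
Get-ProcessesFromScratchDirs | Format-Table -AutoSize
```

    The script only reports; it deletes nothing, because on a Sality-class infection (which patches legitimate .EXE files, as post 20 observed) the listed files are symptoms, and the helper's log-driven procedure above is what decides the cleanup. An entry that reappears after being unchecked in msconfig, as in post 2, is a sign that a running component is re-creating it, which is why the process listing is shown alongside the registry entries.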
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes...attach logs that show where this is coming from ( and yes they are malware) and also ( if you have not uninstalled it) run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  20. mady

    mady Private E-2

    Hi
    Sorry for the delay--> Installed OpenSUSE Linux 11.0.
    Scared to log into WinXP, all the .EXE files are infected there.
    So unable to run C:\MGtools\GetLogs, hope it's ok.
    But attaching two different logs.
    One more question: can I try to clean the 'C:\' from Linux? I've mounted it here and it is accessible with read & write permissions. Looks like a good option if at all possible.
    Thank you
     

    Attached Files:

  21. mady

    mady Private E-2

    Hey
    Here is the MGlogs.zip file; mustered up the courage to log into XP and just ran it.
    Hope you could find a way to help me.
    Thank you.
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first two logs you attached are unreadable. BitDefender online scan should be saved as a text file. I have no idea what the other log is.

    Your MGLogs.zip does not show any malware.

    It appears as though you ran SAS and MBAM recently and they probably do not show any malware (if the latest logs do, attach them so I know what you are referring to).
     
