Infected computer, w/ questions on XP cleaning

[ahurwich]

Hello,

I followed a link to an NSFW site the other day and soon afterwards got a popup notification along the lines of "Windows system inspection has found an error" and then my browser started randomly opening windows to "anti-virus" purchase sites and redirecting google links to them as well.

I've been running through the Windows XP cleaning procedure, but seem to have gotten stuck on running combofix. I think it's because I'm not properly disabling my AV, but here's what's happening, anyway: I run combofix, it says "McAfee VirusScan Enterprise is still active, disable it". I thought I had disabled it, so doubled-checked (and found on-access scanning, and all other 'disable'-able options set to "disabled") and clicked OK. Combofix runs until it gets to this screen: http://www.bleepstatic.com/combofix/en/autoscan.jpg and then just sits there for 30 minutes at which point I manually close it. I tried running MGtools, hoping it was just something with Combofix, but MGtools also froze after about a minute of scanning through my files.

Logs from Superantispyware and Malwarebytes' attached. Should I just uninstall McAfee at this point and start over, is there a better way to disable than described above, or something else? The "How to Disable your AV" section on MajorGeek doesn't seem to cover my version of AV.

Thanks for your help!

[TimW]

Yes, try uninstalling McAfee. Did you try running Combo and MGTools in safe mode? Have you tried renaming them?

[Kestrel13!]

Also I think this might help you, give it a go.

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor.
• Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
• Click Start scan
• It will run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if asks you what to do when if finds something.

Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

[ahurwich]

Thanks guys. I figured out how to disable my AV to the point where combofix doesn't complain about it running and Windows security center complains about it being turned off.

However, still haven't gotten combofix or MGtools to run successfully--same issue as earlier. I tried renaming it, running it in safe mode, and re-downloading it saved as a different name, with no effect. I didn't uninstall my AV because I thought that might not be the problem, although can if you still think it may be worth doing.

I did successfully run rootrepeal and TDSSKiller--logs attached. Thanks again for the help thus far, and let me know how'd you like me to proceed.

[Kestrel13!]

We could still uninstall Mcafee and then try running Combofix /MGTools again, however TDSSKiller found something that should have solved your problem. Describe to us how things are running at this point please.

But we still need to see if any malware remains, so either uninstall Mcafee and run Combofix and MGTools... or...

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

[ahurwich]

OTL run, logs attached.

[Kestrel13!]

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Now try and run Combofix and MGTools (without uninstalling mcafee) Any luck?

[ahurwich]

DL and ran HostsXpert successfully, but still error on combofix.

Also, noticed that the clock on my computer freezes during combofix running along with all icons/start menu when I try to open task manager, or use other misc. windows things.

[Kestrel13!]

Uninstall Mcafee and try again?

[ahurwich]

Uninstalled, but no change on combofix

[Kestrel13!]

Run OTL again as instructed in post #5 (no need to redownload of course)

Run this and attach the results.

Using ESET's Online Scanner

Tell me how things are running?

[ahurwich]

Things are running better--the computer was noticably slower before I started with a few of these scans, but now seems to be more on par with its usual speed. Haven't had the popup windows recently and a cursory google search/link clicking doesn't redirect me to "AV" sites. Of course, I've only been online for a few minutes since the scan finished.

Logs attached--ESET did find some stuff. OTL didn't produce an Extras.txt file this time--normal?

[TimW]

OTL reports that MGTools did run so please attach this log:
C:\MGlogs.zip

[chaslang]

Quote:

Originally Posted by TimW

OTL reports that MGTools did run

It also reports that the log will be incomplete. MGtools should be rerun since TDSSkiller likely fixed the reason why it could not run properly.

[ahurwich]

Hmm. MGtools still seems to just sit there. Log attached in case it's at all useful.

[TimW]

Yes, it only had the one log. Let's see if we can get it to run properly:

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

[ahurwich]

Ran GetRunKey command, and MGtools booted up, sat there and froze the computer as it's been doing previously.

Ran ShowNew, it ran seemingly ok with no error messages and left me at the C:\MGtools> prompt.

[chaslang]

Quote:

Originally Posted by ahurwich

Hmm. MGtools still seems to just sit there.

Yes because you have no available free disk space. Your logs from OTL showed the below:

Code:

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 1.83 Gb Free Space | 4.91% Space Free | Partition Type: NTFS
Drive D: | 542.65 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

You have ZERO space on drive D and the 1.83 GB of space on drive C is too small for many things to run possibly including MGtools and even many things that Windows needs to do. You need to free up disk space.

[ahurwich]

I can do that--how much free space will it need to run successfully?

[chaslang]

Quote:

Originally Posted by TimW

Then it should have added the newfiles log to the C:\MGLogs.zip. Check to see if it is there and if so, attach the log.

Don't bother with any of this. The problem is free disk space as I mentioned below.