Farm computer problem - 1 of 2

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hcoons, Jul 10, 2011.

  1. hcoons

    hcoons Private E-2

    Howdy, Major Geeks,

    I have had great luck following your removal instructions in the past, but this one finally got me.

    My father-in-law is a farmer and was looking to buy a good used truck. He got an email advertising trucks for sale a month or two ago, clicked on a link, and has been having problems ever since.

    I was enlisted for help, and I discovered the computer locked up a few minutes after accessing the Internet. In fact, it locked up after trying to run Super Anti Spyware the first time. I ran SAS in safe mode, and then I was able to run the rest of the programs without any problems.

    Unfortunately, RootRepeal seems to have found an MBR rootkit on his external drive, and the machine is back to garbling text on the screen and locking up. I have attached the logs to this post.

    We greatly appreciate your help.

    Many thanks,

    Howard
     

    Attached Files:

  2. hcoons

    hcoons Private E-2

    Part 2:

    Here is the last log - MGlog.zip.

    Thanks again!

    -Howard
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi Howard,

    I will be reviewing your logs. Please be patient, as there is a lot of information to review.
     
  4. thisisu

    thisisu Malware Consultant

    Are you having any issues with your personal documents/programs appearing to be missing or hidden?

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    127.0.0.1:50667 Did you set this proxy? If not, please include the following line when running the next step (analyse.exe/HiJackThis!):
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    Be sure to attach your log from TDSSKiller

    Also, please download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
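The MBRCheck step above boils down to one question: does the 512-byte boot sector still look like a stock Windows master boot record, or has a bootkit replaced the loader code while leaving the partition table alone so the machine still boots? As an added example that is not from this thread and not MBRCheck's own code, here is a small Python checker for a raw sector image: it validates the 0x55AA signature, parses the four partition entries, rejects impossible status bytes and overlapping partitions, and hashes the bootstrap region (bytes 0 to 439, leaving out the disk signature) against a baseline you trust. The sample sectors, the bootstrap bytes, the disk signature and the "known-good" hash are all constructed for the demo; on a real machine the baseline would come from a clean install of the same Windows version.

```python
"""Added example: sanity-check a raw MBR sector against a trusted baseline."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0..439 bootstrap code; 440..443 disk signature; 444..445 reserved
PTABLE_OFF = 446          # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510..511
PENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    status: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.ptype == 0 and self.sectors == 0


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the partition table; CHS fields are ignored on anything modern."""
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, n = struct.unpack_from(PENTRY, mbr, PTABLE_OFF + 16 * i)
        parts.append(Partition(i, status, ptype, lba, n))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    """Hash only the loader code; the disk signature legitimately differs per machine."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the sector passed every check."""
    findings = []
    if len(mbr) < SECTOR:
        return ["sector too short"]
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
    if sum(1 for p in parts if p.status == 0x80) > 1:
        findings.append("more than one partition marked active")
    used = [p for p in parts if not p.empty]
    for a in used:
        for b in used:
            if a.index < b.index and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    if bootcode_hash(mbr) != known_good_hash:
        findings.append("bootstrap code does not match the known-good baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a device, e.g. r'\\.\PhysicalDrive0' from an elevated prompt."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed 512-byte MBR for the demo: one active NTFS partition starting at LBA 63."""
    sector = bytearray(SECTOR)
    sector[:len(bootcode)] = bootcode
    sector[440:444] = b"\x12\x34\x56\x78"    # disk signature (constructed value)
    struct.pack_into(PENTRY, sector, PTABLE_OFF, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Stand-in loader bytes for the demo; these are NOT real Microsoft boot code.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 432
INFECTED_BOOTCODE = b"\xeb\x58\x90\x54\x44\x4c" + b"\x90" * 434   # "patched" loader, same partition table

CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOTCODE)
KNOWN_GOOD_HASH = bootcode_hash(CLEAN_MBR)   # would be recorded from a clean install in practice

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, KNOWN_GOOD_HASH))
    print("infected:", check_mbr(INFECTED_MBR, KNOWN_GOOD_HASH))
```

The infected sample trips only the hash check, which is the point: a bootkit that keeps the partition table intact passes every structural test, so a baseline hash of the loader code is what actually catches it. To check the external drive hcoons mentions, read `\\.\PhysicalDriveN` for that disk's number rather than drive 0.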
     
  5. hcoons

    hcoons Private E-2

    Sorry about the delay. We were out of town on vacation, and my father-in-law is not comfortable with technical computer stuff.

    I ran the tools, but I started getting black screens of death again, so I ran MGTools in Safe Mode. The log files are attached.

    Let me know if you need me to do anything different. Thanks again!
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Please answer the following:
    • Are you having any issues with your personal documents/programs appearing to be missing or hidden?
    • 127.0.0.1:50667 Did you set this proxy? You were supposed to include it in your HiJackThis / analyse.exe fix if you weren't familiar with it.

    You have an MBR infection, which is most likely the cause of your blue screens of death. I will help you fix this in the next fix I'm preparing for you.
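A browser proxy pointing at 127.0.0.1 on a high, random-looking port, which is what thisisu keeps asking about, usually means something on the machine has inserted itself between the browser and the network, although some legitimate antivirus and parental-control products do the same. The function below is an added example, not the thread's or HijackThis's code: it takes the ProxyEnable and ProxyServer values from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (the same values HijackThis lists) and flags loopback hosts, ephemeral ports, public addresses and hostnames you did not configure yourself. Both ProxyServer layouts WinINet accepts are handled. The sample values are constructed.

```python
"""Added example: triage the WinINet ProxyServer value for signs of a hijacking proxy."""
import ipaddress
from typing import Dict, List, Set, Tuple

EPHEMERAL_PORT = 49152   # ports at or above this are picked at random by the OS


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, int]]:
    """Parse ProxyServer. Two layouts exist: "host:port" for all protocols, or
    "http=host:port;https=host:port;ftp=host:port;socks=host:port" per protocol."""
    result: Dict[str, Tuple[str, int]] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            proto, _, hostport = item.partition("=")
        else:
            proto, hostport = "*", item
        hostport = hostport.split("://", 1)[-1]          # tolerate "http://host:port"
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            host, port = hostport, "0"                    # no port given; record as 0
        result[proto.strip().lower()] = (host.strip().lower(), int(port))
    return result


def assess_proxy(proxy_enable: int, proxy_server: str,
                 expected: Set[Tuple[str, int]] = frozenset()) -> List[str]:
    """Return findings for an operator to verify. `expected` lists proxies you know you set."""
    findings: List[str] = []
    if not proxy_enable:
        if proxy_server:
            findings.append(f"proxy disabled but ProxyServer still set to {proxy_server!r}")
        return findings
    for proto, (host, port) in parse_proxy_server(proxy_server).items():
        if (host, port) in expected:
            continue
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_loopback:
                findings.append(f"{proto}: loopback proxy {host}:{port}; find the process listening on that port")
            elif not ip.is_private:
                findings.append(f"{proto}: proxy on public address {host}:{port}")
        except ValueError:
            findings.append(f"{proto}: proxy hostname {host}:{port}; confirm it is yours")
        if port == 0 or port >= EPHEMERAL_PORT:
            findings.append(f"{proto}: unusual proxy port {port}")
    return findings


if __name__ == "__main__":
    # Constructed values mirroring the setting asked about in the thread.
    for line in assess_proxy(1, "127.0.0.1:50667"):
        print(line)
```

When a loopback proxy is flagged, `netstat -ano` (available from XP SP2 onward) shows the PID owning the listening port, which settles whether it belongs to an installed security product or to the infection.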
     
  7. hcoons

    hcoons Private E-2

    Apologies. Answers below:

    No, my in-laws have not reported any missing or hidden documents. They're not sure if they would notice if anything was missing, but so far, so good. :)

    Yes, I included it in my HiJackThis / analyse.exe fix list. Sorry I left out that detail. My in-laws don't know what a proxy is, so I figured removing it was a good idea.

    I am looking forward to the next fix. Thanks again for your help!

    By the way, in case it helps, I am not seeing any blue screens of death, but I am seeing the following:
    • Starting an Internet connection after cleaning infections and rebooting once causes text on the screen to garble.
      • Sometimes colored, flashing pixels appear around the mouse pointer and around the borders of the active window.
      • The computer slows down quite drastically.
    • Starting an Internet connection after another reboot then simply causes the screen to go black after a few moments :cry (I have had to do a lot of posting in Safe Mode).
    • Actually, now that I think about it, I did see a BlueSOD a couple of times when I ran Root Repeal a couple of times after I sent you my first logs.
      • I changed a setting, tried to run Root Repeal, and ZOINK! BlueSOD. :(
      • After the second time I quit doing that and decided to stick to following orders. :major

    Hopefully the additional detail is helpful. Thanks again for your help!
     
  8. hcoons

    hcoons Private E-2

    I got an email with your response, but for some reason the response is not showing up in the forums. Here it is from the email:

    Unfortunately I get a "The old master boot record cannot be read" error when I run the "fixmbr \device\harddisk1" command, and I don't even get the warning message. :-(

    Help? :)
     
  9. hcoons

    hcoons Private E-2

    One more thing - we cannot find my in-laws' XP Pro CD, so we're using an old XP Home CD to boot the recovery console. I hope that isn't the problem....

    If that is the problem, should I just use the recovery console that was installed when we installed Combofix?
     
  10. hcoons

    hcoons Private E-2

    Good news! I used the recovery console that was installed with Combofix, and I got fixmbr to work!

    I ran MBRCheck.exe, and I have attached the log.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Good job, the MBR infection is gone.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip

    What malware problems (if any) are you still having?
     
  12. hcoons

    hcoons Private E-2

    So, the computer still locks up soon after starting an Internet connection. I have booted up in safe mode, though, and I have attached the MGlogs.zip file.

    Should I restart the cleaning process now that the MBR problem is fixed, or do you have something else you want me to try?

    Thanks,

    hcoons
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    These are programs in your Add/Remove Programs. If you don't use these/do not know what they are for, please uninstall them.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip

    Let me know if you are still experiencing problems after you've run these steps.
     
    Last edited: Jul 17, 2011
  14. hcoons

    hcoons Private E-2

    So, long time no see! It's been a crazy couple of weeks:

    Personal:
    1. I had to go home to start a new job, and since my father-in-law lives 400 miles away, technical support is a bit complicated.

    2. The day I was supposed to start a new job I got a call (several, actually) from my brother telling me my father had passed away. So, off we went in the opposite direction as before to take care of some serious family business. Fortunately my new job let me postpone my start date, so I am very grateful for that. Now we can finally get caught up on some less pressing business.

    Technical:
    1. Part of the problem with the screen locking up may have had something to do with the video card. After checking the card I discovered that three of the capacitors had ruptured, so my father-in-law got a new card. The freezing problems have not repeated since the card was installed (now their printer won't connect wirelessly, but that's a separate issue and one I am going to try to tackle at another time).

    2. We didn't see the three programs you mentioned on the add/remove programs menu. I did some research on one, and it seems to be associated with their Kodak Easy Share program, so we're going to let those be.

    3. The logs are attached.

    By the way, my in-laws and I are very grateful for your help and support. I think we're going to be doing some Major Geeks merchandise shopping once we get this malware finally put to bed! If you spy anything else suspicious in the logs please let us know.
     
    Last edited: Aug 1, 2011
  15. thisisu

    thisisu Malware Consultant

    Always glad to help
    By the way, you forgot to attach the logs
     
  16. hcoons

    hcoons Private E-2

    Sheesh! :-o I guess that's what I get for working late and forgetting to click the upload button. ;)

    Okay, logs are attached for sure this time. Thanks again!
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Your logs are looking much better. A few more things...

    From Add/Remove, Uninstall:

    • Java(TM) 6 Update 26

    Please download Disable/Remove Windows Messenger to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    1. Double-click MessengerDisable.exe
    2. Place a check-mark in Uninstall Windows Messenger
    3. Click Apply
    4. Click Exit

    Now download and install Sun Java Runtime Environment 7
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Let me know how the PC is running after you've completed these steps!
     
  18. hcoons

    hcoons Private E-2

    So, this is way, way overdue. For that I apologize. :-o

    But thank you anyway. My in-laws' computer has been problem free (to the best of my knowledge) for over four months. :cloud9

    And I finally bought us some Major Geeks merchandise (which is on sale right now, by the way). :drool

    So thank you very, very much! :dancer

    Go, Major Geeks! :major
     
  19. thisisu

    thisisu Malware Consultant

    Thank yous are always welcome no matter how late :)

    Glad to hear everything is still working well for you.

    Thanks for buying some MajorGeeks merchandise! It is appreciated.

    Take care and have a Happy New Year! :celebrate
     
