IE8, Chrome and Firefox won't display

Discussion in 'Malware Help (A Specialist Will Reply)' started by dkocian, Sep 15, 2012.

  1. dkocian

    dkocian Private E-2

    I had a file remover virus. Still have remnants of it and am not positive it is gone. Started the procedure to run RogueKiller, TDSSKiller, MBAM, etc., but have a major problem since I cannot get IE8, Chrome or Firefox to run. I get a memory access error, Avast hits me with a malicious URL warning, and then nothing. Tried to run in safe mode, regular mode, with no add-ons and every way I can think of. No removal option for IE8 because SP3 is loaded (running XP).

    I downloaded all of the recommended programs to my computer, burned them to CD, and ran them on the infected machine. No problem. TDSSKiller would not run but the rest did. Got the logs but don't want to copy them and then forward them with my clean machine. I have internet access on the infected machine; programs update and I show good connectivity. Just none of the browsers will run. I know there is probably some kind of proxy redirect, but you can't change this without being able to open up the browser. I know IE and Chrome use the same functionality, so I thought loading up Firefox might work. No dice. Makes me believe the virus is still active.
    Help.
    David
     
  2. thisisu

    thisisu Malware Consultant

    Can you open IE if you uninstall Avast?

    Also, see if you access Internet Properties by doing the below:

    Click the Start button => Run - Type this in the command box: inetcpl.cpl then click OK.

    Are you unable to transfer the logs from the Read and Run Me and attach them here? As many as you can since you said you were able to run some of the tools.
     
  3. dkocian

    dkocian Private E-2

    I ran inetcpl.cpl. Got a rundll32.exe Application Error. It read

    The instruction at "0x01001bdd" referenced memory at
    "0x00000000", The memory could not be read

    I have removed Avast. Makes no difference. Avast does not seem to be finding the trojan. I ran SuperAntiSpyware in safe mode from a CD, so it was a clean install, and it found some things but did not solve the problem. However, I found a program called "Default Tab Chrome" which I did not recognize. When I delete it, I get an immediate reaction from SuperAntiSpyware that it found a trojan. The file it references does not exist.

    I am trying to figure out how to attach the logs, but as I mentioned in my earlier post, I do not want to move anything off that infected computer over to my clean machine.

    Thanks,
    David
     
  4. thisisu

    thisisu Malware Consultant

  5. dkocian

    dkocian Private E-2

    I have run sfc /scannow several times. It completes with no problems, but right when it starts, I get a message that it ran into a problem. However, it does not shut down sfc but just continues on to the end with no other messages.

    Another update. Since my last email, I removed SuperAntiSpyware and reinstalled it again from a CD while in safe mode. I then ran the full Deep Root scan. It has been running for over 7 hours and is still going. Found two trojans so far.
    Trojan.Agent/Gen-FraudPack
    Trojan.Dropper/SFDBee-A
    I will post back when it is done. I doubt removing these will fix the browser issue but will see.
    Thanks,
    David
     
  6. dkocian

    dkocian Private E-2

    I tried to run sfc /scannow in safe mode and got the error message:

    Windows File Protection could not initiate a scan of protected system files.
    The specific error code is 0x000006ba [The RPC server is unavailable].

    I'll try running it again in normal mode when the AntiSpyWare scan has completed.

    David
     
  7. thisisu

    thisisu Malware Consultant

    I have a feeling you have some type of bootkit which is preventing TDSSKiller from running, but I don't want to tell you to fix what HitmanPro may be finding without seeing a log.

    Since you don't want to transfer files from the clean computer to the infected computer, then you will need to type it out for me.
     
  8. dkocian

    dkocian Private E-2

    I will try to get you the data tomorrow.

    David
     
  9. dkocian

    dkocian Private E-2

    I have attached a log from RogueKiller and from Hitman Pro. I could never get TDSSKiller to run. The little hourglass would show for just a second or two and then nothing. Task Manager did not show the program as running. The exact same way IE8, Chrome and Firefox respond when you try to run them.
    I also had Avast print out a summary report and it is attached.
    Thanks,
    David
     

  10. thisisu

    thisisu Malware Consultant

    You do have a bootkit commonly referred to as SST.

    Code:
        > G Data . . . . . . : MBR:SST [Rtk]
        > Ikarus . . . . . . : Rootkit.Boot.Sst!IK
        > HitmanPro  . . . . : Win32/Bootkit
    Repair items with HitmanPro
    Rescan with HitmanPro
    When the scan is finished, allow HitmanPro to take the default action (don't customize them yourself!) on the items it has found by pressing the Next button.
    HitmanPro should require a boot - Allow the reboot.

    --

    Upon reboot, rescan ONLY with HitmanPro
    Attach the latest HitmanPro log here.

    __

    Now attempt to scan with TDSSKiller.
    Attach the TDSSKiller log if successful.
     
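The detections quoted above (MBR:SST, Rootkit.Boot.Sst, Win32/Bootkit) all point at the master boot record rather than at a file on the NTFS volume, which is why a scanner started from inside the infected Windows could be killed before it ran. The block below is an added example, not code from this thread or from any of the tools it mentions: an offline triage of a raw 512-byte copy of sector 0 (as you would dump it with dd from a rescue disc) that checks the 0x55AA signature, decodes the partition table, counts active partitions, looks for overlapping entries, measures the unallocated sectors between the MBR and the first partition, and compares the boot-code region against a SHA-256 baseline. The baseline hash, the sample MBR images and the "tampered" variant are all constructed inline for the demo; in practice the baseline would come from a known-clean machine with the same Windows build, and a mismatch is a lead to follow up with a disassembler, not a verdict on its own.

```python
# Added example (not part of the MajorGeeks thread): offline MBR triage.
# Given a raw 512-byte copy of sector 0, verify the boot signature, decode
# the partition table and compare the boot-code region against a SHA-256
# baseline captured from a known-clean machine. BASELINE below is an
# assumption for the demo: it is computed from the constructed sample, not
# a published hash of any real Windows MBR.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot loader code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"       # bytes 510..511


@dataclass
class PartitionEntry:
    index: int
    status: int
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count - 1


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four MBR partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0 and count == 0:
            continue
        entries.append(PartitionEntry(i, status, ptype, lba_start, count))
    return entries


def boot_code_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def leading_unallocated_sectors(entries: List[PartitionEntry]) -> int:
    """Sectors between the MBR and the first partition. The OS never reads
    them, which makes them a common place for bootkits to stash a payload."""
    if not entries:
        return 0
    return min(e.lba_start for e in entries) - 1


def triage_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return suspicious observations; empty means nothing stood out."""
    findings: List[str] = []
    if len(mbr) != SECTOR_SIZE:
        return [f"sector image is {len(mbr)} bytes, expected {SECTOR_SIZE}"]
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(mbr)
    for e in entries:
        if e.status not in (0x00, 0x80):
            findings.append(f"partition {e.index}: invalid status byte 0x{e.status:02x}")
    active = sum(e.bootable for e in entries)
    if active != 1:
        findings.append(f"{active} active partitions, expected 1")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.lba_start <= prev.lba_end:
            findings.append(f"partitions {prev.index} and {cur.index} overlap")
    if baseline_sha256 and boot_code_sha256(mbr) != baseline_sha256:
        findings.append("boot code differs from known-clean baseline")
    return findings


def partition_entry_bytes(status: int, ptype: int, lba_start: int, count: int) -> bytes:
    # CHS fields are left zero; modern loaders use the LBA fields.
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)


def build_sample(boot_code: bytes, entries: List[bytes]) -> bytes:
    """Assemble a constructed 512-byte MBR image for the demo."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partition entries")
    table = b"".join(entries) + b"\0" * PART_ENTRY_LEN * (4 - len(entries))
    body = boot_code.ljust(BOOT_CODE_LEN, b"\0") + b"\x12\x34\x56\x78" + b"\0\0"
    return body + table + BOOT_SIG


# Constructed samples. The "clean" boot code is filler, not a real loader.
CLEAN_MBR = build_sample(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16,
                         [partition_entry_bytes(0x80, 0x07, 63, 0x0400_0000)])
BASELINE = boot_code_sha256(CLEAN_MBR)   # assumption: taken from a clean twin machine
# Tampered copy: first bytes replaced by a short jump, the way a patched
# loader hands off to code hidden in the leading unallocated sectors.
TAMPERED_MBR = b"\xeb\x3e" + CLEAN_MBR[2:BOOT_CODE_LEN] + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, triage_mbr(img, BASELINE) or ["no findings"])
    print("leading unallocated sectors:",
          leading_unallocated_sectors(parse_partition_table(CLEAN_MBR)))
```

Run it against a real dump with `dd if=/dev/sda of=mbr.bin bs=512 count=1` from the rescue environment and feed the bytes to `triage_mbr`; the hidden sectors reported by `leading_unallocated_sectors` (62 on a default XP layout, which starts the first partition at LBA 63) are the next thing to dump and inspect when the boot code does not match.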
  11. dkocian

    dkocian Private E-2

    Here are the logs from MalwareBytes and from MGTools. There were several logs, so I attached all of them.

    Still cannot get TDSSKiller to run.

    Thanks,
     

  12. thisisu

    thisisu Malware Consultant

    Please follow the instructions I provided in my previous post.
     
  13. dkocian

    dkocian Private E-2

    Sorry, was on a different machine and did not see your post. I have a slight problem. I downloaded HitmanPro and it did the scan, but it won't let me remove the things it found because it says I am past the trial period. Don't know how since I just downloaded it yesterday, but apparently someone else must have tried to use it on this machine. I even tried to buy it, but since the browsers don't work on that machine, the "buy" button does not work. I'll figure out how to do this and get back to you.

    I can't thank you enough. Your tools and advice have been right on.

    Thanks,
     
  14. thisisu

    thisisu Malware Consultant

    No problem.

    We can also do this if you have your Windows XP Install CD or a standalone Recovery Console CD.
     
  15. dkocian

    dkocian Private E-2

    No problem. Figured out how to do it. Went to the TDSSKiller website and downloaded the iso for their recovery disc. Booted up with the disc, ran TDSSKiller, and it found the rootkit infection immediately and removed it. Rebooted and it was like a whole new machine. Everything worked perfectly. Surprisingly, although I could not open a browser, during the whole process Windows had continued to obtain its automatic updates. When I checked, it was fully up to date. I ran the HitmanPro scan and it showed nothing but some remnants which I removed.

    If you ever need a reference, you have my wholehearted support and thanks. The friend I was helping had over 80 gigs of personal pictures and videos on the computer, with no backups. Years and years of his family pictures. He is thrilled.

    I am a Nuclear Engineer, with a law degree and several CompTIA certifications, so I'm no dummy when it comes to computers. This one had me absolutely stumped. You were great.

    Thanks,
     
  16. thisisu

    thisisu Malware Consultant

    Thanks for the compliment and I'm glad to hear that all is well now :)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
