Infection prevents read & run me execution

Discussion in 'Malware Help (A Specialist Will Reply)' started by dstern, Apr 28, 2009.

  1. dstern

    dstern Private E-2

    My wife's computer is infected with malware so bad I can't even work through the steps in the "read and run me first" sequence. The computer is nearly halted, taking many minutes to respond even to a single click of the mouse. She's running XP Professional. She is getting an error message, "xnev.exe - application error", that can't be closed. Buttons are "OK" to terminate or "cancel" to debug, but neither works.

    I'll summarize progress in trying to follow the "read me" steps:

    1. Used add/delete programs, but no malware programs found.
    2. Uninstalled all old Java installations. May have uninstalled the current version too.
    3. Ran MSCONFIG, already set to "normal startup" and "apply" greyed out. Toggled to "diagnostic startup" and then back to "normal startup," clicked "apply" and then "close" as there was no "ok" option. Then rebooted.
    4. When closing down, got an "End Program" box saying NetWareProviderIcons was closing, and another for DDE Server Window. Don't know what either one is. Also an "lsass.exe - DLL Initialization Failed" error message while closing down. Plus repeated boxes for "End Program - explorer.exe The program is not responding." Also "End Program - Connections Tray."
    5. Confirmed that all quarantine files were removed.
    6. Ran CCleaner (already installed).
    7. When I try to view hidden system files and folders, the tools menu does not even show "folder options".
    8. Cannot get a browser to open. I normally use Firefox 3, but have also tried Internet Explorer. Get an error message that says "Proxy Server Refused Connection. Firefox is configured to use a proxy server that is refusing connections." Thus cannot download the anti-malware software.

    Please, any advice on what I should do?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. Use the tips/notes in the below to help you hopefully get further along. As stated, try ALL steps. Use another PC to download tools if necessary.


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. dstern

    dstern Private E-2

    Ran through all the steps possible. Here is a list of problems encountered:

    1. SUPERAntiSpyware gave a blue screen crash. Reconfigured as directed, ran, and log attached.
    2. Unable to update Malwarebytes.
    3. During restarts required by the "read and run me" directions, experienced the following errors: RUNDLL error loading c:\windows\system32\NONOWODA.DLL; JUPOZIFE.DLL;
    4. Unable to install and run ComboFix. Received error: "Alert! It is not safe to continue. Download a fresh copy. Note. You may be infected with a file patching virus (virut)." Downloaded a fresh copy, but same result.
    5. While zipping the hijackthis.log, received error: "error ProcessDLL.exe - Application error (0xc000007b)".
    6. Tried to install Microsoft .NET Framework 1. Could not install.

    Logs attached.

    P.S. I know this computer is running without antivirus software. When the problem began, I began to install Avira, but have not been able to complete the installation after deleting previously used Sophos software.
     

    Last edited: May 2, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and due to this, the PC is very very badly infected. Even though a lot of malware has already been removed from many different types of infections, the bad news is that at least one of the remaining infections is very serious. Read on below.

    I can see the reason for your problems. Your logs show that your Windows operating system files have become infected and there is no known reliable fix for this. In addition there are many many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately, or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see, since there could be many more that we are not seeing.

    The safest thing for you to do is back up your personal data immediately since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded, since any of them could be infected.

    Once you backup, you need to perform a total reinstall of Windows and all other necessary software. DO NOT reinstall from any executable files you backed up because they are most likely infected.
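    A defender-side illustration of the "back up data but no executables" advice above, added here as an example and not part of the thread or of any MajorGeeks tool: it copies a folder tree while skipping anything that is executable either by extension or by its "MZ" header, so a program renamed to look like a document does not ride along into the backup of a file-infector-compromised machine. The extension list and the constructed sample files are assumptions.

```python
import os
import shutil
import tempfile

# Assumed list of extensions to treat as executable (not from the thread); extend as needed.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".ocx", ".cpl",
                   ".drv", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}

def looks_like_pe(path):
    """True if the file starts with the 'MZ' DOS header, i.e. is a Windows
    executable no matter what its extension claims."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def is_executable(path):
    ext = os.path.splitext(path)[1].lower()
    return ext in EXECUTABLE_EXTS or looks_like_pe(path)

def backup_data_only(src_root, dst_root):
    """Copy src_root to dst_root, skipping executables.
    Returns (copied, skipped) as sorted lists of relative paths."""
    copied, skipped = [], []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            if is_executable(src):
                skipped.append(rel)          # left behind on the infected disk
                continue
            dst = os.path.join(dst_root, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)           # copy2 keeps timestamps
            copied.append(rel)
    return sorted(copied), sorted(skipped)

def demo():
    """Build a constructed sample tree in a temp dir and filter it."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    samples = {  # constructed contents, not real files from the thread
        "documents/letter.txt": b"Dear Sir, ...",
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
        "downloads/setup.exe": b"MZ\x90\x00 installer",        # executable by extension
        "documents/notes.doc": b"MZ\x90\x00 renamed program",  # executable by header only
    }
    for rel, data in samples.items():
        p = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return backup_data_only(src, dst)
```

Run it from a clean environment (another PC or a boot disc with the infected drive attached), never from the compromised Windows session itself.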
     
