Malware problem after removal procedure - Win XP SP1

Discussion in 'Malware Help (A Specialist Will Reply)' started by chaussman, Oct 22, 2009.

  1. chaussman

    chaussman Private E-2

    May I begin by saying I have made progress and been helped however indirectly by the posts here on your fine forum. I respect and appreciate your help in solving my and other users' problems. Thank you very much!

    I am in Kenya and have been trying to solve some of the malware problems at a computer lab at a college. Much of the software has been corrupted or infected with whatever and I am beginning by working on this machine. After reinstalling a copy of windows given to me by the school, I have noticed that the task manager and regedit have been "disabled by administrator".

    I have followed the full process listed at the Windows XP Cleaning Procedure topic and have also tried to use Spybot to no avail and have used Ad-Aware to some minor success.

    After renaming a copy of regedit.exe I was able to gain partial access to the task manager - that is, it closes right after it opens - and regedit.exe - same problem.

    I have run all of the malware detection and deletion programs multiple times and keep getting detected problems, which I (theoretically) delete, to find that more are to come next time I run SAS or Ad-Aware or Malwarebytes. I have posted the logs requested plus the log of Ad-Aware, AVP, and exehelper in an attempt to find some benevolent soul on majorgeeks to help.

    I will try to answer back in a timely manner, but I may not be able to due to network outages that happen here every other day. Sorry about that, you can't ask much for rural East Africa!
     

    Attached Files:

  2. chaussman

    chaussman Private E-2

    And the other logs I did not include:

    Thank you once more!
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are in desperate need of more RAM. You should be using 1 GB.
    Total Physical Memory 256.00 MB
    Available Physical Memory 72.70 MB

    Let's start with this:

    Download this Win32kDiag(If on your desktop - Right click and choose copy / then Open my computer, click on the C drive and in the window paste it there) and save to C:\Win32kDiag.exe. You must save it here!!!!
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    C:\win32kdiag.exe -f -r

    Now let's use ComboFix:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Administrator\Local Settings\temp\000ED722_Rar
    C:\Documents and Settings\Administrator\Local Settings\temp\gsnm.exe     
    C:\Documents and Settings\Administrator\Local Settings\temp\lfacvk.exe  
    C:\Documents and Settings\Administrator\Local Settings\temp\rclws.exe    
    C:\Documents and Settings\Administrator\Local Settings\temp\w61c16.exe   
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now go to start / run / and type:
    sfc /scannow
    It may ask for your XP CD. Run it twice.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * Win32kDiag.txt
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  4. chaussman

    chaussman Private E-2

    Hello again and thank you for replying to my query.

    Unfortunately I have been unable to locate the copy of windows installed some months ago by a government official - he has taken the CD with him after the install for some reason or another. Based on the efficiency of the government here, we will never see him (or his windows XP cd) again. So I was not able to sfc /scannow.

    However, I was able to accomplish all the rest of your instruction and you will find the attached logs below. Thank you again for all your help.


    Respectfully,
    Chausse
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why is there no AV program on this system now?

    Once you are clean you will need to install either SP2 or SP3 to this machine. Though having such little RAM may prove to be an issue along with the fact that you have very little room left on your hard drives.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    mmmnni
    
    File::
    c:\windows\system32\drivers\mmmnni.sys
    c:\documents and settings\tazebama.dll
    C:\WINDOWS\system32\a7.ini
    C:\Documents and Settings\Administrator\Local Settings\temp\winxuwqj.exe
    C:\Documents and Settings\Administrator\Local Settings\temp\winigdd.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
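A post-cleanup check, added here as an example and not part of the thread or of TimW's instructions. The "disabled by administrator" messages in the first post come from the DisableTaskMgr and DisableRegistryTools policy values under the Policies\System key (a value of 1 blocks the tool for that user); malware that keeps respawning files in the temp folder typically sets those values too. This batch script, which runs with the reg.exe, sc.exe and find.exe that ship with Windows XP, reports those values, the mmmnni driver service, and the files named in the two CFScripts above, so it can be run after the ComboFix pass to confirm the items are gone. The path list is taken from the scripts in this thread; the /unlock switch (an assumed name) clears only the per-user HKCU values, since HKLM values on a college lab machine could be genuine policy rather than malware.

```batch
@echo off
REM post-clean.bat  -- added example, not from the original thread.
REM Usage:  post-clean            (report only)
REM         post-clean /unlock    (also delete the HKCU lock values)
setlocal

set POL=Software\Microsoft\Windows\CurrentVersion\Policies\System

echo === Policy values behind "disabled by administrator" ===
REM DisableTaskMgr / DisableRegistryTools = 0x1 blocks Task Manager / regedit.
REM HKCU applies to the logged-on user, HKLM to everyone on the machine.
for %%K in (HKCU HKLM) do (
  reg query "%%K\%POL%" /v DisableTaskMgr 2>nul | find /i "DisableTaskMgr"
  reg query "%%K\%POL%" /v DisableRegistryTools 2>nul | find /i "DisableRegistryTools"
)
if /i "%1"=="/unlock" (
  echo Clearing the HKCU lock values...
  reg delete "HKCU\%POL%" /v DisableTaskMgr /f >nul 2>&1
  reg delete "HKCU\%POL%" /v DisableRegistryTools /f >nul 2>&1
)

echo === Driver service named in the second CFScript ===
REM A running kernel driver means the removal did not take; a leftover
REM service key with no file means only the registry entry remains.
sc query mmmnni 2>nul | find /i "STATE" || echo mmmnni: no such service
reg query "HKLM\SYSTEM\CurrentControlSet\Services\mmmnni" >nul 2>&1 && (
  echo mmmnni: service registry key still present
) || (
  echo mmmnni: service registry key gone
)

echo === Files named in the CFScripts ===
set TMPDIR=C:\Documents and Settings\Administrator\Local Settings\temp
call :chk "%TMPDIR%\000ED722_Rar"
call :chk "%TMPDIR%\gsnm.exe"
call :chk "%TMPDIR%\lfacvk.exe"
call :chk "%TMPDIR%\rclws.exe"
call :chk "%TMPDIR%\w61c16.exe"
call :chk "%TMPDIR%\winxuwqj.exe"
call :chk "%TMPDIR%\winigdd.exe"
call :chk "C:\WINDOWS\system32\drivers\mmmnni.sys"
call :chk "C:\Documents and Settings\tazebama.dll"
call :chk "C:\WINDOWS\system32\a7.ini"

echo === Anything new in the temp folder since the last pass ===
REM Files that keep coming back here point to a dropper that is still running.
dir /b /a-d /o-d "%TMPDIR%\*.exe" 2>nul
endlocal
goto :eof

:chk
REM %~1 strips the surrounding quotes for display; if exist needs them kept.
if exist "%~1" (echo STILL PRESENT: %~1) else (echo gone: %~1)
goto :eof
```

Run it once before the ComboFix pass to record what is present, then again afterwards; any line reading STILL PRESENT, or a driver state other than "no such service", is the next thing to report in the thread. Clearing the HKLM values, or restoring Task Manager when a domain policy is in force, is a deliberate administrator decision and is left out of the script.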
