my computer is totally effed man!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by codman, Apr 3, 2010.

  1. codman

    codman Private E-2

    So it all started when I somehow got infected with the windows xp security tool. Actually both of my computers got infected within hours of each other. This computer has been cleared of issues with a simple malwarebytes scan (at least up to this point). The other computer has just been getting worse and worse and now I am unable to get into either normal or safe operating modes.
    When it was "working" after I got infected I was unable to install any programs. Unable to access anything from the control panel. Unable to make any registry changes due to not having administrative access (though I was set as the administrator). After a few hours I was only able to operate in safe mode and even safe mode with networking. I could get to the welcome screen in normal mode but it would just freeze or fail to launch. Now I get nothing. It will begin to load into SAFE mode but then seems to freeze at the midway point.

    I would have gone to the sticky posts first and followed those but now, since I can't even access the computer, I am looking for some help to see if I can salvage any files before I do a fresh install.

    Thanks
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you cannot boot in any mode ( safe or normal mode ) and you cannot run any of the READ & RUN ME there is not much we can do for you except suggest what is in the below quote box
     
  3. codman

    codman Private E-2

    Re: my computer is totally effed man!!! updated

    After running diagnostics I learned that my computer was failing the DST SHORT STATUS TEST with error code 1000-0146 which, after googling, sounded as if my hard drive had failed. However I was able to recover my computer by inserting windows dvd, booting from dvd, and choosing to repair. Since then it has been working but I am still infected with malware. Gone are the popups and the xp security program that started the whole mess but malwarebytes still detects trojans (specifically trojan.dropper). I quarantine the infections but they keep coming back. (Don't know if this would have anything to do with the malware altering malwarebytes so that I was not able to run the program and I am still not able to update the program other than doing it manually from my other computer.) I was able to perform the tasks in the run and read me sticky and therefore I am now posting those logs and am looking for some help.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good, let's continue on:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    AtJob::
    
    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm    .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Creative\Sync Manager Unicode\ctsyncu .exe
    c:\program files\CyberLink\PowerDVD\dvdlauncher .exe
    c:\program files\Dell\QuickSet\quickset             .exe
    c:\program files\Dell\QuickSet\quickset            .exe
    c:\program files\Dell\QuickSet\quickset           .exe
    c:\program files\Dell\QuickSet\quickset          .exe
    c:\program files\Dell\QuickSet\quickset         .exe
    c:\program files\Dell\QuickSet\quickset        .exe
    c:\program files\Dell\QuickSet\quickset       .exe
    c:\program files\Dell\QuickSet\quickset      .exe
    c:\program files\Dell\QuickSet\quickset     .exe
    c:\program files\Dell\QuickSet\quickset    .exe
    c:\program files\Dell\QuickSet\quickset   .exe
    c:\program files\Dell\QuickSet\quickset  .exe
    c:\program files\Dell AIO 810\dlcgmon .exe
    c:\program files\Dell Support\dsagnt .exe
    c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
    c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam .exe
    c:\program files\Malwarebytes' Anti-Malware\vvvvbaljn  .exe
    c:\program files\McAfee\SpamKiller\mskdetct .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\QuickTime\qttask        .exe
    c:\program files\QuickTime\qttask      .exe
    c:\program files\QuickTime\qttask     .exe
    c:\program files\QuickTime\qttask    .exe
    c:\program files\QuickTime\qttask   .exe
    c:\program files\QuickTime\qttask  .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\SUPERAntiSpyware\superantispyware .exe
    c:\program files\Synaptics\SynTP\syntpenh .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\pchealth\helpctr\binaries\msconfig .exe
    c:\windows\system32\dla\tfswctrl .exe
    c:\program files\dell\quickset\quickset             .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
    
    File::
    C:\Documents and Settings\Kristine\Local Settings\Application Data\1360466830.dll
    C:\Documents and Settings\Kristine\Local Settings\Application Data\8Cq4r
    C:\Documents and Settings\All Users\Application Data\8cq4r
    C:\Documents and Settings\Kristine\Templates\8cq4r
    C:\Program Files\284296.dat
    C:\WINDOWS\system32\lupomuli
    
    Folder::
    C:\Documents and Settings\Kristine\Local Settings\Application Data\8Cq4r
    C:\Documents and Settings\All Users\Application Data\8cq4r
    C:\Documents and Settings\Kristine\Templates\8cq4r
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Dell QuickSet"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. codman

    codman Private E-2

    OK done.

    Computer has been running fine since I was able to recover the system and able to run malwarebytes which detected and removed 53 or so infections. That was yesterday and no issues since other than antivirus software still detects trojans and infected files or bad registry entries. They really don't seem to be affecting my computer's performance at all.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like I missed one file. You can use windows explorer to find and delete it. Make sure you delete the correct one --> note the extra space between quickset and the exe.

    Code:
    c:\program files\Dell\QuickSet\quickset              .exe
    


    You should tell me exactly what is being reported.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
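
The padded file names that the ComboFix script and the follow-up post point at (a `quickset  .exe` sitting beside the real `quickset.exe`) can be picked out of a directory listing mechanically. This is an added example, not part of the original thread and not ComboFix's own logic; the extension list, the function name and the sample listing are assumptions constructed for illustration.

```python
import ntpath
import re
from collections import namedtuple

# Executable-type extensions to check (assumed, non-exhaustive set).
EXEC_EXT = r"\.(?:exe|dll|scr|com|bat|cmd|pif)"
# File name, whitespace padding, extension, then optional repeated " .ext" tails.
PADDED = re.compile(
    rf"^(?P<stem>.*?\S)(?P<pad>\s+)(?P<ext>{EXEC_EXT})(?:\s+{EXEC_EXT})*$",
    re.IGNORECASE,
)

Finding = namedtuple("Finding", "path pad_len normalized sibling_listed")


def find_padded_names(paths):
    """Flag Windows paths whose file name hides whitespace before an
    executable extension, and say whether the unpadded twin is also listed."""
    paths = list(paths)
    listed = {p.lower() for p in paths}
    findings = []
    for path in paths:
        m = PADDED.match(ntpath.basename(path))
        if not m:
            continue  # ordinary name, including names with inner spaces
        clean = ntpath.join(ntpath.dirname(path), m["stem"] + m["ext"])
        findings.append(
            Finding(path, len(m["pad"]), clean, clean.lower() in listed)
        )
    return findings


# Constructed sample listing, modelled on the path shapes shown in the thread.
QS = r"c:\program files\Dell\QuickSet\quickset"
SAMPLE = [
    QS + ".exe",                      # the legitimate binary
    QS + "  .exe",                    # two spaces of padding
    QS + " " * 14 + ".exe",           # heavily padded copy
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\QuickTime\My Tool.exe",   # inner space only: not flagged
    QS + "   .exe .exe",              # padding plus a repeated extension
]

if __name__ == "__main__":
    for f in find_padded_names(SAMPLE):
        twin = "twin present" if f.sibling_listed else "twin missing"
        print(f"{f.path!r}: {f.pad_len} pad chars -> {f.normalized} ({twin})")
```

Printing each path with `repr` keeps the padding visible, which Windows Explorer makes easy to miss.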
     
  7. codman

    codman Private E-2

    So by deleting that one quickset .exe in file I assume you just mean to simply go into that folder and right-click, delete and send it to recycle bin and then clear recycle bin? That's what I did by right-click start, explore and navigating to that file.

    However, I ran malwarebytes and performed a quick scan after deleting quickset .exe and received notification that there was one file infected with trojan.agent which was a registry value for adobe reader. I will attach the log for you to view.


    Also, my only other issue is that when I repaired the system I used a windows xp dvd that came with my girlfriend's computer (which has a different xp version since my software is long gone (this being a hand me down computer)). So from time to time I will get a notification that I need to insert the xp pro cd/dvd because some files are not associated with current version. At least, that's how I remembered it. I doubt this is a malware related issue since it only happened after using the windows dvd but the window does come up from time to time.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you saying you used an XP Pro dvd to do the repair on a system that had XP Home? If so, you may well be getting pop ups, but in any case, it is a software issue and should be addressed in that forum.

    Keep both SAS and MBAM updated and run them on a semi-regular basis. Let me know if there is any other malware issue that you are having.
     
  9. codman

    codman Private E-2

    Well, I'm looking at the operating system reinstallation dvd I used. Both computers run windows xp media center which is what the reinstallation dvd is. However my computer was the 2002 version while the reinstall dvd was the 2005 version. Regardless, I haven't gotten any further pop ups telling me to insert windows xp pro dvd. If I have further issues with that I will go to the software section.

    I ran some online virus scans. One in particular seemed to help my cause which was windows live Onecare safety scanner. Since I ran that nothing else has also popped up in malwarebytes scan or SAS scan (I am not running these at the same time) so that's good. I will follow the steps you listed now that I appear to be symptom free.

    Thanks
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
