tuckeroo

don't know what happened


Dell Latitude D600 laptop, won't perform the shut down procedure at all, and therefore cannot system restore either. When I run the scanners they all find something, but will not let me quarantine or delete, and proceed to shut the program down. Seems the file then somehow gets corrupted or damaged, as I have to load the whole scanner from scratch in order to get it to come back up (namely Emsi and Malwarebytes), and that is only after I shut it off manually to "reset" it and have the rest of my programs functional (i.e. internet access etc.).


The logs look OK to me. Let's get a scan from TDSSKiller, just to see if there's a rootkit infection. Here are the instructions:

  • Download TDSSKiller from this link and save it on your desktop.

  • Run the TDSSKiller download that you saved.

  • Click on Change parameters as it shows in the following screenshot:

    tdsskiller_report_001.png

  • Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:

    tdsskiller_report_002.png

  • Click the Start scan button as in the following screenshot:

    tdsskiller_report_003.png

  • You will see the following as the scan runs:

    tdsskiller_report_004.png

  • If there are any threats or malicious items detected, make sure the option to the right of each item is set to Skip, as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!). You can click on the selected action to open a list and change it if it is not set to Skip automatically. Once everything is set to Skip, click Continue at the bottom:

    tdsskiller_report_005.png

  • Click on Report in the upper-right corner, as in the following screenshot:

    tdsskiller_report_006.png

  • You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.

    tdsskiller_report_007.png

  • Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.

    tdsskiller_report_008.png

  • Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.

  • Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:

    tdsskiller_report_009.png

  • Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

    tdsskiller_report_010.png


OK, there's no rootkit detection in that log. Let's run ComboFix and see if it can take care of the infection.

Please download ComboFix from this link and follow the instructions below to run it. Note that some infections will block it from running if you save it as ComboFix so you may wish to rename it in order to prevent this. Make sure you remember what you changed the name to.

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus, AntiSpyware, and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    See HERE for help

  • Double click on the ComboFix icon on your desktop (it has a red and white icon that looks like a white cat's head in a red circle) and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being what they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not click in ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I did as instructed, turned off the firewall and MSE (am posting from another computer now), started the scan (after installing the recovery window), and it has been "scanning" since 1:00, with still no results... the window is still open, I did not click on it, and the cursor is still blinking... still just let it go on?


Something is blocking ComboFix from running, so let's try running it in Safe Mode With Networking instead. Please follow the instructions at this link to start your computer in Safe Mode With Networking, and then try running ComboFix again.


I was finally able to get IE and ComboFix when in Safe Mode; however, combo would still not run (at least it still had not seemed to do anything after an hour). I was able to try a system restore in Safe Mode as well, but not sure it did any good. It seems like this all started after trying to get some Microsoft updates, and I wonder if that may be the issue. When in Add and Remove Programs, I see 3 things I don't recall having seen before, something to the effect of MXMSL parser 4.0. Could this be my issue?


There were some bad Windows Updates in August; however, I believe they were pulled from the Windows Update service after a week or two, and they should no longer be available.

Microsoft Security Essentials and SUPERAntiSpyware are the only programs I am seeing in your log that could prevent ComboFix from running, so as long as neither of them has real-time protection enabled, ComboFix should run just fine.

Let's try using Rkill before using ComboFix, and see if it allows you to run ComboFix. Please download Rkill from one of the links below:

The reason why there are 7 of them, each with a different name (and some of them with very funny names), is because some infections like to block security software from running. Start with the first one, and if it doesn't work then try the next one, and so on until you find one that works.

Once you get one of the Rkill downloads to work, please run it a second time to make sure that it is no longer able to find any malicious processes still running. If it finds more, run it again to make sure that Rkill was able to stop any malicious processes still running on your computer.

After running Rkill, please proceed with my previous instructions to run ComboFix (making sure to disable anti-virus and anti-spyware software first), and if everything works OK then attach the log to a reply when it is done.


I also forgot to add that while I have IE back, I no longer have a functional or complete menu bar. Microsoft Fix it didn't, and I do not know what I may be able to do about that (aside from getting used to Chrome).


Was finally able to fix IE, reran Rkill, and tried again to run combo... still would not run; it would lock up the computer in regular mode, and when in Safe Mode still nothing happened after an hour (but it did not lock up).


Let's get an OTL log. Please run OTL by following the instructions below:

  • Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  • Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  • Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.


I still can't see anything that would be causing issues, other than perhaps "SpeedUpMyPC". It looks like there are a couple of remnants of what appear to be partially removed toolbars, but they shouldn't cause any serious issues. Let's try the following two things, and then go from there:

1. Uninstall ComboFix

  • Hold down the Windows key on your keyboard (it has the little Windows logo on it, next to the Ctrl key) and press R to open the Run dialog.
  • Type ComboFix /Uninstall in the field (make sure to leave a space just before the /) and then click OK
  • ComboFix should take care of the rest.

2. Run AdwCleaner and Junkware Removal Tool

Please download AdwCleaner and save it on your desktop.

  • Close all open programs and internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Please attach that log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner[s1] on your computer.
Please download Junkware Removal Tool and save it on your desktop.
  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.


I have tried several ways to do the uninstall... attached is a pic of the message I get... should I continue with the rest of the instructions? And, just to double check, I did not want to check anything like the Purity or the like when running OTL, correct? (I didn't, just want to be sure I did not need to.)


ComboFix probably can't be found because it wasn't able to finish running. It creates a couple of folders in the C: drive on a computer when it is run, one is called "Qoobox" and the other is randomly named (it will be a long string of letters and numbers). If you find those folders, you can delete them, but be certain that they are indeed the folders from ComboFix before you actually permanently remove them.

The AdwCleaner and Junkware Removal Tool logs look good. How is everything running now?


Well, we can try Malwarebytes Anti-Malware and see if it finds anything. If you want to try it then please follow the instructions below:

  • Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages):
  • When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it).
  • Make sure to go to the Update tab and click the Check for Updates button to get the latest database.
  • Switch back to the Scanner tab and run a Quick Scan.
  • When it is done, remove anything it finds.
  • Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop.
  • Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.


I have always had Malwarebytes; however, I downloaded it directly from the .org site... is one of your download locations any different? Also regarding that, I had a log from a scan that showed some items (this was before your last posting) but cannot seem to find it now. I did not think I had deleted the log, but inadvertently may have, I guess. I also have a log from their rootkit scanner, which I have attached... will re-run the regular scanner and post that log when done.


I have always had Malwarebytes; however, I downloaded it directly from the .org site... is one of your download locations any different?

No, I just list the mirrors like that directly since the download link at Malwarebytes.org sends you to a random download mirror.

Also regarding that, I had a log from a scan that showed some items (this was before your last posting) but cannot seem to find it now. I did not think I had deleted the log, but inadvertently may have, I guess. I also have a log from their rootkit scanner, which I have attached... will re-run the regular scanner and post that log when done.

The Malwarebytes Anti-Rootkit scan log shows some things were removed. Let's get a GMER log as well, just to be sure that a rootkit that was not detected by TDSSKiller isn't the issue. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
  • Exit the program and re-enable all active protection when done.


That log seems abnormally short to me. Maybe I need to review my instructions for GMER.

Let's try this set of instructions that I borrowed from BleepingComputer:

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror which will download a randomly named file

Zipped Mirror - Unzip the file to its own folder such as C:\gmer

  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection

    (It is very important you do not use your computer while GMER is running)

  • Double-click on the randomly named GMER gmericon_zps951fd5aa.jpg icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check in the Quick scan box
  • Please uncheck the following:
    • IAT/EAT
    • Show All <<< Important

      GMER2new_zpsdd936679.jpg

  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, Save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled
Note:

If you encounter any problems, try running GMER in Safe Mode

If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning


That is a little odd. Let's see if RogueKiller finds anything. Please post a RogueKiller log by following the instructions below:

  • Download RogueKiller from this link, and save it on your desktop.
  • Run RogueKiller (please note that if it doesn't work the first time, you can try it again several times and it may start to work):
    • On Windows XP make sure you are logged in as an administrator and double-click on the RogueKiller icon.
    • On Windows 7 and Vista simply right-click on the RogueKiller icon, and select to Run as administrator.
  • Click the Scan button in the upper-right corner (don't worry about the rest of the options for now).
  • In the middle, on the left, it will tell you the status. When it says Scan Finished, then please close RogueKiller. It will warn you that nothing has been deleted and ask you if you want to quit, so be sure to click the Yes button.
  • There will be a new file and folder saved on your desktop. The folder (usually named RK_Quarantine) can be deleted. The file (usually named RKreport or RKreport[1]) contains the log.
  • Please attach the RKreport file to a reply by using the More Reply options button to the lower-right of where you type in your reply.


So far everything is checking out. The logs are giving no indication that there is still an infection, so I have to assume at this point that an infection is not the cause of your performance issues.

Before we begin any more advanced troubleshooting, could you try uninstalling Microsoft Security Essentials and let me know if that resolves the issue?


Still does not shut down normally, and freezes after a few hours, requiring a restart. Removed MSE through the Add and Remove Programs function, and even though it is no longer listed, it seems like it is still there, and I now get an error message on startup... I tried to attach a screenshot, but it won't let me, even after sending it to a compressed folder.


Try saving the screenshot as a PNG (Portable Network Graphics) image. The forums should allow most image file types, and PNG tends to be one of the better ones for web graphics.

You can also get me a fresh OTL log so that I can take a look at the startup and the services to see if MSE is still partially there.


The default options are fine for most things, however you can set the Extra Registry option to Use SafeList in order to generate an Extras log.


OK, let's try this. First, uninstall Windows Defender (it doesn't come with Windows XP, and may have been damaged when uninstalling Microsoft Security Essentials).

After that, try running this tool to ensure that Microsoft Security Essentials is completely removed from your computer.

Let me know if that helps at all.


Still does not shut down normally. The error message no longer appears after restart; however, the icon on the task bar still says MSE is turned off, click balloon to fix. The Fix it appears to have been successful, and I was able to remove Defender (at one point, I thought I had tried to remove it before we started, and it would not let me).


Microsoft Security Essentials is probably still registered with the Action Center, even though it isn't installed. The Action Center uses a weird database to store its data, and it isn't easy to edit. The best solution is to try and reinstall and uninstall MSE to see if that removes the Action Center entry that was left behind.


Have done as instructed... everything remains the same. It did seem, however, that this time when I went to uninstall it, a different uninstall program came up for the removal... the message still appears in the tray though.


Well, you can try the instructions posted on the BleepingComputer forums at this link (be careful to avoid the advertising though). That should force the Security Center to rebuild its data, since the Security Center uses WMI to store its data.

If those steps do not help, then you may have to ask on the Microsoft forums as to why you are seeing messages from the Security Center about Microsoft Security Essentials even after uninstalling it.

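The helper's point above is that the Security Center keeps its list of registered antivirus, antispyware and firewall products in WMI, so a product that was uninstalled badly can linger there and keep the tray balloon alive. The script below is an added example written for this thread, not something the helper or the user posted, and not the BleepingComputer procedure linked above. It lists every product the Security Center still knows about and, only when run with -Remove, deletes the entries whose name matches a pattern. Assumptions: PowerShell 2.0 on Windows XP SP3 or later, run from an administrator prompt; XP publishes the data under the root\SecurityCenter WMI namespace and Vista and later under root\SecurityCenter2, so both are tried; the default pattern '*Security Essentials*' is the product this thread is about.

```powershell
# Added example (not from the thread): list, and optionally remove, the
# security products registered with the Windows Security Center through WMI.
# Assumptions: PowerShell 2.0, elevated prompt. XP uses root\SecurityCenter;
# Vista and later use root\SecurityCenter2, so both namespaces are tried.
# The default run is read-only; -Remove deletes the matching registrations.
param(
    [string]$NamePattern = '*Security Essentials*',  # product to look for
    [switch]$Remove                                   # actually delete matches
)

$namespaces = @('root\SecurityCenter', 'root\SecurityCenter2')
$classes    = @('AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct')

foreach ($ns in $namespaces) {
    foreach ($class in $classes) {
        # A missing namespace (e.g. SecurityCenter2 on XP) is simply skipped.
        try {
            $items = @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop)
        } catch {
            continue
        }
        foreach ($item in $items) {
            # XP exposes onAccessScanningEnabled/productUptoDate booleans;
            # Vista and later pack the same information into productState.
            if ($item.PSObject.Properties['productState']) {
                $state = 'productState=0x{0:X6}' -f $item.productState
            } else {
                $state = 'onAccess={0} upToDate={1}' -f `
                    $item.onAccessScanningEnabled, $item.productUptoDate
            }
            Write-Host ('{0}\{1}: {2} [{3}] {4}' -f `
                $ns, $class, $item.displayName, $item.instanceGuid, $state)

            if ($Remove -and $item.displayName -like $NamePattern) {
                # Deletes only this stale registration, not the WMI repository.
                Write-Host ('  removing stale entry for {0}' -f $item.displayName)
                $item | Remove-WmiObject
            }
        }
    }
}
```

Run it once without -Remove and compare the output with what Add or Remove Programs shows; an AntiVirusProduct entry for a product that is no longer installed is exactly the leftover the balloon is complaining about. On XP the same read-only check is available without PowerShell via the built-in WMIC: `wmic /namespace:\\root\SecurityCenter path AntiVirusProduct get displayName,onAccessScanningEnabled,productUptoDate`. If removing the instance does not clear the message, the Security Center is reading from a damaged WMI repository, which is what the linked BleepingComputer rebuild addresses.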

You're welcome.

In addition to that, here's my "final instructions" to be performed after malware removal is finished. You may want to hold off on performing that last step (the System Restore step) until after you get the MSE issue resolved.

1. Make Sure Java is Updated:

  • Click on the Start button.
  • Click on Control Panel.
  • Click Add or Remove Programs.
  • Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
  • Click on this link and download and install the latest Java (the Windows Online download will be faster).

2. Make Sure Adobe Flash is Updated:

  • Click on this link and download the latest version of Adobe Flash Player for your web browser.
  • You will need to close your web browser when installing Flash.

3. Make Sure Adobe Acrobat Reader is Updated:

  • Click on the Start button.
  • Click on Control Panel.
  • Click Add or Remove Programs.
  • Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it).
  • Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.

(please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

  • Click on the Start button.
  • Go to All Programs.
  • Click on Windows Update.
  • If you have never run Windows Update, then it will probably need to install an ActiveX control and update the Windows Update software before it can continue, so make sure you keep an eye out for that pale-yellow bar that pops up at the top of the page when Windows Update needs to install a new component, and click on the yellow bar and select to allow it.
  • Once it is loaded, click on the Express button.
  • It will check for available updates, and once it is done you can click the Install Updates button.
  • It may ask you to accept a license agreement before it installs, so make sure you say Yes.
  • When it is done installing updates, it may ask you to restart your computer, so close anything you are working on and allow it to restart.
  • Note that the update process can take a while, and you may need to run it several times before all of the updates get installed.

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

  • Click on the Start button.
  • Right-click on My Computer
  • Select Properties from the list.
  • In the window that pops up, click on the System Restore tab.
  • Click the check box to Turn off System Restore.
  • Click the Apply button at the bottom-right, and answer Yes to the question.
  • Depending on how much data is saved in the System Restore, it could take more than a few minutes to empty it.
  • Click the check box to Turn off System Restore again and click OK to turn the System Restore back on.
  • Click on the Start button again.
  • Go to All Programs.
  • Go to Accessories.
  • Go to System Tools.
  • Click on System Restore.
  • Select Create a restore point on the right, and click Next at the bottom.
  • Enter a description for the restore point, and click Create.
  • Click Close to finish the process.

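The "final instructions" above are a manual checklist: uninstall every old Java, update Flash and Reader, and run Windows Update until nothing is pending. The script below is an added example for checking that the checklist was actually completed; it is not part of the thread and not a tool any of the linked sites provide. It reads the Add or Remove Programs registry keys to list every installed Java, Adobe Reader and Adobe Flash Player entry, warns when more than one Java is present (old Java releases stay installed beside new ones and are the usual exploit target), and asks the Windows Update Agent how many software updates are still pending. Assumptions: PowerShell 2.0 on Windows XP SP3 or later run as an administrator, the standard Uninstall registry keys (the Wow6432Node key only exists on 64-bit Windows), and the Microsoft.Update.Session COM object, which contacts Windows Update or the configured WSUS server to search.

```powershell
# Added example (not from the thread): audit the items the final instructions
# cover. Assumptions: PowerShell 2.0, administrator prompt, standard Uninstall
# registry keys, Windows Update Agent COM object available.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit only
)

# Products the thread asks the user to keep current, matched on DisplayName.
# 'Adobe Reader*' deliberately does not match the paid Adobe Acrobat.
$watch = @{
    'Java'         = 'Java*'              # "Java 7 Update 45", "Java(TM) 6 Update 37", ...
    'Adobe Reader' = 'Adobe Reader*'
    'Adobe Flash'  = 'Adobe Flash Player*' # ActiveX (IE) and Plugin (other browsers)
}

function Get-InstalledEntries {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName) {
                New-Object PSObject -Property @{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                }
            }
        }
    }
}

$entries = @(Get-InstalledEntries)
foreach ($label in $watch.Keys) {
    $hits = @($entries | Where-Object { $_.Name -like $watch[$label] })
    if ($hits.Count -eq 0) {
        Write-Host ('{0}: not installed' -f $label)
        continue
    }
    foreach ($h in $hits) {
        Write-Host ('{0}: {1} {2} ({3})' -f $label, $h.Name, $h.Version, $h.Publisher)
    }
    # More than one Java entry means the "uninstall all versions" step was skipped.
    if ($label -eq 'Java' -and $hits.Count -gt 1) {
        Write-Warning ('{0} Java installs found; remove the older ones' -f $hits.Count)
    }
}

# Pending software updates, as seen by the Windows Update Agent. This performs
# an online search against Windows Update (or WSUS, if one is configured).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
Write-Host ('Pending Windows updates: {0}' -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    Write-Host ('  {0}' -f $u.Title)
}
```

Run it after step 4 has been repeated until Windows Update reports nothing left; a clean result is one Java entry, one Adobe Reader entry, one Flash entry per browser type, and a pending count of zero. The script only reports; it deliberately does not uninstall or update anything, so it is safe to run before and after the manual steps to see what changed.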

You're quite welcome. ;)

Since everything seems OK (or at least everything that I was able to help you with), I am going to go ahead and close this topic. If you need it reopened, then please send me a private message.

Note: The instructions in this forum topic have been customized based on the logs posted by the person asking for assistance. Please do not attempt to follow any of the instructions in this forum topic, as they could cause damage to your computer. If you require assistance, please start here if you believe your computer is infected, and one of our experts will be happy to assist you by analyzing your logs.

This topic is now closed to further replies.