
Help Fix My Computer

Tjp772

New member
I have some kind of malware or something on my computer. I followed through the steps outlined and backed up using ERUNT. I also downloaded DDS from both links, however, I'm getting errors that terminate the program each time.

Please help.
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


What Windows Operating System are you using?
 
Let's do this.


  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.



  • Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

    Run rkill repeatedly until it's able to do its job. This may take a few tries.

    You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.




Now let's see if DDS will run. Drag your copy to the trash and let's start fresh.

Download DDS from one of the links below to your desktop

Link 1
Link 2

  • Double click the tool to run it.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
  • Copy/Paste the contents of 'DDS.txt' into your post.
  • 'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files)
 
I have tried all 5 versions of the file and each time I get a pop up window that says:

Some installation files are corrupt. Please download a fresh copy and retry the installation.

If I leave that message up, nothing ever happens after 20 minutes. If I click OK, it takes me to a window titled, WinRAR self-extracting archive. This shows about 99% of the installation progress being complete, but never moves from there. The details in the window are as follows:

Extracting wl.txt
Extracting prep.bat
Extracting rkill.bat
Extracting h\iexplore.exe
Extracting nird\iexplore.exe
Extracting procs\iexplore.exe
CRC failed in procs\iexplore.exe
Extracting nircmd.exe
CRC failed in nircmd.exe
Extracting nircmdc.exe
CRC failed in nircmdc.exe
Extracting pev.exe
CRC failed in pev.exe
Extracting sed.exe
CRC failed in sed.exe
Extracting swreg.exe
CRC failed in swreg.exe
Extracting nircmd.chm
CRC failed in nircmd.chm
Extracting extra.dat
CRC failed in extra.dat
Extracting procs\proc.dat
Extracting serv.dat
Extracting rkill.reg
Extracting sh.vbs
CRC failed in sh.vbs
Extracting h
Extracting nird
Extracting procs
 
Good Morning,

Are you running the 32 bit or 64 bit version of Win 7? Not all, but a lot of our tools are not written just yet to run on the 64 bit version of Windows, so if you have 64 bit we will have to use some workarounds.


Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).






Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2




* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
I'm running 32 bit.

Here is the log from exehelper:

exeHelper by Raktor
Build 20100414
Run at 06:14:09 on 01/27/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I tried ComboFix multiple times and I kept getting the error about corrupt files and download a fresh copy. It never checked for the Microsoft Console either.

Also, I had uninstalled Norton prior to contacting you and before I noticed I had a virus, thinking that reinstalling it would fix the fact that updates weren't downloading.
 
It's the virus alerting you about corrupted files, but drag it to the trash and try downloading it again and then do this; don't rename it this time.

  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

    Go to Start -> Run -> copy/paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall

  • Click OK and this will start ComboFix in a special way.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:
  • ComboFix.txt
 
With Windows 7 you need to right click on the file and select Run as administrator.

Try downloading ComboFix again, renamed as the first time, but don't run it yet.

Make sure all your RKill files are still on your desktop


Download this program but don't use it yet.
Download Inherit and save it to your desktop.
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"


Then boot to safemode, run RKill and then if it succeeds run CF in safemode also.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode



You can do this in Safemode

If the above fails, try dragging RKill one at a time into Inherit until one runs and then try Combofix again.



If no luck try this program, normal windows first, then safemode and finally inherit if you need to

  • Download TDSSKiller and save it to your Desktop.
  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
  • Please post the content of the TDSSKiller log


This may sound confusing, but what I need you to try is to first try running RKill in safemode, followed by ComboFix if RKill is successful. If it's not, then try dragging CF into Inherit.


Do the same thing with TDSSKiller; don't run TDSSKiller right now if you could run ComboFix successfully.
 
RKill ran successfully, however ComboFix would not in any of the 3 methods you described. I downloaded TDSSKiller, however, it could not be extracted from the zip file. Is there a way to download it without it being in a zip format?
 
Let's try this.


Bring up Task Manager using CTRL+ALT+DELETE. See if any of these processes are running ... Kill Process on each one until CF will run.

findstr
sed
grep
nircmd.exe
nircmd.cfexe
swsc.cfexe
* .. or any other process that has the .cfexe extension except for CFxxx.cfexe

If ComboFix is still 'hung', then kill process on CFxxx.cfexe
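Added example (not from this thread or from the ComboFix/RKill authors): a PowerShell snippet that lists the helper processes named in the post above so they can be reviewed and ended one at a time with a confirmation prompt, instead of hunting for them by eye in Task Manager. The names, the .cfexe extension and the exclusion of the renamed ComboFix main process (CFxxx.cfexe) are taken from the post; the function name is my own. Run it from a PowerShell window started with Run as administrator, as the post requires for ComboFix itself.

```powershell
# Added example, not from the thread: find the ComboFix helper processes
# listed in the post and end them one at a time, asking before each one.
# Assumptions: process names and the .cfexe extension are from the post;
# the renamed ComboFix main process (CFxxx.cfexe) must be left alone.

function Get-ComboFixHelperProcess {
    # Names the post lists explicitly (Get-Process reports names without extension)
    $byName = @('findstr', 'sed', 'grep', 'nircmd', 'swsc')

    Get-Process | Where-Object {
        ($byName -contains $_.Name) -or
        # Any other process whose image ends in .cfexe, except CFxxx.cfexe
        ($_.Path -and $_.Path -like '*.cfexe' -and $_.Name -notlike 'CF*')
    }
}

$candidates = @(Get-ComboFixHelperProcess)

if ($candidates.Count -eq 0) {
    Write-Output 'No matching helper processes are running.'
} else {
    # Show what was found before touching anything
    $candidates | Select-Object Id, Name, Path | Format-Table -AutoSize

    # End them one at a time; -Confirm prompts for each process
    foreach ($p in $candidates) {
        Stop-Process -Id $p.Id -Confirm
    }
}
```

The Path check needs an elevated window: for processes the current user cannot open, Path is empty and the .cfexe test is simply skipped, which is why the explicit name list is kept as well.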
 
You have to right click on ComboFix and select RUN AS ADMINISTRATOR, then if it won't run, end process on the ones that I posted.
 
I am going to post some programs for you to try and run.

First do this

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Eventlog]
"Start"=dword:00000004

Save this as fix.reg. Choose to "Save type as - All Files".

Double click on fix.reg & allow it to merge into the registry

Reboot the machine once this is done and run combofix again.
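Added example (not from this thread): before merging fix.reg, record the current Start value of the Eventlog service and write a restore .reg file in the same REGEDIT4 format the post uses, so the change can be undone once ComboFix has run. The key path and the value 4 (Disabled) are taken from the post; the backup file name and location are my own choice. Run it from an elevated PowerShell window.

```powershell
# Added example, not from the thread: back up the Eventlog service's current
# Start value before merging fix.reg, and confirm afterwards whether the merge
# took effect. Assumptions: key path and Start=4 (Disabled) are from the post;
# the backup file name/location are my own.

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$backup = Join-Path $env:USERPROFILE 'Desktop\eventlog-start-backup.reg'

# Read the value as it is right now (normally 2 = Automatic on a stock system)
$current = (Get-ItemProperty -Path $key -Name Start).Start
Write-Output "Current Eventlog Start value: $current"

# Write a restore file in REGEDIT4 format; .reg files of this type must be
# ANSI text and end with a blank line, hence -Encoding ASCII and the trailing newline
$hex = '{0:x8}' -f $current
@"
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:$hex

"@ | Set-Content -Path $backup -Encoding ASCII

Write-Output "Restore file written to $backup (double-click it later to undo fix.reg)"

# After fix.reg has been merged, re-run this part to confirm the new value
$after = (Get-ItemProperty -Path $key -Name Start).Start
if ($after -eq 4) {
    Write-Output 'Eventlog Start is 4 (Disabled); reboot, then run ComboFix again.'
} else {
    Write-Output "Eventlog Start is $after; fix.reg has not been merged yet."
}
```

Merging the restore file once the clean-up is finished puts the service back to the value it had before, which is what you want: with Start left at 4 the machine keeps no event log while the malware is still being investigated.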






OTL by OldTimer
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
 
I posted another topic entitled, 2nd computer infected, however they told me to wait until we solve this one before posting another. Also, it said to inform you of this. After realizing we had something on our home laptop, I now realize it's on our desktop as well. However, they are not connected. The only similarity that I can think of is that my daughter was downloading music, at first on youtube, but I think she then started clicking on random links from Google searches. Thanks for your help. I'm sorry we haven't been able to come to a solution yet. Let me know what to do with the desktop. BTW, I was actually able to run DDS on that computer and posted the log in the previously mentioned thread.
 
Hi,

It's best to fix one, close the thread and then post for another, as we are all volunteers and most times spread too thin.

Downloading music sometimes is the real culprit unless it's purchased from a legit site like iTunes or Amazon, sites like that.

This one is a real stickler; I can't even see a report to see what you're infected with.


When you run RKill and try to run a program, when you reboot you may have to run Rkill again.

Run RKill and see if Malwarebytes will run

Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
 