Help Fix My Computer
I have some kind of malware or something on my computer. I followed through the steps outlined and backed up using ERUNT. I also downloaded both links of DDS; however, I'm getting errors that terminate the program each time.
Please help.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
What Windows operating system are you using?
Windows 7 Professional
Also, no Windows updates are able to be installed, and no Norton updates.
Let's do this.
Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.
1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)
Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.
Run rkill repeatedly until it's able to do its job. This may take a few tries.
You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.
Now let's see if DDS will run. Drag your copy to the trash and let's start fresh.
Download DDS from one of the links below to your desktop
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)
Double click the tool to run it.
A black screen will open; just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)
I have tried all 5 versions of the file and each time I get a pop up window that says:
Some installation files are corrupt. Please download a fresh copy and retry the installation.
If I leave that message up, nothing ever happens after 20 minutes. If I click OK, it takes me to a window titled, WinRAR self-extracting archive. This shows about 99% of the installation progress being complete, but never moves from there. The details in the window are as follows:
Extracting wl.txt
Extracting prep.bat
Extracting rkill.bat
Extracting h\iexplore.exe
Extracting nird\iexplore.exe
Extracting procs\iexplore.exe
CRC failed in procs\iexplore.exe
Extracting nircmd.exe
CRC failed in nircmd.exe
Extracting nircmdc.exe
CRC failed in nircmdc.exe
Extracting pev.exe
CRC failed in pev.exe
Extracting sed.exe
CRC failed in sed.exe
Extracting swreg.exe
CRC failed in swreg.exe
Extracting nircmd.chm
CRC failed in nircmd.chm
Extracting extra.dat
CRC failed in extra.dat
Extracting procs\proc.dat
Extracting serv.dat
Extracting rkill.reg
Extracting sh.vbs
CRC failed in sh.vbs
Extracting h
Extracting nird
Extracting procs
Good Morning,
Are you running the 32-bit or 64-bit version of Win 7? Not all, but a lot of our tools are not written just yet to run on the 64-bit version of Windows, so if you have 64-bit we will have to use some workarounds.
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
I'm running 32 bit.
Here is the log from exehelper:
exeHelper by Raktor
Build 20100414
Run at 06:14:09 on 01/27/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
I tried ComboFix multiple times and I kept getting the error about corrupt files and download a fresh copy. It never checked for the Microsoft Console either.
Also, I had uninstalled Norton prior to contacting you and before I noticed I had a virus, thinking that reinstalling it would fix the fact that updates weren't downloading.
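As an added example (not exeHelper's code and not part of the original thread), here is a read-only PowerShell audit of the hijack points the exeHelper log above reports resetting: the .exe/.com/.bat launch commands, the Winlogon Userinit and Shell values, Image File Execution Options "Debugger" entries, the Task Manager and regedit lockout policies, and all-digit or "sysguard" process names. The expected stock values and registry paths are assumptions taken from a standard Windows 7 install; the script changes nothing, it only prints what it finds. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not exeHelper's own code): read-only audit of the places a
# "no .exe will run" infection usually hooks. Assumption: the expected values
# below are the stock Windows 7 ones. Run from an elevated PowerShell prompt.

function Test-FileTypeCommands {
    # Malware rewrites the command used to launch .exe/.com files so every
    # program started goes through the rogue first.
    $expected = @{
        'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
        'HKLM:\SOFTWARE\Classes\comfile\shell\open\command' = '"%1" %*'
        'HKLM:\SOFTWARE\Classes\batfile\shell\open\command' = '"%1" %*'
    }
    foreach ($key in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($null -eq $actual)               { "MISSING   $key" }
        elseif ($actual -ne $expected[$key]) { "HIJACKED  $key = $actual" }
        else                                 { "ok        $key" }
    }
    # A per-user .exe class under HKCU overrides the HKLM one, so check it too.
    $userExe = 'HKCU:\SOFTWARE\Classes\.exe'
    if (Test-Path -Path $userExe) { "SUSPECT   per-user .exe override exists: $userExe" }
}

function Test-WinlogonValues {
    # exeHelper "Resetting userinit and shell values": these decide what runs at logon.
    $wl  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sys = $env:SystemRoot
    if ($wl.Userinit -ne "$sys\system32\userinit.exe,") { "HIJACKED  Userinit = $($wl.Userinit)" } else { "ok        Userinit" }
    if ($wl.Shell -ne 'explorer.exe')                   { "HIJACKED  Shell = $($wl.Shell)" }       else { "ok        Shell" }
}

function Test-ImageFileExecutionOptions {
    # A "Debugger" value under IFEO\<tool>.exe launches that "debugger" instead
    # of the tool: a classic way to block rkill, ComboFix or Malwarebytes.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) { "IFEO      $($_.PSChildName) -> $dbg" }
    }
}

function Test-RestrictionPolicies {
    # exeHelper "Resetting policies": these lock the user out of Task Manager / regedit.
    foreach ($hive in 'HKLM', 'HKCU') {
        $pol = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($p.$name -eq 1) { "POLICY    $hive $name = 1" }
        }
    }
    # Start = 4 means the Eventlog service is disabled (the value the fix.reg
    # later in this thread writes on purpose); 2 is the normal Automatic setting.
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog').Start
    "info      Eventlog service Start = $start"
}

function Test-SuspiciousProcesses {
    # exeHelper "numerical" and "sysguard" checks: rogue AVs of that era ran as
    # all-digit names (e.g. 12345678.exe) or as *sysguard.exe.
    Get-Process | Where-Object { $_.ProcessName -match '^\d+$' -or $_.ProcessName -match 'sysguard' } |
        ForEach-Object { "PROCESS   $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }
}

Test-FileTypeCommands
Test-WinlogonValues
Test-ImageFileExecutionOptions
Test-RestrictionPolicies
Test-SuspiciousProcesses
```

Anything printed as HIJACKED, IFEO, POLICY or PROCESS is a concrete lead on what is blocking the tools, which is exactly the information the helper says he cannot see in this thread because no log will run. On a stock Windows 7 PowerShell 2.0 prompt the default execution policy blocks script files, so either paste the functions into the console or start it with `powershell -ExecutionPolicy Bypass -File <script>` (script name is whatever you saved it as).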
It's the virus alerting you about corrupted files, but drag it to the trash and try downloading it again, and then do this; don't rename it this time.
Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.
"%userprofile%\desktop\combofix.exe" /killall
http://www.techsupportforum.com/sectools/tetonbob/killall.JPG
Click OK and this will start ComboFix in a special way.
When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.
* Reconnect to the internet
* Post the following logs/Reports:
ComboFix.txt
That did not work either. I got another corrupt error again.
With Windows 7 you need to right click on the file and select Run as administrator.
Try downloading ComboFix again, renamed as the first time, but don't run it yet.
Make sure all your RKill files are still on your desktop.
Download this program but don't use it yet.
Download Inherit (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and save it to your desktop.
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"
Then boot to safemode, run RKill, and then if it succeeds run CF in safemode also.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
You can do this in Safemode
If the above fails, try dragging RKill one at a time into Inherit until one runs and then try Combofix again.
If no luck, try this program: normal Windows first, then safemode, and finally Inherit if you need to.
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract the file and run it.
Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
Please post the content of the TDSSKiller log
This may sound confusing, but what I need you to try is to first try running RKill in safemode followed by ComboFix if RKill is successful. If it's not, then try dragging CF into Inherit.
Do the same thing with TDSSKiller; don't run TDSSKiller right now if you could run ComboFix successfully.
RKill ran successfully; however, ComboFix would not in any of the 3 methods you described. I downloaded TDSSKiller; however, it could not be extracted from the zip file. Is there a way to download it without it being in a zip format?
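As an added example (not Inherit.exe's code and not part of the original thread), here is a PowerShell script that inspects the permissions on the downloaded tools before reaching for Inherit, and with `-Fix` resets them using the built-in `takeown` and `icacls` commands. The assumption behind it is that the "won't run" symptom Inherit addresses is an ACL problem on the tool's .exe (explicit Deny entries, or inherited permissions stripped from the file); the file list defaults and the `-Fix` switch are this example's own.

```powershell
# Added example (not Inherit.exe's own code): report, and optionally reset, the
# ACL on downloaded tools. Assumption: the symptom Inherit fixes is an ACL
# problem on the .exe (Deny ACEs or stripped inheritance). Run elevated.
param(
    [string[]]$Files = @("$env:USERPROFILE\Desktop\rkill.exe",
                         "$env:USERPROFILE\Desktop\ComboFix.exe"),
    [switch]$Fix   # without -Fix the script only reports
)

foreach ($f in $Files) {
    if (-not (Test-Path -Path $f)) { "missing   $f"; continue }

    $acl       = Get-Acl -Path $f
    $deny      = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })
    $me        = [Security.Principal.WindowsIdentity]::GetCurrent().Name

    "{0}`n  owner={1}  deny ACEs={2}  inherited ACEs={3}  inheritance blocked={4}" -f `
        $f, $acl.Owner, $deny.Count, $inherited.Count, $acl.AreAccessRulesProtected
    foreach ($d in $deny) { "  DENY {0} -> {1}" -f $d.IdentityReference, $d.FileSystemRights }

    # A Deny entry or blocked inheritance on a file the user just downloaded is
    # not something the user did; treat it as tampering worth resetting.
    $tampered = ($deny.Count -gt 0) -or ($inherited.Count -eq 0) -or $acl.AreAccessRulesProtected
    if ($Fix -and $tampered) {
        takeown.exe /F $f | Out-Null                     # become owner so the ACL can be edited
        icacls.exe $f /reset | Out-Null                  # drop explicit ACEs, re-enable inheritance
        icacls.exe $f /grant "${me}:(RX)" | Out-Null     # make sure we can read and execute it
        "  reset -> " + ((icacls.exe $f) -join ' ')
    }
}
```

Run it once without `-Fix` to see whether the tools actually carry a Deny entry or have lost inheritance; if they do not, the block is somewhere else (the .exe file association or an IFEO Debugger entry are the usual suspects) and resetting permissions will not help. `takeown` needs an elevated prompt when the file is owned by another account.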
Lets try this.
Bring up Task Manager using CTRL+ALT+DELETE. See if any of these processes are running ... Kill Process on each one until CF will run.
findstr
sed
grep.
nircmd.exe
nircmd.cfexe
swsc.cfexe
* .. or any other process that has the .cfexe extension except for CFxxx.cfexe
If ComboFix is still 'hung', then kill process on CFxxx.cfexe
None of those processes were running, nor any .cfexe processes.
You have to right click on ComboFix and select RUN AS ADMINISTRATOR; then if it won't run, end process on the ones that I posted.
I did click run as administrator and it wouldn't run. And there are no files that you listed as processes.
I am going to post some programs for you to try and run.
First do this
Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)
REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Eventlog]
"Start"=dword:00000004
Save this as fix.reg. Choose "Save type as - All Files".
Double click on fix.reg & allow it to merge into the registry
Reboot the machine once this is done and run combofix again.
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
Reg change ran fine, rebooted, but neither ComboFix nor OTL would run.
I posted another topic entitled, 2nd computer infected, however they told me to wait until we solve this one before posting another. Also, it said to inform you of this. After realizing we had something on our home laptop, I now realize it's on our desktop as well. However, they are not connected. The only similarity that I can think of is that my daughter was downloading music, at first on youtube, but I think she then started clicking on random links from Google searches. Thanks for your help. I'm sorry we haven't been able to come to a solution yet. Let me know what to do with the desktop. BTW, I was actually able to run DDS on that computer and posted the log in the previously mentioned thread.
Hi,
It's best to fix one, close the thread and then post for another, as we are all volunteers and most times spread too thin.
Downloading music sometimes is the real culprit unless it's purchased from a legit site like iTunes or Amazon, sites like that.
This one is a real stickler; I can't even see a report to see what you're infected with.
When you run RKill and try to run a program, when you reboot you may have to run Rkill again.
Run RKill and see if Malwarebytes will run
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
No go on the Malwarebytes program; it would not let me install it.
Did RKill run successfully prior to trying to install Malwarebytes ?
One last program to try, remember to run RKill first
Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, Attach the file ).
If that won't run, let's try to restore your computer to a previous state. I am going to link you to the instructions; if it's malware causing all this, method #1 may not work, so I need you to try method #2.
http://www.sevenforums.com/tutorials/700-system-restore.html
OTS would not run. I'm thinking I may need to reinstall windows?
Hi,
What I would do is a System Restore and then let's go from there. I am linking you to the instructions; they may be easier to follow. Malware may block Method #1, so use Method #2.
http://www.sevenforums.com/tutorials/700-system-restore.html
With your Computer off, press the Power button, start tapping the F8 key until a menu comes up, use your arrow keys to move up to REPAIR YOUR COMPUTER and press enter on your keyboard. Then just follow the prompts, unless you set one there is no password. Then choose System Restore , make sure you pick a date about a week prior to your problems starting.
If it went well post back with a DDS log and lets take a look
None of the system restores will work.
Well, at this point I am afraid a reformat and reinstall of windows is the only way to go to get rid of what has ahold of this computer.
If you need help with this let me know and I can link you to a windows forum that can help you
No need, thanks so much for all your help!!
You're very welcome.
When you reinstall windows, download and run DDS and lets take a look to make sure all is ok
OK, so I formatted and reinstalled Windows XP SP2 (the OS that came with my computer) and I still seem to be having the same issues. I cannot install any Windows Updates or Norton Antivirus updates. Actually I had a lot of trouble and needed tech support to even install Norton. DDS would not run either. Since my computer was Windows 7 prior to my reinstallation, does that have any effect? Maybe I should follow your steps to reinstall again? I'm at a loss because I really thought that reinstalling Windows would fix any problems.
Not totally sure what you have done. There are infections going around that infect all your programs and files, and if after reinstalling Windows you copied some files and programs over you may have reinfected yourself, but I am not sure of this as I can't see any logs.
If your computer has been upgraded to Win 7, why did you install XP?
Why don't you post here for help doing the reformat and reinstall correctly.
http://forums.whatthetech.com/index.php?showforum=119
This is a site we work closely with; link them to this thread if you wish so they can see what we have done. I will follow along and add some info if they need it. Once they have you up and running, do not copy any backed up files or programs to the new install for a bit until we see how it's running.