
Thread: Help needed - Infection even preventing DDS from running

  1. #1
    Member | Join Date: Feb 2009 | Posts: 55

    Help needed - Infection even preventing DDS from running

    Once again, one of my family's computers has picked up an infection that has defeated me!

    This morning, when my dad booted up his laptop to check out something online, he got a whole load of virus warning messages from "XP Home Security 2011". It didn't take me long to realise it was a scareware-type infection, and a quick online search seemed to offer the solution at the McAfee website. Following the instructions there seemed to get rid of it, and after a couple of scans, MBAM showed no trace of the infection. However, Windows Security Centre was still reporting that Auto Update and the Firewall were both disabled (and yes, I know he should have a better firewall than that, but he's in his 70s and struggles a bit with the technical aspects of computing!). AVG showed and removed a trojan, and another online search seemed to offer a solution to the firewall issue. However, the solution that seemed to work for others to restore the firewall hasn't worked in this case.

    So here's the situation as it currently stands:

    When the computer boots up, the firewall shows as being on, but after a few seconds switches to "Not Monitored", and any attempts to change the settings just bring up the "Windows Firewall settings cannot be displayed because the associated service is not running" message. Also, all attempts to turn on auto updates are being blocked. Both MBAM and AVG show clean, so that makes me think the infection is buried deep somewhere.

    I've used Erunt to back up the registry, and tried running DDS. However, DDS starts to run, but then the whole system seems to just hang - Even the clock stops, the whole system becomes unresponsive, and I have to do a hard reboot to get it back. So I'm unable to post a DDS log here at the moment, but am hoping that someone can help out just the same.

    System details:
    IBM Thinkpad T41 running XP Pro SP3 with all the latest updates.


    If it comes to it, I do have a full set of system restore disks, as that's what I had to do with the last infection I had on my similar machine.....

  2. #2
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    Hi lather,

    We can see what ComboFix can dig up. I assume you do not have a 64-bit OS. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the log:

    Guide to using Combofix
    How Can I Reduce My Risk?

  3. #3
    Member | Join Date: Feb 2009 | Posts: 55

    Thanks for getting back to me. Unfortunately, I've hit a brick wall with ComboFix too!

    I downloaded it OK, but for some reason can't deactivate the copy of AVG 9.0 that's installed on the computer, and that's stopping ComboFix from running. I followed all of the instructions on temporarily deactivating AVG to the letter, and that didn't work, so I then tried uninstalling it, and that failed too. I even tried booting in safe mode to see if that helped, but it didn't. According to the AVG user interface, both Anti-Virus and Anti-Spyware are showing as active, although Resident Shield is shown as disabled.

    Currently, when I run ComboFix, the installer starts to launch, and then comes up with a pop-up warning that it can't run when AVG is installed, and asking that AVG be uninstalled - Which of course I can't, because the uninstall always fails!!

    So it seems like I'm a bit stuck at the moment, and can't seem to get anywhere at all with running any of the programs that could help sort the problem out. It's got me stumped, but hopefully you'll have some idea of where to go from here!

  4. #4
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    AVG had an uninstaller you can try. See if that will remove it, then try running ComboFix.

    AVG remover

  5. #5
    Member | Join Date: Feb 2009 | Posts: 55

    OK, the AVG remover worked fine and deleted it from the system. However, I'm still having problems with ComboFix.

    With AVG gone, the ComboFix installer ran OK and installed the Windows Recovery Console. ComboFix then created the new restore point and started to prepare to scan. However, once it got to the line about how scan times can double for badly infected machines, it then froze and the whole machine locked up in a similar way to how it locks up when trying to run DDS - The only difference this time is that with ComboFix, the on-screen clock carries on running. With the machine locked up, the only option is another hard reboot. I've tried several times, and each time I try to run ComboFix, the result is exactly the same.

    So it seems like whatever is lurking on the machine is stopping both DDS and ComboFix from running their scans and making the machine lock up. So is there anything else I can try, or is it looking more like a complete wipe and reinstall of Windows?

  6. #6
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    Try running ComboFix in safe mode. To reach safe mode you would tap the F8 key during a computer restart, then choose the first option on the list: safe mode. Log into your usual account. Once at the safe mode desktop, try running ComboFix.

  7. #7
    Member | Join Date: Feb 2009 | Posts: 55

    Hadn't thought of trying to run it in Safe Mode, but have done so now. Unfortunately, even in Safe Mode, exactly the same happened again, with ComboFix freezing at the same point as before, followed by the machine locking up and requiring a hard reboot. So it seems that ComboFix, like DDS, won't run in either normal or safe modes...

    So, at the moment, it seems like the only scan I can probably run is MBAM, which is still installed and ran OK last time I tried it before my first post in this thread. AVG also ran OK the last time I ran it (again before starting this thread, and it's now deleted from the system). But I just can't get either DDS or ComboFix to run, even in Safe Mode, and any attempt to do so causes the machine to lock up.

  8. #8
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    Sometimes malware tricks can cause apps not to run. In my experience they won't run from the start. Yours just seem to stop in the middle after starting.
    Try this:

    Please download rkill.com by Grinler and save it to your desktop:

    Double-click on the Rkill desktop icon to run the tool.

    A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    After it's finished, try running DDS. If DDS runs, post its log; if not, continue:

    If DDS doesn't run, download rkill.scr
    Double-click on the Rkill.scr desktop icon to run the tool.

    A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    After it's finished, try running DDS

    If DDS doesn't run, download eXplorer.exe
    Double-click on the eXplorer.exe desktop icon to run the tool.

    A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    After it's finished, try running DDS

    If DDS doesn't run, download iExplore.exe
    Double-click on the iExplorer.exe desktop icon to run the tool.

    A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    After it's finished, try running DDS

    If DDS doesn't run, download uSeRinit.exe

    Double-click on the uSeRiNiT.exe desktop icon to run the tool.

    A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    After it's finished, try running DDS

    These tools do not delete any malware. They only terminate malware-related processes that may be running, allowing you to run DDS or other tools. If you can get DDS to run, that will be a start.

  9. #9
    Member | Join Date: Feb 2009 | Posts: 55

    Tried all of those versions of Rkill (most of which were already on the machine from previous efforts to get rid of XP Home Security 2011). Unfortunately, none of them have had any effect, and DDS still stalls at the same point as before, followed by the machine locking up and requiring a hard reboot via the power switch.

    Each version of Rkill did find and stop one process, C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe, but that's all...

  10. #10
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    OK, yet another download:

    Download OTL to your desktop or other convenient location.
    OTL does not need to be installed, simply click OTL.exe to run.
    Click the Quick Scan button.
    A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
    Please post both logs.
