TechSpot

Can only get halfway through the cleaning process

By yelodoggie
Feb 13, 2009
  1. I am trying to help my husband clean off his computer. He was downloading the free trial of World of Warcraft, and now his system is infected with all kinds of malware and spyware. He was running an outdated version of McAfee, and his infection is so bad that he couldn't even download any software to help him clean his system.

    He has a Dell Dimension 8400 running XP Professional, and he uses Mozilla Firefox as his browser.

    I downloaded the utilities on my laptop and burned them to a CD so he could install them on his system to use them.

    He installed avast, and it found about a gazillion infections. Everything was quarantined in the chest.

    Then he installed and ran ATF cleaner, and removed all the temp files.

    Then he installed Malwarebytes, but it would not run at all. I downloaded it from a different site, and he tried again, but it still would not run.

    He installed Super Anti-Spyware Plus, but it would not run either.

    Now when he restarts, he gets a message that says:
    error loading C:\WINDOWS\xccdf16_090131a.dll
    when he clicks OK, windows finishes startup. When he tries to go online, his home page loads, but he cannot navigate away from that page.

    Please help. What can we do? Should he just toss in the towel and take the tower in someplace to have it wiped clean and the system reinstalled?

    UPDATE: Now he gets nothing but a black screen at startup.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Wish you had come here first!

    But let's see what we can do!

    Try booting to Safe Mode.

    Let me know if you can!

    Mike
     
  3. yelodoggie

    yelodoggie TS Rookie Topic Starter

    through startup but...

    ok, we're back to an actual Windows screen, but still unable to run malwarebytes or SAS. Did manage to run norman malware, which found and fixed 16 things, but was unable to scan 109 items. ?

    Cannot browse anywhere. Think we're getting the home page screen only because it's saved in the temp files.

    any advice?
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Do not do anything else on your own until I finish!

    Do the below!

    OK

    Boot to Safe Mode with networking and do all below.

    Left-drag the mouse to select, and copy for pasting, all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste into the black screen of an open command prompt. All of it may not apply, so ignore errors.
    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    :: Paths containing spaces must be quoted or attrib/del see two arguments
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x /f /q
    del c:\windows\SxsCaPendDel /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    :: Service name matches the Services key deleted below (single .sys)
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This is a coverall and may give errors as it tries to delete/stop certain Malware files etc that you do not have. This is no problem. The process should run then exit back to desktop.

    Reboot again into Safe Mode with Networking

    Then...

    Do the TechSpot 8 steps: http://www.techspot.com/vb/topic58138.html

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

    Most importantly update MalwareBytes and SuperAntiSpyware!

    Mike
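An added example, not from this thread or from Mike's script: the script above resets the file associations because this family of malware rewrites `exefile` so every .exe (Malwarebytes and SAS included) is launched through its own loader. This checker parses saved `assoc` and `ftype` output and reports any entry that deviates from the defaults the script restores; the sample text and the loader path in it are constructed for illustration.

```python
"""Spot hijacked .exe/.bat/... handlers from saved `assoc` and `ftype` output.

Usage on the affected machine:  assoc > assoc.txt  and  ftype > ftype.txt
at a command prompt, then feed both files to check_associations().
The sample text below is constructed, with one deliberately hijacked entry.
"""
import re

# Expected defaults, taken from the ftype/assoc lines of the cleanup script.
EXPECTED_FTYPE = {
    "exefile": '"%1" %*', "batfile": '"%1" %*', "cmdfile": '"%1" %*',
    "comfile": '"%1" %*', "scrfile": '"%1" /S', "piffile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',   # the script quotes regedit.exe; both are fine
}
EXPECTED_ASSOC = {
    ".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile", ".com": "comfile",
    ".scr": "scrfile", ".reg": "regfile", ".pif": "piffile", ".lnk": "lnkfile",
}

def parse_kv(text):
    """Parse the name=value lines printed by assoc and ftype (keys lower-cased)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:                      # error messages carry no '='
            name, _, value = line.partition("=")
            result[name.strip().lower()] = value.strip()
    return result

def normalize(cmd):
    """Collapse whitespace, drop optional quotes around regedit.exe, ignore case."""
    cmd = cmd.replace('"regedit.exe"', "regedit.exe")
    return re.sub(r"\s+", " ", cmd).strip().lower()

def check_associations(assoc_text, ftype_text):
    """Return (kind, name, actual, expected) for every entry that deviates."""
    findings = []
    assoc, ftype = parse_kv(assoc_text), parse_kv(ftype_text)
    for ext, prog_id in EXPECTED_ASSOC.items():
        actual = assoc.get(ext)
        if actual is None or actual.lower() != prog_id:
            findings.append(("assoc", ext, actual, prog_id))
    for prog_id, cmd in EXPECTED_FTYPE.items():
        actual = ftype.get(prog_id)
        if actual is None or normalize(actual) != normalize(cmd):
            findings.append(("ftype", prog_id, actual, cmd))
    return findings

# Constructed sample output: the extension mappings are intact, but exefile
# has been redirected through a made-up loader path, the pattern the script undoes.
SAMPLE_ASSOC = """\
.bat=batfile
.cmd=cmdfile
.com=comfile
.exe=exefile
.lnk=lnkfile
.pif=piffile
.reg=regfile
.scr=scrfile
"""
SAMPLE_FTYPE = r"""batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="C:\Documents and Settings\Owner\Local Settings\Application Data\av.exe" /START "%1" %*
piffile="%1" %*
regfile=regedit.exe "%1"
scrfile="%1" /S
"""

if __name__ == "__main__":
    for kind, name, actual, expected in check_associations(SAMPLE_ASSOC, SAMPLE_FTYPE):
        print(f"{kind} {name}: got {actual!r}, expected {expected!r}")
```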
     
  5. yelodoggie

    yelodoggie TS Rookie Topic Starter

    How do we boot to safe mode with networking?

    BTW here is his most recent hijack this logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:30:04 PM, on 2/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18372)
    Boot mode: Normal

    Moderator Edit:

    Pasted log removed
    All logs, should be attached

    can't post rest of logfile, getting this error

    To be able to post links or images your post count must be 5 or greater.

    redoing the logfile

    please tell me how to restart in safe mode with networking.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, click Edit at the bottom right and delete all of the log.

    Then click the Go advanced button and then on top header click the Paperclip and attach the logs.

    Mike
     
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I would say:

    Uninstall your McAfee Antivirus
    Then run the McAfee Removal Tool

    Uninstall Avast

    Run Startup Control Panel and remove any not required startups: (should be most!)

    Install Avira free AntiVirus

    Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
    You need to run this multiple times, until all hidden Malwares are uncovered and removed
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    To boot into Safe Mode!

    Restart Windows. The screen will go black; begin tapping the F8 key every second until you get the Advanced Boot screen.

    There are several entries here; two of them are Safe Mode and Safe Mode with Networking.

    Choose Safe Mode with Networking. Approve the prompts to get to the desktop. The screen will have large icons.

    Mike

    EDIT: Install Avira first, then remove the others. If you uninstall all, for a short time you have no virus protection. It's like saying if I just leave the door open for 5 minutes the Rottweilers and Pit Bulls will not have time to get out and kill somebody! Hee hee, I crack myself up sometimes.:haha::grinthumb

    Mike
     
  9. yelodoggie

    yelodoggie TS Rookie Topic Starter

    cannot restart in safe mode

    his desktop will not restart in safe mode. We've tried half a dozen times now.

    We can get it to start up, doing a regular restart, but with the error loading c:\WINDOWS\xccdf16_090131a.dll

    So, that's where we are. We're up, in Windows XP pro having received that error.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Just do everything in Normal Mode (with the error issue)
    We can repair Safe Mode after you're a bit cleaner ;)
    The steps above will take a few minutes (or hours) or so ;)
     
  11. yelodoggie

    yelodoggie TS Rookie Topic Starter

    progress

    OK, before we could start anything, Mr. Smartypants got the SAS to run and scanned the HD. Found 53 items which it removed. After that, we did this:

    Installed Avira

    Uninstalled McAfee Antivirus
    Ran the McAfee Removal Tool

    Uninstalled Avast (with all the cr*p that was in the chest. hope that won't hurt anything)

    Ran Startup Control Panel to remove any not required startups: (but there wasn't really anything there but Quicktime and Avira)

    Started up Malwarebytes again; Updated it; then began to run a full scan
    HOWEVER: didn't disable Avira before doing this and a window popped up that said a virus was found. Windows\fenilulok.dll TR/Agent.jvl Trojan
    No matter what we clicked: deny access, remove, quarantine...it did nothing. It bleeped and went back to the same window. At this point, we shut down and restarted. After restart, disabled the Avira and are currently running MalwareBytes full scan. It's finding stuff. After we remove it, we will run it again and post a new HJT logfile.

    Thanks for helping us! The system is already running faster, though we are still getting the error loading C:\WINDOWS\xccdf16_090131a.dll at startup. Will you be able to help us figure that out, too?
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Being a "smartypants" and all
    Those Avira (beeps) are different viruses it's finding (that's right different)

    Therefore if you feel that the Malwarebytes or SuperAntiSpyware scan is being interrupted, just way too often
    You can run an Avira scan (manually started on C drive), and when it picks up its first virus, you have the option to quarantine it, and then tick "Make this the default action"
    Therefore, you can walk away ;)

    Once completed, then do the Malwarebytes and SuperAntispyware scans

    Done ;)
     
  13. yelodoggie

    yelodoggie TS Rookie Topic Starter

    Hey, the Mr. Smartypants I was referring to, is my husband...
    but if the socks fit... :)

    Running avira now. Then will follow up with Malware Bytes and SAS. Will post new HJT log soon.

    Finished all the scans. Everything is coming up clean...I am attaching log files.
    Still curious about the error at startup. Just for fun, I searched my laptop for the file that the desktop is missing...but I don't have that .dll.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes the missing Startups (actually stated in your HJT log) are not the concern just yet (ie they do nothing if missing)

    Please do the following:

    Download Combofix
    Lots of info on its use here
    Direct download here

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply
    Restart back to Normal mode, and attach the Combofix log

    Also do another scan with HJT (scan and log file) and attach this to a new reply as well

    Whilst waiting for my reply, you may want to re-open Malwarebytes; update it again; and then run another full scan (I'm thinking there may still be more uncovered malwares to remove) I would do this ;)
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Good morning

    You have been in very good hands while I was sleeping and things are looking very good.

    Run HJT select and remove the below entries.
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    After running the steps Kim advised, you should be close to finished.

    Post the last SAS log! And the new MBAM log from the new run advised by Kim.

    Mike
     
  16. yelodoggie

    yelodoggie TS Rookie Topic Starter

    SAS log

    Where are the SAS logs hiding?
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    SAS-Preferences-Statistics logs!

    Mike
     
  18. yelodoggie

    yelodoggie TS Rookie Topic Starter

    Update with logs

    Kim and Mike...

    Thanks for all your help last night. Just got around to following your latest instructions.

    First: could not find the SAS logs. Couldn't find a preferences folder for SAS anywhere. :confused:

    So, we proceeded as follows:

    First, we ran HJT. and removed the below entries.
    R3 - URLSearchHook: (no name) - - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    Then we downloaded and ran Combofix. (log attached)

    Then, we ran Malwarebytes (log attached)

    If I'm not mistaken, it looks like all the mean stuff is gone. Now we just have that error code at bootup to fix. How should we proceed?
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes

    We need the HJT log for that ;)

    ie
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes, it looks as though we have passed the worst.

    First the SAS logs are found by running SAS then clicking Preferences then clicking Statistics/Logs.

    Get me the logs. I need to know what we are up against!

    Second, ComboFix found/removed many bad entries, so it needs to be run again to confirm a clean log.

    So run ComboFix again attach log!

    Mike

    EDIT: For the error at boot.

    Run MBAM click More Tools then Run tool.

    Code:
    C:\WINDOWS\xccdf16_090131a.dll
    Then copy the text in the box and paste into the File Name box and click Ok to delete the file.

    Reboot to confirm.

    Mike
     
  21. boostjunkie92

    boostjunkie92 TS Rookie

    I'm having the same original problem... I opened up an infected antispyware exe and got a whole bunch of nasty stuff... I've removed so much already but there seems to be more that I just can't get rid of.

    I've done most of the things that were said to do here in this thread. I got as far as running the ccc cleaner, and deep scans using both BitDefender antivirus and CounterSpy; I removed them and tried to use Malwarebytes and SuperAntiSpyware but couldn't get either of them to load up... Malwarebytes' process doesn't even show up when executed and SuperAntiSpyware gives me a Windows error when started. I even tried renaming the exe of Malwarebytes, thinking that the virus is blocking the program from starting up, but that didn't work either.

    About 50% of the time my computer will freeze upon startup, and the other half my computer is greatly slowed down.

    I've discovered that my web access is being temporarily blocked... when I try to navigate to certain pages (i.e. anti** download pages) I'm automatically redirected to a "spam" page that is just blank. I was able to manually enter the URLs and download the necessary software though (extremely annoying)

    My next move is to burn a bootable cd with antivirus on it (avast BART CD)

    any ideas?
     
  22. yelodoggie

    yelodoggie TS Rookie Topic Starter

    final log files

    OK, my dear computer gurus...
    We ran SAS and found the logs. (attached)
    We ran Combofix again. (log attached)
    We ran MBAM and deleted the errant startup file.
    We ran full MBAM scan. (log attached)
    We ran HJT (log attached)

    You guys are amazing. :grinthumb

    Everything is running smoothly.
    Combofix is a little scary, can I uninstall it without worry?

    Also, one more strangish thing...after the computer is on for a little while, all of a sudden there will be a windows tone (once) no matter what we are doing. Kind of like a " ! " Doesn't seem to affect anything, never opens an alert window, just the tone like something happened. Any idea what that could be? :confused:
     
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    Good work!

    Looks good!

    Run HJT Scan only and fix the below
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    OK, I am going to put you through the closing. But you especially need to do the temp and registry cleanups therein. This hopefully may get the Ding!

    Thread closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by the Firewall. Approve in Windows Defender or other guards or security programs while OTCleanIt is attempting to access the Internet, to allow all.

    If prompted to reboot, click Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner again, twice or more, on Cleanup temps; then on the left click Registry, then Scan for issues, and also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
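An added example, not part of the thread: a small triage script for HJT log lines that applies the two rules behind Mike's fix lists here, entries ending in (no file) being orphaned references, and O4 startup entries whose target is a file this thread already removed. The sample log is constructed from lines quoted in the thread plus two made-up O4 entries ([ieupdate] and [avgnt]) for contrast; the known-bad list holds only names from this thread, not a general signature set.

```python
"""Triage HijackThis log lines: orphans, known-bad startups, and the rest."""
import re

# File names this thread's cleanup script and later posts identified and deleted.
KNOWN_BAD_FILES = {
    "ieupdates.exe", "scui.cpl", "winsrc.dll",
    "xccdf16_090131a.dll", "fenilulok.dll",
}

# Every HJT entry looks like "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 startup bodies: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def target_filename(cmd):
    """Best-effort file name of the program a Run command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly with spaces
        exe = cmd[1:].split('"', 1)[0]
    else:                                   # unquoted: first token is the path
        exe = cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_line(line):
    """Return (verdict, reason) for one HJT log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("skip", "not an HJT entry")
    code, body = m.group("code"), m.group("body")
    if body.endswith("(no file)"):
        return ("orphan", f"{code} entry points at a file that no longer exists")
    if code == "O4":
        o4 = O4_RE.match(body)
        if o4:
            exe = target_filename(o4.group("cmd"))
            verdict = "known-bad" if exe in KNOWN_BAD_FILES else "review"
            return (verdict, f"startup [{o4.group('name')}] runs {exe}")
    return ("review", f"{code} entry needs a manual look")

def triage_log(text):
    """Return [(verdict, reason, line)] for every recognised HJT entry."""
    out = []
    for line in text.splitlines():
        verdict, reason = triage_line(line)
        if verdict != "skip":
            out.append((verdict, reason, line.strip()))
    return out

# Constructed sample: four lines quoted in this thread plus two made-up O4 entries.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ieupdate] C:\WINDOWS\system32\ieupdates.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\avgnt.exe" /min
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

if __name__ == "__main__":
    for verdict, reason, line in triage_log(SAMPLE_LOG):
        print(f"{verdict:10} {reason}\n           {line}")
```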
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    boostjunkie92

    We can fix you but make your own Thread and I will see you in the morning.

    Mike
     
  25. yelodoggie

    yelodoggie TS Rookie Topic Starter

    finished

    dear Gurus:

    Ran HJT and fixed the two items you specified.

    Removed combofix.

    downloaded OTcleanit and ran.

    downloaded CCleaner, ran it twice on temps, 5x on registry!!

    ran ATF. (couldn't see a registry setting, but ran temps)

    downloaded KCleaner, but didn't run it because there were a lot of choices and I wasn't sure what to check off.

    Created a new system restore point.
    Did the disk cleanup.

    Did a system scan and defrag.

    Saved MBAM and SAS and will run them weekly. Also saved Avira to run live

    You guys are the bomb.
     
Topic Status:
Not open for further replies.
