TechSpot

Can't even get to step 2 of 8-step process - TFC just hangs

Inactive
By ItchyDog
Oct 21, 2010
  1. I'm having problems similar to the google hijack reported by others, but it's seemingly even worse - lucky me.

    Started with an email (I think) from an address we thought we recognized, subject "My terrible experience". Deleted email immediately after opening it. McAfee reported finding/quarantine 2 trojans. Later that day, something called "Antivirus 2010" tried to download and install - I killed the connection immediately (Verizon broadband) and un-installed the program, and ran a McAfee scan. No issues found. Restarted connection, updated McAfee, no issues found.

    Then I noticed all my google searches were being hijacked. Then McAfee real-time scanning told me it was off, and when I tried to turn it on, it turned back off immediately. I went to McAfee's help website and tried to run the steps they said to do, but it didn't work. I constantly updated McAfee and ran scans, but the real-time scanner wouldn't stay on. Then my internet explorer started displaying "cannot display page" even though my broadband connection was good. I tried to run McAfee's Stinger, but it just hangs on explorer.exe. It also hangs in Safe Mode with Networking.

    So, based on a McAfee board suggestion, I came to Malwarebytes (on a different computer), and tried to run the 8-step process. TFC just hangs - I get the screen saver and nothing else, then after a couple of minutes, the McAfee popup comes up and tells me I have a problem (real time scanning off). So, I restarted with Task Mgr and tried again - now TFC won't load from the desktop, so I ran it from my USB drive, same results. Also tried to run it in Safe Mode with Networking, but no joy.

    Ideas?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Welcome aboard

    Skip TFC for now....
     
  3. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Still no go

    I tried to run Malwarebytes, but in Safe Mode w/Networking and Safe Mode it starts and then just disappears! There's nothing but the screen saver or the Safe Mode black screen. And I have to run it from the USB stick - it gives me a path unavailable error when I try to run it from the desktop.

    Sorry about the delay in replying - I'm out of town for a couple of days and won't be able to try anything else until Wed or Thurs. But thanks so much for your help so far!
     
  4. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    No problem :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Still nothing....

    I tried to run Combofix (from the desktop) and a small box with "Combofix" at the top appears, runs a bar across (like it's loading) and then it disappears and the whole computer locks. So, to Safe Mode w/Networking - combofix didn't make it as part of the desktop (interesting!), so I re-loaded it from the USB and it did the same thing. Restart again, Safe Mode - combofix made it as part of the desktop, but same result running it.

    Sigh.

    Would I be better off just wiping the whole thing and starting over? A friend keeps asking when I'm switching to Linux...

    Thanks again for your help/time - I do appreciate it!
     
  6. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Delete your Combofix file, download fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
    Do NOT run it yet.


    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


      * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    If still a problem, try running ALL 3 tools from Safe Mode.
     
  7. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    File questions

    Broni,
    I tried to download
    Rkill.pif
    but the link is broken. Perhaps they are updating the tool?

    Also, when I downloaded
    exeHelper
    McAfee told me it removed a Trojan called Generic.dx!sbo from it - should I have temporarily disabled McAfee while downloading these tools? I'm doing the downloads on another computer (to a USB stick) since the infected computer can't connect to the internet.

    Thanks again!
     
  8. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    OK, I'm an ***** - read your directions again, turned off realtime scanning, downloaded exehelper. Will run per directions and post results!

    BTW, if these won't run in normal mode, should I assume the copies on the stick are now corrupted and download new copies before running in safe mode?
    Thanks!
     
  9. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Some ran, some didn't

    First try in Normal mode, rkill.com ran and exeHelper ran, broni loads and then disappears, logs below:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Anne Scott on 10/29/2010 at 11:16:09.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    \\.\globalroot\Device\svchost.exe\svchost.exe
    C:\Documents and Settings\xxx\Desktop\rkill.com


    Rkill completed on 10/29/2010 at 11:16:16.

    exeHelper by Raktor
    Build 20100414
    Run at 11:17:33 on 10/29/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Second try, in Safe Mode
    Ran rkill.com, seemed to run, saved log (below), then screen went black and hung, tried to restart, got "explorer.exe" won't stop. Stopped explorer.exe, and restarted. Rkill log:
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Administrator on 10/29/2010 at 11:30:21.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    \\.\globalroot\Device\svchost.exe\svchost.exe
    C:\Documents and Settings\Administrator\Desktop\rkill.com


    Rkill completed on 10/29/2010 at 11:30:27.

    Third try, safe mode, ran rkill.scr, then exeHelper (logs below) tried to run broni, appeared to load, screen flickered, and nothing appears to be happening. rkillscr and exehelper logs:
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Administrator on 10/29/2010 at 11:46:14.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    \\.\globalroot\Device\svchost.exe\svchost.exe
    C:\Documents and Settings\Administrator\Desktop\rkill.scr


    Rkill completed on 10/29/2010 at 11:46:20.

    exeHelper by Raktor
    Build 20100414
    Run at 11:47:29 on 10/29/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...

    Next step please?
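As an added example (not code from the thread, from Rkill, or from Broni), the check a responder would run over the Rkill logs above: it pulls the "Processes terminated" entries out of the log and flags any well-known Windows binary name running from outside its normal directory, or from a \\.\globalroot device path rather than a drive letter, which is the shape of the svchost.exe line in these logs. The log text (a copy of the posted one with the account name replaced by "xxx"), the expected-directory table and the Windows XP layout on C: are constructed assumptions.

```python
import re

# Constructed sample: a copy of the Rkill log posted in the thread, with the
# account name replaced by the placeholder "xxx".
RKILL_LOG = r"""This log file is located at C:\rkill.log.
Ran as xxx on 10/29/2010 at 11:16:09.

Services Stopped:

Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\xxx\Desktop\rkill.com

Rkill completed on 10/29/2010 at 11:16:16.
"""

# Directory each well-known Windows binary normally runs from (Windows XP
# layout on a C: system drive, as assumed for the thread's machine).
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# \\.\globalroot\... and \\?\globalroot\... address the kernel object
# namespace directly instead of a mounted drive letter.
GLOBALROOT = re.compile(r"^\\\\[.?]\\globalroot\\")


def parse_terminated(log_text):
    """Return the process paths listed under 'Processes terminated by Rkill'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("Processes terminated by Rkill"):
            in_section = True
        elif s.startswith("Rkill completed"):
            break
        elif in_section and s:
            paths.append(s)
    return paths


def classify(path):
    """Return a short reason if the path looks suspicious, otherwise None."""
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    if GLOBALROOT.match(low):
        return "globalroot device path, not a normal file system location"
    if name in EXPECTED_DIRS and directory != EXPECTED_DIRS[name]:
        return f"{name} running outside {EXPECTED_DIRS[name]}"
    return None


def suspicious_processes(log_text):
    """Pair each terminated process that classify() flags with its reason."""
    flagged = []
    for path in parse_terminated(log_text):
        reason = classify(path)
        if reason:
            flagged.append((path, reason))
    return flagged
```

Rkill lists itself among the terminated processes, so rkill.com in the log is expected and is not flagged.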
     
  10. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Let's try again...

    Run rKill and exehelper and then broni.exe right away.
     
  11. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    ?

    That is what I did. I renamed combofix when it was on the USB stick in my laptop. I then loaded each program in turn from the USB stick and ran them sequentially. Broni.exe appeared to load, the screen flickered a couple of times, and nothing more happened.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    ..and what happened, when you tried to run it?
     
  13. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    I'm puzzled - not trying to be obnoxious or *****ic, but evidently I am...it's certainly not intentional.

    When I attempted to run broni.exe, it did almost the same thing it had done before as combofix.exe - a small box appeared, a bar went across indicating it had loaded, the screen flickered a few times, and then nothing else happened with broni.exe. The computer did not lock up this time.

    I'm not sure what else to say about it?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  15. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    "Scan won't take long" - any idea of how long? Here's what I've done:

    Left infected computer in last config, which was Safe Mode
    Downloaded OTL to USB drive on laptop
    Opened Notepad, copied your script, downloaded to USB drive on laptop
    Transferred USB drive to infected computer
    Dragged both OTL and otl_script.txt to desktop
    Opened otl_script.txt, CNTL A, CNTL C
    Opened OTL, pasted script
    Closed Notepad
    Clicked Quick Scan button
    window disappeared, nothing else happened, computer appears to be running normally, but haven't tried anything but moving mouse. Has been 11 min since pushing Quick Scan button as of this post.

    Thanks again for your help - I'm really puzzled.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120.9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  17. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Bsod!

    Broni,
    I have a Dell, so hit F12 to enter setup, and 5 to load from CD. Windows appeared to be loading correctly, then when I clicked on my user name, I got the blue screen of death with:
    INVALID_WORK_QUEUE_ITEM

    Tech info:
    STOP: 0x00000096 (0xA49A8D5C, 0x805622FC, 0x805622C0, 0xADE1FAA6)

    tfsinifs.sys - address A49A8D5C base at A4997000, datestamp 3f313057
    ssrtln.sys - address ADE1FAA6 base at ADE1D000, datestamp 3f12f645

    I will try it again, but if that doesn't work, should I try to enter safe mode as it boot from the CD?
    Thanks!
     
  18. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Then, you didn't really boot from a CD.
     
  19. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Yup, that's what it looks like to me. I think it's because I have a CD and DVD drive, and loaded the CD in the DVD accidentally.
     
  20. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Well, fixed that, but still getting XP - I went back to F2, set the priority to CD as number 1, still loads XP. I can try disabling boot from C:
     
  21. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    It shouldn't matter.
    Make sure, your BIOS settings are correct.
    Read a Note in my reply #16.
     
  22. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Actually, I did follow the directions. F2, set CD to priority 1, saved changes and it's still booting to XP. So, shall I disable the boot from C or ?
     
  23. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    I assume, you used CD-R, not CD-RW, or DVD?

    Possibly, bad download, or bad burn.
     
  24. ItchyDog

    ItchyDog TS Rookie Topic Starter Posts: 16

    Yes, a CD-R
    Must be a bad download/burn because I disabled the boot from C, and it wouldn't boot from the CD. I only have a broadband connection, so will go to my local high-speed source and download/reburn a new one. Will take a while - got a church commitment this afternoon/evening.

    Thanks again for all your help - I really appreciate it.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    No problem :)
    We have to boot somehow.
     