
[Pirated OS] System Check malware

By Donjohnny
Mar 27, 2012
  1. I have Windows XP and am running AVG for anti-virus. At the time I had failed to update AVG for 5 days, so my database was out of date.

    When I would start my computer I would have a black screen and then warnings would start appearing stating "Failed to save all the components for the File \\system32\\0000291c This file is corrupted or unreadable. This error may be caused by a PC Hardware problem." About 10 or so of these would pop up with different file names.

    I ran UnHide and it got me my desktop back. Then I updated and ran Malwarebytes Anti-Malware. Then I ran GMER, then reran Malwarebytes.

    What concerns me is there is an icon on my desktop and on my tool bar with the path "C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq.exe"
     
  2. Donjohnny

    Donjohnny TS Rookie Topic Starter Posts: 37

    UnHide log

    Unhide by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Unhide.exe can be found at this link:
    http://www.bleepingcomputer.com/forums/topic405109.html

    Program started at: 03/26/2012 04:41:40 PM
    Windows Version: Windows XP

    Please be patient while your files are made visible again.

    Processing the C:\ drive
    Finished processing the C:\ drive. 264623 files processed.

    Restoring the Start Menu.
    * 256 Shortcuts and Desktop items were restored.


    Searching for Windows Registry changes made by FakeHDD rogues.
    - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    * NoDesktop policy was found and deleted!
    - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    * HideIcons policy was found and deleted!

    Program finished at: 03/26/2012 04:54:11 PM
    Execution time: 0 hours(s), 12 minute(s), and 48 seconds(s)
    Unhide by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Unhide.exe can be found at this link:
    http://www.bleepingcomputer.com/forums/topic405109.html

    Program started at: 03/26/2012 04:57:57 PM
    Windows Version: Windows XP

    Please be patient while your files are made visible again.

    Processing the C:\ drive
    Finished processing the C:\ drive. 264961 files processed.

    Restoring the Start Menu.
    * 256 Shortcuts and Desktop items were restored.


    Searching for Windows Registry changes made by FakeHDD rogues.
    - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    * NoDesktop policy was found and deleted!
    - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    Program finished at: 03/26/2012 05:06:53 PM
    Execution time: 0 hours(s), 8 minute(s), and 55 seconds(s)
     
  3. Donjohnny

    logs

    Database version: v2012.03.26.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    TimH :: TOSHIBA_P35-S60 [administrator]

    3/26/2012 5:10:37 PM
    mbam-log-2012-03-26 (17-10-37).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 466389
    Time elapsed: 1 hour(s), 46 minute(s), 26 second(s)

    Memory Processes Detected: 2
    C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe (Rogue.FakeHDD) -> 548 -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq.exe (Backdoor.Agent.RCGen) -> 2496 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rSkVSbFvavfCaY.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 9
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe (Rogue.FakeHDD) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq.exe (Backdoor.Agent.RCGen) -> Delete on reboot.
    C:\RECYCLER\S-1-5-21-1482476501-1606980848-725345543-1003\Dc201.exe (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.

    (end)


    Second Log
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.26.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    TimH :: TOSHIBA_P35-S60 [administrator]

    3/26/2012 7:44:36 PM
    mbam-log-2012-03-26 (19-44-36).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 466189
    Time elapsed: 1 hour(s), 44 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    GMER log
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-26 19:43:24
    Windows 5.1.2600 Service Pack 3
    Running: h94rnms4.exe; Driver: C:\DOCUME~1\TimH\LOCALS~1\Temp\fwaorkod.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\877570FF05E6de7499D1B370DFE42305\Usage@TrayApp 1081760814

    ---- EOF - GMER 1.0.15 ----
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! The symptoms you describe are all being generated by the malware. Do not click on any of the fake messages. Please do the following:

    Go back to the Preliminary Virus and Malware Removal thread and follow the directions for DDS. It will generate 2 logs. Please include in next reply.

    Follow the next scans in the order I have given them. If you have any problem with any of the scans, please stop and let me know- don't try to work around it.
    ========================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =================================
    You have one of the rogue programs, but I don't think it's System Check:
    This malware is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer and you need their program to fix it.
    • It will display numerous error messages when you attempt to launch programs or delete files.
    • It will scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program (the so-called defragment tool).
    • Folder, icons, programs may appear to be missing their content.
    • It may terminate a program you launch stating that "the program or hard drive is corrupted".
    • The messages that you will see when you attempt run a program are:
      ◦ Hard Drive Failure
      ◦ System or Critical Error
      ◦ Closing these messages will then bring 'notice' of Windows Recovery Diagnostics and/or Fix Disk
    • When running it will also display fake alerts from your Windows taskbar of various "Critical Errors" and other fake warnings.
    • The malware may prevent downloads directly to the infected computer. In that case, programs can be loaded onto a flash drive, then transferred to the problem system to run.

    (Note: If programs, icons, files, etc. appear to be missing, you can run #3 first, then continue with RKill)
    1. Kill Malware process: Run RKill> Download from iExplore.exe download link and save to the desktop.
      ◦ Double click the iExplore.exe icon to run
      ◦ If you cannot find the icon, do as follows:
      ◦ Win XP: Click on Start> Run> type in %userprofile%\desktop\iexplore.exe> OK
      ◦ Win Vista/Win 7: Click on Start> type in Search Field %userprofile%\desktop\iexplore.exe> Enter
      ◦ Be patient> a black window will automatically close when finished
      ◦ If you get a message that RKill is an infection, leave the warning and run RKill again.
      Important: Do not reboot your computer after running RKill as the malware programs will start again.
    2. If you were able to run Malwarebytes, update it and rescan using Perform Full Scan
    3. If you have missing icons, Programs, files, run the following:
      Download Unhide.exe and save to the desktop.
      ◦ Double-click on Unhide.exe icon to run the program.
      ◦ This program will remove the +H, or hidden, attribute from all the files on your hard drives.
      Note 1: This does not remove the malware- only the attribute causing the 'missing' problem. So it is important for you to continue.
    4. Make sure programs are updated to the most current version. This malware frequently uses an exploit in an outdated program:
      Please update the following:
      Note: Check each download screen for any pre-checked Toolbars or BHOs. Uncheck them before the download.
      ◦ Adobe Reader: Adobe Reader Update
      ◦ Java(TM): Java Updates
      Uninstall any earlier versions of both as they are vulnerabilities for the system.
    ==========================================
    Please do not run any other scans unless I direct you to. Don't leave logs from any other programs unless I ask for them. (Unhide does not give a log to leave.) Leave the 2 logs from DDS, Combofix, RKill in next reply. Please read ALL directions carefully and follow them.
    ========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      ◦ Don't follow directions given to someone else
      ◦ Don't use any other cleaning programs or scans while I'm helping you.
      ◦ Don't use a Registry cleaner or make any changes in the Registry.
      ◦ Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
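    The two Malwarebytes logs in post 3 and the symptom list above describe one mechanism: a FakeHDD rogue that hides files with the +H attribute, flips Explorer and Policies values (NoDesktop, HideIcons, DisableTaskMgr, the Start_Show* entries) and persists through an HKLM Run value. The following Python is an added example, not code from this thread, from Malwarebytes or from Unhide: it parses an excerpt of the first Malwarebytes log quoted in post 3 (embedded as a constructed string, trimmed to a few of its lines), pulls out the file and autostart IOCs, reports which items still need the reboot, and emits a .reg file that restores every "Good" value the log lists and deletes the Run entry, which generalises the NoDesktop/HideIcons repair Unhide performs. The hive abbreviations and the .reg format are standard; all function names are this example's own.

```python
import re

# Hive abbreviations as MBAM writes them -> full names a .reg file needs
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

# Constructed excerpt of the mbam-log-2012-03-26 (17-10-37).txt quoted in the thread
MBAM_LOG = r"""
Memory Processes Detected: 2
C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe (Rogue.FakeHDD) -> 548 -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq.exe (Backdoor.Agent.RCGen) -> 2496 -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rSkVSbFvavfCaY.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Files Detected: 3
C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe (Rogue.FakeHDD) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\1gKeUlddAhu4pq.exe (Backdoor.Agent.RCGen) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-1482476501-1606980848-725345543-1003\Dc201.exe (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return {section: [item, ...]}; registry items also carry key/value
    and, for 'Registry Data Items', the bad/good data MBAM reports."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if not m or current is None:
            continue
        item = {"target": m.group("target"), "family": m.group("family"),
                "action": m.group("rest")}
        if current.startswith("Registry") and "|" in item["target"]:
            item["key"], item["value"] = item["target"].split("|", 1)
            bg = BADGOOD_RE.search(item["action"])
            if bg:
                item["bad"], item["good"] = bg.group("bad"), bg.group("good")
        sections[current].append(item)
    return sections


def file_iocs(sections):
    """Unique on-disk paths from the process and file sections -> family name."""
    out = {}
    for name in ("Memory Processes", "Files"):
        for item in sections.get(name, []):
            out[item["target"]] = item["family"]
    return out


def autostart_entries(sections):
    """Run-key values MBAM flagged: (key, value name, path the value pointed at)."""
    hits = []
    for item in sections.get("Registry Values", []):
        if "key" in item and item["key"].upper().endswith("\\RUN"):
            data = item["action"].split("Data: ", 1)[-1].split(" -> ", 1)[0]
            hits.append((item["key"], item["value"], data))
    return hits


def pending_reboot(sections):
    """Paths MBAM could not remove while they were running: not clean until rebooted."""
    return {i["target"] for items in sections.values() for i in items
            if "Delete on reboot" in i["action"]}


def reg_value_line(name, good):
    """One .reg assignment: DWORD when the good data is numeric, else delete the value."""
    if good.isdigit():
        return '"%s"=dword:%08x' % (name, int(good))
    return '"%s"=-' % name


def build_restore_reg(sections):
    """A .reg file that deletes the rogue's Run entry and puts every
    Explorer/Policies value back to the 'Good' state from the log."""
    by_key = {}
    for item in sections.get("Registry Values", []):
        if "key" in item:
            by_key.setdefault(item["key"], []).append('"%s"=-' % item["value"])
    for item in sections.get("Registry Data Items", []):
        if "good" in item:
            by_key.setdefault(item["key"], []).append(reg_value_line(item["value"], item["good"]))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        hive, _, path = key.partition("\\")
        lines.append("[%s\\%s]" % (HIVES.get(hive, hive), path))
        lines.extend(by_key[key])
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    s = parse_mbam_log(MBAM_LOG)
    print("files:", file_iocs(s))
    print("autostart:", autostart_entries(s))
    print("needs reboot:", pending_reboot(s))
    print(build_restore_reg(s))
```

    To use it on a real scan, replace MBAM_LOG with the contents of the mbam-log-*.txt file. The .reg output should be read before it is imported, and it only covers the registry half of the hijack: clearing the +H attribute on the files themselves is the attrib pass that Unhide performs, and the two "Delete on reboot" executables are still on disk until the machine has been restarted, which is why the second full scan in post 3 came back clean only after that reboot.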
     
  5. Donjohnny

    I tried to run dds, however it just opens up in Notepad as a random assortment of characters
    MZ   ÿÿ ¸ @
    What is the next step I should take?
     
  6. Bobbye

    Try either of these to see if you get the correct log for DDS;

    1. Right click on the program> Run as Administrator
    or
    2. Right click and select Save Target in new window
     
  7. Donjohnny

    I had to change dds.scr to dds.exe and it would run. However it would only get 3/4 of the way through and no matter how long I waited It would not finish. I tried to run as an administrator however it still would not run completely.
     
  8. Bobbye

    Do you now have DDS downloaded? If so, please see if it will run in Safe Mode:

    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    ==========================================
    If it will still not run, please go on with the rest of the directions.
     
  9. Donjohnny

    I tried running dds in safe mode and it would still not finish.

    I uninstalled AVG and installed Comodo after Avast would not install.

    I downloaded ComboFix and ran it, however it would quit early. I would double click on it, the program would open and start scanning. After scanning for about a minute it would just shut down. It never prompted me to do anything.
    I tried to run it in safe mode with no change.

    IE's toolbar is now black and I tried to use Google, however I get redirected.

    I ran Malwarebytes to see if it could find a virus, to no avail.

    I do not have the full start menu back and am missing Recent Documents.
    I can access all of my files just fine and all of the programs seem to work. I have only connected to the internet to post results and download the necessary software.
     
  10. Donjohnny

    I ran comodo and it found no virus (just the exe file for Avast)
     
  11. Bobbye

    Please follow the directions I gave you in the order I gave them. Don't do any other scan unless I instruct you to.

    3. If programs, icons, files, desktop are 'missing': Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.

    4. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    =======================================
    5. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    6. This malware frequently comes with the TDSSrootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43 Save log and post in next reply.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    7. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    Note: If #8 and/or #9 don't apply, you can skip those steps.
    8. Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    • Click on Start> Control Panel> Appearance & Personalization
    • Select Change Theme or Change Desktop Background
    =====================================
    9. Some items may not show on the Start menu. To add them back:
    • Right click on Start> Properties
    • Taskbar and Start Menu Properties screen appears
    • choose Start Menu tab> Click on Customize
    • For Windows XP> Choose Advanced tab
    • Check the items you want back on the Start Menu
    • When finished> click on OK> Apply and close.
    =====================================
    You can now reboot back into Normal Mode.

    See how this goes in the order given. Then we will go back to the other scans if needed.
     
     
  12. Donjohnny

    When I double click TDSSKiller.exe nothing happens. I right clicked and run as administrator and it comes up with a notice "C:\Documents and Settings\Tim\desktop\TDSKiller.exe This service can not be started in Safe Mode.
    I then downloaded it on a safe computer and transferred it to the infected one and received the same message.

    When I had started the machine up the theme on my computer had changed from windows classic to windows XP. This was my first time starting it connected to the internet. I had always connected the internet after the computer was running.
     
  13. Donjohnny

    I restarted the computer with the internet disconnected and it started in windows classic.
     
  14. Bobbye

    All the things you are telling me are caused by the malware. Please reread my directions carefully and go down my list of steps in the order I have them.

    The change in the display is a 'normal' result. We can fix it. But the scans need to be run and they must be in the order I listed. Please also understand that just plain 'safe mode' is NOT the same as Safe Mode with Networking,
     
  15. Donjohnny

    When I did step 3 I did it in normal windows. When I started the computer to perform this it went into windows XP theme. I then performed step 3.
    After downloading UnHide I ran it, then restarted in Safe Mode with Networking where I performed step 5. After attempting and failing to perform step 6 I restarted the computer this time it started in windows classic theme (I had the internet disconnected). I understand I will most likely have to repeat steps 4-6 depending on your instructions. Sorry for my poorly written posts earlier.
     
  16. Bobbye

    As explained, the theme change is common and is easy to fix when the malware has been removed. As long as the programs, desktop, files, etc. aren't hidden and you can get to them, the theme is not a big issue. We can do the cosmetic fixes.
    -----------------------
    Step 3 Unhide- ran in successfully in Normal Mode> Win XP theme
    Step 4> booted into Safe Mode with Networking
    Step 5> Ran RKill? Results
    Step 6> TDSSKiller> failed> Win Classic
    Kaspersky support for running TDSSKiller> The utility can be run in Normal Mode and Safe Mode.
    Uninstall the TDSSKiller program you now have. Reboot.
    Download the .zip file again. Extract the TDSSKiller.exe file. Double click to run
    Step 7> full scan mbam
    Step 8> Correct Display
    Although it may not stay until the malware is removed, if the theme bothers you, all you have to do to change it back is:
    Right click on Properties> Start Menu tab> there are 2 choices> check one:
    Start Menu for Win XP
    Classic Start Menu
    Step 9> Correct Startup
    Each choice has a 'Customize' button to the right. After making the choices> click on Apply> OK
    ----------------------------------
    Additional display changes can be made later using Control Panel> Display.
    ===========================================
     
  17. Donjohnny

    The windows theme changes do not bother me I just wanted to make sure that they were not important.
    I removed RKill and TDSS Killer in normal windows then rebooted.
    Step3> I ran unhide it worked just fine.
    Step4>Booted into safe mode with networking logged in as administrator
    Step5>I downloaded and ran RKill. This produced a log I have attached below
    Step6>I downloaded and unpacked TDSS Killer. When I double clicked on the icon nothing happened. I then right clicked and run as administrator, only to get "C:\Documents and Settings\Administrator\desktop\TDSKiller.exe This service can not be started in Safe Mode."
    At this point I have stopped and not carried out Step 7.
     
  18. Donjohnny

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 04/01/2012 at 14:23:51.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 04/01/2012 at 14:25:07.
     
  19. Bobbye

    The log file for RKill will show any malware processes it stops from running in order to do a scan. Once RKill has been run, you should not boot before running the next scan.

    Please do a search in your system. Copy any TDSS directories, files, logs, etc. in Notepad and paste them here. Are you following this exactly?
    If you're in Safe Mode with Networking, this should run. Can you get into Normal Mode? If so, try running the scan in Normal Mode.

    Did you have any problem with any other .exe files?

    If it fails again, then give this a try:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
     
  20. Donjohnny

    I also did your steps in normal windows and tdss would not open there either. I never get the option to select scan and I do not get a screen like the one you show. I was also unable to run combofix or dds. However all other .exe files that i have run work just fine to the best of my knowledge.
    I could not run tdss.exe this time even with your code put into the run box.
     
  21. Donjohnny

    TDSSKILLER.EXE-2D95C78E.PF
    C:\WINDOWS\Prefetch

    Edit: garbled TDSSKiller in Windows Prefetch has been deleted by Bobbye
     
  22. Donjohnny

    Do you want me to open the Zip and EXE file in notepad and post them also?
    TDSSKiller.exe C:\Documents and Settings\Administrator\Desktop
    tdsskiller C:\Documents and Settings\Administrator\Desktop
    tdskiller C:\Documents and Settings\Administrator\Recent
     
  23. Bobbye

    Please empty the contents of the Prefetch folder:

    Open and Empty the Prefetch Folder

    Right click on Start> Explore> Double click the C Drive> Click on Windows> Prefetch> Click on Edit> Select All> Click on Edit> Delete.

    You do not have to select anything> delete the entire contents.
    Reboot the Computer

    Try TDSSKiller again.
    ===================================
    Edit: If TDSSKiller still won't run, please go ahead with the following:

    Download aswMBR to your desktop.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan:
    • On completion of the scan click "Save log", save it to your desktop
    • Post in your next reply:
     
  24. Donjohnny

    I deleted the prefetch as instructed then rebooted into safe mode with networking.
    I ran Rkill then attempted to run TDSSKiller. TDSSKiller failed to run.
    I then downloaded aswMBR
    I double clicked to run and nothing happened. I waited 15-20 minutes.
    I restarted the computer ran RKill; then attempted to run aswMBR as admin, it failed to run.
     
  25. Bobbye

    When you say "nothing happened", do you mean that literally? No movement, no message, nothing?

    Does any program on your system run? Can you boot into Normal Mode?
     