Can only get halfway through the cleaning process

Status
Not open for further replies.

yelodoggie

Posts: 10   +0
I am trying to help my husband clean off his computer. He was downloading the free trial of World of Warcraft, and now his system is infected with all kinds of malware and spyware. He was running an outdated version of McAfee, and his infection is so bad that he couldn't even download any software to help him clean his system.

He has a Dell Dimension 8400 running XP Professional, and he uses Mozilla Firefox as his browser.

I downloaded the utilities on my laptop and burned them to a CD so he could install them on his system to use them.

He installed Avast, and it found about a gazillion infections. Everything was quarantined in the chest.

Then he installed and ran ATF-Cleaner, and removed all the temp files.

Then he installed Malwarebytes, but it would not run at all. I downloaded it from a different site, and he tried again, but it still would not run.

He installed Super Anti-Spyware Plus, but it would not run either.

Now when he restarts, he gets a message that says:
error loading C:\WINDOWS\xccdf16_090131a.dll
When he clicks OK, Windows finishes startup. When he tries to go online, his home page loads, but he cannot navigate away from that page.

Please help. What can we do? Should he just toss in the towel and take the tower in someplace to have it wiped clean and the system reinstalled?

UPDATE: Now he gets nothing but a black screen at startup.
 
Wish you had come here first!

But let's see what we can do!

Try booting to Safe Mode.

Let me know if you can!

Mike
 
through startup but...

OK, we're back to an actual Windows screen, but still unable to run Malwarebytes or SAS. Did manage to run Norman malware, which found and fixed 16 things, but was unable to scan 109 items. ?

Cannot browse anywhere. Think we're getting the home page screen only because it's saved in the temp files.

any advice?
 
Do not do anything else on your own until I finish!

Do the below!

OK

Boot to Safe Mode with networking and do all below.

Left-drag the mouse to select and copy all the text in the box below. Make sure the slider bar goes to the bottom, so the selection runs from the @ at the top to the end of the second exit.

Then paste it into the black screen of an open command prompt. Not all of it may apply, so ignore errors.
Code:
@echo off
cd\
:: Fix associations. This malware rewrites them so .exe/.bat/.com files will not
:: launch (which is why MBAM and SAS would not start); these lines restore the
:: Windows defaults so the cleanup tools can run.
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

:: TDSS rootkit: the sc commands first stop, then delete the service if it exists
sc stop TDSSserv.sys
sc delete TDSSserv.sys
::
:: reg unload only detaches a hive that was attached with reg load, so these two
:: lines will normally just report an error; the reg delete lines do the work
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::
:: The next two lines first clear the hidden/system/read-only attributes, then
:: delete every file on the drive whose name begins with tdss (the cd\ above
:: makes /s search from the root of the drive)
attrib -h -s -r tdss*.* /s
del tdss*.* /f /q /s

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s /q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

:: A path containing a space must be quoted, or the command sees two arguments
attrib -h -s -r "c:\Program Files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del "c:\Program Files\xwdxqu.txt" /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv (the service name is gaopdxserv.sys, matching the
:: Services key removed below)
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

:: Remove the service key from both the stored and the active control set
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: To delete a single value under the Run key the value name must be given
:: with /v; without it reg rejects the command as invalid syntax
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations again, in case anything still running above put them back
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This is a coverall and may give errors as it tries to delete/stop certain Malware files etc that you do not have. This is no problem. The process should run then exit back to desktop.

Reboot again into Safe Mode with Networking

Then...

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

Most importantly update MalwareBytes and SuperAntiSpyware!

Mike
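The cleanup script above deletes blindly and tells you to ignore errors, so it never tells you what was actually there or whether anything survived. The read-only audit below is an added example, not part of Mike's post or any TechSpot tool: save it as audit.cmd (a hypothetical name) and run it from a command prompt before and after pasting the cleanup, once in each case. It queries only the associations, services, registry keys, Run values and files that the cleanup script itself names, plus a root-to-leaf search for anything else starting with tdss or gaopdx; it changes nothing. Anything still reported PRESENT after the cleanup and a reboot is what the rootkit is protecting.

```batch
@echo off
:: audit.cmd - read-only check of everything the cleanup script targets.
:: Added example (not from the original thread). Run from a command prompt,
:: not by double-clicking, so a hijacked .cmd association cannot interfere.
setlocal

echo === File associations (expected: .exe=exefile and exefile="%%1" %%*) ===
assoc .exe
ftype exefile
assoc .bat
ftype batfile
assoc .com
ftype comfile
assoc .scr
ftype scrfile

echo === Services named in the cleanup (expected after cleanup: absent) ===
for %%S in (TDSSserv.sys gaopdxserv.sys) do (
    sc query "%%S" >nul 2>&1 && echo PRESENT: service %%S || echo absent: service %%S
)

echo === Registry keys named in the cleanup ===
for %%K in (
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    "HKLM\SOFTWARE\tdss"
    "HKLM\SOFTWARE\swearware"
    "HKLM\System\CurrentControlSet\Services\gaopdxserv.sys"
    "HKLM\Software\Classes\gaopdxvx"
    "HKCU\Software\75319611769193918898704537500611"
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}"
) do (
    reg query %%K >nul 2>&1 && echo PRESENT: key %%~K || echo absent: key %%~K
)

echo === Run values that autostart the dropped files (no output means absent) ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul | findstr /i "ieupdate 75319611769193918898704537500611"

echo === Files named in the cleanup (attrib shows hidden/system flags) ===
for %%F in (
    "%SystemRoot%\system32\ieupdates.exe"
    "%SystemRoot%\system32\scui.cpl"
    "%SystemRoot%\system32\winsrc.dll"
    "%SystemRoot%\system32\drivers\gaopdxqfotrruc.sys"
    "%SystemRoot%\system32\gaopdxqpqjwmyc.dll"
    "%SystemRoot%\system32\drivers\gaopdxuigiphwm.sys"
    "%SystemRoot%\x"
    "%SystemRoot%\SxsCaPendDel"
) do (
    if exist %%F (echo PRESENT: %%~F & attrib %%F) else echo absent: %%~F
)

echo === Anything else on C: whose name starts with tdss or gaopdx ===
dir /s /b /a "C:\tdss*" "C:\gaopdx*" 2>nul

endlocal
```

Keep the two outputs side by side. If a file or service shows PRESENT after the cleanup script ran, do not just re-run the script: a driver that is still loaded will recreate its files and keys, which is why the thread moves on to MBAM, SAS and ComboFix rather than relying on the batch file alone.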
 
How do we boot to safe mode with networking?

BTW here is his most recent hijack this logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:04 PM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Moderator Edit:

Pasted log removed
All logs, should be attached

can't post rest of logfile, getting this error

To be able to post links or images your post count must be 5 or greater.

redoing the logfile

please tell me how to restart in safe mode with networking.
 
OK, click Edit at the bottom right and delete all of the log.

Then click the Go advanced button and then on top header click the Paperclip and attach the logs.

Mike
 
To boot into Safe Mode!

Restart Windows. When the screen goes black, begin tapping the F8 key every second until you get the Advanced Boot Options screen.

There are several entries here; two of them are Safe Mode and Safe Mode with Networking.

Choose Safe Mode with Networking. Approve the prompts to get to the desktop. The screen will have large icons.

Mike

EDIT: Install Avira first, then remove the others. If you uninstall all of them, for a short time you have no virus protection. It's like saying, if I just leave the door open for 5 minutes the Rottweilers and Pit Bulls will not have time to get out and kill somebody! Hee hee, I crack myself up sometimes.

Mike
 
cannot restart in safe mode

His desktop will not restart in safe mode. We've tried half a dozen times now.

We can get it to start up, doing a regular restart, but with the error loading C:\WINDOWS\xccdf16_090131a.dll

So, that's where we are. We're up, in Windows XP pro having received that error.
 
Just do everything in Normal Mode (with the error issue)
We can repair Safe Mode after you're a bit cleaner ;)
The steps above will take a few minutes (or hours) or so ;)
 
progress

OK, before we could start anything, Mr. Smartypants got the SAS to run and scanned the HD. Found 53 items which it removed. After that, we did this:

Installed Avira

Uninstalled McAfee Antivirus
Ran the McAfee Removal Tool

Uninstalled Avast (with all the cr*p that was in the chest. hope that won't hurt anything)

Ran Startup Control Panel to remove any not required startups: (but there wasn't really anything there but Quicktime and Avira)

Started up Malwarebytes again; Updated it; then began to run a full scan
HOWEVER: didn't disable Avira before doing this and a window popped up that said a virus was found. Windows\fenilulok.dll TR/Agent.jvl Trojan
No matter what we clicked: deny access, remove, quarantine...it did nothing. It bleeped and went back to the same window. At this point, we shut down and restarted. After restart, disabled the Avira and are currently running MalwareBytes full scan. It's finding stuff. After we remove it, we will run it again and post a new HJT logfile.

Thanks for helping us! The system is already running faster, though we are still getting the error loading C:\WINDOWS\xccdf16_090131a.dll at startup. Will you be able to help us figure that out, too?
 
Being a "smartypants" and all
Those Avira beeps are different viruses it's finding (that's right, different).

Therefore, if you feel that the Malwarebytes or SuperAntiSpyware scan is being interrupted just way too often,
you can run an Avira scan (manually started on the C drive), and when it picks up its first virus you have the option to quarantine it, and then tick "Make this the default action".
Then you can walk away ;)

Once completed, then do the Malwarebytes and SuperAntispyware scans

Done ;)
 
Hey, the Mr. Smartypants I was referring to, is my husband...
but if the socks fit... :)

Running Avira now. Then will follow up with Malwarebytes and SAS. Will post new HJT log soon.

Finished all the scans. Everything is coming up clean...I am attaching log files.
Still curious about the error at startup. Just for fun, I searched my laptop for the file that the desktop is missing...but I don't have that .dll.
 
Yes, the missing startups (actually stated in your HJT log) are not the concern just yet (i.e. they do nothing if missing).

Please do the following:

Download Combofix
Lots of info on its use here
Direct download here

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log

Also do another scan with HJT (scan and log file) and attach this to a new reply as well

Whilst waiting for my reply, you may want to re-open Malwarebytes, update it again, and then run another full scan (I'm thinking there may still be more uncovered malware to remove). I would do this ;)
 
Good morning

You have been in very good hands while I was sleeping and things are looking very good.

Run HJT select and remove the below entries.
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

After running the steps Kim advised, you should be close to finished.

Post the last SAS log! And the new MBAM log from the new run advised by Kim.

Mike
 
Update with logs

Kim and Mike...

Thanks for all your help last night. Just got around to following your latest instructions.

First: could not find the SAS logs. Couldn't find a Preferences folder for SAS anywhere.

So, we proceeded as follows:

First, we ran HJT. and removed the below entries.
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Then we downloaded and ran Combofix. (log attached)

Then, we ran Malwarebytes (log attached)

If I'm not mistaken, it looks like all the mean stuff is gone. Now we just have that error code at bootup to fix. How should we proceed?
 
Yes, it looks as though we have passed the worst.

First the SAS logs are found by running SAS then clicking Preferences then clicking Statistics/Logs.

Get me the logs. I need to know what we are up against!

Second ComboFix had many bad found/removed entries so needs to be run again to confirm clean log.

So run ComboFix again attach log!

Mike

EDIT: For the error at boot.

Run MBAM, click More Tools, then Run Tool.

Code:
C:\WINDOWS\xccdf16_090131a.dll

Then copy the text in the box and paste into the File Name box and click Ok to delete the file.

Reboot to confirm.

Mike
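The "Error loading C:\WINDOWS\xccdf16_090131a.dll" message means something at startup still points at a file the scanners already removed, and Mike's FileASSASSIN step only deals with the file, not the pointer. The script below is an added example, not from the thread or from any of the tools it uses: save it as findref.cmd (a hypothetical name), run it from a command prompt as findref.cmd xccdf16_090131a.dll, and it reports which autostart location still references that name and whether the file itself exists. The six registry keys it checks are the standard XP autostart locations (Run/RunOnce for machine and user, and the Windows and Winlogon keys that hold AppInit_DLLs, Load, Shell and Userinit); the thread does not say which of these carried this entry, so that is an assumption of the example, and an entry found in the HJT log but not here lives somewhere else.

```batch
@echo off
:: findref.cmd - find which startup entry still references a missing file.
:: Added example, not part of the original thread. Read-only.
:: Usage: findref.cmd xccdf16_090131a.dll
setlocal
if "%~1"=="" (echo usage: %~nx0 filename & exit /b 1)
set "TARGET=%~1"
echo Looking for startup references to %TARGET%

:: Standard XP autostart keys (assumed locations, not confirmed by the thread)
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
) do (
    reg query %%K 2>nul | findstr /i /c:"%TARGET%" >nul && (
        echo --- referenced in %%~K:
        reg query %%K 2>nul | findstr /i /c:"%TARGET%"
    )
)

:: The Startup folders can hold a shortcut to the file as well
for %%D in (
    "%UserProfile%\Start Menu\Programs\Startup"
    "%AllUsersProfile%\Start Menu\Programs\Startup"
) do (
    dir /b /a %%D 2>nul | findstr /i /c:"%~n1" >nul && echo --- shortcut present in %%~D
)

echo Checking whether the file itself exists:
if exist "%SystemRoot%\%TARGET%" (
    echo file present: %SystemRoot%\%TARGET%
) else (
    echo file missing from %SystemRoot%: the error is a dangling startup entry, remove the reference shown above
)
endlocal
```

Once the reference is known, removing it with HJT (the O4 line for that value) or with reg delete /v is what stops the message; deleting the file again has no effect if it is already gone, which is why the user could not find it on the laptop either.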
 
I'm having the same original problem... I opened up an infected antispyware exe and got a whole bunch of nasty stuff... I've removed so much already but there seems to be more that I just can't get rid of.

I've done most of the things that were said to do here in this thread. I got as far as running CCleaner, and deep scans using both BitDefender antivirus and CounterSpy. I removed them and tried to use Malwarebytes and SuperAntiSpyware but couldn't get either of them to load up... Malwarebytes' process doesn't even show up when executed and SuperAntiSpyware gives me a Windows error when started. I even tried renaming the exe of Malwarebytes, thinking that the virus is blocking the program from starting up, but that didn't work either.

About 50% of the time my computer will freeze upon startup, and the other half my computer is greatly slowed down.

I've discovered that my web access is being temporarily blocked... when I try to navigate to certain pages (i.e. anti** download pages) I'm automatically redirected to a "spam" page that is just blank. I was able to manually enter the URLs and download the necessary software though (extremely annoying).

My next move is to burn a bootable CD with antivirus on it (Avast BART CD).

any ideas?
 
final log files

OK, my dear computer gurus...
We ran SAS and found the logs. (attached)
We ran Combofix again. (log attached)
We ran MBAM and deleted the errant startup file.
We ran full MBAM scan. (log attached)
We ran HJT (log attached)

You guys are amazing.

Everything is running smoothly.
Combofix is a little scary, can I uninstall it without worry?

Also, one more strangish thing... after the computer is on for a little while, all of a sudden there will be a Windows tone (once), no matter what we are doing. Kind of like a " ! ". Doesn't seem to affect anything, never opens an alert window, just the tone like something happened. Any idea what that could be?
 
Good work!

Looks good!

Run HJT Scan only and fix the below
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

OK, I am going to put you through the closing. You especially need to do the temp and registry cleanups therein. This hopefully may get the Ding!

Thread closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.


Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by the Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet, to allow all.

If prompted to reboot, click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner again, twice or more, on Cleaner (temps); then on the left click Registry, then Scan for Issues, and also repeat until clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The infected files can be, and likely are, also stored in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point, but it also clears one other thing that can contain infected files and use a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner, ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works by recognizing virus/malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

When it queries you, to help you decide whether to approve or not, you can google the prompt with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend HostsMan: http://majorgeeks.com/HostsMan_d4592.html

Download, install and run it, allow it to disable the DNS Client, select all hosts files, and then Update and install all hosts files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
finished

dear Gurus:

Ran HJT and fixed the two items you specified.

Removed combofix.

downloaded OTcleanit and ran.

downloaded CCleaner, ran it twice on temps, 5x on registry!!

ran ATF. (couldn't see a registry setting, but ran temps)

downloaded KCleaner, but didn't run it because there were a lot of choices and I wasn't sure what to check off.

Created a new system restore point.
Did the disk cleanup.

Did a system scan and defrag.

Saved MBAM and SAS and will run them weekly. Also saved Avira to run live.

You guys are the bomb.
 