Inactive Can't even get to step 2 of 8-step process - TFC just hangs

Status
Not open for further replies.

ItchyDog

I'm having problems similar to the google hijack reported by others, but it's seemingly even worse - lucky me.

Started with an email (I think) from an address we thought we recognized, subject "My terrible experience". Deleted email immediately after opening it. McAfee reported finding/quarantine 2 trojans. Later that day, something called "Antivirus 2010" tried to download and install - I killed the connection immediately (Verizon broadband) and un-installed the program, and ran a McAfee scan. No issues found. Restarted connection, updated McAfee, no issues found.

Then I noticed all my google searches were being hijacked. Then McAfee real-time scanning told me it was off, and when I tried to turn it on, it turned back off immediately. I went to McAfee's help website and tried to run the steps they said to do, but it didn't work. I constantly updated McAfee and ran scans, but the real-time scanner wouldn't stay on. Then my internet explorer started displaying "cannot display page" even though my broadband connection was good. I tried to run McAfee's Stinger, but it just hangs on explorer.exe. It also hangs in Safe Mode with Networking.

So, based on a McAfee board suggestion, I came to Malwarebytes (on a different computer), and tried to run the 8-step process. TFC just hangs - I get the screen saver and nothing else, then after a couple of minutes, the McAfee popup comes up and tells me I have a problem (real time scanning off). So, I restarted with Task Mgr and tried again - now TFC won't load from the desktop, so I ran it from my USB drive, same results. Also tried to run it in Safe Mode with Networking, but no joy.

Ideas?
 
Welcome aboard


Skip TFC for now....
 
Still no go

I tried to run Malwarebytes, but in Safe Mode w/Networking and Safe Mode it starts and then just disappears! There's nothing but the screen saver or the Safe Mode black screen. And I have to run it from the USB stick - it gives me a path unavailable error when I try to run it from the desktop.

Sorry about the delay in replying - I'm out of town for a couple of days and won't be able to try anything else until Wed or Thurs. But thanks so much for your help so far!
 
No problem :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Still nothing....

I tried to run Combofix (from the desktop) and a small box with "Combofix" at the top appears, runs a bar across (like it's loading) and then it disappears and the whole computer locks. So, to Safe Mode w/Networking - combofix didn't make it as part of the desktop (interesting!), so I re-loaded it from the USB and it did the same thing. Restart again, Safe Mode - combofix made it as part of the desktop, but same result running it.

Sigh.

Would I be better off just wiping the whole thing and starting over? A friend keeps asking when I'm switching to Linux...

Thanks again for your help/time - I do appreciate it!
 
Delete your Combofix file, download fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
Do NOT run it yet.


Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe


  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.


  • Please download exeHelper from Raktor to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file named log.txt will be created in the directory where you ran exeHelper.com
  • Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

If still a problem, try running ALL 3 tools from Safe Mode.
 
File questions

Broni,
I tried to download
Rkill.pif
but the link is broken. Perhaps they are updating the tool?

Also, when I downloaded
exeHelper
McAfee told me it removed a Trojan called Generic.dx!sbo from it - should I have temporarily disabled McAfee while downloading these tools? I'm doing the downloads on another computer (to a USB stick) since the infected computer can't connect to the internet.

Thanks again!
 
OK, I'm an ***** - read your directions again, turned off realtime scanning, downloaded exehelper. Will run per directions and post results!

BTW, if these won't run in normal mode, should I assume the copies on the stick are now corrupted and download new copies before running in safe mode?
Thanks!
 
Some ran, some didn't

First try in Normal mode, rkill.com ran and exeHelper ran, broni loads and then disappears, logs below:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Anne Scott on 10/29/2010 at 11:16:09.


Services Stopped:


Processes terminated by Rkill or while it was running:


\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\xxx\Desktop\rkill.com


Rkill completed on 10/29/2010 at 11:16:16.

exeHelper by Raktor
Build 20100414
Run at 11:17:33 on 10/29/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Second try, in Safe Mode
Ran rkill.com, seemed to run, saved log (below), then screen went black and hung, tried to restart, got "explorer.exe" won't stop. Stopped explorer.exe, and restarted. Rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 10/29/2010 at 11:30:21.


Services Stopped:


Processes terminated by Rkill or while it was running:


\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Administrator\Desktop\rkill.com


Rkill completed on 10/29/2010 at 11:30:27.

Third try, safe mode, ran rkill.scr, then exeHelper (logs below), tried to run broni, appeared to load, screen flickered, and nothing appears to be happening. rkill.scr and exeHelper logs:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 10/29/2010 at 11:46:14.


Services Stopped:


Processes terminated by Rkill or while it was running:


\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Administrator\Desktop\rkill.scr


Rkill completed on 10/29/2010 at 11:46:20.

exeHelper by Raktor
Build 20100414
Run at 11:47:29 on 10/29/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...

Next step please?
 
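The Rkill logs posted above each list `\\.\globalroot\Device\svchost.exe\svchost.exe` among the terminated processes: a file named like a core Windows process, but reached through an NT device path rather than `C:\WINDOWS\system32`. Below is an added example, not part of this thread or of Rkill, that parses a log in that layout and flags such impostors; the sample log, the list of System32-only process names and the path regex are constructed assumptions.

```python
import re

# Constructed sample laid out like the Rkill logs posted in this thread
SAMPLE_LOG = r"""This log file is located at C:\rkill.log.
Ran as Administrator on 10/29/2010 at 11:30:21.
Services Stopped:
Processes terminated by Rkill or while it was running:
\\.\globalroot\Device\svchost.exe\svchost.exe
C:\Documents and Settings\Administrator\Desktop\rkill.com
Rkill completed on 10/29/2010 at 11:30:27.
"""

# Assumed: core Windows processes that belong only in %SystemRoot%\System32
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
RKILL_NAMES = {"rkill.com", "rkill.scr", "rkill.pif", "rkill.exe"}  # the tool itself
SYSTEM32_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\[^\\]+$")


def parse_rkill_log(text):
    """Split an Rkill log into who ran it, services stopped and processes killed."""
    result = {"ran_as": None, "services_stopped": [], "processes": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = re.match(r"Ran as (.+?) on \S+ at \S+\.$", line)
        if m:
            result["ran_as"] = m.group(1)
        elif line == "Services Stopped:":
            section = "services_stopped"
        elif line.startswith("Processes terminated"):
            section = "processes"
        elif line.startswith("Rkill completed"):
            section = None
        elif section:
            result[section].append(line)
    return result


def assess_process(path):
    """Return the reasons a terminated-process path looks like an impostor."""
    low = path.lower()
    parts = low.split("\\")
    name = parts[-1]
    if name in RKILL_NAMES:
        return []  # Rkill lists itself as it exits; expected in every log
    reasons = []
    if low.startswith((r"\\.\globalroot", r"\\?\globalroot")):
        reasons.append("NT device path instead of a drive-letter path")
    if name in SYSTEM32_ONLY and not SYSTEM32_RE.match(low):
        reasons.append(name + " running outside System32")
    if len(parts) >= 2 and parts[-2].endswith((".exe", ".dll", ".sys")):
        reasons.append("parent folder named like an executable")
    return reasons


def triage(text):
    return {p: assess_process(p) for p in parse_rkill_log(text)["processes"]}
```

`triage(SAMPLE_LOG)` returns an empty list for Rkill's own entry and three red flags for the globalroot svchost.exe, which is the kind of line a helper reading these logs looks for.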
Let's try again...

Delete your Combofix file, download fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Run rKill and exehelper and then broni.exe right away.
 
?

That is what I did. I renamed combofix when it was on the USB stick in my laptop. I then loaded each program in turn from the USB stick and ran them sequentially. Broni.exe appeared to load, the screen flickered a couple of times, and nothing more happened.
 
I'm puzzled - not trying to be obnoxious or *****ic, but evidently I am...it's certainly not intentional.

When I attempted to run broni.exe, it did almost the same thing it had done before as combofix.exe - a small box appeared, a bar went across indicating it had loaded, the screen flickered a few times, and then nothing else happened with broni.exe. The computer did not lock up this time.

I'm not sure what else to say about it?
 
Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
"Scan won't take long" - any idea of how long? Here's what I've done:

Left infected computer in last config, which was Safe Mode
Downloaded OTL to USB drive on laptop
Opened Notepad, copied your script, downloaded to USB drive on laptop
Transferred USB drive to infected computer
Dragged both OTL and otl_script.txt to desktop
Opened otl_script.txt, Ctrl-A, Ctrl-C
Opened OTL, pasted script
Closed Notepad
Clicked Quick Scan button
Window disappeared, nothing else happened, computer appears to be running normally, but haven't tried anything but moving mouse. Has been 11 min since pushing Quick Scan button as of this post.

Thanks again for your help - I'm really puzzled.
 
Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120.9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Bsod!

Broni,
I have a Dell, so hit F12 to enter setup, and 5 to load from CD. Windows appeared to be loading correctly, then when I clicked on my user name, I got the blue screen of death with:
INVALID_WORK_QUEUE_ITEM

Tech info:
STOP: 0x00000096 (0xA49A8D5C, 0x805622FC, 0x805622C0, 0xADE1FAA6)

tfsinifs.sys - address A49A8D5C base at A4997000, datestamp 3f313057
ssrtln.sys - address ADE1FAA6 base at ADE1D000, datestamp 3f12f645

I will try it again, but if that doesn't work, should I try to enter safe mode as it boot from the CD?
Thanks!
 
Yup, that's what it looks like to me. I think it's because I have a CD and DVD drive, and loaded the CD in the DVD accidentally.
 
Well, fixed that, but still getting XP - I went back to F2, set the priority to CD as number 1, still loads XP. I can try disabling boot from C:
 
It shouldn't matter.
Make sure, your BIOS settings are correct.
Read a Note in my reply #16.
 
Actually, I did follow the directions. F2, set CD to priority 1, saved changes and it's still booting to XP. So, shall I disable the boot from C or ?
 
I assume, you used CD-R, not CD-RW, or DVD?

Possibly, bad download, or bad burn.
 
Yes, a CD-R
Must be a bad download/burn because I disabled the boot from C, and it wouldn't boot from the CD. I only have a broadband connection, so will go to my local high-speed source and download/reburn a new one. Will take a while - got a church commitment this afternoon/evening.

Thanks again for all your help - I really appreciate it.
 