infected XP PC - can't get to security sites or run security tools


rankind15

Hi - I am looking for help to clean my infected XP system. I am actually on a
different computer now as my infected system (desktop - wireless) can't
access security sites.

The problem started Dec 2nd, 2008. I'm running XP SP 3. The system was set
up to autodownload MS updates once per day, and AV every three hours. Somehow
it got infected with a nasty malware program - I'm guessing via human
interaction of a family member clicking something they shouldn't have. The
system has TrendMicro Internet Security 2008 running on it and had it running
at the time of infection too. I've spent about 10 hours trying to clean it so
far with little luck. I'd appreciate any help anyone can provide.

Symptoms:
- Running a little slow, to very slow at times, especially when downloading
files. Not consistent though.

- Originally it wouldn't boot past the loading Windows screen, but that has
stopped now.

- TrendMicro found GetModule, Adload, and Generic12.KAO but couldn't clean
them. Adload and Generic aren't found anymore, and I cleaned GetModule via
instructions on the TrendMicro site.

- I cannot surf to any security sites (including this one) nor can I get to
windowsupdate, but I can surf to msn, yahoo, etc.

- Tried loading AVGFree AV by downloading it to my clean laptop, burning it
to CD, and then transferring it to the desktop, but it runs with errors and
ends up doing nothing.

- Also transferred over mbam-setup, HJTInstall, spybot, but they won't run. I
click on them, get the waiting cursor for a short moment, then nothing.

- Found dihjmevt and hsfxpeqgkaukg in the startup; I've since disabled them
from starting and deleted their DLLs and registry entries.

- /etc/hosts file is normal.

- Finally opened a chat session with TrendMicro, but they couldn't help
(session ID: 584407 if interested).

- TrendMicro had me turn off my system restore, and now I can't restore to a
previous date as none exist anymore.

- Tried gmer (www.gmer.net) but it also wouldn't execute.

- Checked (known to me) registry keys for disabling my ability to run
programs without any success:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

- Ran RootkitRevealer from sysinternals and found the results listed below,
but can't find them in my registry to delete/modify:
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\ - dated 2/25/2007
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\tdssdata - dated 12/2/2008
  - HKLM\SOFTWARE\TDDS - dated 12/5/2008
  - HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys - dated 12/6/2008
  - HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys - dated 12/6/2008
  - HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys - dated 12/6/2008

- Ran ccleaner and cleaned everything found - ran every option and fixed
everything it suggested with success.

- Ran AntiVir Removal Tool 3.0c but it didn't find anything.

- Ran windowsdefender but didn't find anything.

I've tried all of the above items in normal mode, safe mode, and safe mode
with network support with no difference in results. I've also tried booting
to last known good state without any luck (boots to state I used this AM).
I'm a few years removed from my old sys admin days, but "back in the day" I
could create an av recovery disk to boot from to clean up the disk drive
without the OS running, but can't find a way to do that now when I don't have
a floppy drive. Also, my laptop has Vista and Trend doesn't have (that I can
find or the chat person knew of) a Vista version of the software to make a boot CD-ROM.

Any suggestions/help would be greatly, greatly, greatly appreciated!

Thanks,
Dave
 
For a start, don't have 2 AVs on your computer at once.
Have you tried installing Spybot Search & Destroy and Malwarebytes in
Safe Mode with Networking?
Download to the laptop, copy to a flash drive, then install on the XP one.
And scan with Trend in that mode as well.
I'll include links for you, even though you say you have them.
The Programs get updated all the time.
And update them in SM with Networking before scanning.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

http://www.malwarebytes.org/mbam.php

Malwarebytes is as the name says, a Malware Remover!
For the Free version scroll down their page to either download from
Download.com, or Major Geeks.com

Download, install, and update.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with your Anti-Virus, Malwarebytes and Spybot S & D
while in Safe Mode.

If unable to install above Programs in Normal Mode:
Sometimes Trojans, Viruses, Malware, etc stop you installing and/or updating
Programs to remove them.
If that happens, reboot into Safe Mode with Networking, and install, update
and scan from there.
 
Thanks, Mike. I only ran one AV at a time to see if another one could solve
the problem.

I tried spybot and malwarebytes in normal mode, safe mode, and safe mode
with networking, but they did not install. The same with hijackthis and gmer.

Any other ideas?

Thanks
 
rankind15 said:
Thanks, Mike. I only ran one AV at a time to see if another one could
solve the problem.

I tried spybot and malwarebytes in normal mode, safe mode, and safe mode
with networking, but they did not install. The same with hijackthis and
gmer.

At this point either get guided help at one of the specialty forums below OR
back up your data and do a clean install of Windows. It is your choice. If
you are unsure how to back up your data or how to do a clean install, you
can take your machine to a local computer professional. I don't recommend
using BigComputerStore/GeekSquad types of places.

PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

http://aumha.org/downloads/hijackthis.zip
http://aumha.net/ - Click on the HijackThis forum. Read the announcement and
the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/
http://www.thespykiller.co.uk/index.php?board=3.0
http://forums.subratam.org/index.php?showforum=7

Malke
 
You're infected with the very nasty TDSSserv trojan, dude. You need to go
into the Device Manager, down to non-Plug and Play devices, and DISABLE
tdssserv. Then you won't be redirected to bogus sites. Rename all .exe files
from Malwarebytes and then run it; you'll be able to eliminate it with
Malwarebytes.
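As an added example (not written by any poster in this thread), a PowerShell audit of the registry locations named above: the policy keys the original poster checked, the TDSS keys from the RootkitRevealer output, and the TDSSserv.sys service entry the last reply says to disable in Device Manager. The policy value names are standard Windows policy values and are my assumption, not taken from the thread; a kernel-mode rootkit can hide keys from user-mode APIs, so "not visible" here is not proof of absence, which is exactly the discrepancy RootkitRevealer detects.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# on the affected machine. Read-only: it reports, it does not change anything.

# 1) Policy keys the OP checked. The value names are the well-known Windows
#    policy values that block running programs / Regedit / Task Manager / cmd
#    (assumed; the thread lists only the key paths).
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'DisallowRun','NoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableRegistryTools','DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Names = 'DisableCMD' }
)
foreach ($c in $policyChecks) {
    if (-not (Test-Path $c.Key)) { "{0}: key absent" -f $c.Key; continue }
    $props = Get-ItemProperty -Path $c.Key
    foreach ($n in $c.Names) {
        $v = $props.$n
        if ($null -ne $v) { "{0}\{1} = {2}" -f $c.Key, $n, $v }
    }
    # The list of blocked program names lives in a DisallowRun subkey of
    # Policies\Explorer; each value is a filename such as mbam-setup.exe.
    $dr = Join-Path $c.Key 'DisallowRun'
    if (Test-Path $dr) {
        "Program names blocked via $dr :"
        (Get-ItemProperty $dr).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "  " + $_.Value }
    }
}

# 2) The two software keys RootkitRevealer reported (paths as posted).
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\tdssdata',
               'HKLM:\SOFTWARE\TDDS') {
    $state = if (Test-Path $p) { 'PRESENT' } else { 'not visible to the API (may still be hidden)' }
    "{0}: {1}" -f $p, $state
}

# 3) The service entry in every control set. Start=4 means Disabled, which is
#    the state Device Manager sets when you disable a non-Plug and Play driver.
Get-ChildItem 'HKLM:\SYSTEM\ControlSet*' | ForEach-Object {
    $svc = "HKLM:\SYSTEM\$($_.PSChildName)\Services\TDSSserv.sys"
    if (Test-Path $svc) {
        $s = Get-ItemProperty $svc
        "{0}: Start={1} Type={2} ImagePath={3}" -f $svc, $s.Start, $s.Type, $s.ImagePath
    } else {
        "{0}: not visible to the API" -f $svc
    }
}
```

Compare the output against RootkitRevealer's list: an entry RootkitRevealer sees in the raw hive that this script reports as "not visible" is being hidden from the running system, which is why Regedit could not find it.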
 