rankind15
Hi - I am looking for help to clean my infected XP system. I am actually on a
different computer now as my infected system (desktop - wireless) can't
access security sites.
The problem started Dec 2nd, 2008. I'm running XP SP 3. The system was set
up to autodownload MS updates once per day, and AV every three hours. Somehow
it got infected with a nasty malware program - I'm guessing via human
interaction of a family member clicking something they shouldn't have. The
system has TrendMicro Internet Security 2008 running on it and had it running
at the time of infection too. I've spent about 10 hours trying to clean it so
far with little luck. I'd appreciate any help anyone can provide.
Symptoms:
-Running a little slow, to very slow at times, especially when downloading
files. Not consistent though.
-Originally it wouldn't boot past the loading windows screen, but that has
stopped now
-Trendmicro found GetModule, Adload, and Generic12.KAO but couldn't clean
them. Adload and Generic aren't found anymore, and I cleaned GetModule via
instructions on the TrendMicro site
-I cannot surf to any security sites (including this one) nor can I get to
windowsupdate, but I can surf to msn, yahoo, etc
-tried loading AVGFree AV by downloading it to my clean laptop, burning it
to cd, and then transferring it to the desktop, but it runs with errors and
ends up doing nothing
-Also transferred over mbam-setup, HJTInstall, spybot, but they won't run. I
click on them, get the waiting cursor for a short moment, then nothing.
-Found dihjmevt and hsfxpeqgkaukg in the startup, I've since disabled them
from starting and deleted their dlls and registry entries
-/etc/hosts file is normal
-Finally opened a chat session with TrendMicro, but they couldn't help
(session ID: 584407 if interested)
-TrendMicro had me turn off my system restore, and now I can't restore to a
previous date as none exist anymore
-Tried gmer (www.gmer.net) but it also wouldn't execute
-Checked (known to me) registry keys for disabling my ability to run
programs without any success
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
-Ran RootkitRevealer from sysinternals and found the results listed below,
but can't find them in my registry to delete/modify
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\ -dated 2/25/2007
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\tdssdata -dated 12/2/2008
- HKLM\SOFTWARE\TDDS -dated 12/5/2008
- HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys -dated 12/6/2008
- HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys -dated 12/6/2008
- HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys -dated 12/6/2008
-ran ccleaner and cleaned everything found - ran every option and fixed
everything it suggested with success
-Ran AntiVir Removal Tool 3.0c but it didn't find anything
-Ran windowsdefender but didn't find anything
I've tried all of the above items in normal mode, safe mode, and safe mode
with network support with no difference in results. I've also tried booting
to last known good state without any luck (boots to state I used this AM).
I'm a few years removed from my old sys admin days, but "back in the day" I
could create an av recovery disk to boot from to clean up the disk drive
without the OS running, but can't find a way to do that now when I don't have
a floppy drive. Also, my laptop has vista and trend doesn't have (that I can
find or the chat person knew of) a vista version of sw to make a boot cdrom.
Any suggestions/help would be greatly, greatly, greatly appreciated!
Thanks,
Dave