Computer Virus - help needed please! - HotUKDeals
Computer Virus - help needed please!

loulou
Posted 5 years, 8 months ago
I'm after some help please!
I'm trying to fix my dad's netbook. It's running XP, Service Pack 3.
We have recently had the Windows 2010 virus and removed it.
Now though, on start-up my antivirus is disabled. I have to open MSE and start it manually.
Also, in Internet Explorer, under Tools, Internet Options, Security, all my settings are on Custom. I have to go in and restore to default.
This appears to work, but every now and again, web pages redirect to pages offering antivirus packs etc.
This happens every time I boot up. And now it seems the system may be insecure, as it doesn't always boot up.
Any advice???
I have run Spybot and Malwarebytes, and have MSE running. I have run scans in Safe Mode and normal mode, but whatever it is, I cannot shift it!!
Many thanks if you are able to offer advice.
All Comments (11)
#1
format c: 8)


Maybe try a restore.

Edited By: davver99 on Mar 27, 2011 19:32
#2
Can you tell me how I do this please!
#3
Start in Safe Mode with Networking: press F8 on start-up, and keep hitting F8 until you get the option to start in Safe Mode with Networking.

Run Malwarebytes and clean any infected files.

Then download ComboFix and run it after Malwarebytes.

Let it clean out the registry, restart in normal mode, and hopefully you should be sorted.

Let me know if it works.



Edited By: shedboy66 on Mar 27, 2011 19:39
#4
If in doubt there's always a how-to on YouTube ;)
#5
shedboy, I'm trying your suggestion!!!
I ran ComboFix in Safe Mode - it says it detects a rootkit and needs to reboot. However, when it reboots nothing loads up!!!
Any advice?
#6
Progress!! Completed 3 stages so far, whoop!
Hopefully on my way to clearing this thing before it goes out the window!
#7
ComboFix 11-03-26.02 - sid 27/03/2011 20:52:45.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.616 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Local Settings\Application Data\ttm.exe
C:\ksdfghk.Bin
c:\ksdfghk.bin\config.bin
c:\ksdfghk.bin\ksdfghk.Bin.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\system32\Thumbs.db
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-27 20:09 . 2011-03-27 20:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl5015cd83.sys
2011-03-27 19:05 . 2011-03-27 19:05 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl62c02861.sys
2011-03-27 19:02 . 2011-03-27 19:02 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKslb669e428.sys
2011-03-27 18:55 . 2011-03-27 18:55 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsld9dc4360.sys
2011-03-27 17:58 . 2011-03-27 17:58 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsld0db18f0.sys
2011-03-27 17:55 . 2011-03-27 17:55 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsld7b635b6.sys
2011-03-27 16:48 . 2011-03-27 16:48 -------- d-----w- c:\documents and settings\sid\Application Data\DriverCure
2011-03-27 16:48 . 2011-03-27 16:48 -------- d-----w- c:\documents and settings\sid\Application Data\ParetoLogic
2011-03-27 16:47 . 2011-03-27 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-03-27 16:02 . 2011-03-27 20:09 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-27 15:09 . 2011-03-27 15:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl8099200c.sys
2011-03-26 20:07 . 2011-03-23 10:11 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\mpengine.dll
2011-03-26 20:07 . 2011-02-02 18:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-26 19:02 . 2011-03-26 19:02 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-26 17:47 . 2011-03-27 15:04 -------- d-----w- c:\documents and settings\sid\Application Data\gsp3odhbhvdts2exdxzozq3zuwhxbcz2
2011-03-26 17:47 . 2011-03-26 17:49 -------- d-----w- c:\documents and settings\sid\Application Data\Hoycy
2011-03-22 20:00 . 2011-03-22 20:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-22 19:17 . 2011-03-26 14:01 -------- d-----w- c:\program files\tmprer
2011-03-13 19:10 . 2011-03-13 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-13 19:10 . 2011-03-13 19:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-13 18:16 . 2011-03-13 18:16 -------- d--h--w- c:\windows\PIF
2011-03-13 18:12 . 2011-03-13 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-13 17:20 . 2011-03-13 17:21 -------- d-----w- c:\documents and settings\Administrator
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2009-08-11 13:03 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-08-11 13:03 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-08-11 13:13 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-08-11 13:13 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2009-08-11 13:03 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2009-08-11 13:03 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2009-08-11 13:03 1854976 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-07-27 397312]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\sid\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-8-11 376832]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsl5015cd83;MpKsl5015cd83;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE2BE23F-CF5B-456A-B28F-2A3FF77A6A8D}\MpKsl5015cd83.sys [27/03/2011 21:09 28752]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [28/04/2009 02:59 38912]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [20/08/2009 13:24 1015424]
S1 piiwijgq;piiwijgq;\??\c:\windows\system32\drivers\piiwijgq.sys --> c:\windows\system32\drivers\piiwijgq.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/08/2009 20:00 1684736]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS --> c:\windows\system32\drivers\AmUStor.SYS [?]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [28/04/2009 06:47 39040]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL5015CD83
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
.
2011-03-27 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wanadoo.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btse [snipped by DBA for length]
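An added triage example, not from any poster in this thread and not ComboFix's own code: the log above already contains three indicators a practitioner would pull out before asking "any ideas?": the installed AV reported as `*Disabled/Updated*`, the firewall key `"EnableFirewall"= 0`, and an `S1` (system-start) service called `piiwijgq` whose driver file ComboFix could not find (as I read ComboFix's output, the `--> path [?]` form marks a file that is not present). The script below runs those checks over lines copied from the log in comment #7 (one legitimate Atheros driver kept as a control); the random-name heuristic and the severity labels are my own assumptions, not anything ComboFix reports.

```python
"""Triage a ComboFix log excerpt for the persistence indicators visible in the
thread: a service pointing at a missing, random-looking driver, the Windows
Firewall standard profile switched off, and the AV product reported disabled.
Sample lines are copied from the log posted in comment #7; the heuristics and
severities are the author's of this example, not ComboFix's."""
import re

# Sample input copied from the ComboFix log in the thread (L1c kept as a control).
SAMPLE_LOG = r"""AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [28/04/2009 02:59 38912]
S1 piiwijgq;piiwijgq;\??\c:\windows\system32\drivers\piiwijgq.sys --> c:\windows\system32\drivers\piiwijgq.sys [?]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS --> c:\windows\system32\drivers\AmUStor.SYS [?]
"""

# ComboFix service/driver line: R=running, S=stopped; digit is the start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled); then name;display;path.
SERVICE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "--> <path> [?]" is how ComboFix shows a referenced file it could not find.
MISSING_RE = re.compile(r"--> (?P<path>.+?) \[\?\]\s*$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<state>[^*]+)\*")


def looks_random(name):
    """Assumed heuristic: 7+ lowercase letters with no digits, mixed case or
    word breaks is typical of dropper-generated driver names (piiwijgq)."""
    return re.fullmatch(r"[a-z]{7,}", name) is not None


def triage(log_text):
    """Return a list of (severity, message) findings for one ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            name, display = svc.group("name"), svc.group("display")
            missing = MISSING_RE.search(svc.group("rest"))
            if missing:
                # A missing file plus a random name and no real display name is
                # the classic footprint of a rootkit whose driver is hidden or gone.
                random_name = looks_random(name) and display == name
                severity = "HIGH" if random_name else "MEDIUM"
                why = "random-looking name, " if random_name else ""
                findings.append((severity,
                                 f"service {name} (start type {svc.group('start')}): "
                                 f"{why}driver file missing: {missing.group('path')}"))
            continue
        if FIREWALL_RE.match(line):
            findings.append(("HIGH",
                             "Windows Firewall standard profile disabled (EnableFirewall=0)"))
            continue
        av = AV_RE.match(line)
        if av and av.group("state").lower().startswith("disabled"):
            findings.append(("HIGH",
                             f"AV '{av.group('product')}' reported as {av.group('state')}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the real log the same rules would also want to walk the "Files Created" section for directories with names like `gsp3odhbhvdts2exdxzozq3zuwhxbcz2`; the point here is that the re-disabled AV, the zeroed firewall key and the orphaned system-start driver are all persistence, and a file-level cleaner that misses whatever re-creates them will keep "finding" the same infection.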
#8
Any ideas now anyone???
Cheers!!
#9
It's normally the rootkit infection that keeps reloading everything you clean out with Malwarebytes,
so hopefully, if this has been carried out, with crossed fingers there'll be no more problems.
The proof will be whether the redirects start up again or not.

8)
#10
Hopefully!
Saw this on the scan results:

Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

Could it be this - I don't know what it all means!!!
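An added example, not from any poster and not the code of ComboFix or mbr.exe: TDL4 is an MBR bootkit, which is why the log in comment #7 reports it against `\\.\PhysicalDrive0` rather than against a file, and why the tools above offer to rewrite the MBR. The check a practitioner would want is to parse sector 0 and compare its boot code against a hash taken when the disk was known clean, while confirming the partition table is still sane (a bootkit keeps that intact so Windows still starts). The sample MBRs, the "vendor" boot code bytes, the disk size and the baseline hash below are all constructed for the example. Caveat: a bootkit of this family that is running hooks disk I/O and hands back the original sector, so read the MBR from clean boot media, not from the infected OS.

```python
"""MBR integrity check: parse sector 0, hash the boot code, compare to a baseline
captured when the disk was clean, and sanity-check the partition table.
The sample MBRs and baseline here are constructed for illustration."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440  # bytes 0..439: boot code; 440..443: disk signature


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start": lba_start, "sectors": num_sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "disk_sig": sector[440:444],
            "partitions": partitions}


def boot_code_hash(sector):
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, baseline_hash, disk_sectors):
    """Return (findings, unpartitioned_tail_sectors). An empty findings list means
    the boot code matches the baseline and the partition table is consistent."""
    mbr = parse_mbr(sector)
    findings = []
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline (MBR overwritten?)")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no partition marked active")
    last_end = 0
    for p in mbr["partitions"]:
        end = p["start"] + p["sectors"]
        if end > disk_sectors:
            findings.append(f"partition type 0x{p['type']:02x} extends past end of disk")
        last_end = max(last_end, end)
    # TDL4 kept its components in unpartitioned sectors at the end of the drive,
    # so the size of the tail is worth reporting alongside the hash result.
    return findings, disk_sectors - last_end


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 from a raw disk (Windows: needs Administrator; run from clean
    boot media, since an active bootkit can return the original sector instead)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr(boot_code):
    """Constructed MBR: one active NTFS partition starting at LBA 63 (classic XP layout)."""
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    sector[440:444] = b"\x11\x22\x33\x44"  # arbitrary disk signature
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 31_457_217)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


DISK_SECTORS = 31_500_000                                  # constructed ~15 GB disk
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100)  # constructed "vendor" code
BASELINE = boot_code_hash(CLEAN_MBR)                       # captured while the disk was clean
# Constructed tamper: same partition table, different boot code, i.e. the first
# instructions the BIOS runs are no longer the vendor's but Windows still boots.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\xcc" * 100)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings, tail = check_mbr(mbr, BASELINE, DISK_SECTORS)
        print(label, findings or "OK", f"(unpartitioned tail: {tail} sectors)")
```

Take the baseline immediately after a clean install (or from a second machine with the same vendor image), and keep it off the box. A hash mismatch only tells you the boot code changed; what wrote it (a bootkit, a vendor recovery tool, `fixmbr`) still has to be established before deciding to rewrite the sector.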
#11
Prolly should ask for help at a specialist forum in case you get stuck (like now), e.g. this problem looks similar to yours and wasn't exactly straightforward:
http://forums.techguy.org/virus-other-malware-removal/962607-possible-tdl4-rootkit-infection.html
