Help malware

Hi,

A friend downloaded from a 3rd party (not Apple) iTunes, an immediate problems: XP Home

The LAN (notification area) says connected, no access to internet

a) tried several MrFix it no luck
b) tried repair winsock no luck

Some malware scanners will work if they don't require internet:

TDSSkiller 0 found, Emsisoft Emergency kit removed two items, did not delete 3rd item (did not write it down)

HJT 4items removed 2 R1's, 1 O3, 1 09

RougeKillder removed one item.

At this point very slow, or no improvement period

Run chkdsk c: /R no problems still very slow.

KAV 10 rescue CD - update gets 20% done, then want's to start update process over, or revert to old database. Try again update completes, the big traffic like light turns green. Scan scans approx 500 files & freeze, several hours KAV rescue still frozen.

Boot to Avira rescue CD, "system does not meet min. system requirements to prevent data loss..." press ok to close aVIRA RESCUE

Next boot to mem test 4.20 3 passes no errors.

Safe mode with net no internet.

Try oldest Restore point, tries but fails

Try bitdefender bootkit 0, TdssKiller again 0

Dr Web Live CD frozen at 2029 files scanned , approx 1 hr, clock & mouse nothing

Combofix fails

Checked dev mgr no errors

_____________


Any ideas, or what kills the network windows, but allows kind of internet from rescue disk. Checked for proxies none. Also if I wait long enough, for IE to connect, it won't, but eventually a Win Zip window opens. Also tried all the aboe with Rkill run first.

 

Have you done any additional hardware tests?: Hard Drive Diagnostics, etc.

Have you used a bootable hard drive partitioning tool such as GParted (Linux), BootIt Bare Metal, etc. to check what partitions exist? I am wondering if there is a chance that Malware may have created another partition and set it as "Active".

 

Hi

Tried fresh download of MSERT, thought it would be updated upon download. Took forever, scanned completed, 0 found bad guys. Upon completion much snappier performance. Used Auslogics disk defrag found 18% frag,

Funny with auslogic map you normally see little white squares, as free space, but on this machine, not one single white square. Looked at c:\ properties, reports 37 GB free space, approx. half used, un-used.

No hidden partitions are on this machine.

Not sure what I did to make this machine 100% faster??

Now! Focus on internet:

System tray icon for connection, reports connected!!!!

Winsock repair, reboot no internet

IE diagnose no help.....

ipconfig /all returned request

also

ping 127.0.0.1 responded with packets

now what to get internet?

 

You can try this to repair your computer/internet I have used it like 4 times on one pc and one laptop and it repaired alot of error's I was getting and it repaired my internet and system restore it is free and it is very good.
Windows Repair(All In One)- http://www.tweaking.com/content/page/windows_repair_all_in_one.html

PS: Good luck hope you get your PC fixed!!

 

What to do if you are infected:
https://www.wilderssecurity.com/showthread.php?t=252253

 

try SysRestoreCalendar

 

Might try over at MalwareTips if you haven't already.

 

If this site provides malware removal assistance, please point to a URL where it can be found.

Regards,

 

Why don't you try malwarebytes anti malware and rootkit. The latter has a fixdamage tool to restore damaged services ( firewall/internet )
MBAM has a tool called chameleon but this will require a connection to update

 

http://malwaretips.com/Forum-Malware-Removal-Assistance

 

I would use a bootable OS, copy any critical data to backup media, wipe the entire hard drive, format, install the OS, install required Windows Service Packs/Updateds and then install any required Software.

It is not worth the time and trouble to attempt to clean Malware from the PC.

 

Hi Guys,

Thanks for the help: Loose ends.

System restore, post #1 failed
MBAM or MBAR - I do not see repair internet/firewall feature.

Tried slipstreaming XPSP2 to XPSP3 in hopes of installing windows recovery console, so as to clear a hurdle for running combofix -Fail

Older version of Avira Rescue, I got this to update, but it reported in the scanning window "killed" & stopped working.

a) The new avira rescue is now 583 MB wow.
b) If a bug can kill a linux type AV, perhaps that's hardware related bug, or much earlier than windows. I thought it was going to be an MBR bug. But nothing could be found with several scanners regarding MBR.

TheKid7 - Your spot on about the format. re-install! I will show my friend how to do the factory reset, with the caveat should it be a bios or hardware related infection, probably nothing will help.

I enjoyed the challenge of trying to find a solution, but now it's time to move on. The bad guys got a win here.

Take Care
Rico

 

Have you tried unhide, rkill, fixtdss, tdsskiller, and actualy run updated malwarebytes?

 

It is in the MBAR plugin folder
Although it's possible the problem is not even malware related

 

i have malwarebytes PRO and do not show a plugin folder either.

 

Hi controler, it's in the anti rootkit ( mbar ) program not the anti malware program

 

controler - did try rkill no luck.

ran unhide found unnamed 31 mb partition, r-click offered only help

ran fixtdss it said found backdoor.tidserv, click OK, then fixtdss said process completed, clicked cancel, are you sure you want to quit, without completing scan. Wait all it said was process completed. Reboot try again found same thing, when process completed, wait wait wait nothing. Cancel

Try TDSSkiller > load modules > reboot > found just suspicious items. exit.

This bug seems to install partition (small), FAT16, 31 MB boot to Gparted. Deleted the 31 MB partition. Windows won't boot due to bad or corrupt

hal.dll

I'll try to replace this file, I suspect many more will be required.

Mick - Thanks would have never though to look at pluggins

Used windows disk to eneter repair, fresh copy of hal.dll on flash drive, copied hal.dll to c:\windows\system32 chose overwrite existing. Reboot still does not like hal.dll

 

I would have used a bootable Partition management tool such as BooIt Bare Metal to identify and delete that unnamed partition.

The malware may be regenerating itself using that unnamed partition. Also that unnamed Partition may possibly be bootable and set to Active so that every time you start or restart the bootup is made from the unnamed partition.

I would make sure that the normal boot Partition is set to Active. I would also install Standard MBR code to the normal boot Partition to overwrite any infected/corrupted MBR code.

 

Is it Dell computer ?

 

The Kid - I used G-parted boot to delete the partition. I guess its back to G parted & see if C: is active partition?

So if the machine was booting from un-named deleting this partion must have contained hal.dll, therefore it won't boot, caus the former partition is missing that file.


C:\ would be the active partition, so how do I get the std MBR

 

I think that the GParted term for 'Active' is 'boot flag'.

You can run the Fixmbr command from the Windows XP Recover Console. You may also install Standard Windows XP MBR using BootIt Bare Metal (Note: I am not sure if your PC has a MBR that is different from Standard MBR, so it may be best to use the Windows XP Recovery Console.). I think that you can just run Fixmbr from the Windows XP installation CD's Command Prompt, but I do not remember the exact details.

http://www.microsoft.com/resources/.../proddocs/en-us/bootcons_fixmbr.mspx?mfr=true

 

Hi,
fixmbr fail <hal dll> gparted says c: boot, or boot flagged checked
fixboot - fail hal.dll
Bootcfg /rebuild fail

XPSP3 disk ignore 1st R select 2nd R for repair, entered lic #, continues.
1745 hrs. Windows Xp logo screen, please wait... Mouse moveable, with hour glass

 

How to fix hal.dll is missing or corrupt:

-http://www.youtube.com/watch?v=jvMkt9fkHCI

 

I am sorry but I should have said to not reboot after running the other programs. and run malwarebytes first. The crap just keeps reinstalling when you reboot. This seems to work. after malewarebytes finishes its scan, removes what it has found, reboot and run a deep scan.

 

Hi Guys,

Not sure which order, I did this but results the same (vice a versa)

XPSP3 disk did second "R" repair all went smooth, Windows prompted that verification (words to that effect) were required, saying yes, I was greeted with wallpaper only, no icons, or any means of, making contact with the mothership in Redmond. Also wait wait wait for icons to appear. Reboot Safe Mode+Net. fail to enter, Safe Mode showed all, worked fine.

The hal.dll was very informative (Took notes, for next time), I did most of what the video said, I eventually got to the point upon boot two, Win XP Home's, one would boot to wallpaper only the other, returned hal.dll error.

Next a mentor in the club, specialty in OS's, owed me a favor, so I copied documents & settings to CD & gave him this "devil box" format & put the guys junk back on. Honestly if you want music pay the 99 cents to iTunes, is the message, for the user of the devil box

Case Closed,

Learned a bunch here!