backdoor.Tidservlinf



#16 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

There is a new infection and we need to remove it first.

Run OTL in Safe mode or Safe mode with networking
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: [cgvanqfw] C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss\rduepkntssd.exe ()
    O4 - HKLM..\Run: [jilaciaj] C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa\rvaakovtssd.exe ()
    [2010/06/28 15:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss
    [2010/06/28 15:11:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

Please try to boot in Normal mode, or try Last Known Good Configuration if Normal mode fails.
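Added example, not OTL's code and not part of the post above: the fix in #16 removes two HKLM Run entries whose executables sit under a per-user Local Settings\Application Data folder, carry random-looking names and show no publisher. The script below applies those same three signals to OTL O4 lines and turns whatever scores at least two of them into a fix block in the thread's :OTL / :Commands format. Assumptions: that the trailing parentheses in an O4 line hold the publisher OTL read from the file (empty for the two entries above), and that the SoundMAX and ctfmon lines are constructed benign samples, not lines from the posted log.

```python
"""Triage OTL "O4" autorun entries and turn the suspicious ones into an OTL fix script."""
import re
from pathlib import PureWindowsPath

# One OTL O4 line, e.g.
#   O4 - HKLM..\Run: [cgvanqfw] C:\Documents and Settings\...\rduepkntssd.exe ()
# The trailing parentheses carry the publisher OTL read from the file's version
# information, empty when there is none (assumed from the log lines in the thread).
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?) \((?P<publisher>[^)]*)\)\s*$"
)

# Per-user profile and temp locations; legitimate HKLM Run entries rarely point here.
PROFILE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)


def looks_random(token: str) -> bool:
    """Crude test for machine-generated names: no vowels, or 4+ consonants in a row."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if not letters:
        return False
    return not re.search(r"[aeiou]", letters) or re.search(r"[^aeiou]{4,}", letters) is not None


def parse_o4(line: str):
    """Split one O4 line into hive, key, value name, path and publisher; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["raw"] = line.strip()
    return entry


def reasons_for(entry: dict) -> list:
    """Collect independent signals; each alone is weak, two or more warrant a closer look."""
    reasons = []
    path_l = entry["path"].lower()
    if any(d in path_l for d in PROFILE_DIRS):
        reasons.append("runs from a per-user profile or temp directory")
    if not entry["publisher"].strip():
        reasons.append("binary carries no publisher/version information")
    if looks_random(entry["name"]) or looks_random(PureWindowsPath(entry["path"]).stem):
        reasons.append("random-looking value name or file name")
    return reasons


def triage(lines, threshold: int = 2) -> list:
    """Return [(entry, reasons)] for every O4 line scoring at least `threshold` signals."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if len(reasons) >= threshold:
            flagged.append((entry, reasons))
    return flagged


def build_otl_fix(flagged) -> str:
    """Emit a fix script in the format used in the thread: :OTL block, then :Commands."""
    o4_lines = "\n".join(entry["raw"] for entry, _ in flagged)
    return ":OTL\n" + o4_lines + "\n\n:Commands\n[purity]\n[emptytemp]\n"


# Constructed sample: the two entries from the fix in this thread plus two benign-looking
# entries (the SoundMAX and ctfmon lines are made up for illustration, not from the log).
SAMPLE_O4 = [
    r"O4 - HKLM..\Run: [cgvanqfw] C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss\rduepkntssd.exe ()",
    r"O4 - HKLM..\Run: [jilaciaj] C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa\rvaakovtssd.exe ()",
    r"O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc.)",
    r"O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_O4)
    for entry, reasons in hits:
        print(entry["name"], "->", "; ".join(reasons))
    print(build_otl_fix(hits))
```

The threshold matters: ctfmon.exe trips the random-name test on its own (four consonants in a row) but nothing else, so it is left alone at the default of two signals. The generated block omits the folder lines OTL lists with timestamps, since those come from OTL's own directory listing and are not reconstructable from the O4 line.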

#17 AlRussell (Topic Starter, Member, 24 posts)
Hi maliprog
Upon initiation of OTL as requested, the same apparent "60 sec. shutdown mode" takes control; yet OTL offered a screen prompt to OK a reboot. I selected OK, yet the uncontrolled shutdown routine was in control.

Also, had no luck in starting in normal mode.

I did capture two OTL runs in logs as follows:

[in notepad file 07012010_154604]
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\cgvanqfw deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss\rduepkntssd.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jilaciaj deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa\rvaakovtssd.exe moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss folder moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Chelsea
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Christine
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

[from a 2nd run notepad file 07012010_155316]
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\cgvanqfw not found.
File C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss\rduepkntssd.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jilaciaj not found.
File C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa\rvaakovtssd.exe not found.
Folder C:\Documents and Settings\Owner\Local Settings\Application Data\ouswoydss\ not found.
Folder C:\Documents and Settings\Owner\Local Settings\Application Data\fgbxofpaa\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Chelsea
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Christine
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Eric
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest

User: Guest.OWNER-98695221A
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: KayLynn

User: KayLynn.OWNER-98695221A
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kim
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kim.OWNER-98695221A
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner
->Temp folder emptied: 3395 bytes
->Temporary Internet Files folder emptied: 872301 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Visitor

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 59084 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb


OTL by OldTimer - Version 3.2.7.0 log created on 07012010_155316

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Let me know how things are looking. Thanks, AlRussell

#18 AlRussell (Topic Starter, Member, 24 posts)
Hi maliprog
Sorry, I wish I could be more of a help--I appreciate your help.

You mentioned a "new infection" needed help first.

Does this unwanted "60 second shutdown routine" have a least disruptive fix? I find the issue odd that even in a safe mode an infection still has control.

Also, when attempting the normal mode startup the computer ends up within a do-loop [between the XP (color) and systems checks (black and white) screens]. And I reported the "last known good startup" did not help either.

AlRussell

#19 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

We will get to the bottom of this infection. Just stick with me :). Please restart in Safe mode.

  • double click My Computer
  • right mouse click on C: and choose Properties
  • click on the Tools tab
  • click the Check now... button
  • A new window will pop up. Check the Automatically fix file system errors check box
  • Click the Start button
  • A message will pop up asking whether you want to schedule a disk check. Click the Yes button.
  • Restart the system now and let the disk check run.

After that, try to boot in Normal mode.


NOTE: If you ever experience the 60s shutdown, please do this within the 60s to stop the shutdown process:

  • click Start and Run...
  • When dialog box appears type

    shutdown -a

  • click OK button

This will abort shutdown routine.

Edited by maliprog, 02 July 2010 - 02:15 PM.


#20 AlRussell (Topic Starter, Member, 24 posts)
Hello maliprog
:) I'm with you. Tried, but no improvement--wish I had better news....
Did what you requested...then attempted booting in Normal mode, but that yielded the do-loop from the XP (color) screen to the BIOS system check (B&W) screen--similar.
I noted when in the C: properties, Tools, Automatically fix file system errors, I checked the box and selected START, YES and OK, yet [the selection appeared vacated and] no auto check was run; so I did it differently: I checked the box, selected START, but kept the screens open and directly chose Restart--that initiated the chkdsk routine. Then, well, you know what the normal boot resulted in.
I'm with you--if I did or did not do something, let me know. I do appreciate your time.
Thx, AlRussell

#21 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

OK. We have a few more tricks.

Step 1

  • Click Start and then to All Programs
  • Scroll to Accessories and then System Tools
  • Click on System Restore
  • A Welcome screen will come up and you need to click on Restore My Computer To An Earlier Date
  • Then click on Next
  • Now you will see in the window Select A Restore Point. From here select a date a couple of days before the problem started.
  • Then click Next
  • On the Confirm Restore Point Selection window verify the Restore Point you chose is correct.
  • Close all open programs and click Next
  • The computer will now automatically shut down and reboot. When it restarts you will see "Restoration Complete" page and then click OK
  • Once you have made sure that everything is now running correctly then please reply back with the results.

Step 2

Do you have a Windows XP SP3 installation CD? We may need it to repair your Windows installation.

#22 AlRussell (Topic Starter, Member, 24 posts)
hello maliprog
selected a restore point of 15 Jun and the computer did not respond except with the familiar BIOS and XP screen do-loop. Yes, I have an XP CD. That's what I see. It seems a repair of the Windows files as you suggest may be the next needed step. Thanks.

#23 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

We need to repair your Windows installation. Please read this two times to get familiar with the procedure. Please insert your Windows XP SP3 installation CD and make sure you have your Windows XP SP3 key with you.

Step 1

Make sure the CD-ROM is your primary boot device.

Configuring Your Computer to Boot from CD

Many computers are not configured to boot from the CD-ROM. If you cannot boot from the CD-ROM, this is probably because the boot order of your devices is incorrect. You can change this in the BIOS.

You enter the BIOS from the first screen you see when you turn your computer on. To enter your BIOS, most users here will press the DEL key. The BIOS will usually display which button to press to "enter setup" during POST (if it flashes by too fast, press the Pause key).

When you enter the BIOS setup, you need to change the boot order. The CD-ROM should be set before the hard drive. Each BIOS is different, but here is an example:

[screenshot: example BIOS boot-order screen]

Note: If you need assistance with a repair installation, please start a new topic in our Windows XP Forum. This topic is also open for comments, but not all will receive a reply.

Step 2

Let's get started!

Step 1: Rule out hardware issues. Windows Repair will only fix software problems. Hardware issues can also cause boot problems (e.g. a bad hard drive, memory, CPU, or power supply).

Step 2: Backup. It's always a good idea to backup your important data before making changes to Windows XP. Relax, if you follow these instructions your data will be perfectly safe.

Step 3: Boot from your Windows XP CD. Insert the Windows XP CD into your computer's CD-ROM or DVD-ROM drive, and then restart your computer. When the "Press any key to boot from CD" message appears on the screen, press a key to start your computer from the Windows XP CD. Can't boot from your CD? Please see the note at the bottom of this page (Configuring Your Computer to Boot from CD).

Step 4: A blue screen will appear and begin loading Windows XP Setup from the CD.

Note: RAID/SCSI/Unsupported UDMA users:
You will be prompted to "press F6 to install any third party SCSI or RAID drivers". Most users will not have to press F6, but if you are running RAID, SCSI or unsupported UDMA controllers, then you will have to have your controller drivers on a floppy disk. If you are unsure whether you have RAID/SCSI, then simply let the CD load without pressing F6.

When it has finished loading files, you will be presented with the following "Windows Setup" screen, and your first option. Select "To set up Windows XP now, press ENTER". DO NOT select Recovery Console.

[screenshot: Windows Setup screen with the option "To set up Windows XP now, press ENTER"]

When presented with the screen below, press the F8 key to continue.

[screenshot: the Setup screen at which F8 is pressed]

Next, Windows Setup will find existing Windows XP installations. You will be asked to repair an existing XP installation, or install a fresh copy of Windows XP.

If no installations are found, then you will not be given the option to repair. This may happen if the data or partition on your drive is too corrupted.

Note: If you install a fresh copy, all data on that partition will be lost!

[screenshot: Setup screen offering to repair the existing installation or install a fresh copy]

You're almost finished! Windows XP will appear to be installing itself for the first time, but it will retain all of your data and settings. Just follow the prompts, and have your CD-KEY ready if needed.

Do you have more than one system, or lost your CD-KEY? Visit the keyfinder page to retrieve your CD-KEY.

#24 AlRussell (Topic Starter, Member, 24 posts)
hello maliprog :) :)

looks like a successful Windows repair. Besides replacing a keyboard [where the F8 key failed to function, of all things], all repairs and updates appear to have taken, and logon and apps work as expected. Was there anything else needed with this fix?

The root cause seems to have been an errant email planting the virus or malware in this case--the family and I take the lesson.

Your time and facilitating of this fix has helped my family save the cost--however, there must be some options we can do for your time and efforts.

Thank you so much. :) AlRussell

#25 AlRussell (Topic Starter, Member, 24 posts)
hello maliprog
Having slowness of shutdown and startup now--maybe more than previous--may be another issue. thanks, AlRussell
#26 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

We did not remove the main infection yet.

Please download MBRCheck.exe to your desktop.

  • Double click to run it
  • It will prompt you with some text
  • Left click on the title bar (where the program name and path are written)
  • From the menu choose Edit -> Select All
  • Now just press the Enter key to copy the selected text
  • Paste that text here for me.


#27 AlRussell (Topic Starter, Member, 24 posts)
from mbrcheck.exe,

MBRCheck, version 1.0.0
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive1

Size      Device Name           MBR Status
--------------------------------------------
 74 GB    \\.\PhysicalDrive0    Unknown MBR code
232 GB    \\.\PhysicalDrive1    Unknown MBR code


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#28 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

Step 1

Please run MBRCheck.exe again

  • Wait until the program writes this line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Press the y key and press Enter
  • When the program asks you Enter your choice: enter 1 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to dump (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key
  • Now the program will ask you where to dump the MBR. Enter
    C:\mbrdump.dmp
    and press Enter

Please attach C:\mbrdump.dmp here for me.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the attachment's insert icon to insert it into your post


Step 2

Please go to: VirusTotal
  • Click the Browse button and search for the following file:


    C:\mbrdump.dmp

  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

NOTE: If it says already scanned -- click Reanalyze now button
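Added example, my code rather than MBRCheck's and not part of the thread: what a check like the one in #27 does when it prints "Unknown MBR code" is compare the bootstrap code in sector 0 against known-good signatures, because a bootkit typically leaves the partition table alone and replaces only the code that runs before the OS loader. The parser below takes a 512-byte dump such as C:\mbrdump.dmp, checks the 0x55AA signature, lists the partition table and hashes the 440 bytes of boot code against an allow-list. Assumptions: the allow-list entry and both sample sectors are constructed here (the "clean" boot code is a generic stand-in, not real Windows XP boot code), and the allow-list would in practice be filled from a trusted disk or a published reference. Caveat: "unknown" only means "not in the allow-list"; a third-party boot manager or a vendor-formatted external drive also shows as unknown, so the dump itself still needs inspection, which is what the VirusTotal step above is for.

```python
"""Parse a raw 512-byte MBR dump (e.g. C:\\mbrdump.dmp from MBRCheck) and classify its boot code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440             # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Constructed stand-in for clean bootstrap code (a generic relocation prologue padded
# with NOPs). It is NOT the real Windows XP MBR; in practice the allow-list hash comes
# from a disk you trust or a published reference.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\x90" * 16


def _bootcode_hash(code: bytes) -> str:
    """SHA-256 over exactly the 440 bootstrap bytes (zero-padded if shorter)."""
    return hashlib.sha256(code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]).hexdigest()


# Allow-list of known-good bootstrap digests (hypothetical: one constructed entry).
KNOWN_GOOD_BOOTCODE = {_bootcode_hash(CLEAN_BOOT_CODE): "constructed clean sample"}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR; `partitions` is a list of (status, type, lba_start, sectors).
    Used here only to construct test sectors; real input is a dumped sector."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the structure of one MBR plus a verdict on its boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR dump must be exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0x00:
            continue                       # empty slot
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    digest = _bootcode_hash(sector[:BOOT_CODE_LEN])
    verdict = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "bootcode_sha256": digest,
        "partitions": parts,
        "active_count": sum(p["active"] for p in parts),
    }
    if not verdict["signature_ok"]:
        verdict["mbr_status"] = "Invalid MBR (missing 55AA signature)"
    elif digest in KNOWN_GOOD_BOOTCODE:
        verdict["mbr_status"] = "Known MBR code (%s)" % KNOWN_GOOD_BOOTCODE[digest]
    else:
        verdict["mbr_status"] = "Unknown MBR code"
    return verdict


def analyze_dump(path: str) -> dict:
    """Read a dump file such as C:\\mbrdump.dmp and classify it."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


# Constructed samples: same partition table, different bootstrap code.
# 155,000,000 sectors of 512 bytes is roughly the 74 GB drive in the MBRCheck output above.
PARTITION_TABLE = [(0x80, 0x07, 63, 155_000_000)]   # one active NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITION_TABLE)
# The "infected" sample keeps the partition table and swaps only the first bytes of code
# for a different jump, the shape of change a hash comparison is meant to catch.
PATCHED_MBR = build_mbr(b"\xeb\x58\x90" + CLEAN_BOOT_CODE[3:], PARTITION_TABLE)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        v = parse_mbr(sector)
        print(label, v["mbr_status"], "partitions:", len(v["partitions"]), "active:", v["active_count"])
```

Run it against a real dump with analyze_dump(r"C:\mbrdump.dmp"); the partition listing is what to eyeball when the hash is unknown, since a modified bootstrap that still chains to the original active partition looks normal from inside Windows.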

#29 AlRussell (Topic Starter, Member, 24 posts)
maliprog, attaching the .dmp file as requested required permission to do so. With zero attachments uploaded I could not proceed. Please advise further--I'm with you.

AlRussell

#30 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi AlRussell,

Please rename mbrdump.dmp to mbrdump.txt. To do so, please follow these steps:

  • Right mouse click on mbrdump.dmp and choose Rename
  • Type the new name mbrdump.txt

You should be able to upload it now.