Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Having virus problems. Possible malware?

Post by Lothar » December 31st, 2009, 1:52 am

Hello. Mother's laptop is going nuts.

Dell Inspiron 1525
Windows XP Service pack 3

I noticed the problems this morning. Internet Explorer would not pull up any webpages even though I had a good connection via ethernet cable (tested by successfully pinging yahoo.com through the CMD prompt).

Tried to run the installed anti-virus program Norton Internet Security. (Not sure what version. I'll try to find out). The program repeatedly failed to launch.

Rebooted laptop. Microsoft Application Error Reporting window pops up. Lists a program called 'Google Installer'. Also upon every reboot there is a Windows Genuine Advantage window. I cancel both.

Try to run Internet Explorer, Norton, etc. System freezes.

Reboot, but no Windows. Just a black screen with mouse pointer stuck in the middle.

Reboot in safe mode.

So I do some Googling with a working computer and copy SpyBot and Malwarebytes anti-malware to a disc to use on the laptop. After installation both programs fail to launch.

I change the names of the .exe files of said programs and they finally launch. Both programs find problems which I delete.

Reboot normally into windows and it works. But still freezes up if I try to run any anti-malware/virus programs, which now run but freeze in the middle of their searches.

So it seems I have cleared some of the symptoms but haven't killed the bug yet. Any suggestions?


Here is the log from the Malwarebytes anti-malware program:


Malwarebytes' Anti-Malware 1.43
Database version: 3460
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/30/2009 7:56:59 PM
mbam-log-2009-12-30 (19-56-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184370
Time elapsed: 18 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\23094848483939484 (Rogue.GreenAV) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\21098746521098765 (Rogue.GreenAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Marilyn\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHCD9C.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHCD9D.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHCD9E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
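An added example, not part of Lothar's post and not Malwarebytes' own tooling: a small Python parser for the text-log layout shown above that cross-checks the summary counts against the entries actually listed (which catches a truncated paste) and pulls out rootkit-class detections. The sample is a constructed excerpt of the log above with the file list deliberately cut short; the function names are this example's own.

```python
import re

# Constructed excerpt of the log above; the file list is deliberately cut
# short (5 declared, 2 listed) to show the truncation check.
SAMPLE_LOG = r"""
Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\23094848483939484 (Rogue.GreenAV) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\21098746521098765 (Rogue.GreenAV) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Marilyn\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")      # "Files Infected: 5"
SECTION = re.compile(r"^(.+ Infected):$")            # "Files Infected:"
ENTRY = re.compile(r"^(.*) \(([\w.]+)\) -> (.+)$")   # "item (Detection) -> action"

def parse_mbam_log(text):
    """Return (declared counts per section, entries listed per section)."""
    declared, found, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            declared[m.group(1)] = int(m.group(2))
        elif m := SECTION.match(line):
            section = m.group(1)
            found.setdefault(section, [])
        elif section and (m := ENTRY.match(line)):
            found[section].append(dict(zip(("item", "detection", "action"), m.groups())))
    return declared, found

def count_mismatches(declared, found):
    """Sections whose listed entries differ from the summary: (declared, listed)."""
    return {s: (n, len(found.get(s, []))) for s, n in declared.items()
            if n != len(found.get(s, []))}

def rootkit_hits(found):
    """Items whose detection name is in the Rootkit.* class."""
    return [e["item"] for entries in found.values() for e in entries
            if e["detection"].startswith("Rootkit.")]
```

A non-empty `count_mismatches` result means the pasted log is incomplete and should be re-posted in full before anyone reads conclusions from it.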

Re: Having virus problems. Possible malware?

Post by NonSuch » December 31st, 2009, 8:33 pm

We understand that you are having difficulty running certain programs, and that may include HijackThis. However, in order for us to help you it is necessary that you provide us with a HijackThis log, and it is possible you may be able to trick the malware into letting you do this. First, download HijackThis to a clean computer, then rename it from HijackThis.exe to any other name you want, using an .exe extension, for example... YourLastName.exe. Once you have done that, burn it to a CD (preferable to using a flash drive that may easily become infected) then transfer the renamed file to the infected computer and run a scan, then start a new topic and include your HijackThis log.

Please follow the guideline at the link below to start a new topic and post your HijackThis log, along with your Malwarebytes Anti-Malware log all in the same post. If you are unable to create and post a HijackThis log, then your only option may be to reformat your computer and reinstall the operating system. Please be aware, however, that a reformat is probably your best option as your system is infected with a particularly pernicious rootkit.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here, just be certain you rename HijackThis: >Guideline for posting your HijackThis log<