Solved

Remove Bootkit.TDSS

Posted on 2011-03-21
Last Modified: 2012-08-13
I am unable to update newly installed Malwarebytes and Hitman Pro was unable to delete Bootkit.TDSS due to a firewall setting.  See attached screenshot.  Found this info to manually remove - http://www.2-spyware.com/remove-rootkit-tdss.html  I would appreciate assistance in this situation.  Thank you!!
Question by:MagsMcKinley14
61 Comments
 
LVL 9

Accepted Solution

by:
meko72 earned 278 total points
Comment Utility
Can you boot into safe mode and try system restore?

Have you run Combofix? If not, here is the link. http://www.bleepingcomputer.com/download/anti-virus/combofix

You can also go into a command prompt and run
sfc /scannow, which will make sure all of your system files are right and, if not, replace them
0
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 112 total points
Comment Utility
Hi, run TdssKiller

http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

If TDSSKiller doesn't fix the issue then you would need to Boot the computer using the Bootable Disc and re-create the MBR of the system.

How to fix the MBR on Windows XP can be found below. Please follow the steps and let us know the result.

How to fix MBR in Windows XP and Vista
http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

I hope that would help

Sudeep
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Thanks guys!
Unable to perform system restore.
After reviews I decided to run TDSSKiller, which removed the Bootkit.TDSS.  Ran Hitman Pro...gone...it found another virus and would activate.  I will continue to do my thing...will let you know what else I find.
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
I want to run sfc /scannow but have read - You may need your Windows XP CD so have it ready.
If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don't have one. I have an XP disk and both SPs on disk...will this cause a problem should I need the CD?

Also Windows update is not working...researching the error code now.  Error 0x80070424
0
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 112 total points
Comment Utility
Yes you would need the CD with SP in it. Further since you are running Windows XP system, could you run Combofix and post the logs here:

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Tutorial on how to use combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Sudeep
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
It's asking for Windows XP Professional Service Pack 3 CD...she has Windows XP Media Center Edition running, not Professional.  Can I simply quit sfc /scannow and run combofix?
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Running Combofix now.
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Get message PEV.cfxxe has encountered a problem and needs to close?????  Should I say don't send??  This happened during Stage 2 of Combofix.  Thanks
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
closed message...Combofix continuing
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Here is the Combofix log
Combofix-log.txt
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Still having issues.
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
Hi Mags,

The situation with XP Media Centre Edition - is it 2005 version?
I have this running still on an old PC, and face the same issue on most occasions where OS fix-up is necessary.

The Media Centre Edition 2005 operating system comes on two disks. The first disk contains the operating system, the second contains the Media Centre app and its gubbins.

So when it asks for Windows XP SP3 disk, you want to use disk 1. HOWEVER, if that disk doesn't include SP3 then sfc may reject it.

Is that what's happening - you tried disk 1 and got nowhere?

Thanks,
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
yes...it rejected every disk I tried...no XP disk has SP3 that I know of...is there a work around??

Can anyone figure out the combofix files (see above)...still having issues.
0
 
LVL 9

Assisted Solution

by:meko72
meko72 earned 278 total points
Comment Utility
When you're running Combofix, are you running it in Safe Mode?

Also Kaspersky  has a scanner that cleans Bootkit.TDSS and its variants. The link is below.

http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Ran combofix normal, then again in safe mode...attached is new log
Combofix-log-2.txt
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Already ran Kaspersky yesterday before combofix...found viruses
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
The reason you were having problems running combofix in regular mode is because of Microsoft Security Essentials.

Since you ran combofix in safe mode, are you still having problems?
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
yes....still have the message
Windows Automatic updates are turned off.  Security Center shows they are off but Automatic updates show they are on.

Does anyone know anything about Norton Power Eraser?  Norton wants to charge me $99 to resolve my issue.  Contacted them with a question about Norton Ghost which my client has.
0
 
LVL 9

Assisted Solution

by:meko72
meko72 earned 278 total points
Comment Utility
Download and run Dial-A-Fix to help fix the Wu/Wuam.  I will be here for any questions about it.

 http://wiki.lunarsoft.net/wiki/Dial-a-fix
0
 
LVL 2

Assisted Solution

by:Hapexamendios
Hapexamendios earned 110 total points
Comment Utility
Hi MagsMcKinley14,

It sounds like a bit of a 'mare :)

If you are still getting nowhere with the main problem of removing the malware despite the advice of those who have already posted, then try this:

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

I have had some success with this - the other specific anti-TDSS tools are very useful, but (apart from ComboFix) are unlikely to handle a "blended" threat well, which might be what you're seeing here.

To my knowledge the only way to get past this issue with sfc would be to use something like Microsoft Deployment Toolkit 2010 to "slipstream" the Service Pack needed. However it cannot be done with Windows MCE Edition 2005...  at all, according to Microsoft. :(

There are so many inter-dependencies in MCE 2005 that it is in practice an unreliable OS IMHO - I spent more time reinstalling the system running it than I did using it, sadly,  mostly due to MS updates for .Net and MSXML parsers whose dependencies were either not set correctly, or whose initial revision was broken and subsequently borked the entire system during install (the Media Centre app is very dependent on .Net).

Your best bet - and it's never entirely satisfactory - is to clean up this malware and confirm it is gone, then perform a "reinstall" (over the top) of the existing Windows install. That will retain user accounts and settings (including Media Center channel listings etc.) but you will lose all patches to the OS, and need to re-do them (I suggest directly installing SP3 at this stage if you go this route).

If I can help further please post back.
0
 
 

Author Comment

by:MagsMcKinley14
Comment Utility
Should these scans be run in safemode?
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
I also wanted to let you know that in the past I have had to uninstall all .NET Framework versions and reinstall to get rid of some bad infections.

0
 

Author Comment

by:MagsMcKinley14
Comment Utility
meko72:

Known issue with Dial-a-fix:

If you have a Documents folder in your C:\ drive (as C:\Documents) this folder and anything inside (such as C:\Documents\Reports) will be deleted due to a critical, unpatched bug. XP has C:\Documents and Settings...Should that all be backed up?
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
Yes, back those items up to be on the safe side.  I have used this utility for the last 2 yrs without any problems.
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
[MODERATOR: Could you please remove the previous multiple duplicate posts attributed to me on this question? I believe our proxy server causes this, but we have never found the root cause. My apologies to anyone trying to follow the topic]

Hi MagsMcKinley14,

The advice is to run Sophos Anti-Rootkit in normal mode - it will find more if all Windows services are up and running, including those "boot-start" kernel-mode drivers which are responsible for "sentinel" operations on a rootkit.

Look forward to hearing how it goes...
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Hapexamendios:

Sophos is running now...in normal mode

meko72:

I will backup those files should Sophos not resolve the issue.

Thanks Guys!!
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
Not a problem, let us know of the outcome !

0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
Happy to be of help, Mags - fingers crossed :)
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
OK...sophos is finished...how can I tell what I should check.  Attached are screen shots for Sophos, as well as SuperAnti Spyware and TDSKiller.  Drive L is my Flash Drive.

My fingers are sooooo crossed!
Sophos-Scan-Results.bmp
SuperAnti-Spyware.bmp
TDSKiller-scan.bmp
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
Stating the obvious but I reckon you have to go with that last screenshot.

Will the software above allow you to remove the item it has detected, or does it ask for payment before doing so?
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
The Kaspersky utility that she used should not ask for a Fee.
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
SuperAnti Spyware and Kaspersky were free and already dealt with what they could...just wanted to show you what they found.

Hapexamendios:  What do I do with what Sophos showed...what do I check to have it clean up?  I need to resolve that before I can backup her Document file and possibly run Dial-a-fix.

Thanks again guys!!
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
Hi Mags,

The output from Sophos Anti-Rootkit looks OK to me - the listing of files you see is its "err towards paranoia" approach to detection. Most of this looks like SAR doesn't like those files' hidden status. However we'd need to manually checksum each one individually against a known good, current version to be certain of its integrity.

I'd get rid of the setup_av_free.exe in the "_Downloads-Save" folder - whilst it's possibly AVAST!, its location in a non-standard folder is what makes me suspicious.
Also the multiple copies of the MS Message Queuing binary all pulling the same trigger - mqtgsvc.exe - is suspicious.

I'm gently urging you towards a rebuild Mags, as it's going to be difficult to verify the health of this machine to reasonable satisfaction. Assuming you want to continue though, and wish to verify each of these files, try this:

http://www.sunbeltsecurity.com/sandbox/

The above link is to SunBelt Labs Software's CWSandbox, which does malware profiling. You submit a sample of e.g. mqtgsvc.exe to the site, and it will send you a report of the processes, threads and registry entries created by the malware (if it is malware). You can then check for those processes/registry keys to see if the file is part of your infection.

Recommendation: when you come to use Dial-A-Fix, do your backup of Documents and Settings using another operating system if at all possible. This limits the chance of your backup media getting infected if the TDSS malware variant present includes worm-like behaviour.

Keep asking if you think I can still help!
0
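An added example, not part of the thread or of Sophos Anti-Rootkit: a Python routine that applies the checks Hapexamendios describes to a scanner's file listing, hashing each flagged file against a manifest of trusted hashes, noting a matching binary that sits outside its normal folder, and counting copies of the same name. The directory tree, file contents and manifest are constructed placeholders (the real reference hashes would come from a clean install or a known-good disc).

```python
"""Check scanner-flagged files against known-good hashes, locations and copy counts."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(flagged: list, known_good: dict, expected_dirs: dict) -> dict:
    """Give each flagged path a verdict.

    flagged:       paths the scanner listed (e.g. because they are hidden)
    known_good:    lower-case file name -> SHA-256 of the trusted copy
    expected_dirs: lower-case file name -> directory that binary normally lives in
    """
    verdicts = {}
    copies = defaultdict(list)
    for p in flagged:
        name = p.name.lower()
        copies[name].append(p)
        if name not in known_good:
            verdicts[str(p)] = "UNKNOWN: no reference hash, verify by other means"
        elif sha256_of(p) != known_good[name]:
            verdicts[str(p)] = "MISMATCH: contents differ from the trusted copy"
        elif name in expected_dirs and p.parent.resolve() != expected_dirs[name].resolve():
            verdicts[str(p)] = "SUSPECT LOCATION: hash matches but file is outside its normal folder"
        else:
            verdicts[str(p)] = "OK"
    # Several copies of one system binary in different folders (the mqtgsvc.exe
    # situation above) deserve a look even when every copy hashes clean.
    for name, paths in copies.items():
        if len(paths) > 1:
            for p in paths:
                verdicts[str(p)] += f" [one of {len(paths)} copies of {name}]"
    return verdicts


def build_sample():
    """Constructed sample tree and manifest; contents are placeholders, not real binaries."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (root / "Temp").mkdir()
    (root / "_Downloads-Save").mkdir()
    good_mq = b"placeholder bytes of the trusted mqtgsvc.exe"
    (sys32 / "mqtgsvc.exe").write_bytes(good_mq)               # clean, right place
    (root / "Temp" / "mqtgsvc.exe").write_bytes(good_mq)        # clean bytes, wrong place
    (sys32 / "svchost.exe").write_bytes(b"placeholder bytes that do not match")
    (root / "_Downloads-Save" / "setup_av_free.exe").write_bytes(b"placeholder installer")
    known_good = {
        "mqtgsvc.exe": hashlib.sha256(good_mq).hexdigest(),
        "svchost.exe": hashlib.sha256(b"placeholder bytes of the trusted svchost.exe").hexdigest(),
    }
    expected_dirs = {"mqtgsvc.exe": sys32, "svchost.exe": sys32}
    flagged = [sys32 / "mqtgsvc.exe", root / "Temp" / "mqtgsvc.exe",
               sys32 / "svchost.exe", root / "_Downloads-Save" / "setup_av_free.exe"]
    return flagged, known_good, expected_dirs


if __name__ == "__main__":
    for path, verdict in classify(*build_sample()).items():
        print(f"{verdict:70} {path}")
```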
 

Author Comment

by:MagsMcKinley14
Comment Utility
Thanks Hapexamendios: for your advice.  I ran Sophos on a couple of files that had Malware written all over them after researching them, the 2 WildTangents and got rid of the ones in "My Documents", manually deleted the Advast.exe then backed up her files to an external drive after I scanned it.  Is there a way to test it again to verify no virus or should I pull the drive and make another backup?

Also she has the primary drive mirrored but I would assume it would bring over the virus as well.  I see no real advantage to mirroring a drive if it continues to update and you get a virus...would you agree?

She has a backup on an external drive that I will check for viruses now.

I am starting to agree with you about a rebuild or she may want to upgrade her computer as it is getting old.

Let me know about the backup I did and then I'll run Dial-A-Fix.

Do you know anything about Norton Power Easer?
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
I confess to not knowing much about Norton Power Eraser - however I'm very wary of utilities that automate the deletion of things, especially registry entries (I believe it does these things?)

You're right about the RAID mirroring - undoubtedly a great facility, but adds an extra layer of complexity where a virus that utilises raw commands to access disks is involved...!

I'm thinking that scanning her backup (and any USB flash/pen drives she might have used with this system prior to your support work starting) is a must - do this either using a completely separate computer with up-to-date AV -OR- boot her computer into another non-Windows OS (which can't be infected by Win32 PE code). Once you've verified those items are clean, you could optionally retain one of the disks from the mirror set (just for ultra-caution against some obscure piece of data you haven't yet backed up) and then you're in place to start again.

You mentioned maybe upgrading the PC - I'd say if nothing else, please oh please ensure new HDDs are used! If you ever need to access the old disk with the mirror on it, again slave it to another machine or use another OS when accessing it.

How's this sounding so far Mags - have I missed any of the questions you asked?
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
I would suggest using RAID 1 (mirroring) because it provides redundancy. If one drive goes bad, just pop out the bad drive, install a new one and let the RAID controller rebuild the array.
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
meko72:
I would suggest using raid 1 (Mirroring) because it provide redundancy. If one drive goes bad just pop out the bad drive and Install new one and let the raid controller rebuild the array.

which would include any malware that was within the logical volumes in the mirror set... You see the difficulty? I wasn't "dissing" RAID 1 or 1+0 - it's brilliant - but not helpful here as it adds yet another thing to scan, and you can't easily slave said disk to another machine for scanning (though I know it's not impossible, just an extra hassle).
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Hapexamendios: and meko72: are you here...I'm really nervous about running Dial-A-Fix.
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
I am here!  what do you need?
0
 
LVL 9

Assisted Solution

by:meko72
meko72 earned 278 total points
Comment Utility
When you run Dial-a-fix, click the green check mark box, then press GO.

Once that is finished, click on the hammer. Run the following one at a time:
1. Reinstall WMI/WBEM
2. Repair Permissions
3. Reset Help and Support services
4. Reset Networking Interface (this repairs any corrupt IP stack)
5. Reset WMI/WBEM
6. SFC purge
7. SFC Scan (if this prompts you for a CD, insert the CD it's asking for; if you don't have the CD just cancel the process)

0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Thanks meko72:
I backup up her Document folder but not all her app data...will that all go away?  Should I backup the entire Documents and Settings...I've pulled the drive so it would be easy.
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
Hapexamendios: Once the user cleans the hard drive, both hard drives (mirrors) are clean.
0
 
LVL 9

Assisted Solution

by:meko72
meko72 earned 278 total points
Comment Utility
No, the Documents folder should not go away. I have used this application umpteen times and have never lost anything. I would back up just to make sure.
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
Things are looking good, Dial-a-fix did a ton.  More scans to do to double check, autoupdate working...didn't lose Document folder...Yeah!!  You all are awesome!!!!!!!!!!!!!!!!!
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
MSE did find an axxxxx (don't remember the actual name...I'm exhausted) virus, UGGGGGHHH!  It says it has removed it before?  The machine is running sooooooo much better, I'll look again with fresh eyes in the early morning (MST).  Thanks again for all your help.

Any suggestions?  I will look upon waking...suggested scans??? Or is this the beginning of the end??  I hate to give up!!!!!!!!!!!!!!!!  Dial-a-fix was amazing!!

I just ran Rogue Killer on another machine...what do you think for this situation?
0
 
LVL 2

Assisted Solution

by:Hapexamendios
Hapexamendios earned 110 total points
Comment Utility
Nice work all :) (self excluded)

@Mags

I was doing some research recently, and noted that Skype users were prone to a recent deluge of FakeAV (which often wraps TDSS and other rootkits). The messages, with a Windows XP backdrop, advised that <insert currently installed AV software here> was being upgraded. If the user clicked OK, then BANG - pwn'd.

You'll want to keep scanning until you get clean results, just like with a disk integrity check. On the basis that tools suggested by other users have achieved better results, I defer to them on which to use :) But I can't stress enough that you probably want to patch everything on that machine not just MS products, particularly:

Adobe - any products on there, get to latest version (Reader, Shockwave and Flash in particular)
Apple - recent 40+ critical vulnerabilities fixed in iTunes
Skype - check it to be sure
Java - get to latest version, then check for and remove any older versions
Firefox - again go for latest

Thanks to the CanSecWest "Pwn2Own" hacker contest, lots of the providers patched long-outstanding vulnerabilities, any of which might have been the point of entry.

Cheers!
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility

@meko72:

Let's not spoil a good effort by arguing; I accept what you say at face value, but I think you might be underestimating the complexity of modern rootkits. They use kernel-mode, often undocumented API calls and other techniques to directly create a little portion of disk space especially for themselves on the physical disk. This is achieved by talking directly to the disk controller, lopping a tiny amount (1MB or less) off the free space on a disk.

It wouldn't take much to do this on "x" disks, where "x" is the number of disks, and adjust the array's byte count of each drive so that the volume(s) are never seen. Do you see what I mean? In effect the data involved is therefore not part of the mirroring. These tiny 1MB partitions are how this stuff survives a reboot - and when the computer comes up, the code removes the volume and all files on disks, heading into memory reserved for kernel-mode, and stealthing itself by constantly copying itself to new memory regions on a pseudo-random basis.

That's my understanding anyway, and makes me less likely to offer advice that it should be OK. And of course none of what I've said here applies to stuff that IS visible on your disks and in your partitions; that would of course work exactly as you have described it.

Peace... :)
0
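An added example (not code from the thread or from any tool named in it) of the defender's check that follows from this description: a Python comparison of a disk's current MBR with a copy saved while the machine was known clean, reporting a rewritten boot sector, partition bounds that moved, and growth of the unallocated space at the end of the disk. The disk size, boot-code bytes and both MBRs are constructed; on a real machine the 512 bytes would be read from the disk while booted into another OS, as recommended earlier in the thread.

```python
"""Compare a disk's MBR against a known-clean baseline copy."""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table: 4 entries of 16 bytes
SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510-511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a hash of its boot code and its used partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR (wrong length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        ptype = mbr[off + 4]                                  # partition type byte
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:                         # skip empty slots
            parts.append({"slot": i, "type": ptype, "start": start_lba, "count": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest(),
            "partitions": parts}


def tail_sectors(parsed: dict, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    if not parsed["partitions"]:
        return disk_sectors
    last_end = max(p["start"] + p["count"] for p in parsed["partitions"])
    return disk_sectors - last_end


def compare_to_baseline(current: bytes, baseline: bytes, disk_sectors: int) -> list:
    """List what changed between the known-clean MBR and the current one."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline (MBR rewritten)")
    grown = tail_sectors(cur, disk_sectors) - tail_sectors(base, disk_sectors)
    if grown > 0:
        # A partition that shrank leaves space no volume accounts for; some slack is
        # normal from geometry rounding, so compare against the baseline, not zero.
        findings.append(f"unallocated tail grew by {grown} sectors ({grown * SECTOR // 1024} KiB)")
    by_slot = {p["slot"]: p for p in base["partitions"]}
    for p in cur["partitions"]:
        b = by_slot.get(p["slot"])
        if b is None:
            findings.append(f"slot {p['slot']}: new partition (type 0x{p['type']:02x})")
        elif (p["start"], p["count"]) != (b["start"], b["count"]):
            findings.append(f"slot {p['slot']}: bounds changed "
                            f"{b['start']}+{b['count']} -> {p['start']}+{p['count']}")
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed test MBR: boot code padded to 446 bytes, then (type, start, count) entries."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, start, count) in enumerate(partitions):
        off = TABLE_OFFSET + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Constructed sample: a 20,000,000-sector disk with one NTFS (type 0x07) partition.
DISK_SECTORS = 20_000_000
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0", [(0x07, 63, 19_999_937)])
# The same disk after the partition was shortened by 2048 sectors (1 MiB) and the boot
# code replaced: the kind of change the discussion above describes.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90", [(0x07, 63, 19_997_889)])

if __name__ == "__main__":
    for line in compare_to_baseline(TAMPERED_MBR, CLEAN_MBR, DISK_SECTORS):
        print(line)
```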
 
LVL 9

Expert Comment

by:meko72
Comment Utility
Mags

In the past I have had to uninstall all of the .NET Framework and reboot to get a virus off of a machine.
I would go ahead and run SuperAnti Spyware and Malwarebytes.

There is another utility called Rkill. When you run it, it will find any backdoors, malware, Trojans and rootkits that might be running and kill them.
I use this application after I have cleaned a machine just to make sure.  The link is below.
http://www.bleepingcomputer.com/forums/topic308364.html
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
meko72:  Will uninstalling .NET Framework interfere with the running of any programs...I assume I would reinstall afterward.
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
@Mags

Removing .Net from an MCE 2005 Edition computer will sadly trash it completely. If others can say different I bow to their expertise and wait for their advice eagerly.

My MCE 2k5 machine is still offline after two years because I got tired of issues with .Net framework patches!

I'm curious as to why uninstalling it might be needed, though. I guess some of these things are .Net based naturally?

Not good in this specific case though :(

What's current status, Mags? Is MSE or other generating fresh alerts?
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
No...things are running well.  I got a blue screen error related to a driver issue...with HPProductAssistant needing a disk????? I uninstalled and reinstalled the new printer software they just recently added.

They needed the computer back so I will run a couple more scans remotely.  I should have things completed by tomorrow…then will close the event.

They are still considering a clean reinstall or a new computer as a safety precaution.
0
 
LVL 2

Expert Comment

by:Hapexamendios
Comment Utility
Sounds good - accept what is a low risk in the short term, and maybe, for similar features, go up to Win 7?

wait to hear what comes, then.

Cheers,
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
If the machine is running fine, then I wouldn't uninstall / reinstall .NET Framework if you don't have to.
I have cleaned a handful of infected machines in the past and the final step for me towards success was to uninstall and reinstall .NET Framework.
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
SSharma:  in your post on 3/21 ID: 35183210 you sent instructions to run Windows Recovery Console.  When I ran Combofix did that do the same thing?
0
 
LVL 9

Expert Comment

by:meko72
Comment Utility
When you first run Combofix if the recovery console is not installed it will prompt you to install it.

Is the machine running better, when you run scans are they coming up clean??
0
 

Author Comment

by:MagsMcKinley14
Comment Utility
As far as I know...I wanted to rerun a couple scans but I will need to do that remotely...have not heard when that will be convenient.  Thanks everyone...I feel like I have been to Virus Removal Bootcamp!
0
 

Author Closing Comment

by:MagsMcKinley14
Comment Utility
After running further scans everything is coming up clean, computer is running well and printer is reinstalled!
Thank you so much for all your assistance!!!  It is greatly appreciated!
Warm regards,
Mags
0
