Asked by hypercube
Infected Vista Home Premium

I'm usually pretty successful cleaning up infected computers.  Some methodical processes, some intuition, some repairs.  But I'm stumped on this one.

TdssKiller won't run.  It starts by asking permission but that's as far as it gets.
Have run it under command line and no report results.
Combofix runs.
Rkill runs.
Malwarebytes
Superantispyware
HiJackThis!
ESET online scanner removed 2 Trojans.
Trojan Remover .... have all been used and some removed things.
Microsoft Security Essentials is installed but, at first, wouldn't run .. now does.
So, I've made progress.  By now I'd be finished.

Presently the system gets site redirects in Internet Explorer - so it's clearly not clean yet.

I'm looking for suggestions re: how to methodically go at detection and removal - in view of the fact that none of the usual tools have done the job so far. Some good written material would be preferred as "try this / try that" approaches are fine but are usually a "project" rather than instructive.  But any suggestions will be appreciated.
SOLUTION (ded_ch)
I have had good success with Windows Defender Offline.  You can download it below and create a 32-bit or 64-bit CD on a clean computer that is fully updated.

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
If it is just site redirection, it may simply be 1. proxy settings in the browser or 2. DNS settings in the Network Adapter properties. If you haven't already done so, I would start there.
SOLUTION
Thanks cmgibson for agreeing. But the Kaspersky rescue CD can be downloaded here for free:

(direct download link)
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

(link to download site)
http://support.kaspersky.com/4162
Even easier :-)
SOLUTION (Thomas Zucker-Scharff)
Hi tzucker:

I hear the argument of unprotected system files very often when people warn about the bootable CDs.

Here's my argument against that.
The bootable rescue CD will not (or is highly unlikely to) remove uninfected system files. If there is a system file infected, I'd rather have it deleted. It can afterwards be recovered easily through the rescue CD options (e.g. extracting it out of the install medium).

But I also agree with your pointer to the hosts file, as this is a likely place where redirection stems from. It depends however whether only a certain set of pages is redirected, or all of them. If it is all of them, the hosts file is not the right place to look, but rather the DNS configuration.
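The thread names three places a browser redirect can come from: the hosts file (only specific sites affected), the WinINET proxy or PAC setting in the browser, and the DNS servers on the network adapter (every site affected). The following triage script is an added example, not code from any poster in this thread; it assumes an elevated PowerShell 2.0 or later session on the affected machine, and the `$knownGoodDns` list is a placeholder you replace with the resolvers your network actually uses.

```powershell
# Added example: dump the three redirect sources discussed above so they can be
# compared against what the owner expects. Assumes an elevated PowerShell
# session; $knownGoodDns is a placeholder, replace with your real resolvers.

$hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$knownGoodDns = @('192.168.1.1')   # placeholder: router / ISP / corporate DNS

# 1. hosts file. Only entries that map a name to something other than loopback
#    are interesting; a partial redirect (some sites, not all) usually lives here.
Write-Host '== hosts entries not pointing at loopback =='
Get-Content $hostsPath | ForEach-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return }   # skip blanks/comments
    $ip = ($line -split '\s+')[0]
    if ($ip -ne '127.0.0.1' -and $ip -ne '::1') { Write-Host "  $line" }
}

# 2. Per-user WinINET proxy (what Internet Explorer uses). ProxyEnable=1 with a
#    ProxyServer you did not set, or an AutoConfigURL (PAC file), redirects
#    every browser that honours the system proxy.
Write-Host '== WinINET proxy settings (HKCU) =='
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
    Write-Host ('  {0} = {1}' -f $name, $inet.$name)
}

# 3. DNS servers on each IP-enabled adapter. If *all* sites redirect, the
#    resolver is the usual culprit; anything not in $knownGoodDns is flagged.
Write-Host '== DNS servers per IP-enabled adapter =='
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $servers = @($_.DNSServerSearchOrder)
    $flag = ''
    foreach ($s in $servers) {
        if ($s -and ($knownGoodDns -notcontains $s)) { $flag = '   <-- unexpected' }
    }
    Write-Host ('  {0}: {1}{2}' -f $_.Description, ($servers -join ', '), $flag)
}
```

Read the three sections together: a populated hosts section with a clean proxy and expected DNS points at a hosts-file edit; an empty hosts section with an unexpected resolver or PAC URL matches the "all sites redirect" case the reply above attributes to DNS configuration. The script only reports, so it can be run before and after each cleaning pass to confirm the change actually stuck.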
SOLUTION
ASKER (hypercube)

OK.  I built a SARDU disk with a number of AV programs on it and ran some of them.
Thank you all!

Even just before that, I managed to break the system (I think with HitManPro)

Safe Mode works.
Normal mode blue screen with 0x00000008e shortly after logging on - sometimes before Explorer opens and sometimes after.
I have tried disabling startup things but still no resolution of this.

In view of the fact that Safe Mode works, I'd like to try to fix it instead of doing a repair or reinstall.
Ran sfc - no help.

Now looking for solutions to the BSOD
Some odd things about this system:
- I can't change the time that the boot selections stay up.  I set 4 seconds but it's still at 30.
- When Safe Mode starts, the System Properties dialog opens.  Very odd.
- "System Failure Automatic Restart" won't stay unchecked through a boot cycle.
I have turned off almost all services at boot and it still blue screens.
There are almost no entries in the startup list and I've turned all of them off - pretty benign things like Adobe, Apple, etc.  only 4 of them.
I don't see anything in a Startup folder.
If there are any logs from the antivirus programs you ran, check to see if any core Windows files were deleted/quarantined.
The fact that TDSSKiller won't run makes me believe there is still something in there.  Have you tried it in safe mode?  I always check the option to detect the TDLFS file system.
I have also been having great success with the Microsoft Safety Scanner; try running it: http://www.microsoft.com/security/scanner/en-us/default.aspx
Stop 0x0000008E errors point to ram so you might want to run a memory test.  Get the free ISO image of http://www.memtest86.com/
Good ideas ...  Right now I have to get past the BSOD!!
That it works in Safe Mode is somewhat assuring but how to get there?
Can you give us a picture of the blue screen?  I would like to see the full error codes it presents, not just the main one.

Error 0x00000008e represents a kernel mode exception not handled by a driver. If I can see the *.dmp file it generated and also a picture of the dump screen it may show what exactly is crashing your system. The dump files should be located here: C:\Windows\Minidump\.
Care to share the latest HijackThis log, in safe mode first maybe?
ASKER CERTIFIED SOLUTION
Hard to extract things on a system that isn't working very well.
So, in the interest of time, reinstalled Windows as the BSOD issue wasn't ever fixed.  
Thanks for the help.
The suggestions are very good and will use for future reference!!