Author Topic: Infected PC please help.  (Read 2298 times)
comoder
The best things are always free.
« on: October 17, 2009, 11:28:51 PM »

Hello peeps
I have this annoying problem. Every time I start Windows, Comodo AV finds an unclassified malware (C:\WINDOWS\system32\drivers\lqpkgp.sys: UnclassifiedMalware[at]8553329). I've already submitted it to Comodo for analysis. When I try to scan a file with Comodo by right-clicking it, it says "anti virus engine not initialized!"
I guess I picked up this virus from a friend's computer; I'd connected my cell phone (via USB) to transfer some photos to his computer a few days ago.
The computer is very slow and some security software (Malwarebytes, CCleaner, Spybot Search and Destroy) won't work at all. I also tried installing Avira AV but the setup won't run, and it won't let me install McAfee SiteAdvisor either; the malware seems to delete their executables and other essential files or cause some registry modifications and conflicts. This seems like virus activity to me. I ran a full system scan for malware but Comodo didn't find anything. The scan took an exceptionally long time to finish.
I'd reformatted my C drive and did a clean Windows install in the hope that it'd solve the problem, but it persists. I guess the malware hides itself on my other drives as well and now has access to C again.

Is there any online scanner I could use? What should I do to clean my computer?

Specs:
Windows XP SP2
512 MB physical memory
40 GB HDD

I really need help, guys.
Any help will be greatly appreciated.
Regards.
miketowninc
« Reply #1 on: October 17, 2009, 11:43:57 PM »

Have you tried running a Malwarebytes scan in Safe Mode?
OmeletGuy (Global Moderator)
Good gamer, Omelet Chef, Rogue AV hater!
The only thing I ask for are eggs.
« Reply #2 on: October 18, 2009, 12:32:05 AM »

You can try this guide.

What to do if you're infected - eXPerience Rev.3

If the programs don't work in normal mode you can try Safe Mode; you can see how to start in Safe Mode here: To start the computer in safe mode

Please post back with the results, and good luck.


Happy New Year and Holidays
Please follow forum policy. Thank you.
comoder
« Reply #3 on: October 18, 2009, 01:08:21 AM »

This is terrible. I tried booting in Safe Mode to run scans, but the computer won't boot in Safe Mode: it loads some files and restarts again and won't go into Safe Mode.
As if this was not enough, now I can't even run HijackThis; it crashes. Explorer crashes randomly, and I also get a Windows runtime error that says
"runtime error 217 at 400E9A9". I've blocked some suspicious files through D+ but it's not much help. However, I was able to run Advanced Windows Care, IObit Security 360 and Comodo AV (all with the latest definitions) but they came up empty (scans take exceptionally long to complete). Windows is still sick and it seems to be getting worse.
Help please.
comoder
« Reply #4 on: October 18, 2009, 01:22:50 AM »

Quote from: OmeletGuy
You can try this guide.

What to do if you're infected - eXPerience Rev.3

If the programs don't work in normal mode you can try Safe Mode; you can see how to start in Safe Mode here: To start the computer in safe mode

Please post back with the results, and good luck.

I'd love to use HijackThis and Malwarebytes, if only they would run. They're not running on my PC. I uninstalled HijackThis and tried reinstalling, but the installer crashes.
Windows won't run in Safe Mode. This seems very serious to me.


OmeletGuy
« Reply #5 on: October 18, 2009, 01:35:09 AM »

OK, then you're going to need a second computer and a CD.

Also disconnect the infected computer from the internet; it could be downloading other malware.

Go here: http://www.avira.com/en/support/support_downloads.html and download the first Avira AntiVir Rescue System to your second PC.

Then get a disk, run the exe and let it burn to the disk.

After that is done, put it in your infected computer's CD tray, reboot the infected PC and see if it works. If it doesn't, there should be a key that will let you select the boot order; it is usually "Delete", "F1" or "F10", and it should say on screen at boot-up what key it is. Select Boot from CD.

Good luck.
comoder
« Reply #6 on: October 18, 2009, 02:27:46 AM »

Quote from: OmeletGuy
OK, then you're going to need a second computer and a CD.

Also disconnect the infected computer from the internet; it could be downloading other malware.

Go here: http://www.avira.com/en/support/support_downloads.html and download the first Avira AntiVir Rescue System to your second PC.

Then get a disk, run the exe and let it burn to the disk.

After that is done, put it in your infected computer's CD tray, reboot the infected PC and see if it works. If it doesn't, there should be a key that will let you select the boot order; it is usually "Delete", "F1" or "F10", and it should say on screen at boot-up what key it is. Select Boot from CD.

Good luck.

The other PC is running Windows Vista, so will it work? Shall I try booting the infected PC with the Windows XP CD instead? Even if it does boot in Safe Mode, what will I scan it with?
comoder
« Reply #7 on: October 18, 2009, 06:03:36 AM »

Sorry for the previous quote, it didn't make much sense.

Anyway, I did what you said. I had to configure the system to boot from the CD. I ran scans twice, in both all-files and smart-scan mode, and I'd set it to repair the files found as malicious. It did seem to find some trojans and trojan downloaders but was unable to fix/delete them.
I traced one of the malwares >>> "C:\WINDOWS\Temp\winroyfiq.exe" and tried to delete it manually, but it said access denied. Any idea how to remove it?


Basically Avira was unable to remove the malware from my system, and it didn't work for me.

D+ often reports files with random names trying to modify a protected key; I block them.
Another strange behaviour: every time I turn on the computer Comodo finds updates and asks to install them. Once I do it and restart, it seems to have lost its updates and gives the message "updates for Comodo available". The Comodo AV definition version is up to date (2643).

However, I was able to run HijackThis and here is the log it created.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:20 PM, on 10/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs:     C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0027661255841221) (0027661255841221mcinstcleanup) - Unknown owner - C:\DOCUME~1\parot\LOCALS~1\Temp\002766~1.EXE (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

--
End of file - 3779 bytes

Your assistance would be deeply appreciated.
Regards.
« Last Edit: October 18, 2009, 06:21:41 AM by comoder »
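The log above is the kind of thing the thread's helpers read by eye: services with no recognised owner, registered binaries that are missing or live in a Temp folder, an AppInit_DLLs entry, and file names that look machine-generated. As an added example (not a tool from this thread, from HijackThis or from Comodo), the Python script below applies those same reading rules to a constructed sample made from a few of the log lines above plus the two file paths the poster named. The O4 line for winroyfiq.exe is constructed for illustration, and the thresholds in looks_random are assumptions rather than a published rule.

```python
"""Triage a HijackThis-style log and a few reported file paths (added example)."""
import re

# Constructed sample (not a real log): five lines copied from the log posted
# above plus one constructed O4 entry built around the winroyfiq.exe path the
# poster mentioned, so the Temp-directory rule has something to catch.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [winroyfiq] C:\WINDOWS\Temp\winroyfiq.exe
O20 - AppInit_DLLs:     C:\WINDOWS\system32\guard32.dll
O23 - Service: McAfee Application Installer Cleanup (0027661255841221) (0027661255841221mcinstcleanup) - Unknown owner - C:\DOCUME~1\parot\LOCALS~1\Temp\002766~1.EXE (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# The two paths the thread names as detections (taken from the poster's messages).
REPORTED_PATHS = [
    r"C:\WINDOWS\system32\drivers\lqpkgp.sys",
    r"C:\WINDOWS\Temp\winroyfiq.exe",
]

# First Windows path in a line that ends in an executable-type extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)", re.IGNORECASE)
ENTRY_RE = re.compile(r"(O\d+) - (.*)")


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(name):
    """Crude 'made-up name' test (assumed thresholds): the stem is all letters,
    at least six long, and either has no vowel or a run of 4+ consonants."""
    stem = name.rsplit(".", 1)[0].lower()
    if not stem.isalpha() or len(stem) < 6:
        return False
    if not any(c in "aeiouy" for c in stem):
        return True
    return re.search(r"[^aeiouy]{4,}", stem) is not None


def flag_path(path):
    """Reasons a file path deserves a closer look."""
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("runs from a Temp directory")
    if looks_random(file_name(path)):
        reasons.append("file name looks machine-generated")
    return reasons


def flag_entry(section, body):
    """Reasons one HijackThis O-line deserves a closer look."""
    reasons = []
    if section == "O20" and "AppInit_DLLs" in body:
        reasons.append("AppInit_DLLs is loaded into every user-mode process; confirm the vendor")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no recognised publisher")
    if "(file missing)" in body:
        reasons.append("registered binary is no longer on disk")
    match = PATH_RE.search(body)
    if match:
        reasons.extend(flag_path(match.group(0)))
    return reasons


def triage_log(log):
    """Return [(line, reasons)] for every O-line that raised at least one reason."""
    hits = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reasons = flag_entry(m.group(1), m.group(2))
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


def triage_paths(paths):
    """Apply the path rules to a list of paths reported by a scanner."""
    return {p: flag_path(p) for p in paths}


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line[:70], "->", "; ".join(reasons))
    for path, reasons in triage_paths(REPORTED_PATHS).items():
        print(path, "->", "; ".join(reasons) or "nothing flagged")
```

On the sample this flags the constructed winroyfiq entry (Temp directory), the guard32.dll AppInit_DLLs line (for vendor confirmation only; the thread identifies it as part of Comodo's own installation) and the leftover McAfee cleanup service (unknown owner, missing binary, Temp path), and it flags lqpkgp.sys on its name alone. Treat the output as a reading order, not a verdict: the consonant-run rule would also trip on legitimate names such as wmiprvse.exe from the process list above.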
Jose_Lisbon
« Reply #8 on: October 18, 2009, 06:43:33 AM »

Did you check the option "Rename files if they cannot be removed"?

http://www.youtube.com/watch?v=N4lTAgDH9pw&feature=channel_page
« Last Edit: October 18, 2009, 07:01:22 AM by Jose_Lisbon »
bulgroz
« Reply #9 on: October 18, 2009, 06:55:54 AM »

There are many rescue CDs available for download, with different functions built in. Google "911 rescue cd" for some links. To delete the file, you could boot with the Windows XP CD, choose the Repair option and use the command prompt to delete the offending file.

You could also download a version of Linux that runs from CD or USB, like Knoppix from ww.knoppix.net. Make sure it has NTFS support (if your XP is on NTFS). If your XP runs on a FAT32 partition, download a Win98 or ME boot disk from www.bootdisk.com.

Hope it helps

Cheers
comoder
« Reply #10 on: October 18, 2009, 09:40:54 AM »

Quote from: Jose_Lisbon
Did you check the option "Rename files if they cannot be removed"?

http://www.youtube.com/watch?v=N4lTAgDH9pw&feature=channel_page

No, I didn't. Is it necessary? And would renaming help?
comoder
« Reply #11 on: October 18, 2009, 10:02:09 AM »

I have Windows XP on an NTFS file system. But what good is Linux over Windows? I'm sorry if that sounds stupid, but I don't have much knowledge about platforms other than Windows. However, I'll try to repair the installation and delete the Trojan file I tracked, but would it really help?? As I've already reformatted the whole C drive (Windows) and did a clean Windows reinstall, but the problem still persists. Maybe the malware is on other drives of the system too. I've got exams from tomorrow so I might not reply very promptly about the results, but I'm eager to resolve this issue. CIS has missed it.
Jose_Lisbon
« Reply #12 on: October 18, 2009, 10:22:22 AM »

Watch the video (link on my post) and give it another try with the Avira CD.

When it cannot remove the infections it renames them, and that neutralizes them.
« Last Edit: October 18, 2009, 10:25:32 AM by Jose_Lisbon »
comoder
« Reply #13 on: October 18, 2009, 10:45:48 AM »

Thanks.
I'll give Avira another try with the renaming option enabled and let you know the results.
Regards.
jay2007tech (Malware Research Group)
« Reply #14 on: October 18, 2009, 12:58:56 PM »

Quote from: comoder
reformatted the whole C drive(windows) and did a clean windows reinstall but the problem still persists.

====================================================
comoder - This is not for you, but for another expert, about your computer problem

If reformatting the computer with a fresh reinstall fails, I was thinking maybe an MBR rootkit is a possibility. What do you think of a ---{MBR repair kit}------??? like the one from here
http://www.free-av.com/en/tools/9/avira_boot_sector_repair_tool.html

I was also thinking a-squared Free from download.com. Install, then change one of the options to add beta updates, then update, then run in Safe Mode???
============================================================

It's hard being a crooked Admin when the files won't pass an md5checksum test. But like any other good crooked Admin it can be done, it just takes time (and lots of it) and a few aspirins
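The MBR-rootkit idea above survives a reformat of C: because the first sector of the disk is not part of any partition, so a reinstall of Windows into a partition leaves it untouched. As an added example (not the Avira boot sector repair tool the post links to, nor anything from this thread), the Python below shows the check such a repair tool performs in principle: parse the 512-byte sector, verify the 0x55AA signature, read the partition table, and detect whether the 440-byte boot code differs from a known-good copy. Both sectors are constructed in memory; the boot code bytes are placeholders, not real x86 code, and the partition geometry is an assumption.

```python
"""Compare a suspect MBR against a known-good copy (added example)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # classic MBR: boot code, then disk signature at 440
TABLE_OFFSET = 446           # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions, disk_sig=0x12345678):
    """Assemble an MBR from boot code and up to four (bootable, type, lba, count)
    tuples. Constructed data for the example, not read from a real disk."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b""
    for bootable, ptype, lba, count in partitions:
        table += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                             b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    table = table.ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the boot signature state, a hash of the boot code and the used partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "count": count})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(baseline, suspect):
    """List human-readable differences; an empty list means the suspect matches."""
    base, sus = parse_mbr(baseline), parse_mbr(suspect)
    findings = []
    if not sus["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != sus["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["partitions"] != sus["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed baseline: placeholder boot code and one NTFS (type 0x07) partition
# starting at LBA 63, an assumed layout for a single-partition XP disk.
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
XP_LAYOUT = [(True, 0x07, 63, 78140097)]
BASELINE_MBR = build_mbr(GOOD_BOOT_CODE, XP_LAYOUT)

# Constructed suspect: same partition table, first bytes of the boot code
# overwritten, which is what a boot-code replacement would look like on disk.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + GOOD_BOOT_CODE[2:], XP_LAYOUT)

if __name__ == "__main__":
    print("baseline vs itself:", compare_mbr(BASELINE_MBR, BASELINE_MBR) or "match")
    print("baseline vs tampered:", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

In practice the baseline would be the boot code the installer writes, read from a clean disk or documented by the vendor, and the suspect sector would be read from the disk while booted from rescue media so the running system cannot hide it. Checking the partition table separately matters because a bootkit can keep the table intact while replacing only the code, which is exactly the case the tampered sample reproduces.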
Tags: virus, malware, infection, help