Infected PC please help.

Hello peeps
I have this annoying problem. Every time I start Windows, Comodo AV finds an unclassified malware (C:\WINDOWS\system32\drivers\lqpkgp.sys: UnclassifiedMalware@8553329). I've already submitted it to Comodo for analysis. When I try to scan a file with Comodo by right-clicking it, it says "anti virus engine not initialized!"
I guess I picked up this virus from a friend's computer; I'd connected my cell phone (via USB) to transfer some photos to his computer a few days ago.
The computer is very slow and some security software (Malwarebytes, CCleaner, Spybot Search & Destroy) won't work at all. I also tried installing Avira AV but the setup won't run, and it won't let me install McAfee SiteAdvisor either. The malware seems to delete their executables and other essential files or cause some registry modifications and conflicts. This seems like virus activity to me. I ran a full system scan for malware but Comodo didn't find anything. The scan took an exceptionally long time to finish.
I'd reformatted my C drive and did a clean Windows install in the hope that it'd solve the problem, but it persists. I guess the malware hid itself on my other drives as well and now has access to C again.

Is there any online scanner I could use? What should I do to clean my computer?

Specs:
Windows XP SP2
512 MB physical memory
40 GB HDD

I really need help guys.
Any help will be greatly appreciated.
Regards.

Have you tried running a Malwarebytes scan in Safe Mode?

You can try this guide.

What to do if you’re infected - eXPerience Rev.3

If the programs don't work in normal mode you can try Safe Mode; you can see how to start in Safe Mode here: To start the computer in safe mode

Please post back with the results, and good luck.

This is terrible. I tried booting in Safe Mode to run scans, but the computer won't boot in Safe Mode. It'd load some files and restart again and won't go into Safe Mode. :frowning:
As if this was not enough, now I can't even run HijackThis. It crashes, Explorer crashes randomly, and I also get a Windows runtime error that says
"runtime error 217 at 400E9A9". I've blocked some suspicious files through D+ but it's not much help. However I was able to run Advanced Windows Care, IObit Security 360 and Comodo AV (all with latest definitions) but they came up empty (scans take exceptionally long to complete). Windows is still sick and it seems to be getting worse. :cry:
Help please.

Ok then you're going to need a second computer and a CD.

Also disconnect the infected computer from the internet; it could be downloading other malware.

Go here: http://www.avira.com/en/support/support_downloads.html and download the first Avira AntiVir Rescue System to your second PC.

Then get a disk, run the exe and let it burn to the disk.

After that is done, put it in your infected computer's CD tray and reboot the infected PC; see if it works. If it doesn't, there should be a key that will let you select the boot order. It is usually "Delete", "F1" or "F10"; it should say on screen at boot-up what key it is. Select Boot from CD.

Good luck.

The other PC is running Windows Vista, so will it work? Shall I try booting the infected PC with the Windows XP CD instead? Even if it does boot in Safe Mode, what will I scan it with?

Sorry for the previous quote, it didn't make much sense. :-[

Anyway, I did what you said. I had to configure the system to boot from the CD. I ran scans twice, both in all-files and smart-scan mode; I'd set it to repair the files found as malicious. It did seem to find some trojans and trojan downloaders but was unable to fix/delete them.
I traced one of the malwares >>> "C:\WINDOWS\Temp\winroyfiq.exe" and tried to manually delete it, but it said access denied. Any idea how to remove it?

Basically Avira was unable to remove the malware from my system and it didn't work for me.

D+ often reports files with random names trying to modify a protected key; I block them.
Another strange behaviour: every time I turn on the computer Comodo finds updates and asks to install them. Once I do it and restart, it seems to have lost its updates and gives the message "updates for Comodo available". The Comodo AV definition version is up to date (2643).

However I was able to run HijackThis and here is the log it created.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:20 PM, on 10/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0027661255841221) (0027661255841221mcinstcleanup) - Unknown owner - C:\DOCUME~1\parot\LOCALS~1\Temp\002766~1.EXE (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe


End of file - 3779 bytes

Your assistance would be deeply appreciated.
Regards.
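A HijackThis log like the one above is a list of load points, not a verdict; the analyst's job is to pick out the entries worth checking. The following is an added example (not from the original thread or from any of the tools named in it) of a small triage pass over such a log: it flags entries whose binary lives in a Temp directory, services with no known publisher, entries whose file is missing, and AppInit_DLLs, which load into every GUI process. The sample log is constructed from lines in the same format as the posted log, plus one hypothetical O4 line that assumes the winroyfiq.exe file mentioned in the thread had a Run entry.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis format. The last line is hypothetical and
# only assumed for illustration; it does not appear in the posted log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [COMODO Internet Security] "C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe" -h
O4 - HKCU\\..\\Run: [SUPERAntiSpyware] C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\guard32.dll
O23 - Service: McAfee Application Installer Cleanup (0027661255841221) (0027661255841221mcinstcleanup) - Unknown owner - C:\\DOCUME~1\\parot\\LOCALS~1\\Temp\\002766~1.EXE (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe
O4 - HKLM\\..\\Run: [winroyfiq] C:\\WINDOWS\\Temp\\winroyfiq.exe
"""

# First drive-letter path ending in a binary extension on the line.
WIN_PATH = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|sys)', re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the section entries (O4, O20, O23, ...) that deserve a closer look.

    Each finding carries the section id, the extracted path and the reasons.
    Legitimate products can trip these heuristics, so a hit means 'verify', not 'remove'.
    """
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r'O\d+ - ', line):
            continue  # header and running-process lines are not load points
        match = WIN_PATH.search(line)
        path = match.group(0) if match else ''
        reasons: List[str] = []
        if '\\temp\\' in path.lower():
            reasons.append('binary runs from a Temp directory')
        if '(file missing)' in line:
            reasons.append('load point registered but binary is missing')
        if line.startswith('O23') and 'Unknown owner' in line:
            reasons.append('service with no known publisher')
        if line.startswith('O20') and 'AppInit_DLLs' in line:
            reasons.append('AppInit DLL is injected into every GUI process; verify publisher')
        if reasons:
            findings.append({'entry': line.split(' - ', 1)[0],
                             'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in triage(SAMPLE_LOG):
        print(hit['entry'], hit['path'], '->', '; '.join(hit['reasons']))
```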

Did you check the option “Rename files if they cannot be removed”?

http://www.youtube.com/watch?v=N4lTAgDH9pw&feature=channel_page

There are many rescue CDs available for download, with different functions built in. Google "911 rescue cd" for some links. To delete the file, you could boot with the Windows XP CD, choose the Repair option and use the command prompt to delete the offending file.

You also could download a version of Linux that runs from CD or USB, like Knoppix from ww.knoppix.net. Make sure it has NTFS support (if your XP is NTFS). If your XP runs on a FAT32 partition, download a Win98 or ME boot disk from www.bootdisk.com.

Hope it helps

Cheers

No I didn't, is it necessary? And would renaming help?

I have Windows XP on an NTFS file system. But what good is Linux over Windows? I'm sorry if that sounds stupid but I don't have much knowledge about platforms other than Windows. However I'll try to repair the installation and delete the Trojan file I tracked, but would it really help?? ??? As I've already reformatted the whole C drive (Windows) and did a clean Windows reinstall but the problem still persists. Maybe the malware is on other drives of the system too. I've got exams from tomorrow so I might not reply very promptly about the results, but I'm eager to resolve this issue. CIS has missed it. :-\

Watch the video (link on my post) and give it another try with the Avira CD.

When it cannot remove the infections it renames them and that neutralizes them.

Thanks,
I'll give Avira another try with the renaming option enabled and let you know the results.
Regards.

> reformatted the whole C drive(windows) and did a clean windows reinstall but the problem still persists.

====================================================
comoder - This is not for you, but for another expert about your computer problem

If reformatting the computer with a new reinstall fails :cry: I was thinking maybe an MBR rootkit is a possibility. What do you think of a —{MBR repair kit}------??? like the one from here

I was also thinking a-squared Free from download.com: install, then change one of the options to add beta updates, then update, then run in Safe Mode???

Does anybody know if Dr. Web's Live CD is capable of removing an MBR rootkit?

Hi EricJh,

As far as I know Dr. Web CureIt! is capable of fighting and removing MBR rootkits (so can GMER).

Have a look at their site/forum; that would be the best place to ask.
Here is the English forum: http://forum.drweb.com/index.php?showforum=27
I know that there is a "Live CD" section in the Russian section: http://forum.drweb.com/
(if there are any questions with translation I can help)

At the same time there is no way to guarantee anything unless all required information is provided and a certified professional reviews and analyzes that information.

I am very surprised that it is not the first time users are posting a HijackThis report and they are not stopped from doing that ???

It is a big mistake to consider HijackThis (HJT) a malware removal tool.
No! By all means. It does what it does and basically is used for identifying browser hijackers ... no more than that. It can show some presence of malware, which is different from the above, but you cannot fight it with HJT alone.

The respective site for removal of the suspected infection has to be visited and the user has to supply all needed preliminary reports. HJT or HiJackFree (by a-squared) log files may be just a part of the investigation.

But again, answering your question - yes - Dr. Web can help with an MBR rootkit.

My regards

Thanks J, I'd tried that tool and it found no rootkit infections. I'll explain more in my next post.

Hi people, sorry for not keeping up. I got a bit busy. ;D
I have quite a little story about the problem I'd mentioned.

That day I booted the computer again from the Avira rescue disk and scanned for malware with the rename option on. It found hundreds of viruses and one Trojan horse which had created/downloaded all the viruses. I scanned with HouseCall after boot; I did this several times, alternating, to get the system free from those malwares. The system was found to be infected with the Windows Sality virus. More than 350 executables were corrupt. All applications had the virus code, even CIS. However, during this process of deleting the virus my CIS died. cmdagent was not running.

I thought going to Safe Mode might give me some insight and options, and I tried to boot in Safe Mode, but it showed the same problem; it won't boot in Safe Mode. Then I opened the msconfig tool and set the computer to boot in Safe Mode. I restarted but the system won't boot; it said Windows can't run in Safe Mode and would take me back to the OS choice menu. The bad part is that no matter what option I selected I'd be returned to that page again and again. The system won't boot in any mode. Maybe my mistake was to force the safe boot. :-\

I inserted the Windows XP disk and did a Windows installation repair, but it was no use. It didn't work and Windows won't start. So I reformatted (Windows partition only); I didn't have much to lose so I did it... Now I'm reinstalling everything again and the nightmare seems to have ended (fingers crossed). However I'm still running a HouseCall online scan just to make sure no malware escaped hidden on any other drives.

I think it's a good idea to keep your Windows installation in a small partition; it could limit the growth of malware and would prevent massive data loss in case you get into a situation with no way out but formatting.

The 2 things that really helped me were the Avira AntiVir Rescue System (burned on a CD) (thanks to omelet guy) :) and Trend Micro's HouseCall; both work great.
These are a couple of very powerful tools to get a sick PC up and working again.

However, sigh, what I feel bad about in the whole thing is that CIS missed the virus. Sality isn't a very new virus. The real-time scanner didn't catch the malware when it got transferred to my PC from the phone I'd connected it to. It makes me wonder whether I would still have had to go through this pain had I been using Avira.

I thank everyone who reviewed my posts and once again I'm impressed with the forum's prompt response system and the nice helpful guys who hang out here. ;D

Sincere regards for your time and help. :slight_smile: :-TU

Glad you solved it.

Just out of curiosity, was your CIS in Proactive Security Configuration? And was it the latest 3.12xxxxx560?

Jose.