Help removing malware

I need help removing malware from my XP Pro machine.

I first noticed something was wrong when web browsing was unusually slow on that machine and sometimes wouldn't work at all. Windows Task Manager showed a process called ns233.tmp running. Killing it would just make it restart itself.

Google results would point to go.google.com rather than the result when clicked.

Also, when Windows loads, NOD32 would display a message that it had blocked access to the URL in the attachment.

The first thing I did was to run a virus scan. Although when I came back to check on it the machine had locked up, NOD32's reports didn't seem to have anything.

Then I ran PC Tools Spyware Doctor, which removed some tracking cookies and spyware that didn't match the symptoms at all.

I Googled ns233.tmp and found that it seems to be caused by known malware. Unlike that user, however, I never installed "XP antivirus". I went to all the computer's user temp folders and cleared them out; deleting an instance of ns233.tmp in a Temp folder would create another instance with another random name, xxx.tmp. On restarting, however, the xxxx.tmp files were back, suggesting rootkit-like activity.

I then Googled "tdss/crcmds/main" and found what seems like another threat. I searched my Windows\SYSTEM32 folder and the registry but found no traces of anything that matched TDSS.

I tried running Spybot, but its process just sits there.

I tried installing Malwarebytes Anti-Malware, but it won't install. The installer process sits there but nothing appears.

I even tried booting into safe mode. However, it locks up when getting to the logon screen, leaving me a black screen. The words "Safe Mode" appear in the corners with the build number, but otherwise nothing works besides the mouse.

I really don't want to have to reformat. Can someone please help?

(attachment: post-1865-1228077883.jpg, the NOD32 blocked-URL message)

https://www.neowin.net/forum/topic/704300-help-removing-malware/

Do you have another machine you can put the drive in and run scans on?

That would be my first suggestion.

I've seen that problem in safe mode occur before. If you want to try it again, when it gets to the point where you think it's locked up, try Ctrl+Alt+Del (CAD). Then go to File -> New Task and run c:\windows\explorer.exe

Another thing you can try is to go to c:\windows\system32\drivers\etc\hosts\ and add an entry to the hosts file of 72.233.114.123 to 127.0.0.1 so that your computer no longer tries to get out to the net and access that site.

Won't work, as the hosts file is only used to resolve domains to IPs, not IPs to IPs. You can check for go.google.com in there, though.
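A way to do the check the reply above suggests, as an added example that is not code from this thread or from any tool named in it: it parses a Windows hosts file (the file lives at %SystemRoot%\system32\drivers\etc\hosts), reports what go.google.com would resolve to, and goes a step further by flagging any well-known domain that has been redirected or blocked. It assumes Python 3; the sample hosts file is constructed and embedded in the script, and the watch list of domains is an illustrative assumption. It also shows in code why an IP-to-IP line does nothing: hosts is consulted only when a name is looked up, never for an IP literal.

```python
"""Added example, not code from the thread: audit a Windows hosts file.

The hosts file (%SystemRoot%\\system32\\drivers\\etc\\hosts) maps hostnames
to addresses; the resolver consults it only when a *name* is looked up. A
line such as "127.0.0.1 72.233.114.123" is therefore never matched, because
an IP literal is never resolved through hosts. Malware of this era instead
edited the file to send search engines and security-vendor sites elsewhere.
"""
import ipaddress
import sys

# Constructed sample hosts file (not from any real machine): a normal entry,
# a hijacked search-engine line, an ineffective IP-to-IP "block", a commented
# line the resolver ignores, and a blocked vendor site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 72.233.114.123 go.google.com     (commented out, so ignored)
72.233.114.123  go.google.com  www.google.com
127.0.0.1       72.233.114.123
0.0.0.0         update.malwarebytes.org
"""

# Assumed watch list for this example: domains that should never resolve
# through hosts to anything but their real address.
WATCHED_SUFFIXES = ("google.com", "malwarebytes.org", "microsoft.com", "eset.com")


def _is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return [(lineno, ip, hostname)] for every active mapping.

    Comments ("#" to end of line) and blank lines are dropped; a line whose
    first field is not a valid address is skipped, as the resolver skips it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not _is_ip_literal(fields[0]):
            continue
        ip = ipaddress.ip_address(fields[0])
        for name in fields[1:]:
            entries.append((lineno, ip, name))
    return entries


def hosts_lookup(text, name):
    """Address the hosts file would give for `name`, or None.

    Mirrors resolver behaviour: an IP literal is used as-is without
    consulting hosts, so here it yields None (no override possible).
    """
    if _is_ip_literal(name):
        return None
    for _lineno, ip, host in parse_hosts(text):
        if host.lower() == name.lower():
            return ip
    return None


def _watched(name):
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return [(lineno, hostname, verdict, detail)] for noteworthy lines.

    verdict is one of:
      "hijacked"    watched domain sent to a routable address
      "blocked"     watched domain sent to loopback/0.0.0.0 (AV updates cut off)
      "ineffective" the "hostname" is an IP literal; the line does nothing
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if _is_ip_literal(name):
            findings.append((lineno, name, "ineffective",
                             "IP literal is never resolved through hosts"))
        elif ip.is_loopback or ip.is_unspecified:
            if _watched(name):
                findings.append((lineno, name, "blocked", f"sent to {ip}"))
        elif _watched(name):
            findings.append((lineno, name, "hijacked", f"sent to {ip}"))
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    print("go.google.com ->", hosts_lookup(text, "go.google.com"))
    for lineno, name, verdict, detail in audit_hosts(text):
        print(f"line {lineno}: {verdict:<11} {name} ({detail})")
```

Run it with the hosts file's path as the only argument (pull the drive into a clean machine first, as suggested above, so the malware cannot interfere with reading it). On the sample it reports go.google.com and www.google.com as hijacked, the 127.0.0.1 -> 72.233.114.123 line as ineffective, and update.malwarebytes.org as blocked, which matches the "installer sits there" symptom pattern where an AV vendor's site has been nulled out.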

What seems to be happening now is that sometimes some Web sites will be accessible and then randomly stop working in all browsers.

Thanks, but Malwarebytes Anti-Malware won't install

Wow. Ironic. I just had this happen to me last week, although it was my fault for opening a file I didn't trust. I got something like this that would stop browsing and avoided my antivirus (ZoneAlarm, then Kasper; used a friend's PC to run NOD, all passed).

Funny thing is, I installed PC Tools and it found it, but couldn't remove it. What I had was like this, but it masked as autorun. So all my autorun.inf files were now being deleted and recreated with malicious code.

Dumb thing is, I didn't notice until I turned on my first external; that's when ZoneAlarm popped up saying autorun.inf on "drives a b c d" was infected.

I tried my best to remove it. I succeeded somewhat, then I got this EXACT tdss and main crap, tried my best, and then reformatted.

So my advice is, if you can't get by it, back up your stuff, DO NOT IMAGE, and reformat.

I was almost going to Ghost my drive when my friend went "em, you're gonna be carrying it again after you reformat", to which I facepalmed myself and backed up my stuff and reformatted.

It's been lovely since, and I needed a reformat.

I hope you imaged your clean install. If not this would be a good time to do it.

Angel,

PM me. I have a private FTP server with malware removing programs. I can either remote into your computer and help you out, or I can give you specific access to certain files I have for cleaning stuff up.

TDSS is normally followed by karna.dat and some other bad viruses pretending to be a real antivirus program, and other junk. Trojan Remover has almost ALWAYS fixed these problems (on one machine the registry became corrupt because of the removal of these files and I had to completely reformat (destructive)).

7 months later...

I hope this will solve your problem !!

http://pcrevolutions.blogspot.com/2009/05/...ayed-error.html

Try renaming the file and then try to execute it.
