msiexec.exe, netdde.exe viruses
- Thread starter kartik1955
- Start date
- Mar 8, 2013
- 22,627
Hello, my name is THE, and I'll be working with you 
Before we start:
Because of this, I advise you to backup any personal files and folders before you start.
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
Download TDSSkiller from here
Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt
Before we start:
- Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
- Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
- Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
- Like everyone, I have a private life, so be patient with me. Sometimes I will respond immediately, sometimes it will take a coupe hours.
- Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
- The absence of symptoms does not mean your PC is fully disinfected.
- If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
- Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.
Because of this, I advise you to backup any personal files and folders before you start.
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Download TDSSkiller from here
- Double-Click on TDSSKiller.exe to run the application
- When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
- After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
- click Start scan .
- If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
- If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.
Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt
TwinHeadedEagle said:Hello, my name is THE, and I'll be working with you
Before we start:
- Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
- Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
- Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
- Like everyone, I have a private life, so be patient with me. Sometimes I will respond immediately, sometimes it will take a coupe hours.
- Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
- The absence of symptoms does not mean your PC is fully disinfected.
- If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
- Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.
Because of this, I advise you to backup any personal files and folders before you start.
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Download TDSSkiller from here
- Double-Click on TDSSKiller.exe to run the application
- When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
- After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
- click Start scan .
- If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
- If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.
Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt
Did exactly as per direction. Two log files are attached. Only suspicious files were detected by TDSSKiller. No TDL4/TDSS or malicious files were detected.
- Mar 8, 2013
- 22,627
FRST didn't full produced the report. Rescan again and attach FRST.txt
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
Gmer download link
Note: file will be random named
Double-clicking to run GMER.
> Attach here Gmer logreports.
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
Gmer download link
Note: file will be random named
Double-clicking to run GMER.
- Wait for initial scan to finish - if there is any query, click No;
- Click Scan button and wait until the full scan is complete;
- Click Save ... - save the report to the Desktop (named Gmer );
> Attach here Gmer logreports.
- Mar 8, 2013
- 22,627
Attach me report from TDSS Killer, no matter than only suspicious files was found...
Download ComboFix from one of the following locations:
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</>.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------
How to run the Combofix scan :
Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>
Download ComboFix from one of the following locations:
COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</>.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------
How to run the Combofix scan :
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>
Last edited by a moderator:
There isn't any option to save the log in TDSS Killer. Therefore I noted down the contents which is as follows:-
Four files were found to be "suspicious - Medium risk" and "Unsigned File.multigeneric".
Service : ALCXWDM
Service : NetDDE
Service : NetDDEdsdm
Service : Rpclocator
For Combofix, I disabled the antivirus before starting. No other window was open. After double clicking, one window was displayed to tell that it is backing up the registry. There after one message came to tell that it is not safe to run the file in (some) mode.(I don't exactly remember the wordings). There "OK" option was available. After that it kept quiet. I waited for nearly three to four minutes. There was no response. So I discontinued the process.
Four files were found to be "suspicious - Medium risk" and "Unsigned File.multigeneric".
Service : ALCXWDM
Service : NetDDE
Service : NetDDEdsdm
Service : Rpclocator
For Combofix, I disabled the antivirus before starting. No other window was open. After double clicking, one window was displayed to tell that it is backing up the registry. There after one message came to tell that it is not safe to run the file in (some) mode.(I don't exactly remember the wordings). There "OK" option was available. After that it kept quiet. I waited for nearly three to four minutes. There was no response. So I discontinued the process.
- Mar 8, 2013
- 22,627
We will have to go around the Windows to make needed scans? Tell me, which version of Windows is this?
It is Windows XP. The exact version is not possible to find out from control panel, since it is not allowing. However, when it boots, it displays Windows XP only. Whether it is professional or premium, nothing is displayed.
- Mar 8, 2013
- 22,627
Please print these instruction out so that you know what you are doing
- Download OTLPENet.exe to your desktop
- Download Farbar Recovery Scan Tool and save it to a flash drive.
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here - Wait for the CD to detect your hardware and load the operating system
- Your system should now display a Reatogo desktop
Note : as you are running from CD it is not exactly speedy - Insert the USB with FRST
- Locate the flash drive with FRST and double click
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
- Mar 8, 2013
- 22,627
Hello,
Your PC is infected with Sality file infector. Since deinfection is impossible from running Windows, you have three options:
1. To reinstall your system, and format system partition, making sure not to open other partitons after reinstall, until they are scanned
2. To try to desinfect your PC using Rescue Disk (it is possible, but damage is already done by virus)
3. To detach your HDD and to scan it on the other PC, without opening it...
Tell me which option is the best for you, so we can discuss throughly...
Your PC is infected with Sality file infector. Since deinfection is impossible from running Windows, you have three options:
1. To reinstall your system, and format system partition, making sure not to open other partitons after reinstall, until they are scanned
2. To try to desinfect your PC using Rescue Disk (it is possible, but damage is already done by virus)
3. To detach your HDD and to scan it on the other PC, without opening it...
Tell me which option is the best for you, so we can discuss throughly...
CD was successfully prepared. But system did not boot from CD. I tried with making modification in boot order of the BIOS as well as by giving option in the boot menu. During preparation of the CD, network connection was disconnected and antivirus was disabled. Then I browsed the CD and double clicked the "autorun". Message came "installation failed". There is an application file named "retogomenu". That is opening. Inside one table type menu window is there with certain features.
I once again ran the FRST without internet connection and deactivating antivirus and got the two text files frst.txt and addition.txt which are enclosed herewith.
Earlier also this problem was there that it was not booting from the CD.Earlier, in order to overcome the problem of not booting from CD and not booting from HDD, hard disk was formatted and OS reinstalled. But just after a day the virus came again or may be it did not go during formatting.
I once again ran the FRST without internet connection and deactivating antivirus and got the two text files frst.txt and addition.txt which are enclosed herewith.
Earlier also this problem was there that it was not booting from the CD.Earlier, in order to overcome the problem of not booting from CD and not booting from HDD, hard disk was formatted and OS reinstalled. But just after a day the virus came again or may be it did not go during formatting.
- Mar 8, 2013
- 22,627
1st option is suitable but system does not boot from CD as a consequence of virus infection. For 3rd option, I do not have another desktop. I have a laptop. Will it help?
Similar threads
