Virtumonde-New Thread-As Per request

Hi,

Do you get any better results if you run these commands in recovery console:
cd erdnt\hiv-backup
batch erdnt.con
exit
 
Still No Joy

Hi Blade,
Thank you for your continuing assistance! Not only does my computer appear to be highly infected, but you must feel like you're leading a blind man!

From recovery console, I ran

cd erdnt\hiv-backup
batch erdnt.con
exit
SAME BLUE SCREEN


I don't know if this will help you but...
After the "exit", I'm automatically returned to the recovery console for the restart...

If I wait for the 30 sec countdown timer, or choose Start Windows Normally, I immediately get the same blue screen which consistently displays the following... TECHNICAL INFO
STOP: 0x0000007B (0xF79FA528, 0xC0000034, 0x00000000, 0x00000000)

If I choose Start in Safe Mode, it first starts loading a bunch of drivers before the Blue Screen... I've watched this carefully many times now and the Blue Screen appears just after loading "....C\Windows\system32\Mup.sys"

Is this info any help to you?
 
Hi,

The error code indicates a problem with hard drive controller loading. Please enter recovery console mode again and run the following commands:
cd\
cd c:\qoobox\quarantine\c\windows\system32\drivers
dir


You should see a list of items there. Check if the pciide.sys.vir file (or any with "ide" in its name) is listed there and let me know about the results.
 
A new problem

Now, in trying to enter the Recovery Console... as I did before...

After entering the #1 to select the only recovery console option...
1: c\WINDOWS

Instead of going to the C|WINDOWS>_ prompt

I get "Type the administrator Password:__"
Simply pressing enter displays...
"The Password is Not Valid. Please retype the Password."

I've never set up an administrator password on this computer and this is the first time I've been asked for a password to get to the recovery console command prompt.

I still hope you can help!
 
I've never seen a similar case where the recovery console first doesn't ask for an admin password and then asks for one on another attempt. See if administrator or admin (with the first letter capitalized or not) works.

Do you have Windows XP Professional installation media around?
 
Password Required

Hi Blade,
Sorry for the delay in getting back to you. I had Sunday morning activities to attend. I did include you and my infected computer in my prayers.

I tried the passwords.. "Administrator, administrator, Admin, & admin"
All invalid!

Do you think the second set of ERDNT commands...
cd erdnt\hiv-backup
batch erdnt.con
exit

...might have set an administrator password? The password request appeared just after running these commands???

Or perhaps, the infection (after a set period of time or actions) took admin control? I'm just guessing here.

I do remember that way back in this process... before running any of the initial ERUNT or HJT scans... when I could still boot to Windows XP SAFE mode... I was once asked... while starting up to SAFE MODE... "What user account to log on to": The choices were: ADMINISTRATOR or Tom McNeal (my name). This surprised me back then because I had never set up any Administrator Account or Passwords on this machine. At that time I did try choosing Administrator and when prompted for a password... I simply pressed enter. This was invalid and so I next selected my name as the User account and booted to safe mode.

I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? OR, do you have other ideas to try with the XP CD?

I look forward to your reply.
Tom
 
Hi Tom,

Do you think the second set of ERDNT commands...
cd erdnt\hiv-backup
batch erdnt.con
exit
...might have set an administrator password? The password request appeared just after running these commands???
That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

I'm sure I have the Windows XP CD (that came with this computer from DELL) but i will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? OR, do you have other ideas to try with the XP CD?
I was thinking about running the recovery console from XP Professional media. It might be possible to run it that way without a password prompt.
 
Win XP CD

I am chatting now with DELL support about getting a WIN XP PRO replacement CD in case I cannot find the one that came with the computer.
 
Xp cd

That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

The first ERUNT BACK UP Copied 9 Files before returning to the prompt for EXIT.

The second time 10 Files were copied before the prompt for EXIT.

Maybe there was an administrator entry in the 10th file copied.

I was thinking about running recovery console from XP Professional media. It might be possible to run that way without password prompt.

Would this need to be the same XP CD that came with this particular machine? Or will any Win XP Pro CD work for this?
 
Update

Hi Blade,

I have found my original Dell licensed Windows XP Pro Reinstall CD but I am not sure if this will help us if we can't get into the Recovery Console anyway without entering a correct Administrator Password.

Another problem might be that the original Dell XP install CD is XP Pro SP1. SP2 and then SP3 were later installed on the problem machine via Microsoft Updates. I remember reading in the ComboFix Instructions that it would install different versions of the Restore Console depending on whether it found SP1 or SP2 / SP3 on the machine.

I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too. But even so, don't you think we'll still have the same problem getting to the Recovery Console Command Prompt without the correct Administrator password? I should also note that this newer Dell machine uses the NTFS file system whereas I think the problem machine uses the FAT32 file system. I don't know if this would cause a problem?

I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a Bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified c:\Windows\erdnt_A instead; thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back in to the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the Password problem I'm having now?

I've re-read the ERUNT instructions and emailed Lars Hederer to ask if he might know what's going on. I will let you know what he thinks if and when he replies.

Any ideas or suggestions you may have will be much appreciated.
Tom
 
Hi,

I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too.
That CD can be used assuming it's a real install CD and not just a recovery one.

1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

See if that lets you access the command prompt of the recovery console. If yes, try the commands above to check the requested things.
 
Blade said...
That cd can be used assuming it's real install cd and not just for recovering.
1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.


This CD is labeled "Reinstallation CD, MS Windows XP Professional, SP3"
"This software id already installed on your computer. Use this media only to reinstall the operating system on a Dell computer."

Blade said...
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

I think I may have to do this first.... I.E. Hit F2 when first starting to enter the Dell System Setup. Then set up boot priority making the CD # 1 instead of floppy. Then restart machine with the CD in the machine. Do you agree?

Tom
 
I think I may have to do this first.... I.E. Hit F2 when first starting to enter the Dell System Setup. Then set up boot priority making the CD # 1 instead of floppy. Then restart machine with the CD in the machine. Do you agree?
The floppy can have a higher priority than the CD. Just ensure that the CD's priority is higher than the hard drive's.
 
tried the CD

I changed setup to boot from the CD, then restarted. The CD loaded a bunch of drivers and then asked to press R for Recovery Console. That let me choose Recovery Console as before but PASSWORD STILL REQUIRED.

There was another option when booting from the CD... Press F2 for ASR (Dells?) Automatic system recovery. Do you think I should try that?
 
What do you think?

And...
Hi Blade,

I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a Bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified c:\Windows\erdnt_A instead; thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back in to the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the Password problem I'm having now?

Any thoughts on this???
 
Hi,

Don't try automatic system recovery. We can still try to create a boot cd and start system with it. I'm currently at work but will get back with new instructions later. Is that ok?
 
Hi,

Don't try automatic system recovery. We can still try to create a boot cd and start system with it. I'm currently at work but will get back with new instructions later. Is that ok?

That's fine Blade! I've had a long day... 12:30 AM here. I'll get a little sleep and check back in. When you have time, can you give me instructions or a link as to how to create a Bootable CD?

Hopefully one that will get us to a command prompt????
Thanks again for sticking with me! I appreciate your help.
Tom
 
Hi,

Instructions for creating UBCD can be found here. We'll use that later then.
 
Ubcd

Hi Blade,

I hope you had a good day! Thanks again for your help!

I have downloaded the UBCD4Win tool and read the instructions. Before creating the UBCD, I have a couple of questions... to make sure I'm doing this right and cause no further problems!

1. The problem computer (Computer 1) is WIN XP PRO SP3 (came with SP1, then updated later with SP2 and SP3). The UBCD instructions require using a WINDOWS XP CD "with at least SP1 (SP2 highly recommended)". The UBCD instructions do not mention SP3 at all. Should I still use the Dell Windows XP PRO SP3 installation CD to build the UBCD?

2. As you know, I am using two other machines (Computer 2 & 3 - which still appear to be healthy) to access the internet, post on the forum, and download these tools on. Since I've been on the MalwareForum trying to remove the infection, I have not had the problem machine connected to my home network at the same time as any of my other machines are connected to my network. I did however, immediately after the original infection, reach across the network from one of the other machines (Computer 3) to copy a folder with some important files on the infected computer. Repeated scans on Computers 2 & 3 with AVG 8.5 and SpyBot 1.6.2 reveal "No Threats Detected" except a few "Warnings" (identified as tracking cookies) which were all reported to be successfully removed or healed.

Early this morning, when I was using Computer 3 to copy my Dell Win XP PRO SP3 Installation CD to my hard drive as recommended in the UBCD instructions, I got the following warning when I removed the Win XP CD from the drive...

TITLE BAR: DVD-RAM DRIVE (D:)
MESSAGE: M:\ refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location.
OK BUTTON


I saw a similar warning yesterday morning which apparently had popped up over the night before. Drive M: is the C: drive on the infected machine as mapped on Computer 3. I am now suspicious that "something bad" might be happening on Computer 3 because I never asked to access Drive M:. Also, when I received the first of these warnings yesterday, I went into Windows Explorer and chose "Disconnect Network Drive M:". After refreshing the explorer screen, the mapped Drive M: disappeared from the folder tree. After this morning's warning, I looked again and Drive M: has re-appeared in the Explorer folder tree, but DOES NOT appear in the Tools > Disconnect Network Drive window. Do you think there might be something bad on Computer 3 that is trying to access Drive M: and copy malware files from the infected computer?

Or, am I just getting too paranoid now and there's some other harmless explanation for these warnings?

I look forward to your reply.
Tom
 
Hi :)

1. Yes, you can use Win XP Pro SP3 media.
2. I wouldn't be worried, especially if there aren't any clear symptoms there.
 