
Test your skill and impress me with this one...



meglamb
2011-09-01, 17:38
Hi there. I'm going to apologize in advance for my lack of technical lingo.

I have an older model HP laptop, and I recently acquired a virus that is meant to look like it's some sort of windows security feature, only I'm smarter than that! and I've seen 'em before, so what I would normally do is reboot in safe mode and do a system restore or run spybot to get rid of it.

well, not this time. I can reboot the computer fine normally, except nothing works except for this fake windows security.

I reboot in safe mode, and it goes fine until I open up system restore or spybot - the computer shuts off.

I'm trying to see if there's anything I can do before having to wipe it clean.

Thank you! this is a tricky little bugger - at least I think so!!

JonTom
2011-09-02, 19:20
Hello meglamb and welcome.

My name is JonTom

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.



"I'm trying to see if there's anything I can do before having to wipe it clean"

Let's take a look and see what we can do :)

Are you able to connect to the Internet using the infected machine?

Also, please let me know what operating system you are running (XP, Vista, Win 7 - 32 or 64 bit) and we'll take it from there :)

meglamb
2011-09-06, 20:17
Hi! thanks for your help -

no, I cannot connect to the internet, or run any programs at all.

and it's XP.

JonTom
2011-09-06, 20:54
Hello meglamb

Thanks for letting me know.

If you are unable to connect to the net with the infected machine you will need to copy the required tools to a flash drive and transfer them to the infected system. Let's try the following to begin with:

If the machine you use to download the tools runs on XP, please run the following tool first to reduce the chance of cross-infection.

Please download Flash Disinfector


Click here (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
Wait until Flash disinfector has finished scanning and then exit the program.
Reboot your computer.


If it runs on Vista/Win 7, use this one:


AutoRun Eater


Download Autorun Eater (http://www.softpedia.com/get/Security/Secure-cleaning/Autorun-Eater.shtml) and save it to your desktop.
Plug all of your removable storage devices into the machine (USB sticks etc) and run the tool.



Once you have done that, download the following tools and transfer them to the infected machine:


Please perform the following scan


Please download DDS from here (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection (How to Disable your Security Programs (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html))
Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.
Please post the contents of the DDS.txt and Attach.txt logs in your next reply.



Please scan your system with GMER


Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please post the DDS logs and the GMER log in your next reply. If you encounter any problems with the scans, just come back and let me know.
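
The two "disinfector" steps above exist because an infected XP machine can seed a USB stick with an autorun.inf that launches the malware on the next machine the stick is plugged into. The following Python script is an added example, not code from Flash Disinfector, AutoRun Eater or anyone in this thread: it parses an autorun.inf, reports every directive that would execute a program, and plants a folder named autorun.inf on a drive so that a file of that name cannot be written there (my reading of the approach such tools take; the post does not describe their internals). The two sample autorun.inf contents and the path RECYCLER\cache.exe are constructed.

```python
import os
import tempfile
from typing import Dict, List

# [autorun] directives that launch a program when the drive is inserted or
# opened. Windows XP honoured these on removable drives, which is how an
# infected machine seeds a USB stick and the stick seeds the next machine.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf into {section: {key: value}}.

    Section and key names are lower-cased because Windows treats them
    case-insensitively; malware often mixes case to dodge naive greps.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def suspicious_directives(text: str) -> List[str]:
    """Return every directive that would execute something: open=,
    shellexecute=, and shell\\<verb>\\command= (the verb that a
    double-click or context-menu entry runs)."""
    autorun = parse_autorun(text).get("autorun", {})
    hits = []
    for key, value in autorun.items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            hits.append(f"{key}={value}")
    return hits


def plant_autorun_guard(drive_root: str) -> str:
    """Occupy the autorun.inf name with a directory so that malware on the
    infected machine cannot write an autorun.inf *file* to the stick.
    On Windows the directory is also marked hidden+system+read-only;
    elsewhere only the directory is created."""
    guard = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(guard):
        raise RuntimeError(f"{guard} is a file: inspect it before replacing it")
    os.makedirs(guard, exist_ok=True)
    if os.name == "nt":
        import ctypes
        HIDDEN, SYSTEM, READONLY = 0x02, 0x04, 0x01
        ctypes.windll.kernel32.SetFileAttributesW(guard, HIDDEN | SYSTEM | READONLY)
    return guard


# Constructed samples (not taken from any real stick).
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Holiday photos\n"
INFECTED_INF = (
    "[AutoRun]\n"
    "Open=RECYCLER\\cache.exe\n"                    # runs on insert (XP autoplay)
    "ShellExecute=RECYCLER\\cache.exe\n"
    "shell\\open\\Command=RECYCLER\\cache.exe\n"    # runs on double-click
    "shell=open\n"
    "Icon=%SystemRoot%\\system32\\shell32.dll,4\n"  # makes the drive look like a plain folder
)

if __name__ == "__main__":
    print("benign   :", suspicious_directives(BENIGN_INF))
    print("infected :", suspicious_directives(INFECTED_INF))
    with tempfile.TemporaryDirectory() as fake_drive:
        print("guard    :", plant_autorun_guard(fake_drive))
```

Run `suspicious_directives` on the autorun.inf of every stick that touched the infected laptop before plugging it into a clean machine; an empty list does not prove the stick is clean (the malware itself may sit in RECYCLER or a hidden folder), but a non-empty one tells you exactly what would have run.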

meglamb
2011-09-06, 21:19
I downloaded both of those things and put the .exe files on a disc to bring over to my infected computer - but my computer will not open the files, it says that they are infected by a w32/blaster.worm, and that I have to activate security protection to get rid of it.

so, no programs can be opened.

JonTom
2011-09-06, 21:38
Hello meglamb

Are you able to run the tools from Safe Mode?


Reboot Your System in Safe Mode


Restart your computer.
As soon as the BIOS has loaded, begin tapping the F8 key until the "Advanced Options" menu appears.
Use the arrow keys to select the Safe mode menu item.
Press Enter.


If you are able to scan the system from safe mode, please make sure to save the logs created, then boot back into Normal mode to transfer the logs back to flash drive to post back here.

Let me know how you get on :)

meglamb
2011-09-06, 22:20
Nope - when I go to run the anti virus from safe mode, the computer shuts off. it's a tricky devil, I'm telling you!

JonTom
2011-09-06, 22:52
Hello meglamb


"Nope - when I go to run the anti virus from safe mode, the computer shuts off."

I am a little confused here. What anti virus are you trying to run? All we need at the moment are the diagnostic system scans provided by DDS and GMER.

If the infection is interfering with our tools (and it certainly sounds as though it is), let's try the following:


rkill


You will need to download each of these versions and transfer them to the infected machine.
Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)



Note: You will likely see a message from the infection telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do its job. This may take a few tries.

You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.


Once rkill has been run try running DDS and GMER again.

meglamb
2011-09-06, 23:20
I can't get that far - no .exe files will run, the virus says they are all infected files, when I go into safe mode and try and run anything the computer shuts off.

JonTom
2011-09-07, 20:45
Hello meglamb


"I can't get that far"

Okay, thanks for letting me know. I realise that this is frustrating for you but there are still a few things we can try :)


"no .exe files will run"

Did you try all of the rkill files I provided? The reason I ask is that two of them are not executable files (rkill.com and rkill.scr).

Please let me know in your next reply.

meglamb
2011-09-07, 21:45
Okay - I did the flash disinfector, attempted to run DDS, it didn't seem to do anything - unless it was doing something, there was a line of pound signs at the bottom and they were blinking.

tried to run rkill and the computer shut off. haven't gotten to gmer yet. it seems like it's over heating, but it stays on as long as I'm not doing any activity on it.

JonTom
2011-09-08, 00:51
Hello meglamb


"there was a line of pound signs at the bottom and they were blinking"

That doesn't sound right at all. Can you tell me if you are still receiving the "this file is infected" message when you try to run DDS?


This infection changes settings on your computer so that when you launch an executable, it will instead launch the infection rather than the desired program.

To fix this we must first download a Registry file that will fix these changes.


Please work your way through the following steps in the order that they appear:


FixNCR


From a clean computer, please download the following file (http://download.bleepingcomputer.com/reg/FixNCR.reg) and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
Once that file is downloaded and saved on a removable device, insert the removable device into the infected computer and open the folder the drive letter associated with it.
You should now see the FixNCR.reg file that you had downloaded onto it.
Double click on the FixNCR.reg file to fix the Registry on your infected computer.
You should now be able to run your normal executable programs and can proceed to the next step.



rKill


Once you have run FixNCR, I would like you to run rKill again (just as you did before).



DDS


After rKill has been run, please try to scan with DDS again. If DDS is able to complete its scan and you can save the log, move on to the GMER scan.



If DDS is unable to complete its scan, forget about GMER and try the following scanner instead:


Download and run OTL by Oldtimer


Please download OTL by Oldtimer by clicking here (http://oldtimer.geekstogo.com/OTL.com) and save the file (called OTL.com) to your desktop.
Close all open windows on your computer then Double click on the OTL.com icon to run the program.
Check the boxes beside "LOP Check" and "Purity Check".
Under Custom Scan paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
/md5stop


Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.



When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.


If DDS is able to complete its scan please post the log in your next reply (likewise with GMER). If you are still having trouble with DDS please try OTL and let me know how it goes.
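
JonTom's explanation above (launching an executable starts the infection instead of the program) describes a hijacked file association: the (Default) value under exefile\shell\open\command, which Windows runs for every .exe, is rewritten so the rogue starts first. A rogue sitting there sees every program launch and can pass through only the names it needs, such as explorer.exe, which is why renaming a tool to one of those names, as JonTom suggests later in this thread, can get it to run. The following Python script is an added example, not FixNCR.reg, DDS or anything from the thread: it parses a regedit export (.reg) taken from the infected machine, compares the .exe association keys against the Windows XP defaults, flags per-user overrides under HKCU\Software\Classes (which take precedence over the machine-wide class keys in the merged HKEY_CLASSES_ROOT view), and emits a minimal .reg file that restores the defaults. The sample export and the program name abc.exe in it are constructed.

```python
import re
from typing import Dict, List, Tuple

Hive = Dict[str, Dict[str, str]]

# Windows XP defaults for the .exe association. Only the (Default) value,
# written "@" in .reg syntax, is checked.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\runas\command": '"%1" %*',
}
# HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes wins
# over HKLM\Software\Classes, so a per-user copy of these keys redirects
# .exe for that user even when the machine-wide keys look clean.
PER_USER_OVERRIDES = (
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\exefile",
)

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VAL_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s: str) -> str:
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_reg(text: str) -> Hive:
    """Parse a regedit export into {key: {value_name: data}}.
    String data is unescaped; dword:/hex: data is kept as raw text and
    hex continuation lines are ignored, which is enough for this check."""
    hive: Hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry") or line == "REGEDIT4"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":            # [-KEY] deletes the key
                hive.pop(m.group(2), None)
                current = None
            else:
                current = m.group(2)
                hive.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            hive[current][name] = data
    return hive


def check_exe_association(hive: Hive) -> List[Tuple[str, str]]:
    """Return (key, observed) pairs where launching an .exe would no longer
    run the program the user double-clicked."""
    findings = []
    for key, want in EXPECTED.items():
        got = hive.get(key, {}).get("@")
        if got is not None and got != want:
            findings.append((key, got))
    for key in PER_USER_OVERRIDES:
        if any(k == key or k.startswith(key + "\\") for k in hive):
            findings.append((key, "per-user override present"))
    return findings


def build_fix_reg(findings: List[Tuple[str, str]]) -> str:
    """Emit a .reg file restoring the defaults for each flagged key and
    deleting per-user overrides. A minimal equivalent of a fix file, not
    the contents of FixNCR.reg."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, _ in findings:
        if key in EXPECTED:
            lines += [f"[{key}]", "@=" + _escape(EXPECTED[key]), ""]
        else:
            lines += [f"[-{key}]", ""]
    return "\n".join(lines)


# Constructed export; "abc.exe" stands in for whatever the rogue is called.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"
'''

if __name__ == "__main__":
    findings = check_exe_association(parse_reg(SAMPLE_EXPORT))
    for key, seen in findings:
        print(f"{key}\n    -> {seen}")
    print(build_fix_reg(findings))
```

The export can be produced from a clean boot environment or by `reg export HKCR\exefile` from a shell that the rogue lets run; the path in the flagged command value also tells you which file to hash and submit, which the fix file alone does not.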

meglamb
2011-09-08, 19:53
when I double clicked DDS, the black box popped up, nothing happened, so I hit enter, and after I hit enter, a row of pound signs appeared and the cursor kept blinking.

I put rkill.scr on the laptop and clicked it and the computer shut off.

I'm sorry this must be incredibly frustrating for you both because I don't know dick about computers, and because nothing seems to be working because the computer turns off.

JonTom
2011-09-08, 21:08
Hello meglamb


"I'm sorry this must be incredibly frustrating for you"

You're doing fine Meg, and there is no need to apologise. Sometimes malware is easy to clean, sometimes it isn't. I'm not giving up just yet.

Did you try to run OTL?

If you tried and it did not run for you, let me know and we'll move on to a different approach.

JonTom
2011-09-09, 00:10
Hello meglamb

Let's give the following a try:

Please re-name DDS/OTL to either explorer.exe or iexplore.exe and see if they will run when re-named :)

meglamb
2011-09-09, 16:41
Okay! I've got a scan, but I've got an issue - my USB ports don't work on the infected computer, and I cannot get it to connect to the internet, even if I jam a hardwire into it - so how do I get the scan to you?

JonTom
2011-09-09, 19:05
Hello meglamb

First of all, you did a really great job getting that scan. I know it wasn't easy - very well done indeed.


"so how do I get the scan to you?"

This is what we have to deal with next.

Without active USB ports we are unable to use a flash drive for the transfer. Are you able to burn the log file to disk and then use a different machine to paste it here?

meglamb
2011-09-09, 19:20
welp! I got the scan by booting the computer from a disk, so I don't think I can take the disk out and put another one in to burn it can I?

I know for a fact that a cd burning program won't open from my normal desktop.

JonTom
2011-09-09, 19:47
Hello meglamb


"I got the scan by booting the computer from a disk"

You did not mention this to me before. Are you telling me that you are now unable to boot the machine at all without the use of the boot disk?

meglamb
2011-09-09, 20:20
nope, I can boot it without a disk, but from a disk is the only way that I could run that scan. I suppose I could try exchange the scan file from safemode, but I looked for the scan on my normal desktop and could not locate it. naw mean?

JonTom
2011-09-10, 01:24
Hello meglamb


"nope, I can boot it without a disk, but from a disk is the only way that I could run that scan"

Aha, I see what you mean now. Running the scan from a disk is fine - all we need to do now is locate the log that would have been produced after the scan completed.

If you ran DDS, the log should open directly after the scan, allowing you to save them to your desktop.

For OTL, the logs produced can be found by navigating to C:\OTL

If you are unable to locate the DDS log you may have to run the scan again, but if you ran OTL please navigate to C:\OTL and try to locate the logs that would have been saved there.


If you are able to locate the required logs, burn them to disk. If the infection interferes with the burn, let me know and we can try something else.

meglamb
2011-09-12, 15:35
Yes - I've got the scan located, but when I go to burn a disk in safe mode, the computer tells me that my hard drives are disabled.

I'm going to owe you some cocktails after this nonsense.

JonTom
2011-09-12, 22:28
Hello meglamb

Do you have the option to boot into Safe Mode with Networking?

See if you can, and then try to connect to the net to post the logs from the infected machine.

If it does not work out let me know :)

meglamb
2011-09-13, 18:15
something bad happened.. I tried to restart in safe mode and it says

mbr error
operating system not found

meglamb
2011-09-13, 22:18
welp. I'ma throw in the towel on this one. I appreciate all of your help and patience!

JonTom
2011-09-13, 22:41
Hello meglamb

The outlook does not look good I'm afraid.

Two quick questions for you:

Are you still able to boot into Normal Mode or do you get an error message?

When you tried to boot into safe Mode (at the point where you selected Safe Mode from the Advanced Options Menu), did you see an option to select "Last Known Good Configuration"?

meglamb
2011-09-13, 22:57
any time I try to reboot unless I put a disk in -

and I think right before it happened, I was rebooting it and it asked if I wanted to continue the restart without doing something I can't really remember.

so, I bet that was what did it. bah.

JonTom
2011-09-13, 23:23
Hello meglamb

I am going to assume that you do not have the option to select Last Known good Configuration at this time.

HP machines usually have an option to restore the machine back to the original factory settings.

This can usually be achieved in one of two ways; either through the use of the recovery partition that is sometimes installed on HP machines (designated D drive), or through the use of a set of HP recovery disks.

When you first got your machine did it come with a set of (or did you manually create) a set of HP recovery disks?

JonTom
2011-09-14, 23:13
Hello meglamb

Let's give this a try:

xPUD

We will need a USB stick and access to an uninfected machine.

We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:

Insert your USB drive into the uninfected machine.
Click on Start > My Computer > right click your USB drive > choose Format > Quick format.


Next

Download both http://sourceforge.net/projects/unetbootin/files/UNetbootin/Custom/unetbootin-xpud-windows-387.exe/download and http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of the uninfected machine.
Make sure you have the formatted USB stick in the uninfected system.
Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
Press Run and then OK.
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded.
Verify the correct drive letter is selected for your USB device then click OK.
It will install a little bootable OS on your USB device
After it has completed do not choose to reboot the clean computer, simply close the installer.



Please note:

If you need to create a bootable CD using xPUD (rather than a USB stick), you may download the ISO image found here (http://www.xpud.org/download.en.html) and burn it to a CD.



Next

Use the clean computer to download dumpit from the following link: http://noahdfear.net/downloads/dumpit
Once dumpit is downloaded save it to the USB stick.


Next

Take the USB to the infected computer and boot with it.
The computer must be set to boot from the USB (as soon as the BIOS has loaded, tap F12 and choose to boot from the USB drive).
A Welcome to xPUD screen will appear.
Press File.
Expand mnt.
sda1,2...usually corresponds to your HDD.
sdb1 is likely your USB drive.
Click on the folder that represents your USB drive (sdb1 ?).
Confirm that you see dumpit that you downloaded there.
Double click on dumpit.
Once completed, a file called mbr.zip will be saved to the USB drive.
Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.
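
The mbr.zip that the dumpit step produces is meant to be looked at on the clean machine. The following Python script is an added example, not dumpit's code or anything else from the thread, and it assumes mbr.zip holds the raw first 512-byte sector of the laptop's disk: it checks the 0x55AA boot signature, parses the four partition-table entries, lists the defects that leave a BIOS with nothing to boot (the "operating system not found" message reported earlier in the thread is the kind of symptom they produce), and compares the boot-code region against a known-good sector from a similar XP machine. Only the first 440 bytes are compared because the disk signature and partition table legitimately differ from one machine to the next. The sample sectors, the partition layout and the placeholder boot-code bytes are constructed for the example.

```python
import hashlib
import struct
import zipfile
from typing import Dict, List

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
CODE_END = 440          # boot code; then 4-byte disk signature and 2 reserved bytes
TABLE_OFFSET = 446      # four 16-byte partition entries


def read_sector_from_zip(path: str) -> bytes:
    """Return the first 512 bytes of the first member of mbr.zip
    (assumed to hold the raw first sector of the disk)."""
    with zipfile.ZipFile(path) as zf:
        with zf.open(zf.namelist()[0]) as f:
            return f.read(SECTOR)


def parse_mbr(sector: bytes) -> Dict:
    if len(sector) < SECTOR:
        raise ValueError(f"need {SECTOR} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        start_lba, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0 and start_lba == 0 and sectors == 0:
            continue                                  # unused slot
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_empty": not any(sector[:CODE_END]),
        "boot_code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def diagnose(mbr: Dict) -> List[str]:
    """Defects that stop the BIOS from handing control to the Windows boot sector."""
    problems = []
    if not mbr["signature_ok"]:
        problems.append("boot signature 0x55AA missing: BIOS will not treat the disk as bootable")
    if mbr["boot_code_empty"]:
        problems.append("boot code region is all zeros")
    parts = mbr["partitions"]
    if not parts:
        problems.append("partition table is empty")
    else:
        active = [p for p in parts if p["active"]]
        if len(active) != 1:
            problems.append(f"expected exactly one active partition, found {len(active)}")
        spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in parts)
        for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
            if start_b < end_a:
                problems.append(f"partitions overlap at LBA {start_b}")
    return problems


def boot_code_matches(sector: bytes, reference: bytes) -> bool:
    """Compare only the code region; disk signature and partition table
    differ between machines, so a whole-sector compare always fails."""
    return sector[:CODE_END] == reference[:CODE_END]


# --- constructed sectors for the example ---------------------------------
def make_entry(active: bool, ptype: int, start_lba: int, sectors: int) -> bytes:
    chs = b"\xfe\xff\xff"   # CHS fields saturated, as on any disk of this size
    return (bytes([0x80 if active else 0x00]) + chs + bytes([ptype]) + chs
            + struct.pack("<II", start_lba, sectors))


def build_mbr(boot_code: bytes, entries: List[bytes],
              disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    code = boot_code.ljust(CODE_END, b"\x00")[:CODE_END]
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# A handful of opcode bytes stand in for real boot code.
FAKE_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 64
# Active NTFS system partition followed by an HP-style FAT32 recovery partition.
HEALTHY = build_mbr(FAKE_BOOT_CODE, [make_entry(True, 0x07, 63, 200_000_000),
                                     make_entry(False, 0x0C, 200_000_063, 20_000_000)])
NO_ACTIVE = build_mbr(FAKE_BOOT_CODE, [make_entry(False, 0x07, 63, 200_000_000)])
WIPED = b"\x00" * SECTOR

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY), ("no active", NO_ACTIVE), ("wiped", WIPED)):
        print(name, diagnose(parse_mbr(sec)) or ["no defects found"])
```

If the partition table is intact but the code region differs from a known-good XP sector, the boot code has been replaced and the disk should be treated as possibly bootkitted rather than merely damaged; if the table itself is gone, the data is usually still on disk and a recovery-disk repair or a factory restore is the realistic path, as JonTom's HP recovery question above anticipates.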

JonTom
2011-09-19, 10:51
Due to lack of reply this thread is now closed.