Test your skill and impress me with this one...

Status
Not open for further replies.

meglamb

New member
Hi there. I'm going to apologize in advance for my lack of technical lingo.

I have an older model HP laptop, and I recently acquired a virus that is meant to look like it's some sort of Windows security feature, only I'm smarter than that, and I've seen 'em before, so what I would normally do is reboot in safe mode and do a system restore or run Spybot to get rid of it.

Well, not this time. I can reboot the computer fine normally, except nothing works except for this fake Windows security.

I reboot in safe mode, and it goes fine until I open up system restore or spybot - the computer shuts off.

I'm trying to see if there's anything I can do before having to wipe it clean.

Thank you! this is a tricky little bugger - at least I think so!!
 
Hello meglamb and :welcome:

My name is JonTom

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

I'm trying to see if there's anything I can do before having to wipe it clean
Let's take a look and see what we can do :)

Are you able to connect to the Internet using the infected machine?

Also, please let me know what operating system you are running (XP, Vista, Win 7 - 32 or 64 bit) and we'll take it from there :)
 
Hi! thanks for your help -

No, I cannot connect to the internet, or run any programs at all.

And it's XP.
 
Hello meglamb

Thanks for letting me know.

If you are unable to connect to the net with the infected machine you will need to copy the required tools to a flash drive and transfer them to the infected system. Let's try the following to begin with:

If the machine you use to download the tools runs on XP, please run the following tool first to reduce the chance of cross-infection.

  1. Please download Flash Disinfector

    • Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
    • Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
    • The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
    • Wait until Flash disinfector has finished scanning and then exit the program.
    • Reboot your computer.

    If it runs on Vista/Win 7, use this one:

  2. AutoRun Eater

    • Download Autorun Eater and save it to your desktop.
    • Plug all of your removable storage devices into the machine (USB sticks etc) and run the tool.


    Once you have done that, download the following tools and transfer them to the infected machine:

  3. Please perform the following scan

    • Please download DDS from here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.

  4. Please scan your system with GMER


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


    Please post the DDS logs and the GMER log in your next reply. If you encounter any problems with the scans, just come back and let me know.
 
I downloaded both of those things and put the .exe files on a disc to bring over to my infected computer, but my computer will not open the files. It says that they are infected by a w32/blaster.worm, and that I have to activate security protection to get rid of it.

So, no programs can be opened.
 
Hello meglamb

Are you able to run the tools from Safe Mode?


  1. Reboot Your System in Safe Mode

    • Restart your computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
    • Use the arrow keys to select the Safe mode menu item.
    • Press Enter.

    If you are able to scan the system from safe mode, please make sure to save the logs created, then boot back into Normal mode to transfer the logs back to flash drive to post back here.

    Let me know how you get on :)
 
Nope - when I go to run the anti virus from safe mode, the computer shuts off. it's a tricky devil, I'm telling you!
 
Hello meglamb

Nope - when I go to run the anti virus from safe mode, the computer shuts off.
I am a little confused here. What anti virus are you trying to run? All we need at the moment are the diagnostic system scans provided by DDS and GMER.

If the infection is interfering with our tools (and it certainly sounds as though it is) let's try the following:


  1. rkill

    • You will need to download each of these versions and transfer them to the infected machine.
    • Please download rkill (Courtesy of Bleepingcomputer.com).
    • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
    • Note: You only need to get one of the tools to run, not all of them.


    • Note: You will likely see a message from the infection telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

      Run rkill repeatedly until it's able to do its job. This may take a few tries.

      You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

    Once rkill has been run try running DDS and GMER again.
 
I can't get that far. No .exe files will run; the virus says they are all infected files. When I go into safe mode and try to run anything, the computer shuts off.
 
Hello meglamb

I can't get that far
Okay, thanks for letting me know. I realise that this is frustrating for you but there are still a few things we can try :)

no .exe files will run
Did you try all of the rkill files I provided? The reason I ask is that two of them are not executable files (rkill.com and rkill.scr).

Please let me know in your next reply.
 
Okay. I did the Flash Disinfector and attempted to run DDS. It didn't seem to do anything, unless it was doing something: there was a line of pound signs at the bottom and they were blinking.

Tried to run rkill and the computer shut off. Haven't gotten to GMER yet. It seems like it's overheating, but it stays on as long as I'm not doing any activity on it.
 
Hello meglamb

there was a line of pound signs at the bottom and they were blinking
That doesn't sound right at all. Can you tell me if you are still receiving the "this file is infected" message when you try to run DDS?


This infection changes settings on your computer so that when you launch an executable, it will instead launch the infection rather than the desired program.

To fix this we must first download a Registry file that will fix these changes.


Please work your way through the following steps in the order that they appear:


  1. FixNCR

    • From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Once that file is downloaded and saved on a removable device, insert the removable device into the infected computer and open the drive letter folder associated with it.
    • You should now see the FixNCR.reg file that you had downloaded onto it.
    • Double click on the FixNCR.reg file to fix the Registry on your infected computer.
    • You should now be able to run your normal executable programs and can proceed to the next step.

  2. rKill

    • Once you have run FixNCR, I would like you to run rKill again (just as you did before).

  3. DDS

    • After rKill has been run, please try to scan with DDS again. If DDS is able to complete its scan and you can save the log, move on to the GMER scan.


    If DDS is unable to complete its scan, forget about GMER and try the following scanner instead:

  4. Download and run OTL by Oldtimer

    • Please download OTL by Oldtimer by clicking here and save the file (called OTL.com) to your desktop.
    • Close all open windows on your computer then Double click on the OTL.com icon to run the program.
    • Check the boxes beside "LOP Check" and "Purity Check".
    • Under Custom Scan paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lîk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Deskuop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop

    • Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    • Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.

    If DDS is able to complete its scan please post the log in your next reply (likewise with GMER). If you are still having trouble with DDS please try OTL and let me know how it goes.

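The FixNCR step above works because this family of rogue "security" programs rewrites the shell command for the exefile class (the HKEY_CLASSES_ROOT\exefile\shell\open\command default value) so that every double-clicked .exe launches the rogue first, which then shows the "file is infected" message instead of running the real program. The script below is an added example, not the contents of the FixNCR.reg file linked in the post and not code from the thread: it parses a registry export (a constructed .reg text is embedded inline; the malware path in it is invented for illustration), flags a hijacked .exe association, pulls out the launcher the hijack points at, and emits a minimal .reg file that restores the stock values. Run it on a real `reg export HKCR\exefile` or `reg export HKCR\.exe` taken from a suspect machine to see what it would restore.

```python
"""Detect a hijacked .exe file association in a Windows .reg export and
build a repair .reg file. Added example for illustration; the SAMPLE_REG
text and the abc.exe path inside it are constructed, not real data."""
import re

EXE_EXT_KEY = r"HKEY_CLASSES_ROOT\.exe"
EXE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'          # stock value: run the clicked file with its args
STOCK = {EXE_EXT_KEY: "exefile", EXE_OPEN_KEY: CLEAN_COMMAND}

# Constructed export of an infected association (assumed malware location).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\meg\\Local Settings\\Application Data\\abc.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def _escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '' is the (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue                      # comments, header, continuation lines
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = _unescape(raw[1:-1])
        else:
            keys[current][name] = raw     # dword:/hex: values kept verbatim
    return keys


def _lookup(keys, wanted):
    # registry key paths are case-insensitive
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return {}


def find_exe_hijack(keys):
    """Return [(key_path, bad_value)] for each association that differs from stock."""
    findings = []
    ext = _lookup(keys, EXE_EXT_KEY)
    if "" in ext and ext[""].lower() != "exefile":
        findings.append((EXE_EXT_KEY, ext[""]))
    cmd = _lookup(keys, EXE_OPEN_KEY)
    if "" in cmd and cmd[""] != CLEAN_COMMAND:
        findings.append((EXE_OPEN_KEY, cmd[""]))
    return findings


def extract_launcher(command):
    """First quoted token of a hijacked command: the binary that gets run instead."""
    m = re.match(r'^"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def build_fix_reg(findings):
    """Emit a .reg file restoring the stock default value of each hijacked key."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, _bad in findings:
        out += ["[%s]" % key, '@="%s"' % _escape(STOCK[key]), ""]
    return "\n".join(out)


if __name__ == "__main__":
    hits = find_exe_hijack(parse_reg(SAMPLE_REG))
    for key, bad in hits:
        print("hijacked:", key, "->", extract_launcher(bad))
    print(build_fix_reg(hits))
```

The launcher path this extracts is worth keeping: it is the sample to submit or hash, and it explains the rename trick the helper suggests later in the thread, since the rogue typically only lets through process names it expects to see (explorer.exe, iexplore.exe).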
 
When I double-clicked DDS, the black box popped up, nothing happened, so I hit enter, and after I hit enter, a row of pound signs appeared and the cursor kept blinking.

I put rkill.scr on the laptop and clicked it and the computer shut off.

I'm sorry, this must be incredibly frustrating for you, both because I don't know dick about computers, and because nothing seems to be working because the computer turns off.
 
Hello meglamb

I'm sorry this must be incredibly frustrating for you
You're doing fine Meg, and there is no need to apologise. Sometimes malware is easy to clean, sometimes it isn't. I'm not giving up just yet :boxing:

Did you try to run OTL?

If you tried and it did not run for you, let me know and we'll move on to a different approach.
 
Hello meglamb

Let's give the following a try:

Please rename DDS/OTL to either explorer.exe or iexplore.exe and see if they will run when renamed :)
 
Okay! I've got a scan, but I've got an issue: my USB ports don't work on the infected computer, and I cannot get it to connect to the internet, even if I jam a hardwire into it. So how do I get the scan to you?
 
Hello meglamb

First of all, you did a really great job getting that scan :yes: I know it wasn't easy - very well done indeed :bigthumb:

so how do I get the scan to you?
This is what we have to deal with next.

Without active USB ports we are unable to use a flash drive for the transfer. Are you able to burn the log file to disk and then use a different machine to paste it here?
 
Welp! I got the scan by booting the computer from a disk, so I don't think I can take the disk out and put another one in to burn it, can I?

I know for a fact that a cd burning program won't open from my normal desktop.
 
Hello meglamb

I got the scan by booting the computer from a disk
You did not mention this to me before. Are you telling me that you are now unable to boot the machine at all without the use of the boot disk?
 
Nope, I can boot it without a disk, but from a disk is the only way that I could run that scan. I suppose I could try to exchange the scan file from safe mode, but I looked for the scan on my normal desktop and could not locate it. naw mean?
 