
Thread: Badly Infected

  1. #41
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi e28ct17m,

    Reboot to Windows. Reboot the computer a couple of times, then try xPUD. You're doing fine.
    Member of UNITE and ASAP

  2. #42
    Member
    Join Date
    Jan 2012
    Posts
    36

    Default

    When I input 2 I received the warning message about no bootloader, so I input 3 and it worked. Below are the logs you requested

    2012-01-28-14:37:36

    The following drives were found
    sda
    sdg
    User has chosen drive sda
    tdl_mbr_sda.bin exists
    backing up mbr to tdl_mbr_sda.2012-01-28-14:37:56


    Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
    255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
    Units = sectors of 1 * 512 = 512 bytes

    Device Boot Start End Blocks Id System
    /dev/sda1 2048 31459327 15728640 27 Unknown
    /dev/sda2 31459328 31664127 102400 1a Unknown
    /dev/sda3 31664128 1953521663 960928768 7 HPFS/NTFS
    /dev/sda4 * 1953521664 1953525151 1744 17 Hidden HPFS/NTFS

    Model: ATA WDC WD10EADS-22M (scsi)
    Disk /dev/sda: 1000GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number Start End Size Type File system Flags
    1 1049kB 16.1GB 16.1GB primary ntfs
    2 16.1GB 16.2GB 105MB primary ntfs
    3 16.2GB 1000GB 984GB primary ntfs
    4 1000GB 1000GB 1786kB primary ntfs boot, hidden


    User has chosen to make partition 2 active
    Warning! No bootloader found on partition 2
    User rejected making partition 2 active

    User has chosen to make partition 3 active

    Model: ATA WDC WD10EADS-22M (scsi)
    Disk /dev/sda: 1000GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number Start End Size Type File system Flags
    1 1049kB 16.1GB 16.1GB primary ntfs
    2 16.1GB 16.2GB 105MB primary ntfs
    3 16.2GB 1000GB 984GB primary ntfs boot
    4 1000GB 1000GB 1786kB primary ntfs hidden


    User has accepted changes



    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=C:
    description Windows Boot Manager
    locale en-US
    inherit {globalsettings}
    default {current}
    resumeobject {36350f4e-934d-11de-b33d-b7495bee80d8}
    displayorder {current}
    toolsdisplayorder {memdiag}
    timeout 30

    Windows Boot Loader
    -------------------
    identifier {current}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {bootloadersettings}
    recoverysequence {36350f50-934d-11de-b33d-b7495bee80d8}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {36350f4e-934d-11de-b33d-b7495bee80d8}
    nx OptIn

    Windows Boot Loader
    -------------------
    identifier {36350f50-934d-11de-b33d-b7495bee80d8}
    device ramdisk=[C:]\Recovery\36350f50-934d-11de-b33d-b7495bee80d8\Winre.wim,{36350f51-934d-11de-b33d-b7495bee80d8}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[C:]\Recovery\36350f50-934d-11de-b33d-b7495bee80d8\Winre.wim,{36350f51-934d-11de-b33d-b7495bee80d8}
    systemroot \windows
    nx OptIn
    winpe Yes

    Resume from Hibernate
    ---------------------
    identifier {36350f4e-934d-11de-b33d-b7495bee80d8}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device partition=C:
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    Device options
    --------------
    identifier {36350f51-934d-11de-b33d-b7495bee80d8}
    description Ramdisk Options
    ramdisksdidevice partition=C:
    ramdisksdipath \Recovery\36350f50-934d-11de-b33d-b7495bee80d8\boot.sdi

  3. #43
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi e28ct17,

    Good job.

    Before we finish cleaning this for you a couple of questions. After rebooting did the computer boot normally or did you need to edit the line again?

    Are you still getting redirects?

    RogueKiller has been updated. Please delete the copy you have and download a new one. The interface is different in the new version. Double click to run it. Once it's open and has done its prescan, click the scan button. After the scan has completed, click the report button and post the log.

    You can get a new copy from HERE
    Member of UNITE and ASAP

  4. #44
    Member
    Join Date
    Jan 2012
    Posts
    36

    Default

    The computer booted normally. I did not have to edit the line. The redirects have stopped. Looks like things are back to normal, thanks to you!!

    RogueKiller V7.0.1 [01/28/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Janice [Admin rights]
    Mode: Scan -- Date : 01/28/2012 15:25:51

    ¤¤¤ Bad processes: 1 ¤¤¤
    [SUSP PATH] ReminderHelper.exe -- C:\ProgramData\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 4 ¤¤¤
    [SUSP PATH] winupd.job : C:\Users\Janice\AppData\Local\Temp:winupd.exe -> FOUND
    [WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost




    ¤¤¤ MBR Check: ¤¤¤


    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] 862d43404943f43730948c81ebbefce0
    [BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16106 Mo

    1 - [XXXXXX] UNKNOWN (0x1a) [VISIBLE] Offset (sectors): 31459328 | Size: 104 Mo

    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo

    3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo

    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

  5. #45
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi e28ct17,

    Sorry this is taking so long. Your computer is a bit of an oddity so I wanted to make sure it was the computer and not something new this malware was doing.

    Next, right click on OTL.exe and choose Run as Administrator to run it
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    • Do Not copy the word CODE
    • please note the fix starts with the :

    Code:
    :Services
    
    :Reg
    
    :Files
    c:\users\Janice\AppData\Roaming\Yfhym
    c:\users\Janice\AppData\Roaming\Inuro
    c:\users\Janice\AppData\Roaming\Adodn
    c:\users\Janice\AppData\Roaming\Elday
    c:\users\Janice\AppData\Roaming\Urubn
    c:\users\Janice\AppData\Roaming\Goaci
    c:\users\Janice\AppData\Roaming\Ofgaub
    c:\users\Janice\AppData\Roaming\Sie 
    
    :Commands
    [createrestorepoint]
    [purity]
    [emptytemp]
    Then click the Run Fix button at the top
    • Let the program run unhindered
    • Please save the resulting log to be posted in your next reply.
    Please post the OTL fix log.

    One more trip with xPUD

    • Boot into xPUD then click the File tab.
    • Press File
    • Expand mnt
    • Click on the folder under mnt that represents your USB drive (sdb1 ?)
    • You should see the tdl_fix.sh file in the main window.
    • Select Tool from the Menu
    • Choose Open Terminal
    • Type bash tdl_fix.sh -delete then press Enter.
    • ** Make sure to leave a space to either side of tdl_fix.sh in the command.
    • You should be notified of a hidden partition found and prompted to delete it.
    • Type y then press Enter.
    • The script will complete and prompt you to reboot the computer.
    • Close the Terminal window and restart back into Windows.
    • Post the contents of the tdl_delete.txt file that was created on your flash drive.


    The computer should boot normally. If for some reason it doesn't, use the F10 method first. If you still have problems, follow the steps below.

    Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

    bash tdl_fix.sh -restore

    Make sure to leave a space to either side of tdl_fix.sh in the command.
    This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
    Ok the procedure then restart when complete.

    Computer still behaving?

    Thanks
    Last edited by oldman960; 2012-01-29 at 06:55.
    Member of UNITE and ASAP
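    As an added illustration (not part of this thread and not the tdl_fix.sh script itself), the check the script performs can be reconstructed in Python: read the four 16-byte entries of a 512-byte MBR and report any partition whose type id is a "hidden" variant, flagging it more strongly when it is also the active (bootable) entry, which is exactly how sda4 (Id 17, boot flag set) looked in the fdisk output earlier in this thread. The sample MBR below is constructed to mirror that table; it is not a dump from the poster's drive. The script can also be pointed at a real backup such as the tdl_mbr_sda.bin file tdl_fix.sh writes.

```python
import struct
import sys

# MBR partition type ids that mark a partition as hidden (fdisk's "Hidden ..." entries).
# 0x17 is "Hidden HPFS/NTFS", the type tdl_fix.sh reported on sda4 in this thread.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of a classic (msdos) 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                       # partition table starts at byte 446
        status, ptype = mbr[off], mbr[off + 4]   # 0x80 = active/bootable, byte 4 = type id
        start, size = struct.unpack_from("<II", mbr, off + 8)  # LBA start, sector count
        if ptype == 0:
            continue                             # unused slot
        entries.append({"index": i + 1, "active": status == 0x80,
                        "type": ptype, "start": start, "sectors": size})
    return entries


def find_suspicious(entries):
    """Flag hidden-type partitions; an active hidden partition is the rootkit pattern."""
    findings = []
    for p in entries:
        if p["type"] in HIDDEN_TYPES:
            what = "hidden-type partition marked ACTIVE" if p["active"] else "hidden-type partition"
            findings.append((p["index"], what))
    return findings


def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the thread's fdisk table (status, type, start, sectors)."""
    table = [(0x00, 0x27, 2048, 31457280),        # sda1: OEM recovery (Id 27)
             (0x00, 0x1A, 31459328, 204800),      # sda2: system reserved (Id 1a)
             (0x00, 0x07, 31664128, 1921857536),  # sda3: Windows (Id 7)
             (0x80, 0x17, 1953521664, 3488)]      # sda4: hidden NTFS, active (Id 17, *)
    mbr = bytearray(512)
    for i, (status, ptype, start, size) in enumerate(table):
        off = 446 + 16 * i
        mbr[off], mbr[off + 4] = status, ptype
        struct.pack_into("<II", mbr, off + 8, start, size)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Usage: python mbr_check.py [tdl_mbr_sda.bin]; with no file, inspects the constructed sample.
    data = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_sample_mbr()
    for index, note in find_suspicious(parse_mbr(data)):
        print(f"partition {index}: {note}")
```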

  6. #46
    Member
    Join Date
    Jan 2012
    Posts
    36

    Default

    Microsoft Security Essentials found the following on my computer (I have not taken any action on them)

    DOS/Aluteon.E and Win32/Arcadeweb

    I ran OTL and below is my log. I will wait to do xPUD until I hear back from you.

    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    c:\users\Janice\AppData\Roaming\Yfhym folder moved successfully.
    c:\users\Janice\AppData\Roaming\Inuro folder moved successfully.
    c:\users\Janice\AppData\Roaming\Adodn folder moved successfully.
    c:\users\Janice\AppData\Roaming\Elday folder moved successfully.
    c:\users\Janice\AppData\Roaming\Urubn folder moved successfully.
    c:\users\Janice\AppData\Roaming\Goaci folder moved successfully.
    c:\users\Janice\AppData\Roaming\Ofgaub folder moved successfully.
    c:\users\Janice\AppData\Roaming\Sie folder moved successfully.
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Janice
    ->Temp folder emptied: 499906 bytes
    ->Temporary Internet Files folder emptied: 39799349 bytes
    ->Java cache emptied: 186882690 bytes
    ->FireFox cache emptied: 172457852 bytes
    ->Flash cache emptied: 70005 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 193586 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
    RecycleBin emptied: 2381032 bytes

    Total Files Cleaned = 384.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 01292012_115543

    Files\Folders moved on Reboot...
    C:\Users\Janice\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDMOXURH\27[1].png moved successfully.
    C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QDMOXURH\27[2].png moved successfully.
    C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0EJLRQW\32[1].png moved successfully.
    C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\533CW1BO\26[1].png moved successfully.
    C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\533CW1BO\30[1].png moved successfully.
    C:\Users\Janice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03AWZWF0\31[2].png moved successfully.

    Registry entries deleted on Reboot...

  7. #47
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi e28ct17,

    DOS/Aluteon.E and Win32/Arcadeweb
    Do you know where the detection was? I'm pretty sure it finally detected the rogue partition which is now inactive.

    Go ahead with xPUD.
    Member of UNITE and ASAP

  8. #48
    Member
    Join Date
    Jan 2012
    Posts
    36

    Default

    No, I don't know where the detection was... I don't think it said. Here is the log you requested

    2012-01-30-21:09:16

    using tdl_delete_sda.bin

    Model: ATA WDC WD10EADS-22M (scsi)
    Disk /dev/sda: 1000GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number Start End Size Type File system Flags
    1 1049kB 16.1GB 16.1GB primary ntfs
    2 16.1GB 16.2GB 105MB primary ntfs
    3 16.2GB 1000GB 984GB primary ntfs boot
    4 1000GB 1000GB 1786kB primary ntfs hidden

    Hidden partition found on sda
    sda4 is hidden
    Deleting partition 4 on drive sda

    Model: ATA WDC WD10EADS-22M (scsi)
    Disk /dev/sda: 1000GB
    Sector size (logical/physical): 512B/512B
    Partition Table: msdos

    Number Start End Size Type File system Flags
    1 1049kB 16.1GB 16.1GB primary ntfs
    2 16.1GB 16.2GB 105MB primary ntfs
    3 16.2GB 1000GB 984GB primary ntfs boot

    No hidden partition on sdg

  9. #49
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi e28ct17,

    That should have taken care of the MSE detections. Any problems?
    Member of UNITE and ASAP

  10. #50
    Member
    Join Date
    Jan 2012
    Posts
    36

    Default

    Yes, my browser home page keeps resetting to mywebsearch.com. Everything else seems to work ok.
