Backdoor:Win32/IRCbot.gen!K


  • This topic is locked
45 replies to this topic

#16 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 07:41 AM

Help! :'(

Today, when I tried turning on my laptop, I just got a black screen. That is, it seemed to boot normally, I saw the "Acer" screen and the screen where it says Microsoft Corp. and you see this loading symbol. After that, only black. So I tried to shut it down and start again, same thing. But if I start the laptop again, it lets me choose between normal mode, "abgesicherter Modus", "mit Netzwerktreibern" or "Eingabeaufforderung".
What shall I do?



#17 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 31,697 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2011 - 11:19 AM

Hi

Please try hitting F8 twice when the menu appears; you should get a greater choice of options. Among them "Letzte als funktionierend bekannte Konfiguration". Try that one.

regards myrti


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!


sig3.png

Follow BleepingComputer on: Facebook | Twitter | Google+

#18 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 11:27 AM

No...F8 does not change the number of options :(

#19 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 31,697 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2011 - 11:42 AM

Do you see a prompt saying "do this to enter advanced boot menu" when you see that list? Please try pressing F8 as soon as the Acer logo disappears. Does the menu appear then?

What happens when you try to boot "abgesicherter Modus"?

regards myrti



#20 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 11:55 AM

Ok, I am in that menu now. One option is "Letzte als funktionierend bekannte Konfiguration (erweitert)", is that the one?

#21 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 31,697 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2011 - 12:07 PM

Hi,

Yes please. Try that one.

Can you please also list the other given options, just so I know what is available.

regards myrti



#22 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 12:09 PM

Computer reparieren (zeigt eine Liste von Systemwiederherstellungstools an)

Startprotokollierung aktivieren
Verzeichnisdienstwiederherstellung
Debugmodus
Aut. Neustart bei Systemfehler deaktivieren
Erzwingen der Treibersignatur deaktivieren

#23 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 12:13 PM

Ok, I was able to boot now and everything looks quite normal!! Shall I run that fix.reg now?

#24 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 31,697 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2011 - 12:16 PM

Hi,

now this should have already fixed what I was trying to fix yesterday evening. :)

Can you please repeat the instructions from post #13 to confirm that it's back to normal?



#25 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 12:23 PM

You said I have to run the script from the drive where my operating system is located...what does that mean, am I doing the right thing if I just open it from the desktop?

#26 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 31,697 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2011 - 12:25 PM

Hi,

it means that you need the file to be on the same partition as your operating system. Your operating system is on Partition C:, your Desktop is as well. So running it from the desktop is fine :)

regards myrti



#27 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 12:29 PM

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
auditbaseobjects REG_DWORD 0 (0x0)
auditbasedirectories REG_DWORD 0 (0x0)
crashonauditfail REG_DWORD 0 (0x0)
fullprivilegeauditing REG_BINARY 00
Bounds REG_BINARY 0030000000200000
LimitBlankPasswordUse REG_DWORD 1 (0x1)
LmCompatibilityLevel REG_DWORD 3 (0x3)
NoLmHash REG_DWORD 1 (0x1)
Notification Packages REG_MULTI_SZ scecli\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0
LsaPid REG_DWORD 756 (0x2f4)
SecureBoot REG_DWORD 1 (0x1)
ProductType REG_DWORD 3 (0x3)
disabledomaincreds REG_DWORD 0 (0x0)
everyoneincludesanonymous REG_DWORD 0 (0x0)
forceguest REG_DWORD 0 (0x0)
restrictanonymous REG_DWORD 0 (0x0)
restrictanonymoussam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Credssp

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\FipsAlgorithmPolicy

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache
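
The SWREG output above includes the three package lists under the LSA key (Notification Packages, Security Packages and Authentication Packages), which are the DLLs LSASS loads at startup; the helper confirms in the following reply that the output looks the way it should. As an added example, not part of this thread or of the SteelWerX tool, here is a small Python script that parses this output format and compares those three lists with the baseline values shown in the post. The baseline is assumed to be the known-good state for a standalone Windows machine like this one (domain-joined hosts or third-party authentication software legitimately add entries), and the second sample, with a made-up "unknownpkg" entry, is constructed to show what a finding looks like.

```python
import re
from typing import Dict, List, Tuple

# Regex for one value line of the SteelWerX Registry Console Tool output:
# "<value name> <REG_TYPE> <data>". The value name may contain spaces
# ("Notification Packages"), so match lazily up to the first REG_ token.
VALUE_LINE = re.compile(r"^(?P<name>.+?) (?P<type>REG_[A-Z_]+)(?: (?P<data>.*))?$")

# Key path of the LSA settings dumped in post #27 (compared case-insensitively).
LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"

# Known-good package lists, taken from the output in post #27 that the helper
# confirmed as normal. Assumed baseline for a standalone Windows machine;
# domain-joined hosts or third-party authentication software legitimately add entries.
EXPECTED_LSA_PACKAGES = {
    "Notification Packages": {"scecli"},
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg"},
}

# Constructed sample in the tool's output format, reduced to the lines that matter here.
SWREG_OUTPUT_CLEAN = """\
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006

HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa
auditbaseobjects REG_DWORD 0 (0x0)
Notification Packages REG_MULTI_SZ scecli\\0\\0
Security Packages REG_MULTI_SZ kerberos\\0msv1_0\\0schannel\\0wdigest\\0tspkg\\0\\0
Authentication Packages REG_MULTI_SZ msv1_0\\0\\0
restrictanonymoussam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa\\Audit
"""

# Constructed sample with one extra notification package ("unknownpkg" is a made-up
# name). A DLL listed here is loaded by LSASS and is notified of password changes,
# so anything outside the baseline deserves a closer look.
SWREG_OUTPUT_SUSPICIOUS = SWREG_OUTPUT_CLEAN.replace(
    "Notification Packages REG_MULTI_SZ scecli\\0\\0",
    "Notification Packages REG_MULTI_SZ scecli\\0unknownpkg\\0\\0",
)


def parse_swreg(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse SWREG output into {key path (lowercased): {value name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line.lower()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data") or "")
    return keys


def split_multi_sz(data: str) -> List[str]:
    """Turn the tool's 'a\\0b\\0\\0' rendering of REG_MULTI_SZ into ['a', 'b']."""
    return [part for part in data.split("\\0") if part]


def audit_lsa_packages(keys: Dict[str, Dict[str, Tuple[str, str]]]) -> List[str]:
    """Compare the three LSA package lists against the baseline; return findings."""
    findings: List[str] = []
    lsa = keys.get(LSA_KEY.lower())
    if lsa is None:
        return [f"LSA key not present in output: {LSA_KEY}"]
    for name, expected in EXPECTED_LSA_PACKAGES.items():
        if name not in lsa:
            findings.append(f"{name}: value missing")
            continue
        reg_type, data = lsa[name]
        if reg_type != "REG_MULTI_SZ":
            findings.append(f"{name}: unexpected type {reg_type}")
            continue
        actual = set(split_multi_sz(data))
        for extra in sorted(actual - expected):
            findings.append(f"{name}: unexpected entry {extra!r}")
        for missing in sorted(expected - actual):
            findings.append(f"{name}: baseline entry {missing!r} missing")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", SWREG_OUTPUT_CLEAN), ("suspicious", SWREG_OUTPUT_SUSPICIOUS)):
        result = audit_lsa_packages(parse_swreg(sample))
        print(f"{label}: {'no findings' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against a saved SWREG dump by reading the file and passing its text to parse_swreg; an empty findings list means the three lists match the baseline, and anything else names the list and the entry that differs. The baseline set is the only thing that needs adjusting for a differently configured machine.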

#28 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 31,697 posts
  • Gender:Female
  • Location:At home

Posted 26 October 2011 - 12:41 PM

Hi,

now it's looking the way it should. :thumbup2:

Have you been getting further notifications that you are infected? What have you done with your Facebook account so far?

regards myrti



#29 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 12:48 PM

Wow...great, I am happy to hear that! Until now, no notifications. Can we be sure that everything virus-related is gone?

I went into Facebook from the second computer I have been using, right until the step where they asked me to download McAfee. Then I logged off again since I wanted to have it on my own (the infected) laptop ;) Can I try logging on now?

What about the external hard drive which I used for making the backup? Do you think it might be infected, and can we check together?

Cheers, kolibri

#30 kolibri
  • Topic Starter
  • Members
  • 26 posts

Posted 26 October 2011 - 01:33 PM

And another question: What do I do with ComboFix and all the other programs + logs, is it ok to delete them?



