Possible Infection And Crash From Kernel32.dll.vbs


9 replies to this topic

#1 boogerjedi
  • Members
  • 31 posts
Posted 29 December 2007 - 03:44 PM

Hello BC,

I have found the "Hacked by 8bits" worm, the one that retitles Internet Explorer, on 3 of my computers, likely because of a flash drive infection.

This post will be focused on the PC in the most dire situation.


I was moving a .dll plugin into an audio editing program on my XP Pro PC, and that was immediately followed by a system crash, with the message:

STOP: C0000221 unknown hard error
\systemroot\system32\ntdll.dll

When attempting to reboot, the screen shows "NTLDR is missing. Press any key to restart".


I am wondering if this crash was my mistake of messing with program files, or if it was because of the kernel32.dll.vbs infection, because I found on the Symantec site that this infection attempts to delete these files:

* %SystemDrive%\boot.ini
* %SystemDrive%\IO.SYS
* %SystemDrive%\MSDOS.SYS
* %SystemDrive%\NTDETECT.COM
* %SystemDrive%\ntldr

and recursively delete all files, folders and subfolders on all available drives excluding the following:

* %Windir%
* %ProgramFiles%
* %SystemDrive%\Documents and Settings

(quoted from this site)
http://www.symantec.com/security_response/...-99&tabid=3

I basically only have Windows Recovery Console capability on this computer. Is there any hope left for her?

I hope it is okay that I am removing the worm on the other computers with the advice given by quietman7 in topic 121323
http://www.bleepingcomputer.com/forums/t/121323/hacked-by-8bit-on-internet-explorer-title-bar/ (I am the one who accidentally passed this virus on to my RL friend dudeman6788).

Thanks so much!


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 December 2007 - 03:54 PM

If you get "NTLDR is missing, press any key to restart", what's most likely going on is that the BIOS either didn't look for the right drive, didn't find the right partition or didn't find the MBR; or the MBR didn't list NTLDR in the right place; or there is a misconfiguration in the boot.ini file; or the location of NTLDR changed. NTLDR should be in the root of the C: (boot) drive.

NTLDR is Missing: Fix Solutions
NTLDR Missing - fix using fdisk, Recovery Console
How to fix: NTLDR is missing...

Access/Enter Motherboard BIOS
How to enter the BIOS
Access to BIOS Setup -- instructions for most models
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
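The two posts above together describe what an offline check of the damaged drive would look for: post #1 quotes the Symantec list of boot files the worm deletes and the three directory trees it spares, and post #2 lists the boot.ini and NTLDR-placement faults behind "NTLDR is missing". The script below is an added example written for this page, not code from the thread, from Symantec or from BleepingComputer. It assumes the affected volume is mounted read-only at a path you pass as `root` (for instance from a boot CD or a second machine), that %Windir% is `WINDOWS` and %ProgramFiles% is `Program Files` (the XP defaults), and it builds its own constructed sample volumes in a temporary directory so it can run anywhere without a real infected disk.

```python
"""Offline triage of an XP system volume after a kernel32.dll.vbs-style wipe.

Added example, not code from the forum thread or from Symantec. Assumes the
damaged drive is mounted read-only at `root` and applies two checks drawn
from the posts: the Symantec list of deleted boot files and spared
directories, and the boot.ini consistency points quietman7 raises.
"""
import configparser
import os
import tempfile

# Boot files the Symantec write-up quoted in post #1 says the worm deletes.
BOOT_FILES = ["boot.ini", "IO.SYS", "MSDOS.SYS", "NTDETECT.COM", "ntldr"]
# Directory trees it spares (XP default names assumed); all else is wiped.
SPARED_DIRS = ["WINDOWS", "Program Files", "Documents and Settings"]


def missing_boot_files(root):
    """Boot-critical files absent from the volume root (case-insensitive,
    as on FAT32/NTFS), in the order Symantec lists them."""
    present = {name.lower() for name in os.listdir(root)}
    return [f for f in BOOT_FILES if f.lower() not in present]


def check_boot_ini(root):
    """Problems in boot.ini that leave NTLDR unable to find Windows:
    no file, no default= line, or a default ARC path with no matching
    entry under [operating systems]."""
    path = os.path.join(root, "boot.ini")
    if not os.path.isfile(path):
        return ["boot.ini absent"]
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep ARC paths exactly as written
    cp.read(path)
    problems = []
    default = cp.get("boot loader", "default", fallback=None)
    if default is None:
        problems.append("no default= in [boot loader]")
    entries = (dict(cp.items("operating systems"))
               if cp.has_section("operating systems") else {})
    if not entries:
        problems.append("no entries under [operating systems]")
    elif default is not None and default not in entries:
        problems.append("default %r has no [operating systems] entry" % default)
    return problems


def matches_wipe_pattern(root):
    """True when the root holds nothing but the three spared trees (boot
    files included in what is gone) and those trees still have content:
    the deletion pattern Symantec describes for this worm."""
    spared = {d.lower() for d in SPARED_DIRS}
    leftovers = [n for n in os.listdir(root) if n.lower() not in spared]
    spared_nonempty = all(
        os.path.isdir(os.path.join(root, d)) and os.listdir(os.path.join(root, d))
        for d in SPARED_DIRS)
    return not leftovers and spared_nonempty


def triage(root):
    """Run all checks against a mounted volume root and return the findings."""
    return {
        "missing_boot_files": missing_boot_files(root),
        "boot_ini_problems": check_boot_ini(root),
        "matches_wipe_pattern": matches_wipe_pattern(root),
    }


def build_sample_volume(infected):
    """Constructed test data: a throwaway directory laid out like an XP
    system drive, either healthy or in the state post #1 describes."""
    root = tempfile.mkdtemp(prefix="xpvol_")
    for rel in ("WINDOWS/system32/ntdll.dll",
                "Program Files/AudioEditor/editor.exe",
                "Documents and Settings/user/My Documents/notes.txt"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    if not infected:
        for name in BOOT_FILES:
            open(os.path.join(root, name), "w").close()
        with open(os.path.join(root, "boot.ini"), "w") as fh:
            fh.write("[boot loader]\ntimeout=30\n"
                     "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
                     "[operating systems]\n"
                     "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="
                     "\"Microsoft Windows XP Professional\" /fastdetect\n")
        # A user file outside the spared trees: present only on a healthy drive.
        open(os.path.join(root, "song.mp3"), "w").close()
    return root


if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "healthy", triage(build_sample_volume(state)))
```

On a real drive, run `triage("/mnt/xp")` (or whatever the mount point is) before attempting repairs: all five boot files missing together with an empty root outside the three spared trees points at the worm's wipe rather than a misplaced plugin DLL, while a present boot.ini whose `default=` path has no matching entry points at the misconfiguration case quietman7 mentions, which `fixboot`/`fixmbr` alone will not cure.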

#3 boogerjedi
  • Topic Starter
  • Members
  • 31 posts

Posted 30 December 2007 - 12:52 AM

Hello,
Thanks for the lightning fast reply.


I attempted Windows Recovery Console efforts, such as mbrfix, fixboot, and also copying NTLDR and ntdetect.com from an XP OS setup CD. No change in progress.


I attempted a boot-assisting CD from the maker of http://tinyempire.com/notes/ntldrismissing.htm. I was able to boot, but it seems as though many programs are deleted; practically all that are visible are unopenable, saying that Windows cannot open the program, and suggesting to reinstall the program (except for the eTrust antivirus program and some others). My "Documents and Settings" seem intact, although it is hard to tell, since I cannot open the files.

Almost all icon images are gone, and even the Windows "Start" button is invisible.


Can I recover the hard drive data, even though it seems that the worm deleted it?

Thanks so much!

Edited by boogerjedi, 30 December 2007 - 12:54 AM.


#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 December 2007 - 12:55 AM

Since you can boot up now, try using System Restore, or System Restore from a command prompt in "Safe Mode", to return to a previous state before your problems began.

#5 boogerjedi
  • Topic Starter
  • Members
  • 31 posts

Posted 30 December 2007 - 02:03 AM

Nope, sorry; to my knowledge I could not go to any restore point before today. I accessed System Restore through the System Tools menu. I believe I had System Restore activated before this incident, however. I didn't try to get into Safe Mode yet, but perhaps I can try Safe Mode with cmd.

Could that have hope of finding an earlier restore point, or are both routes basically the same?


Thanks again for the quick response!

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 December 2007 - 08:22 AM

The Windows operating system protects files while they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas while the files are in use. Using "Safe Mode" reduces the number of modules requesting files to only the essentials needed to make your computer functional. This in turn reduces the number of malware variants that may be interfering with the normal functions of your computer.

If you still can't get System Restore to work, then you may have to do a Repair Install.
"Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option"
"How to perform a Repair Install".

However, some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything. Please read "When should I re-format?".

#7 boogerjedi
  • Topic Starter
  • Members
  • 31 posts

Posted 03 January 2008 - 05:47 PM

Hello!

Thanks for the tip. I was able to start the Windows repair job, but I got these error messages:

--------------
Sxs.dll syntax error in manifest or policy file d:\i386\asms\60\msft\windows\common\controls\controls.main on line 5

Installation failed: d:\i386\asms. Error message: Data error (cyclic redundancy check)

Sxs.dll syntax error in manifest or policy file d:\i386\asms\1000\msft\windows\gdiplus\gdiplus.man on line 4
--------------

I am repairing with my XP Pro SP2 CD (from the other PC).

Is my XP Pro SP2 CD too unreadable?

#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 January 2008 - 06:07 PM

When doing a search on the net for "Sxs.dll syntax error in manifest or policy file", you will find many such reports. I'm not familiar with this error, so you will have to read some of those discussions unless someone else posts back here.

#9 boogerjedi
  • Topic Starter
  • Members
  • 31 posts

Posted 07 January 2008 - 02:03 PM

Okay, I believe I have given up hope on repairing, and I will now work towards reformatting.

What is a good guide to reformatting Windows XP Professional with the best security? I have the FAT32 file system format, but should I use NTFS?

Thanks,

#10 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 January 2008 - 02:15 PM

"Why Use The NTFS File System"
"FAT32 or NTFS: Making the Choice"

"How to partition and format a hard disk in Windows XP"
"How to reformat and reinstall Windows XP - Method #1"
"How to reformat and reinstall Windows XP - Method #2"

These links include step by step instructions:
"Clean Install Windows XP".
"XP Clean Install Interactive Setup".
"Clean Install Procedure with Illustrative Screen Captures".