
Crippling Virus

1 reply to this topic

#1 WPB


  • Members
  • 1 posts

Posted 05 June 2008 - 01:10 PM

I've got quite a predicament here. I would truly appreciate help, as I had unbacked-up files on my PC that are important for me to recover (I work with digital music), and I would like to avoid a clean wipe of my drive until last resort because my computer ridiculously did not come with a Windows CD nor authentication key.

It's a Pentium 4 Sony Vaio VGC-RB50(G) with Windows XP.

I picked up a brutal virus (or viruses), of that I'm sure.
At first, McAfee blocked a string of buffer overflows, and some programs were unable to run; simply nothing would happen when I clicked on them. I was unable to use McAfee's scan as a result, and what anti-adware programs I had were insufficient for this.
I attempted a system restore and found that all my restore points were wiped out; all that was left was one for "last known good system settings", which was set at the time of infection. Restoring to this did nothing that I could see.
I then started searching for alternative antivirus programs to use, in safe mode. Firefox was a program that wouldn't run, so I used Internet Explorer, and soon got browser-hijacked by a lowlife scamming "antivirus" company that blocked my access to the websites with the software I really needed. I downloaded Opera, but that was another non-operational program for me.
After trying the system restore again to nullify this, I came to my current situation:

Every program (except Picture and Fax Viewer and Notepad) gives me an "Open with..." prompt when I try to run it. Even cmd!! (Booting "Safe mode with command console" allows me to get to it at least, a single good sign in this whole mess.)
On the "Open with" prompt for Internet Explorer, I tried selecting itself from the list. It briefly opened and closed, then gave me the "Do you want to run or save?" prompt, followed by the "Publisher cannot be verified, do you still want to run?" prompt, and brought me back to "Open with...".

I'm able to move around files or delete them, as well as reach the properties menu for files, and taskbar/start menu properties.

Attempting to open anything in the control panel (except Administrative Tools) results in the error "C:\WINDOWS\system32\rundll32.exe application not found".

On a normal boot, McAfee immediately pops up stating it blocked a buffer overflow with "Detection File: C:\WINDOWS\system32\services.exe", and does this multiple times before the error "Services and Controller app has encountered a problem and needs to close.", followed by "System shutdown initiated by NT AUTHORITY\SYSTEM".

The Event Viewer lists errors from "Service Control Manager" and "DCOM".

I believe some of the malicious processes are

I found corresponding files with these names in the WINDOWS/Prefetch folder. I deleted them and they just came back on the next boot.

In safe mode with command console, I tried the "regsvr32 /i shell.dll" thing I've seen. No effect.

Also from the console, I found some oddly named files on C:\ that were marked with the time of infection. I deleted them and these didn't regenerate:

I also found quite a lot of .pf files in the Prefetch folder marked with the time of infection, but I avoided touching these for now as I don't know if I could potentially make anything worse by doing so.

That's all I was able to gather with my limited computer knowledge. I'm willing to take steps to gather more information if needed and told how.
If there's a solution involving a program or file that needs to be introduced, I have a USB storage drive to get it on there.
If the system is unsalvageable, I would like to know how to go about transferring my personal files off of it if possible.

I would be grateful for any help on this, thanks.



#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 June 2008 - 08:11 PM

Hello WPB and welcome to BC.
Please try to run these first.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Doing this may fix the error "C:\WINDOWS\system32\rundll32.exe application not found", which is generally caused by a broken registry path, the result of certain malware removal. Hopefully this will provide some functionality and the ability to scan.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click HERE if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
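As an added illustration of the check that the Autoruns steps above do by hand (this script is not from the thread or from boopme), the following lists the standard Run/RunOnce auto-start entries and the .exe file-association command, and flags entries whose target file no longer exists. It assumes a Windows machine where PowerShell is available, which Windows XP did not ship with.

```powershell
# Added example, not from the thread. Assumes PowerShell is available on the
# machine being examined; the registry keys below are the standard Windows ones.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    param([string]$Command)
    # Expand %SystemRoot% etc., then take the quoted first token, the text up to
    # the first ".exe", or failing that the first whitespace-delimited token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    $exe = if ($expanded -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($expanded -match '^\s*(.+?\.exe)') { $Matches[1] }
           else { ($expanded -split '\s+')[0] }
    # rundll32 entries load a DLL: the DLL is the file that must actually exist.
    if ($exe -match 'rundll32(\.exe)?$' -and
        $expanded -match 'rundll32(?:\.exe)?\s+"?([^",]+)') {
        $exe = $Matches[1].Trim()
    }
    return $exe
}

function Test-TargetExists([string]$Target) {
    if (Test-Path -LiteralPath $Target) { return $true }
    # Bare names with no directory (e.g. rundll32.exe) resolve through PATH.
    return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
}

function Get-AutostartReport {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not an entry
            $target = Get-CommandTarget $p.Value
            [pscustomobject]@{
                Key = $key; Name = $p.Name; Target = $target
                Exists = Test-TargetExists $target
            }
        }
    }
}

# An "Open with..." prompt for every .exe usually means this value was altered;
# the stock value is "%1" %* (run the program itself with its arguments).
$exeOpen = Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
"exefile open command: $($exeOpen.'(default)')"

# Entries whose target is missing are what Autoruns would show as the source of
# an "application not found" error at startup.
Get-AutostartReport | Where-Object { -not $_.Exists } | Format-Table Key, Name, Target -AutoSize
```

Run it from an elevated PowerShell so that the HKLM keys are readable; an entry listed here that you do not recognise is the one to look up in Autoruns before deleting it.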
