Infection That Has Gone Out of Control


5 replies to this topic

#1 sdchap00

sdchap00

  • Members
  • 7 posts

Posted 16 February 2009 - 04:19 AM

Yesterday, my antivirus (McAfee) began giving a bunch of warnings that I was infected with trojans, etc. I'd had some about a month ago, so I already had Malwarebytes and SUPERAntiSpyWare and some other software and had luck with them previously.

The infection messages were coming pretty quickly, so I restarted my comp (running WinXP) and loaded into safe mode with networking, where I updated Malwarebytes and SAS. I intended to upload some logs here when I was done, since I figured I simply hadn't caught everything the last time. I didn't post the logs last time, assuming I'd caught it all.

So anyway, once I was in safe mode, I ran Malwarebytes; it found a bunch of items and indicated that it needed to reboot to finish removing some of the items. I rebooted.

I again booted into safe mode and ran SAS, which also found several items and needed to reboot, which I did.

On reboot, I went into normal mode and ran Malwarebytes again, having seen several posts here saying that it runs better in normal mode. While it was running, my background wallpaper disappeared (and was replaced with a bright fuchsia color); Firefox loaded up on its own several times and tried to go to www.antivirusxp-pro2009.com/code=, and I had a new icon in the lower right corner (a red circle with a white plus sign) that had a bubble come up saying I was infected by a virus. This time Malwarebytes found only 4 items and needed to reboot to fix some of them.

I rebooted and ran Malwarebytes again. It found the same four items (or at least appeared to be the same). The Antivirus2009 stuff was gone, and my background was back as a normal color (though not my usual wallpaper).

At this point, I figured I should post my logs, etc. for the experts here. I was still having some odd behavior -- McAfee wouldn't load up, and I was getting some error messages when Windows booted (one about TransferAgent not loading and one saying UTool would need to shut down and asking to send in an error report). I could not, however, get online to submit my logs. Both Firefox and IE would load, but neither would connect to any websites.

At this point, I decided to try a couple more things. I booted into safe mode and ran ATF-Cleaner. I also ran SDFix and Smithfraudfix.

I still couldn't get online, and McAfee was not working right. When I'd open the security center, most of the interface appeared as Xs (as though the pics that were supposed to load couldn't be found). I was able to click on the "fix" button to start the AV back up, but the Xs remained.

I thought at this point, I'd give SAS one more try, so I booted into safe mode. SAS found about 9 items. I rebooted and I thought I'd give Malwarebytes another try. It found several items and said it needed to reboot. However, while the scan was running, I kept having pop-ups from McAfee saying I was infected with "New Win32" and giving me the option to restart and rescan or close the pop-up, or saying that an infection had been cleaned from various places (one of these "places" looked like the notepad app).

At this point, I tried to reboot, but it would not start back up completely. The Windows startup sound would play, my background would come up and the login/password box comes up. After that, it says loading personal settings, and McAfee appears to load, but then no task bar, no icons, nothing. I did have another of the McAfee pop-ups at this point. I couldn't do anything and had to do a hard reboot with the power button. On reboot, the same thing happened.

It won't load into safe mode either now. It loads to the same extent as in Normal mode (login box, McAfee appears to load, etc.). Then it just sits there with the safe mode background (black with "safe mode" written in the corners) and no toolbar, start menu, or icons.

Am I hosed? Any help would be appreciated.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 February 2009 - 09:11 AM

If you cannot boot up in Normal or Safe mode, see:

Important Note: If this is a virus/Trojan related issue, you should know that some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action. Please read:

These are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, and scan the system for virus infections. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Other options you can try:
  • BugHunter. This is a DOS based malware scanner that can detect and remove common malware. It is designed as a tool of last resort, to be used if your computer is so badly infected with spyware that you are unable to access your desktop or install a full featured malware removal tool...Instructions can be found in the BugHunt.txt readme file.
  • VIPRE PC Rescue. This is a command-line utility that will scan and clean a computer which is so badly infected that programs cannot be easily run. Be sure to print out and follow the instructions provided on the same page.

Edited by quietman7, 16 February 2009 - 09:13 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 sdchap00

sdchap00
  • Topic Starter

  • Members
  • 7 posts

Posted 16 February 2009 - 10:02 AM

Thanks for the quick response. I will try some of this when I get home today. I have one other question related to repair/reinstallation. The Dell I have did not come with a restore disk or a copy of WinXP. Instead, it has the "hidden" partition that can be accessed by hitting ctrl + f11 when booting; the partition includes a version of the Symantec Ghost app that will write an image onto the main partition that should essentially reset everything to the factory original. I am not totally familiar with this process, having not had to use this particular approach before, and my only other experience with ghosting machines was about 8-10 years ago. Will this include a wipe/format? Or will I need to do that separately?

Thanks.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 February 2009 - 01:18 PM

A Recovery Partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows XP partition that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

Recovery partitions may only work with a start-up floppy disk, or the user may be prompted immediately after the "Out Of Box Experience" (OOBE) to create backup CD-R disks for the software on the hard drive image for future use. Once the CDs are made, the Operating System, Drivers, or Applications can be reinstalled using the files on the hard drive or the backup CDs. Before using a recovery partition make sure you back up all your data, photos, etc. to another source such as a CD or external hard drive.

Some built-in recovery partitions can be accessed by hitting Ctrl+F11, just F11, or F10 during BIOS startup. Others, like those used by IBM Thinkpads, will display a message at bootup instructing you to press F11 to boot from the recovery partition. For more information, see Understanding Partition recovery.

If you have a Dell computer, see:
Inside the Dell PC Restore Partition: DSR.
Restoring Your Computer's Software to the Factory Settings.
Dell Support.

#5 sdchap00

sdchap00
  • Topic Starter

  • Members
  • 7 posts

Posted 17 February 2009 - 08:11 PM

I went with the recovery route. It reset the system to the factory out of the box condition. I'm downloading windows updates, etc. now. Should I run Malwarebytes or SAS or anything else (and post a log) to make sure?

Thanks for the help.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 February 2009 - 11:33 AM

That's the decision I would have made if this were my system.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

If using Windows Vista, please refer to:
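As an added example of the Autorun hardening quietman7 recommends above (this is not code from the thread or from any of the linked articles), the PowerShell below audits and, if needed, enforces the Explorer policy value `NoDriveTypeAutoRun` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`. The registry path and value name are Microsoft's documented policy; the function names are this example's own. It must be run from an elevated shell because the value lives under HKLM.

```powershell
# Added example: audit and enforce the Windows policy that disables Autorun on
# every drive type. Registry path and value name are the documented Explorer
# policy; the three function names below are invented for this example.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # bit mask: each set bit disables Autorun for one drive type; 0xFF covers all

function Get-AutorunPolicy {
    # Returns the current policy value, or $null when the value (or the whole
    # Policies\Explorer key) does not exist, i.e. Windows is using its default.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutorunDisabled {
    # True only when every drive-type bit in the mask is set.
    $current = Get-AutorunPolicy
    return ($null -ne $current) -and (($current -band $AllDrives) -eq $AllDrives)
}

function Set-AutorunDisabled {
    # Creates the policy key if it is missing and writes the full mask.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $AllDrives -Force | Out-Null
}

# Audit first, change only when the policy is absent or incomplete.
if (Test-AutorunDisabled) {
    Write-Output ('Autorun already disabled for all drive types (NoDriveTypeAutoRun = 0x{0:X2}).' -f (Get-AutorunPolicy))
} else {
    $before = Get-AutorunPolicy
    if ($null -eq $before) { $before = 'not set' }
    Write-Output ("Current NoDriveTypeAutoRun: {0}; setting 0xFF." -f $before)
    Set-AutorunDisabled
    Write-Output 'Done. Log off and back on (or reboot) so Explorer reads the new policy.'
}
```

A couple of points worth knowing when applying this on the XP-era systems discussed in the thread: on Windows XP the `NoDriveTypeAutoRun` policy was only honored consistently after Microsoft's Autorun update (the one described in KB967715) was installed, so the check above should be paired with confirming that update is present; and because Group Policy can overwrite this value at the next refresh on a domain-joined machine, the same setting is better deployed there through the "Turn off Autoplay" policy rather than a local registry edit.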
