
Help me with my next step in Malware removal


9 replies to this topic

#1 P1atinum

P1atinum

  • Members
  • 8 posts

Posted 21 February 2009 - 11:47 PM

I found this site today after getting a malware/virus infection.

I was getting redirects and pop-ups, I could not restore settings, and when I ran SUPERAntiSpyware, Spybot S&D and Ad-Aware my system would reboot part way through the scan with no warning.

After reading a little on this site, I have run ATF Cleaner and MBAM.
MBAM found 19 objects infected; when attempting to remove them I was prompted to reboot because MBAM could not remove several files. After reboot I re-ran MBAM and this time it found 28 objects infected; I clicked Remove Infected and had only 3 items that could not be removed, and I am asked to reboot again.

Do I continue this process, or is there another action I should be taking at this time?

OS is XP pro

Thanks in advance

Edited by P1atinum, 21 February 2009 - 11:53 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 February 2009 - 12:13 AM

Hi, yes, continue with updates, rescans and reboots. Without knowing what was found we can only go with that.
Did you run SUPER from safe mode and MBAM from normal?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 P1atinum

P1atinum
  • Topic Starter

  • Members
  • 8 posts

Posted 22 February 2009 - 01:00 AM

Thanks for the quick response.

I was running SUPER from normal mode, and was successful in re-running the scan in Safe Mode.

MBAM was run in normal mode. Here is the latest log; this was after the SUPER scan and quarantine.

Malwarebytes' Anti-Malware 1.34
Database version: 1790
Windows 5.1.2600 Service Pack 2

2/22/2009 12:50:53 AM
mbam-log-2009-02-22 (00-50-53).txt

Scan type: Quick Scan
Objects scanned: 68012
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\curtis\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\codeblocks.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\codeblocks.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\undname.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\undname.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\codeblocks.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\undname.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\curtis\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

I still had files that MBAM said it could not delete and to reboot.

Edited by P1atinum, 22 February 2009 - 01:01 AM.
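As an added example (not part of this thread and not Malwarebytes' own tooling), here is a small Python parser for the MBAM log format posted above. It pulls each finding out of its section, checks the summary counts against the entries actually listed, flags anything left as "Delete on reboot" (the items behind the repeated reboot prompts), and tags registry targets by the autostart mechanism they belong to (Run keys, Winlogon\Userinit, a service entry). The sample input is a handful of lines copied from the log in this post; the section handling and the persistence classification are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the MBAM log posted above
# (not a complete log), with summary counts matching the entries included.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1790

Memory Processes Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\codeblocks.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected: 16" is a summary count; a bare "Files Infected:" opens the listing.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# target (detection) -> [Data: value ->] action
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations to recognise in registry targets (my own classification).
PERSISTENCE = [
    ("\\currentversion\\run\\", "run key"),
    ("\\winlogon\\userinit", "userinit"),
    ("\\currentcontrolset\\services\\", "service"),
]


def parse_entry(line):
    """Split one finding into target, detection name, optional data value and action."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rest, data = m.group("rest"), None
    if rest.startswith("Data: ") and " -> " in rest:
        data, rest = rest[len("Data: "):].rsplit(" -> ", 1)
    return {"target": m.group("target"), "detection": m.group("detection"),
            "data": data, "action": rest}


def persistence_kind(target):
    """Name the autostart mechanism a registry target belongs to, if any."""
    t = target.lower()
    for needle, kind in PERSISTENCE:
        if needle in t:
            return kind
    return None


def summarize(log_text):
    """Parse an MBAM log into per-section entries plus the items worth attention."""
    entries, expected, section = defaultdict(list), {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                expected[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        entry = parse_entry(line)
        if entry:
            entries[section].append(entry)
    every = [e for sec in entries.values() for e in sec]
    return {
        "entries": dict(entries),
        # Items MBAM could not remove while running; these drive the reboot requests.
        "pending_reboot": [e["target"] for e in every
                           if e["action"].startswith("Delete on reboot")],
        "persistence": [(e["target"], persistence_kind(e["target"]), e["data"])
                        for e in every if persistence_kind(e["target"])],
        # Sections whose summary count disagrees with the entries actually listed.
        "count_mismatches": sorted(n for n, c in expected.items()
                                   if len(entries.get(n, [])) != c),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for target in report["pending_reboot"]:
        print("still present until reboot:", target)
    for target, kind, data in report["persistence"]:
        print(f"{kind:8} {target}" + (f"  (data: {data})" if data else ""))
```

Run on the full log from this post, the same code lists the three Run-key values, the four Userinit data items and the `restore` service alongside the one file left for deletion at reboot, which is a quicker read than the raw log when deciding whether another rescan is worthwhile.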


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 February 2009 - 01:09 AM

Hi now run a Full MBAM scan then SDFix; I'll look back in the morning as it's late here.
Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Full Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#5 P1atinum

P1atinum
  • Topic Starter

  • Members
  • 8 posts

Posted 22 February 2009 - 04:58 PM

I ran the full scan of MBAM, restarted in Safe Mode and attempted to run SDFix. I was able to start SDFix and get to the screen that says

"starting repairs
Checking running processes and Services"

This screen would be present from 15 to 30 seconds and then the computer would reboot with no Error or warning.

Attempted to post the MBAM log but was not able to get internet connection on first attempt.

Re-booted and began to get "Data Execution Prevention" messages that shut down Windows Explorer and DLL apps; on these boot attempts I was not able to get to the loaded desktop icons.

After three attempts to reboot the system in normal mode I attempted to reboot in Safe Mode. Once I attempted to reboot in Safe Mode it would get part way through booting and reboot.

I am now in a Reboot Loop.

Looks like things have gotten worse for me.

Attempted to recover using Windows CD. still reboots when loading windows.

Any suggestions?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 February 2009 - 06:31 PM

This is not fun
First of all stop the loop and get the STOP or the error message:

Disable automatic restart, to do that:

During the rebooting process, repeatedly press the F8 key to enter the Windows Advanced Options Menu.
Use the up and down arrow keys to select Disable automatic restart on system failure and then press the Enter key.
Use up and down arrow keys to select the operating system to start (if more than one OS is installed).
Press the Enter key.
Windows should start.

Write down the error message and post it to your next reply.

Also tell us if you have access to another computer to download to burn a Microsoft Recovery Console.

#7 P1atinum

P1atinum
  • Topic Starter

  • Members
  • 8 posts

Posted 22 February 2009 - 10:39 PM

The error is saying "Unmountable_Boot_Volume"

Technical Information
***Stop: 0x000000ED (0x8A211900,0xC0000006,0x00000000,0x00000000)

I do have a laptop I can DL and burn MS Recovery Console

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 February 2009 - 03:18 PM

Hello, unfortunately the infection is the winner here.

Reader_s.exe = Virut in all the cases I have seen so far.
Bruce Harrison
Malwarebytes Lead Researcher


Since Virut is a polymorphic file infector I tend to agree with Fatdcuk: Reformat & Reinstall
Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection.

When Should I Format, How Should I Reinstall

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this.

EDIT: got another suggestion from the Staff as an option.
Quick "fix" for STOP 0xED:

Get into Recovery Console and run 3 commands: FIXMBR, FIXBOOT, CHKDSK /R
Also run a hard drive diagnostic (bootable) from the manufacturer of the drive.

Edited by boopme, 23 February 2009 - 06:44 PM.


#9 P1atinum

P1atinum
  • Topic Starter

  • Members
  • 8 posts

Posted 24 February 2009 - 10:09 PM

I guess the virus has to win some times.

Since I have several files I would like to recover on the infected drive, would it be better if I remove the infected master drive "C:", then take my secondary (slave) drive and use that as the master drive, install the OS, then DL the files I need to save from the infected drive to an external drive, scanning for viruses at that time?
I could then low level wipe and reformat the infected drive, install it back in the PC and transfer the saved files.

Would the above work? And how high a probability is it that the slave drive was also infected?

I hope this all made sense.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 March 2009 - 01:19 PM

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.
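The two backup guidelines above, together with the earlier warning that malware may hide its real extension behind a familiar one, can be turned into a small triage script. This is an added example, not part of the thread and not any tool the moderators mention: it takes the extension lists from the two rules (extend `DATA_EXTS` for your own data), skips any `autorun.*` file, refuses executables and web pages, and catches names such as `holiday.jpg                .exe` whose visible extension is not the one Windows will actually honour. It uses `ntpath` so Windows paths are handled the same way on any OS; the sample file list is constructed, borrowing only the directory layout seen in the MBAM log.

```python
import ntpath

# Extension lists taken from the two guidelines above; extend DATA_EXTS for your own data.
DATA_EXTS = {".doc", ".txt", ".mp3", ".jpg"}
UNSAFE_EXTS = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}


def triage(path):
    """Decide whether one file is safe to copy off an infected drive.

    Returns ("copy" | "skip" | "review", reason). ntpath is used so that
    Windows-style paths split correctly whether this runs on Windows or not.
    """
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    ext = ext.lower()
    # Trailing spaces before the real extension push it out of view in Explorer.
    stem = stem.rstrip().lower()
    if stem == "autorun":
        return "skip", "autorun file"
    if ext in UNSAFE_EXTS:
        # "holiday.jpg     .exe": the visible part looks like data, the real extension does not.
        inner = ntpath.splitext(stem)[1]
        if inner in DATA_EXTS:
            return "skip", f"disguised executable: shown as {inner}, really {ext}"
        return "skip", f"executable or web content ({ext})"
    if ext in DATA_EXTS:
        return "copy", "data file"
    return "review", f"unlisted extension {ext or '(none)'}"


def plan_backup(paths):
    """Group a list of paths into copy / skip / review buckets with reasons."""
    plan = {"copy": [], "skip": [], "review": []}
    for p in paths:
        decision, reason = triage(p)
        plan[decision].append((p, reason))
    return plan


# Constructed sample listing; only the directory layout is borrowed from the log above.
SAMPLE_FILES = [
    r"C:\Documents and Settings\curtis\My Documents\letter.doc",
    r"C:\Documents and Settings\curtis\My Pictures\holiday.jpg                .exe",
    r"C:\Documents and Settings\curtis\reader_s.exe",
    r"C:\Documents and Settings\curtis\Desktop\index.htm",
    r"E:\autorun.inf",
    r"C:\Documents and Settings\curtis\My Documents\notes.ods",
]

if __name__ == "__main__":
    for bucket, items in plan_backup(SAMPLE_FILES).items():
        for p, why in items:
            print(f"{bucket:6} {ntpath.basename(p):45} {why}")
```

Anything that lands in `review` is a file type the two rules do not name; the moderators' advice still applies to it, so scan it with an up-to-date anti-virus before copying it back after the reinstall.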



