
Please help - can't even get past Welcome screen!


  • This topic is locked
11 replies to this topic

#1 Kandi55

Kandi55

  • Members
  • 8 posts
  • Local time:07:51 PM

Posted 23 May 2009 - 01:10 AM

I need help! My laptop was fine up until a couple nights ago - all of a sudden I was getting pop-up after pop-up about having a trojan and how I should do a scan. So I did a Trend Micro Housecall scan. It found a trojan, but after clicking quarantine, which didn't work, I clicked delete and then froze. Ever since then I have been crashing and freezing like crazy (blue screen of death or I freeze up and get a loud beep) and have been forced to shut down by holding down the power key (I know that can't be good for my computer).

Long story short, it's so bad now I can barely get past the Welcome screen on Windows XP without freezing, or half of my desktop will load and then freeze. I don't know if this was stupid, but I installed the Avira virus scanner and then went into Safe mode to avoid crashing - it found 2 instances of the TR.crypt.zpack.gen. I quarantined them, but it didn't help. The IT guy at my work gave me a flash drive with 2 other programs to try, so I installed them but wasn't able to run them. By default I had McAfee which was useless - did nothing for me.

Can someone please, please help? My laptop is in complete lockdown. I am lucky to have another desktop at home I can use temporarily, but I need my laptop urgently for work. My laptop is a Dell Inspiron 1520 and unfortunately my warranty has expired. I would really appreciate some advice. Thanks.



#2 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 23 May 2009 - 08:58 AM

Can you use Safe Mode with Networking? If so,

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it.

  • Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it. Before running it, rename the main executable file first.

    Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

    If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
  • Another workaround is to not use the mouse to install it. Just use the arrow keys, tab, and enter keys.

~ Courtesy of boopme

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here or here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please include the following in your reply:
MBAM log

#3 Kandi55

Kandi55
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:51 PM

Posted 23 May 2009 - 05:10 PM

Thanks for your help xblindx. I tried Safe Mode with Networking but couldn't get Internet access - I have wireless, is that why? Do I need to plug in my network cable from my desktop, or by doing that do I risk the infection spreading to the desktop? It's my dad's computer, so I'm not sure if I want to chance it.

My IT guy at work gave me a flash drive that actually has the Malwarebytes' program. In Safe Mode I tried double-clicking on it to install it, I get the hourglass and nothing happens. I tried changing it to MBblah.bat like you suggested, but still nothing happens.

The flash drive he gave me had Avira (that installed and worked, quarantined & deleted the 2 trojans in safe mode), CCleaner (installed and opened, but I have no clue what it does? I saw "delete all files", panicked and closed it lol), Malwarebytes (won't run) and Spybot - Search and Destroy which I believe I installed, but also won't run. I tried re-installing and it says "Error sending request. The server name or address could not be resolved".

So, I'm basically still stuck. I tried several times last night to get past the Welcome screen in normal mode, and I did once and was even able to open a Second Life window. But I can't open Internet Explorer - anytime I try I freeze.

What else can I try? Thanks again.

#4 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 23 May 2009 - 08:06 PM

Is Malwarebytes installed to the flash drive, or is the setup program just on the flash drive? Try installing it to the flash drive using a clean machine, then updating it, and then try running it from the flash drive on the infected machine.

#5 Kandi55

Kandi55
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:51 PM

Posted 23 May 2009 - 11:57 PM

The setup program is on the flash drive, which has been in and out of my laptop - is it risky to plug it into this desktop? I'm worried the trojan will transfer to the desktop.

#6 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 24 May 2009 - 06:36 AM

If you are worried about that, do this before you transfer programs:

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
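
Added example, not part of the thread and not Flash_Disinfector's own code: a Python check of whether a drive root carries the autorun.inf folder described above or a real autorun.inf file, in which case it lists the entries that would start a program. The function names, status labels and sample file contents are constructed for illustration.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that name a program to start

def launch_entries(path):
    """Return (key, value) pairs in an autorun.inf file that start a program."""
    entries = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
            if sep and (key in LAUNCH_KEYS or is_shell_verb):
                entries.append((key, value.strip()))
    return entries

def audit_root(root):
    """Classify the autorun.inf entry at the root of one drive."""
    target = None
    for name in os.listdir(root):  # compare case-insensitively, as Windows does
        if name.lower() == "autorun.inf":
            target = os.path.join(root, name)
    if target is None:
        return ("unprotected", [])         # nothing occupies the name
    if os.path.isdir(target):
        return ("placeholder-folder", [])  # the folder the note above describes
    return ("autorun-file", launch_entries(target))

def demo():
    """Build two constructed drive roots in a temp directory and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, dirty = os.path.join(tmp, "E"), os.path.join(tmp, "F")
        os.makedirs(os.path.join(clean, "autorun.inf"))
        os.makedirs(dirty)
        with open(os.path.join(dirty, "AUTORUN.INF"), "w") as fh:
            # Constructed file contents; example.exe is a placeholder name.
            fh.write("[autorun]\nOpen=example.exe\n"
                     "shell\\open\\command=example.exe\nicon=x.ico\n")
        return audit_root(clean), audit_root(dirty)

if __name__ == "__main__":
    for status, entries in demo():
        print(status, entries)
```
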

#7 Kandi55

Kandi55
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:51 PM

Posted 24 May 2009 - 08:17 PM

Thanks a lot for your help, I really do appreciate it... I feel like I'm in way over my head and this has basically ruined my entire weekend, so I think I'll just take my laptop to work tomorrow and ask our IT guy to take a look at it. Thanks again, you've been so helpful.

#8 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 24 May 2009 - 09:09 PM

Ok, I hope all goes well, and good luck with your laptop :thumbsup:
Any other questions you have may be asked here.

#9 Kandi55

Kandi55
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:51 PM

Posted 25 May 2009 - 10:48 AM

Guess what... I'm back. Please don't run away lol

At someone else's suggestion, I uninstalled McAfee last night in safe mode - they said it can cause problems and sounded like I had too many anti-virus programs running, so I took that off. Once I did that, I was able to boot in normal mode all the way to my desktop. I copied the Malwarebytes install application from the flash drive and pasted it on my desktop and renamed it Eric.exe. I also did the same with the program and was finally able to install it and do a full scan (in safe mode). It found 10 items, mostly Pop Cap Ad_Aware I think?? Anyway, I quarantined and deleted them. I rebooted, got to my desktop and was finally able to open an IE browser. I even tried to go to Google and it worked - then it froze! Several more times, it froze at the Windows welcome screen. So I'm really, really not sure what else to try at this rate. I have the MB log - on my laptop :thumbsup: So there's no way to transfer it here. It was pretty short anyway...

#10 Kandi55

Kandi55
  • Topic Starter

  • Members
  • 8 posts
  • Local time:07:51 PM

Posted 25 May 2009 - 12:55 PM

Here is the MB log:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

5/24/2009 10:28:25 PM
mbam-log-2009-05-24 (22-28-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 118589
Time elapsed: 1 hour(s), 47 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

#11 xblindx

xblindx

  • Banned
  • 1,923 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 25 May 2009 - 04:21 PM

Your MBAM version is way outdated. The current version is 1.36.

Please uninstall your current version and download a fresh copy from here. Update the definitions and then run a quick scan.
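
Added example, not part of the thread and not Malwarebytes code: a Python sketch that parses the log format posted in #10, checks that each summary count matches its itemised section, lists anything not reported as removed, and compares the program version with the 1.36 figure from the reply above. The function names and the shortened sample log are constructed for illustration.

```python
import re
# Constructed sample: the log from post #10, cut down to three of its entries.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1306

Registry Keys Infected: 2
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")        # "Files Infected: 1"
HEADER = re.compile(r"^(.+ Infected):$")               # "Files Infected:"
ITEM = re.compile(r"^(.+) \(([^()]+)\) -> (.+?)\.?$")  # object (family) -> action

def parse_mbam_log(text):
    # Returns (meta, summary counts, itemised detections per section).
    meta, counts, items, section = {}, {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := HEADER.match(line):
            section = m.group(1)
            items[section] = []
        elif section and (m := ITEM.match(line)):
            items[section].append(m.groups())
        elif line.startswith("Malwarebytes' Anti-Malware "):
            meta["version"] = line.rsplit(" ", 1)[1]
    return meta, counts, items

def review(text, current_version="1.36"):  # 1.36 is the figure given in the reply above
    meta, counts, items = parse_mbam_log(text)
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return {
        "outdated": as_tuple(meta.get("version", "0")) < as_tuple(current_version),
        "count_mismatch": [s for s, n in counts.items() if len(items.get(s, [])) != n],
        "not_removed": [(s, obj) for s, found in items.items()
                        for obj, _family, action in found
                        if "successfully" not in action.lower()],
        "families": sorted({f for found in items.values() for _o, f, _a in found}),
    }
```
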

#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,111 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:51 PM

Posted 26 May 2009 - 01:32 AM

Hello,

I see that you have a HijackThis log posted here: http://www.bleepingcomputer.com/forums/t/229345/hijackthis-log/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

