
Severe infection even after wiping drive and reformatting. HELP!


This topic is locked
9 replies to this topic

#1 nbdl

Posted 25 June 2009 - 08:35 PM

Hello,
I'm in urgent need of help, I can't do anything with my laptop.
About 20 days ago, while helping my son do research on gambling and addiction for his final, I was infected by visiting one of the gambling sites. The infection would not let me run adaware, spybot sd, ccleaner, it wouldn't even allow me to use System Restore. If I tried to search using Google, Yahoo or Bing on IE or Firefox, I was automatically redirected to whatever it wanted to send me to. I happened to also have Opera, and luckily that was immune to the redirects, so I searched for and downloaded Malwarebytes.
It would not allow me to install it though. So I downloaded it again and changed the name. By doing that, I was able to install and run it. It found 30 or so things, and I removed them. But there were 2 that it could not remove; it said that it would remove them on reboot. One was iexplore and the other might have been userinit (or a shorter name that started with a U). So I rebooted, and ran Malwarebytes again, but the one infection that started with the U was still there.
It didn't bother me too much.
But after a few Google searches using Firefox (I couldn't use IE at all without being redirected), the redirects would start again, but all I had to do was run Malwarebytes; it deleted all but that one infection and then I'd be sort of okay again. But then yesterday, suddenly Opera was affected by the infection and I couldn't search when using it without being redirected. I ran Malwarebytes again, but I couldn't search on Opera or IE without being redirected, but Firefox was okay for the moment. I closed my windows, set my laptop down, went and got a drink and came back to a black desktop with big red letters warning me I had been infected and System Security 2009 was "scanning" my laptop. I tried to open Task Manager to close it, but got a little balloon telling me I couldn't run it because it was infected.

I then tried Spybot S&D, Ad-Aware, CCleaner, Malwarebytes, System Restore, Add/Remove Programs; all got that stupid little bubble in the lower right corner telling me that they were infected and couldn't run. I even tried to run msconfig, but it said it was infected. I couldn't launch IE, it immediately closed. I couldn't launch Firefox, because it said that Firefox had crashed and would attempt to restore my tabs, but every time I tried, it failed to launch. But I could use Opera; it was a little slow, but I could use it. Using search engines was out though; when I tried, I got redirected.

I happened to have Malwarebytes, Ad-Aware and Spybot S&D on a USB drive, so I thought I'd try running them from there, but it didn't work. So when I tried to "safely remove" my USB, I got a Windows XP error notice popup and suddenly the infection stopped "scanning" and shut down. I was now able to run Malwarebytes...or so I thought. It would run for a while, find issues, then it would become unresponsive. I tried it 5 or 6 times, but it never finished running so I could remove the issues. So I thought I'd shut down and try again later....big mistake. When I did try and start the laptop, it would turn on, launch XP, then it would flash quickly on a blue screen that said something like Windows was shutting down to protect my computer and it was beginning a dump. It kept doing that over and over. I tried to launch safe mode, but I couldn't. It would start to launch, the screen would fill with a bunch of win32 messages, then it would flash quickly to the blue screen that said something like Windows was shutting down to protect my computer and it was beginning a dump. I was never able to load XP again.

So I decided to run DBAN, reformat the drive and reinstall XP. Once XP finished installing, I updated to SP2 and suddenly, while it was updating, the black desktop with big red letters warning me I had been infected and System Security 2009 was "scanning" again. I ran msconfig and disabled all but the systray on startup, rebooted and when it came back, the black screen and red letters were gone, but System Security 2009 started "scanning". I no longer have Malwarebytes on the laptop and can't run anything without getting that stupid little bubble in the lower right corner telling me that whatever I was trying to run was infected and couldn't be run.

I'm really stuck. Being infected was bad enough, but to wipe the drive clean, only to have the virus/infection return is unbelievable. Especially since I can't install any type of removal tool, and since I can't install anything, I can't give you a HJT log or anything else.
I'd hate to have to wipe the drive again, mainly because it didn't work the first time I wiped it.

I don't know how you can do it, but any help that you can provide is greatly appreciated.

I'm running win XP Pro sp2

*edit... I just found my notes: the one infection that could not be removed at all by Malwarebytes was uacinit.dll (not userinit.exe as mentioned above).
Thanks,
Don

Edited by nbdl, 25 June 2009 - 09:55 PM.



#2 garmanma (Computer Masochist)

Posted 25 June 2009 - 09:05 PM

Keep in mind that any portable hard drive or flash drive that was attached to the computer might also be infected. So you should not save documents and whatnot.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
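An added example, not code from the thread, from BleepingComputer or from any tool it mentions, following on from the warning above about attached USB drives. It assumes the classic Windows XP re-infection route: an autorun.inf in the drive root whose open=, shellexecute= or shell\...\command= entries point at a dropped executable that Windows runs when the stick is inserted. The thread does not establish that this is what happened here, and the drive layout, file names and autorun.inf contents the script scans are constructed in a temporary directory.

```python
"""Audit a removable drive for an autorun.inf and the programs it would launch.

Added example, not from the thread or any tool named in it. It assumes the
Windows XP autorun re-infection route described in the lead-in; the sample
drive it scans is built in a temporary directory with made-up names.
"""
import os
import shlex
import tempfile


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.

    Hand-rolled rather than configparser: real autorun.inf files carry
    backslashes in keys, duplicate keys and mixed casing.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Yield (key, program) for every entry that makes Windows run a program."""
    for key, value in entries.items():
        runs = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not runs or not value:
            continue
        # First token is the program; anything after it is arguments.
        program = shlex.split(value, posix=False)[0].strip('"')
        yield key, program


def _is_hidden(path):
    """True if the Hidden or System attribute is set (Windows); None elsewhere."""
    try:
        attrs = os.stat(path).st_file_attributes  # Windows-only stat field
    except (AttributeError, OSError):
        return None
    return bool(attrs & 0x2) or bool(attrs & 0x4)  # HIDDEN, SYSTEM


def audit_drive(root):
    """Return one finding per launch entry in <root>/autorun.inf (empty if none)."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return findings
    with open(inf_path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for key, program in launch_targets(entries):
        target = os.path.join(root, program.replace("\\", os.sep))
        findings.append({
            "key": key,
            "program": program,
            "exists": os.path.isfile(target),
            "hidden": _is_hidden(target),
            # Payloads were commonly parked under RECYCLER to look like the bin.
            "in_recycler": program.lower().startswith("recycler"),
        })
    return findings


# Constructed sample modelled on the layout such worms used; names are made up.
SAMPLE_AUTORUN = """; constructed sample autorun.inf
[AutoRun]
open="RECYCLER\\update.exe" /s
shell\\open\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=MyStick
"""


def build_sample_drive():
    """Create a throwaway directory that mimics an infected stick; return its path."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "update.exe"), "wb") as fh:
        fh.write(b"MZ")  # constructed stand-in for the dropped executable
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    for f in audit_drive(build_sample_drive()):
        status = "present" if f["exists"] else "MISSING"
        print(f"{f['key']:<20} -> {f['program']} ({status})")
```

Point it at the root of a real stick (for example `audit_drive("E:\\")`) from a machine you trust; a launch entry whose program exists, sits under RECYCLER and carries the Hidden or System attribute is the pattern to treat as a re-infection source before plugging the drive into a freshly installed system.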

#3 garmanma (Computer Masochist)

Posted 25 June 2009 - 09:39 PM

Can you get into safe mode w/networking or can you open Task Manager?
If you can open Task Manager, end all tasks in the Applications window. Then start a new task and type explorer.exe
See if you can download Mbam that way and also SAS or if you prefer, the DDS download from the preparation guide link
Mark

#4 nbdl (Topic Starter)

Posted 25 June 2009 - 09:53 PM

Unfortunately, as I said above, "I tried to open Task Manager to close it, but got a little balloon telling me I couldn't run it because it was infected."
As for safemode, before I reinstalled xp I had this issue that I noted above "I tried to launch safemode, but I couldn't. It would start to launch, the screen would fill with a bunch of win 32 messages, then it would flash quickly to the blue screen that said something like windows was shutting down to protect my computer and it was beginning dump."
And now that I have reinstalled XP and the garbage has returned, I have the same issue when trying to start in safemode.

Don

Edited by nbdl, 25 June 2009 - 09:56 PM.


#5 boopme (Global Moderator)

Posted 26 June 2009 - 10:25 AM

Hello, it appears you may still have a rootkit on here. Did you fully wipe the drive first?

IMPORTANT NOTE: uacinit.dll is related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, botnets, and IRC bots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.



Next, please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Edited by boopme, 26 June 2009 - 10:51 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 nbdl (Topic Starter)

Posted 29 June 2009 - 02:18 PM

Hi boopme,

I did wipe it fully. I used dban (boot and nuke) then formatted the drive and reinstalled XP. I was finally able to get Malwarebytes to run and once it completed, I ran it in safemode and it found several more infections. According to Malwarebytes, I am clean, but now the laptop is running very slowly. My CPU usage is quite often at 100% and can only assume there is something still infecting me. At this point, I will be able to follow steps and guidelines for posting HJT logs and attempt to fully clean the laptop. Should I start another thread in the HJT board and allow this one to close, or should I install RootRepeal first and post the results on this thread?

Don

Edited by nbdl, 29 June 2009 - 02:22 PM.


#7 boopme (Global Moderator)

Posted 29 June 2009 - 02:22 PM

OK, I guess you were unlucky enough to just reinfect.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#8 nbdl (Topic Starter)

Posted 29 June 2009 - 03:56 PM

I'm not able to run DDS. I downloaded it, double-clicked, it opened and I get the message that ends with "Dispose after use",
and then "The batch file cannot be found" pops up.

Any suggestions?

Edited by nbdl, 29 June 2009 - 04:02 PM.


#9 boopme (Global Moderator)

Posted 29 June 2009 - 04:11 PM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

#10 Orange Blossom (Moderator)

Posted 29 June 2009 - 11:11 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/237623/had-severe-infection-now-laptop-runs-slow-rsit-inside/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom