
Virus injured computer


7 replies to this topic

#1 TheAndy500

Posted 21 September 2009 - 07:41 PM

So my friend left me her laptop and it's pretty awful. I would like to try to save it for her, but it is in rough shape. When you try to open ANY file, it gives you the "open with" dialog box. This includes regedit. This would be the most important thing to fix first, so that I can actually run something to fix everything else. It also has all this porn on the desktop, and police pro and other similar fake anti-virus stuff. It kept blue-screening until I started it up with the most recent settings that worked. But first things first, how do I get files to open without the "open with" dialog?


#2 garmanma

Posted 22 September 2009 - 11:09 AM

Can you get into safe mode w/networking or open Task Manager?

Did you try following this guide?

http://www.bleepingcomputer.com/virus-remo...dows-police-pro
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 TheAndy500

Posted 22 September 2009 - 03:47 PM

I can get into safe mode with networking, but it can't find the wireless connection. I can use my flash drive though to put stuff on it. Neither of the reg fixes in that guide helped. It still opens the "open with" dialog whenever I try to open something, like the install for Malwarebytes.

#4 garmanma

Posted 22 September 2009 - 07:26 PM

Before attaching your flash drive to the infected machine, run this

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
------------------------------------

Download this and run it on the infected machine:

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Right-click on rootrepeal.exe and rename it to tatertot.scr
  • Open tatertot.scr on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------
Please note: If RootRepeal fails to run, try these steps:
Click Settings - Options. Set the Disk Access slider to High

Right-click on rootrepeal.exe and rename it tatertot.scr

Select to scan only Drivers
Mark

#5 TheAndy500

Posted 23 September 2009 - 09:09 AM

Do I do the flash disinfector on my computer or the infected one?

#6 garmanma

Posted 23 September 2009 - 04:45 PM

Both. Yours first
Mark

#7 TheAndy500

Posted 24 September 2009 - 03:31 PM

The flash disinfector didn't actually run on the infected computer (gave me the open with dialog). But whatever.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/24 16:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA756000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xA9F07000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\HIBERFIL.SYS
Status: Locked to the Windows API!

Path: C:\RootRepeal report 09-24-09 (16-18-03).txt
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\system32\uactmp.db
Status: Allocation size mismatch (API: 1409024, Raw: 0)

Path: C:\WINDOWS\SYSTEM32\rotscxqlldymex.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxmphesiaw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxbdqbnylt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxepaepasr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\rotscxevxbnmdi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxssjbbmxxsr.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxouqdwpcvkp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxwiwasspdsx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxiqqvnmsbco.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxpfwbdywbde.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxecdarplaxl.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\rotscxnsesvjuycv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\rotscxpuyqxsiw.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ROTSCXQLLDYMEX.DLL]
Process: svchost.exe (PID: 1064) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: ROTSCXEVXBNMDI.DLL]
Process: Explorer.EXE (PID: 1948) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: rotscxsbfpmnvs
Image Path: C:\WINDOWS\system32\drivers\rotscxpuyqxsiw.sys

==EOF==
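One way to triage a report like the one above, as an added example (not RootRepeal's code and not part of this thread): it parses RootRepeal's "Key: value" sections, keeps only the file entries where the Windows API view and the raw disk view disagree (a merely "Locked" file such as hiberfil.sys is normal), collects the hidden modules and hidden services, and ties each hidden service to the hidden driver file it loads. The section names and status strings are those of the log above; the sample is a constructed, trimmed excerpt, and grouping hidden names by a shared 6-character prefix is an assumed heuristic.

```python
# Constructed trimmed sample in RootRepeal's report layout (not the full log posted above).
SAMPLE_REPORT = """Hidden/Locked Files
Path: C:\\HIBERFIL.SYS
Status: Locked to the Windows API!

Path: c:\\windows\\system32\\uactmp.db
Status: Allocation size mismatch (API: 1409024, Raw: 0)

Path: C:\\WINDOWS\\SYSTEM32\\rotscxqlldymex.dll
Status: Invisible to the Windows API!

Path: C:\\WINDOWS\\SYSTEM32\\DRIVERS\\rotscxpuyqxsiw.sys
Status: Invisible to the Windows API!

Stealth Objects
Object: Hidden Module [Name: ROTSCXQLLDYMEX.DLL]

Hidden Services
Service Name: rotscxsbfpmnvs
Image Path: C:\\WINDOWS\\system32\\drivers\\rotscxpuyqxsiw.sys
==EOF==
"""

def parse_report(text):
    """Split RootRepeal's 'Key: value' blocks (blank-line separated) into {section: [entry, ...]}."""
    sections, current = {}, None
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line:
                entry.update([line.partition(": ")[::2]])   # (key, value)
            elif line and not line.startswith(("---", "==")):
                current = line.strip()                     # section header
                sections.setdefault(current, [])
        if entry:
            sections[current].append(entry)
    return sections

def triage(text):
    """Flag API/disk disagreements, hidden modules and hidden services, then correlate them."""
    r, bad = parse_report(text), ("Invisible to the Windows API", "Allocation size mismatch")  # "Locked" alone is normal
    files = [e["Path"] for e in r.get("Hidden/Locked Files", []) if e["Status"].startswith(bad)]
    modules = [e["Object"].partition("[Name: ")[2].rstrip("]") for e in r.get("Stealth Objects", [])]
    services = {e["Service Name"]: e["Image Path"] for e in r.get("Hidden Services", [])}
    fam = {}  # assumed heuristic: hidden names sharing a 6-char prefix usually belong to one family
    for n in [p.rsplit("\\", 1)[-1] for p in files] + modules:
        fam.setdefault(n.lower()[:6], set()).add(n.lower())
    linked = {s: p for s, p in services.items() if p.lower() in {f.lower() for f in files}}
    return {"files": files, "modules": modules, "services": services,
            "families": {k: sorted(v) for k, v in fam.items() if len(v) > 1},
            "service_to_hidden_file": linked}
```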

#8 garmanma

Posted 24 September 2009 - 07:03 PM

Now that you were successful in creating a log, you need to post it in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that this log was all you could get to run successfully.
The HJT team is extremely busy, so be patient and good luck.
Mark
