
Computer Got Virus, Now Won't Boot Up


This topic is locked
15 replies to this topic

#1 specialkman (Members, 39 posts)

Posted 21 October 2009 - 12:49 PM

Last week, my computer picked up a virus. This has happened before and I went through my normal steps to get rid of it (running clean-up programs, removing files, etc). As part of that clean-up process, I had to restart the computer. After restarting a couple of times over a couple of hours, the computer stopped booting up.

Now, when I turn on the computer, it starts up like it is going to load, but won't actually load. I've tried in regular mode, in safe mode, in last good configuration mode. Right now, I tried safe mode again. It gets as far as loading a black screen with the words "safe mode" in each corner...but that's it.

I'm running Windows XP, and if an actual Windows disk/CD came with my computer, I can't find it. I've never made a backup startup disk (which I know is a mistake, but in the past I've been able to clean up these problems).

I need to use my computer, and any help you can give me to get it back working would be much appreciated.

Thank you

#2 specialkman, Topic Starter (Members, 39 posts)

Posted 24 October 2009 - 01:50 AM

---update---
I've gotten a little help on another forum.

I've tested my hard drive, and it passed all the tests.

If I boot in safe mode and click on Administrator instead of my account, I can use Ctrl+Shift+Esc to access Task Manager. However, it won't let me do much from there.

Does any of that help? Can anyone give me any advice?

#3 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 25 October 2009 - 07:45 PM

Step 1
Please download to your Desktop

Rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.scr

When you double-click on the Desktop icon, a small DOS window will open and the application will run on its own.
It should only take a few minutes and it will close by itself.

Do not reboot the machine

==========================

Step 2
Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension (see the linked instructions if you do not see the file extension).
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it to) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.



------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

=====================================

Step 3
We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 specialkman, Topic Starter (Members, 39 posts)

Posted 25 October 2009 - 09:31 PM

Thank you for your suggestion. But I realized when I reread my last post that I wasn't real clear about the issue.

When I reboot in safe mode as an administrator, it still doesn't boot up all the way. However, I can access the Task Manager.

When I look at the Task Manager, there are no applications running.

There are a handful of processes running: taskmgr.exe, WRSSSDK.exe, svchost.exe (3 times), lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, System, System Idle Process SYSTEM

So, because of that, I can't access the internet to download those programs. But if there's another way to do that, please let me know.

thanks!

#5 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 26 October 2009 - 05:40 PM

In Task Manager, open the Applications window and end all tasks
Then start a new task and type explorer.exe and OK

Then try running the scans
You can copy them to a thumb drive or burn a CD

Edited by garmanma, 26 October 2009 - 05:42 PM.


#6 specialkman, Topic Starter (Members, 39 posts)

Posted 27 October 2009 - 03:08 AM

I am in safe mode, logged in as an administrator. The only way I've gotten Explorer to run (since typing in explorer.exe won't work) is to copy the program, paste it in the same folder, rename it aaa.exe, and force that to run.

I did that, then downloaded Malwarebytes and RootRepeal to a USB drive on my laptop. I put them both on the infected desktop and tried to run them. Each of them started: Malwarebytes closed as soon as I hit Scan, and RootRepeal went through about 30 seconds of a scan before it shut down.

#7 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 27 October 2009 - 07:00 PM

Try these

Step 1
Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Step 2
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

=======================

Step 3
Vista users can refer to these instructions to open a command prompt.

Alternatively you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.

#8 specialkman, Topic Starter (Members, 39 posts)

Posted 27 October 2009 - 07:04 PM

I don't have a Start menu to click on. When I force aaa.exe to run, it opens a Windows Explorer window, and from there I can access my files. But I can't download anything from the internet. And when I've downloaded to my laptop, then transferred the files to the desktop, they won't run either (see earlier post about Malwarebytes and RootRepeal). I'll try to download Win32kDiag.exe to my laptop, then transfer it to the desktop, when I get home.

#9 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)

Posted 27 October 2009 - 09:03 PM

@ garmanma FYI: This is what has already transpired.
Computer Got Virus, Now Won't Boot Up
http://forums.majorgeeks.com/showthread.php?t=201397

@ specialkman: Please continue with garmanma in this thread only!
Please advise at MajorGeeks that you no longer require their assistance, so that their time is not wasted.

FYI specialkman:
1. The (your) Desktop is here (a combination of the two):
C:\Documents and Settings\All Users\Desktop ..... and here ...
C:\Documents and Settings\<your user name>\Desktop

2. The (your) Start Menu is here (a combination of the two):
C:\Documents and Settings\All Users\Start Menu ......... and here ....
C:\Documents and Settings\<your user name>\Start Menu

3. I understood that you could download tools using the internet on your afflicted system: That you were able to access the internet by choosing to load "Safe Mode with networking", etc. Is this still the case or not?

4. Re the problem of not being able to use the tools:
You are aware of what we had to do to get your Windows Explorer to run: We had to make a copy of explorer.exe and rename it aaa.exe. You need to do a similar thing to each of the tools in order to run them successfully: I will use Malwarebytes Antimalware (MBAM) as an example. You were earlier instructed by garmanma as follows: "Before saving MBAM please rename it to zztoy.exe". You then ran "zztoy.exe" to install MBAM on your system. That is fine: BUT .... You now need to do the same thing with the installed MBAM program (executable) file before running it. To do this, go to
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
and change the name of mbam.exe to something else, let's say zzztoy.exe. Then run MBAM by double-clicking on zzztoy.exe.

You should then be able to run MBAM (aka zzztoy.exe) successfully.

@ garmanma, if I am being a nuisance I am sorry: I am hoping this will help.
I will butt out now that you are fully aware of the situation.
AustrAlien
Google is my friend. Make Google your friend too.


#10 specialkman, Topic Starter (Members, 39 posts)

Posted 28 October 2009 - 01:18 AM

I was able to access the internet using safe mode with networking. I could open pages and read stories, but when I tried to download something, it wouldn't let me.

#11 specialkman, Topic Starter (Members, 39 posts)

Posted 28 October 2009 - 03:48 AM

I was able to put Win32kDiag.exe on the infected computer. I ran it and got this report...

Running from: C:\Oct 2009 Cleaners\Win32kDiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ERDNT\Hiv-backup\Hiv-backup
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
[1] 2007-06-13 03:23:07 1033216 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)
[1] 2004-08-10 03:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
[2] 2008-04-13 17:12:19 1033728 C:\WINDOWS\aaa.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-10 03:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 17:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 1736-08-20 10:04:02 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-10 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\temp\7zS2.tmp\7zS2.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\temp\IXP001.TMP\IXP001.TMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\temp\_avast4_\_avast4_
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Web\Wallpaper\inc\inc
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^

Finished!



I'm still not sure how to get to "Run" from the Start menu. I found the Start menu in C:\Documents and Settings\All Users, but I don't know how to find the Run command.

I followed the directions for Malwarebytes as well (changed the name in the Program Files folder to zzztoy.exe). I clicked on Quick Scan, but again, it shut down. So that didn't work. I also tried renaming it mysetup.scr and it did the same thing (ran for 3 seconds, then shut down).

I also tried running RootRepeal again. I clicked Report, highlighted all 7 boxes, then the C:. It started running, ran for probably 2 minutes, pulled up several .tmp files, then shut down.

So, that's where I'm at right now.
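
Picking the two things that matter out of a Win32kDiag report by eye is tedious, so here is an added example, written for this page and not a BleepingComputer tool or code from the thread, that parses a report in the format posted above and pulls out (a) every "Found mount point" with its destination, counted by destination, and (b) every "Cannot access" file whose in-place copy shows an empty value in the parentheses where the other copies show "Microsoft Corporation". The embedded SAMPLE_REPORT is a constructed excerpt of the report above. It is meant to be run on the helper's own machine against a saved Win32kDiag.txt, not on the infected box.

```python
import re
from collections import Counter

# Constructed excerpt of the Win32kDiag report posted in the thread (not a real file).
SAMPLE_REPORT = r"""Running from: C:\Oct 2009 Cleaners\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)
[2] 2008-04-13 17:12:19 1033728 C:\WINDOWS\aaa.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 1736-08-20 10:04:02 61952 C:\WINDOWS\system32\eventlog.dll ()
[1] 2004-08-10 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[flag] YYYY-MM-DD HH:MM:SS size path (company)"; the company part may be empty.
COPY_RE = re.compile(r"^\[\d\] (\d{4})-\d\d-\d\d \d\d:\d\d:\d\d (\d+) (.+?) \((.*)\)$")


def parse_report(text):
    """Return (mount_points, blocked): mount_points is a list of
    (junction path, destination); blocked maps each 'Cannot access' path
    to the list of copies Win32kDiag listed underneath it."""
    mount_points, blocked = [], {}
    pending_mount = current = None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := MOUNT_RE.match(line)):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
        elif (m := CANNOT_RE.match(line)):
            current = m.group(1)
            blocked[current] = []
        elif current and (m := COPY_RE.match(line)):
            blocked[current].append({"year": int(m.group(1)), "size": int(m.group(2)),
                                     "path": m.group(3), "company": m.group(4)})
        elif not line:
            current = None  # a blank line closes a 'Cannot access' block
    return mount_points, blocked


def analyse(text):
    """Two indicators a helper looks for in this report: how many junctions
    resolve to each destination, and which inaccessible files' in-place copy
    (the copy whose path equals the 'Cannot access' path) carries no company name."""
    mount_points, blocked = parse_report(text)
    destinations = Counter(dest for _, dest in mount_points)
    no_company = [path for path, copies in blocked.items()
                  for c in copies
                  if c["path"].lower() == path.lower() and not c["company"].strip()]
    return {"junctions": len(mount_points), "destinations": destinations,
            "no_company_live_copies": no_company}


if __name__ == "__main__":
    result = analyse(SAMPLE_REPORT)
    for dest, n in result["destinations"].items():
        print(f"{n} junction(s) -> {dest}")
    for path in result["no_company_live_copies"]:
        print(f"in-place copy with empty company field: {path}")
```

On the full report in post #11 every mount point resolves to the same destination, and both explorer.exe and eventlog.dll come out with an empty company field while every backup copy of the same file says Microsoft Corporation. The mount-point lines are the ones garmanma quotes in post #14 when he calls it a rootkit infection.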

#12 AustrAlien, Inquisitor (BC Advisor, 6,772 posts, Cowra NSW Australia)

Posted 28 October 2009 - 03:59 AM

but I dont know how to find the run command.

Of course you do: That's where you are typing aaa.exe to get Windows Explorer to run.
Task Manager > New Task > and the dialog box that opens is your Run dialog box.

#13 specialkman, Topic Starter (Members, 39 posts)

Posted 28 October 2009 - 04:09 AM

It's always the little things that trip me up. Thank you for that help.

That allowed me to type "DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt" at the C:\ prompt,

and here's the log.txt file...

Volume in drive C is YOUR_DRIVE
Volume Serial Number is 9C2D-5E0F

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 03:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 03:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 03:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

08/20/1736 10:04 AM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 98,754,322,432 bytes free
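
The DIR command from post #7 only lists the copies; deciding whether C:\WINDOWS\system32\eventlog.dll is out of line still means comparing it with the copy in ServicePackFiles\i386, the baseline the service pack installer left behind. Here is an added example, not part of the thread and not a BleepingComputer tool, that reads a listing in the layout cmd.exe printed above and does that comparison, flagging a live file whose size differs from the service-pack copy or whose timestamp year falls outside a plausible window. SAMPLE_LISTING is a constructed excerpt of the Log.txt above; the two directory names, the 2009 report year and the 1990 lower bound are assumptions chosen to fit this listing, and the script is meant to run on the helper's machine against a pasted log.

```python
import re

# Constructed excerpt of the DIR /a/s output posted above (same layout cmd.exe prints).
SAMPLE_LISTING = r"""Volume in drive C is YOUR_DRIVE
Volume Serial Number is 9C2D-5E0F

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

08/20/1736 10:04 AM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# "MM/DD/YYYY HH:MM AM|PM size name"; summary lines ("3 File(s) ...") do not match.
ENTRY_RE = re.compile(r"^(\d\d)/(\d\d)/(\d{4})\s+\d\d:\d\d\s+[AP]M\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return a list of (directory, filename, size_in_bytes, year) for every file line."""
    entries, current_dir = [], None
    for line in text.splitlines():
        if (m := DIR_RE.match(line)):
            current_dir = m.group(1)
        elif current_dir and (m := ENTRY_RE.match(line)):
            _, _, year, size, name = m.groups()
            entries.append((current_dir, name, int(size.replace(",", "")), int(year)))
    return entries


def compare_to_baseline(entries, live_dir=r"C:\WINDOWS\system32",
                        baseline_dir=r"C:\WINDOWS\ServicePackFiles\i386",
                        report_year=2009, oldest_plausible_year=1990):
    """Compare each live copy with the service-pack copy of the same name.
    Returns {filename: [reasons]} for files whose size differs or whose
    timestamp year is outside [oldest_plausible_year, report_year];
    an empty dict means nothing stood out. Directory names and the year
    window are assumptions for this listing."""
    baseline = {name.lower(): size for d, name, size, _ in entries
                if d.lower() == baseline_dir.lower()}
    findings = {}
    for d, name, size, year in entries:
        if d.lower() != live_dir.lower():
            continue
        reasons = []
        ref = baseline.get(name.lower())
        if ref is None:
            reasons.append("no service-pack copy to compare against")
        elif ref != size:
            reasons.append(f"size {size} differs from service-pack copy {ref}")
        if not oldest_plausible_year <= year <= report_year:
            reasons.append(f"timestamp year {year} is not plausible")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in compare_to_baseline(parse_dir_listing(SAMPLE_LISTING)).items():
        print(name, "->", "; ".join(reasons))
```

On the listing above it flags only eventlog.dll: 61,952 bytes against 56,320 in the service-pack copy, with a 1736 date that no XP installer could have written, while scecli.dll and netlogon.dll match their baseline copies in size. Matching size is not proof of integrity; DIR gives no hashes, so a file that was patched in place without changing its length would pass this check, which is why the thread hands off to tools that inspect the files themselves.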

#14 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 28 October 2009 - 06:49 PM

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^


You have a rootkit infection. Using the logs that we had you run here, please follow these directions

====================================


Now that you were successful in creating those two logs, you need to post them in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck

#15 specialkman, Topic Starter (Members, 39 posts)

Posted 29 October 2009 - 03:24 AM

I put dds.scr on the infected computer, but as expected, it wouldn't run. When I double clicked it, it opened briefly, then shut down.

I've posted the logs and problems in the other forum - http://www.bleepingcomputer.com/forums/t/267809/rootkit-infection-cannot-boot-computer/

Thanks for your help...if there's anything else you can think of that would help, please let me know.



