
Malicious Software Removal Tool


25 replies to this topic

#1 RangerBob52O (Members, 17 posts)

Posted 04 November 2009 - 02:36 PM

Hello,

I need help with my laptop. I have downloaded something awful into it. It redirects, puts porn shortcuts on my desktop, etc. I read some of the recent similar posts and started to try and take care of it myself. I didn't have much luck. I had Malwarebytes and Combofix on from the Windows Police Pro problem. This new thing rendered them useless. I was able to get Malwarebytes to run by renaming it to wuauclt.exe and it removed some stuff but not enough to where I could get Combofix to reload.

I tried to get a DDS log but could not get it to load either from the download link or from a jump drive. I was able to get Root Repeal to run and here is the log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/04 12:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA5E44000 Size: 876544 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0B72000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\install.txt
Status: Size mismatch (API: 272, Raw: 271)

Path: C:\Documents and Settings\Administrator\Cookies\ad[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Cookies\iframe3[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Cookies\system@swarovski[1].txt
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\administrator\local settings\temp\~dfd4ab.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temporary internet files\content.ie5\tu8a6fow\st[2]
Status: Size mismatch (API: 4490, Raw: 4493)

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TU8A6FOW\st[3]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TU8A6FOW\iframe3[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TU8A6FOW\impCAYH065A
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WQQ7PRW4\impCA0QQ2WO
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WQQ7PRW4\st[2]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZWZT6A7K\344a8f76701e76e723a74e27bc2ab9e3[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\wmvembed[1].js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\documentwrite[1].js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\239671_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\241149_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\crossdomain[1].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\crossdomain[2].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\Electronics[1].html
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\howcast_logo[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\pixel[1].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\pixel[2].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJAWCWBS\v2[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\239673_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\269431_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\adimage[1].aspx
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\adimage[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\ad[3].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\crossdomain[1].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\crossdomain[2].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\crossdomain[3].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\GetInvite[1].aspx
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\imp[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\JS[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\nb[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\quant[1].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\rc[1].pli
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\RLfoot03[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\RLhead02[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\RLt1[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\spacer[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\svc[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\v2[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\vox_420x600[1].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J45ZGQ8I\x[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\document[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\st[4]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\028243[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\239657_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\239661_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\241159_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\269431_preview[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\3ColumnGradientResults.css[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\advertisement[1].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\beacon.js[1].jsp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\commons[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\crossdomain[1].xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\Holiday_Capabilities-Layaway-BHPTools_300x250_YR[1].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\html;tile=1;ord=37250[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\PC_Cents_SFWD1_728x90[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\PC_Cents_SFWD1_728x90[1].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\pushv[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\RLfoot02[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\RLhead01[1].png
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MQBQN23K\test[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\standard[1].swf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\content_thenewsroom_com[1].xml
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\239407_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\239660_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\268664_thumb[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\beacons[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\howcast_logo[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\u[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NL9LTFZJ\v2[1].txt
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Handle [Index: 2740, Type: Thread]
Process: csrss.exe (PID: 480) Address: 0x85265020 Size: -

Object: Hidden Handle [Index: 1100, Type: Thread]
Process: svchost.exe (PID: 1136) Address: 0x84d564b8 Size: -

Object: Hidden Handle [Index: 904, Type: Thread]
Process: svchost.exe (PID: 4928) Address: 0x85589d40 Size: -

==EOF==

I will attach this as well. Thanks in advance for your help.

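The RootRepeal log above mixes a few findings worth a second look (a size mismatch on a file in system32, cache entries invisible to the Windows API, hidden thread handles in csrss.exe and svchost.exe) with a long tail of browser-cache noise. The script below is an added example for this thread, not part of the original post and not RootRepeal's own logic: it parses the 'Hidden/Locked Files' and 'Stealth Objects' sections of a RootRepeal report and sorts each finding into a benign, review or suspicious bucket using heuristics chosen for this example. SAMPLE_LOG is a constructed excerpt in the same format as the posted log.

```python
"""Triage a RootRepeal report like the one posted above.

Added example for this thread, not part of the original post and not
RootRepeal's own logic. Bucket rules (this example's heuristics):
  benign     - OS files that are always locked (hiberfil.sys, pagefile.sys)
               and browser-cache entries 'Visible to the API, but not on
               disk', which the cache index routinely leaves behind
  suspicious - files invisible to the Windows API, size mismatches outside
               the browser cache, and hidden thread handles
  review     - everything else (locked cookies, unreadable cache files)
SAMPLE_LOG is a constructed excerpt in the posted log's format.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\windows\\system32\\install.txt
Status: Size mismatch (API: 272, Raw: 271)

Path: C:\\Documents and Settings\\Administrator\\Cookies\\ad[1].htm
Status: Locked to the Windows API!

Path: C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\TU8A6FOW\\st[3]
Status: Invisible to the Windows API!

Path: C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\J45ZGQ8I\\x[1].gif
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Handle [Index: 2740, Type: Thread]
Process: csrss.exe (PID: 480) Address: 0x85265020 Size: -

==EOF==
"""

# Paths under these directories belong to the browser cache / cookie store.
CACHE_MARKERS = ("temporary internet files", "\\cookies\\")
# System files that are always locked on a running XP box.
KNOWN_LOCKED = ("\\hiberfil.sys", "\\pagefile.sys")

FILE_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.M)
OBJ_RE = re.compile(
    r"^Object: Hidden Handle \[Index: \d+, Type: (?P<type>\w+)\]\n"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)", re.M)


def classify_file(path, status):
    """Bucket one 'Path:/Status:' pair (heuristic, see module docstring)."""
    p = path.lower()
    in_cache = any(marker in p for marker in CACHE_MARKERS)
    if status.startswith("Locked") and p.endswith(KNOWN_LOCKED):
        return "benign"
    if status.startswith("Visible to the Windows API, but not on disk"):
        return "benign" if in_cache else "review"
    if status.startswith("Invisible to the Windows API"):
        return "suspicious"
    if "mismatch" in status:
        return "review" if in_cache else "suspicious"
    return "review"


def triage(log_text):
    """Return {bucket: [finding, ...]} for every finding in the report."""
    buckets = defaultdict(list)
    for m in FILE_RE.finditer(log_text):
        buckets[classify_file(m["path"], m["status"])].append(m["path"])
    for m in OBJ_RE.finditer(log_text):
        # RootRepeal lists handles found by raw scan that the API did not
        # enumerate; flag them, but confirm with a second tool before acting.
        buckets["suspicious"].append(
            "hidden %s handle in %s (PID %s)" % (m["type"].lower(), m["proc"], m["pid"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_LOG).items()):
        print(bucket.upper())
        for item in items:
            print("  " + item)
```

Run it on a saved report with triage(open("rootrepeal.txt").read()). The buckets are a reading aid for whoever is helping, not a verdict: a size mismatch in system32 or a hidden handle still needs confirmation with a second scanner before anything is deleted.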


#2 Net_Surfer (Banned, 2,154 posts)

Posted 09 November 2009 - 03:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replied

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer


#3 RangerBob52O, Topic Starter (Members, 17 posts)

Posted 10 November 2009 - 11:00 AM

Net Surfer,

Thank you for responding. Things have changed since I posted originally. Based on what I read on some of the other posts, I decided to try a Bit Defender rescue disk. First time through it found about 1200 infected items. After removing them, I rebooted and still had malware / bogus removal tools popping up. I ran the disk again and it found another 1300 or so. It looked like everything with an .exe had to be removed. After doing this, I can't get back to my desktop. I get a blue screen at startup and when I do come up in safe mode I'm just showing a blank screen with my wallpaper. I did a Cobian backup before I started, but I can't even get back to it now. What should I do? Thanks, Bob.

#4 myrti, Sillyberry (Malware Study Hall Admin, 33,771 posts)

Posted 11 November 2009 - 07:50 AM

Hi,

this sounds like you caught a file infector. Most probably virut. Could you please tell me how the malware was named that was removed by Bitdefender?
The only right solution to this is a reformat I am sorry to say. I will give you some more information on virut and the cleaning, if you confirm, that this is indeed what you contracted.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 RangerBob52O, Topic Starter

Posted 11 November 2009 - 02:41 PM

Myrti,

Thanks in advance for your help. Before Combofix was removed by the virus, it gave me a message that I had some type of file patching virus - probably virut was what it said. When I ran Bit Defender 2010, it gave me a huge list. I guess the log is on my laptop somewhere. I obviously can't get to it. I do remember gen's, trojans, keyloggers and vundo. I don't remember seeing one named virut - although I'm sure it was there. There were 2500 total.

In the interest of saving your valuable time, here are the latest symptoms. I have tried booting up in every mode possible. One of two things are happening - my blank wallpaper will come up and it will immediately begin logging back off or I'll get the BSOD. Here are the messages I'm getting:

1. STOP: c000021a Fatal System Error 0xc0000034 0x0000000, 0x0000000

2. PAGE_FAULT_IN_NONPAGED_AREA

3. STOP: 0x0000007B (0xF7A57524, 0x0000034, 0x00000000, 0x000000000)


I can get the computer to respond to f2(setup), f10(boot menu) and f8(advanced options). However, I can't seem to get to a spot where I can actually give commands like chkdsk.

I do have a Gateway XP Operating System Disk and when I put it in I get an option to press R. It tells me it will boot from the disk if a recovery partition can't be found. The Gateway screen comes up, then it begins system recovery followed by error number 1 listed above. I don't think I'm ever getting an opportunity to actually boot from the disk.

I hope this isn't too much information. I'm just trying to save wasted replies. By the way, the Bit Defender disk had a Memtest86 on it and I ran that for 52 passes with no errors. Thanks again, Bob.

#6 myrti

Posted 11 November 2009 - 06:15 PM

Hi,

there really is no repair for Virut. As you have seen: Even removing all infected files will still bring it back next boot.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
regards myrti

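Two of the indicators myrti describes in the post above can be checked from a live CD once the disk is mounted: a hidden iframe embedded in web files (.html, .php, .asp) and HOSTS entries that redirect security vendors' sites. The script below is an added example for this thread, not code from the post or from any vendor; the iframe heuristic (hidden or 1x1 frames), the vendor domain list and the sample files it writes to a temporary directory are its own constructed inputs.

```python
"""Look for two Virut/Virux side effects named in the post above: an
<iframe> injected into web files and HOSTS entries that pin security
vendors' hostnames so updates and help sites fail.

Added example for this thread, not code from the post or any vendor
tool. The iframe heuristic, SECURITY_DOMAINS and the files built by
demo() are constructed for the demonstration."""
import os
import re
import tempfile

IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?(?P<src>[^'\"\s>]+)[^>]*>", re.I)
# Injected frames are sized or styled so the user never sees them.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.I)
WEB_EXT = {".html", ".htm", ".php", ".asp"}
# Constructed list for the demo; use the vendors you actually rely on.
SECURITY_DOMAINS = ("microsoft.com", "symantec.com", "kaspersky.com",
                    "malwarebytes.org", "bleepingcomputer.com")


def injected_iframes(text):
    """Return the src of every iframe in text that is hidden from view."""
    return [m["src"] for m in IFRAME_RE.finditer(text)
            if HIDDEN_RE.search(m.group(0))]


def scan_web_files(root):
    """Map each web file under root (relative path) to its hidden iframe sources."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                srcs = injected_iframes(fh.read())
            if srcs:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = srcs
    return findings


def hosts_blocks(hosts_text, domains=SECURITY_DOMAINS):
    """Return (ip, hostname) pairs in a HOSTS file that override a security domain.

    By default an XP HOSTS file carries only the localhost line, so an entry
    for a vendor domain, whatever IP it points at, is an indicator."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue
        ip, hostnames = fields[0], fields[1:]
        for host in hostnames:
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in domains):
                blocked.append((ip, host))
    return blocked


def demo():
    """Write a constructed sample tree plus HOSTS text and run both checks."""
    root = tempfile.mkdtemp()
    clean = "<html><body><p>hello</p></body></html>"
    infected = ('<html><body><p>hello</p><iframe src="http://203.0.113.7/in.cgi?3" '
                'width=1 height=1 style="visibility:hidden"></iframe></body></html>')
    # notes.txt carries the same iframe but is not a web file, so it is skipped.
    samples = {"index.html": clean, "page.php": infected, "notes.txt": infected}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    hosts = ("127.0.0.1 localhost\n"
             "127.0.0.1 www.symantec.com   # constructed injected entry\n"
             "127.0.0.1 liveupdate.symantec.com\n")
    return scan_web_files(root), hosts_blocks(hosts)


if __name__ == "__main__":
    web, hosts = demo()
    print("web files with hidden iframes:", web)
    print("HOSTS entries for security domains:", hosts)
```

On the real disk, point scan_web_files at the mounted Windows volume and feed hosts_blocks the contents of WINDOWS\system32\drivers\etc\hosts. A hit on either check confirms the Virux behaviour myrti describes, but a clean result does not clear the machine; the executables are still the problem.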


#7 RangerBob52O, Topic Starter

Posted 13 November 2009 - 10:31 AM

Myrti,

Thanks for your reply. I am ready to reformat and reinstall. Can you help me? I have the issues I listed in my previous post and can't get to that point. Thanks, Bob.

Edited by RangerBob52O, 13 November 2009 - 10:31 AM.


#8 myrti

Posted 13 November 2009 - 06:52 PM

Hi,

what is it you want to do in recovery console (RC)? Do you really only want to run chkdsk on your system or would you like to save some data as well?

If you only want to run a chkdsk before formatting, I would suggest you follow these steps to create a RC:
You can also go here and create a Recovery Console CD. Just click the link provided there to download the recovery_console_cd.zip and unzip that to your desktop.

Then inside the recovery_console_cd folder that created locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.

For emergency boot disk uses, as well as to access the Recovery Console, the SP2 version can also be used on systems that have the SP3 upgrade.

If you want to save your data I would suggest using a live-cd of your choice instead. (I can give you more info on that if you want me to)

regards myrti



#9 RangerBob52O, Topic Starter

Posted 16 November 2009 - 01:41 PM

Myrti,

Yes, I would like to save as much data as I safely can. Then I would like to reformat and reinstall. Please walk me through what I need to do.
Please keep in mind that I can't get to a prompt or my desktop in my current condition. The only things that seem to operate are CD's like the Bit Defender disk. Thanks so much. Bob.

Edited by RangerBob52O, 16 November 2009 - 01:44 PM.


#10 myrti

Posted 16 November 2009 - 03:04 PM

Hi,

please let me know if the following instructions work for you:

Let's try to boot your computer using an Ultimate Boot CD (UBCD). First we have to make one. Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD, please tell me what error messages you got and/or what steps you got hung up on. Once the PC has booted from that CD you should have access to your hard disks and you can copy your files onto a flash-drive or similar.
Please make sure that you only save documents such as music, movie, word, excel and so on, but no executable files (files with extensions like .exe, .scr, .com) or zipped files (.rar or .zip), as well as no html or php files.

1. Download and Run Ultimate Boot CD for Windows Version 3.50
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are most probably "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • If this is the first time you have run UBCD4Win PE Builder you will see this message, please read it:


  • You will then see the following message, click NO:


  • Another window will open:


  • Make the following selections:
    • Builder
      • Source: (path to Windows installation files)
        Enter the path to the drive where your XP CD is located. You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        Keep the default BartPE
    • Media output
      • Place a tick next to Create ISO image: (enter filename)
        The path and file name will be created if they do not exist.
        NOTE: The filename MUST have an .iso extension or it will not be created
      • Place a tick next to Burn to CD/DVD
        Use this option if you have 2 CD/DVD drives. Your XP CD will be in one drive already. Just place a blank CD in the empty drive.
        If you only have 1 CD/DVD drive, then DO NOT place a tick next to Burn to CD/DVD.
3. Now click on the Build button
  • If you have built the project previously, you will see this screen (you will want to click Yes):
  • If this is the first time building, you will see the Windows EULA message. Click on I Agree:
  • You will now see the Build Screen. Let it run its course:
  • When the Build is finished, you will see the following "finished" screen:
  • You can now click close, then exit
  • If you chose the option Burn to CD/DVD from above, then your CD will also be ready for use.
  • If you did not choose the option Burn to CD/DVD from above, then you will now have to burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
Please let me know how this went (successful/unsuccessful) in a Reply to this topic.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
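As an added example that is not part of this thread or of UBCD4Win: a small Python script that applies the rule from the post above (copy documents only; leave executables, archives and HTML/PHP files behind) to a drive rescued from a boot CD. It goes one step beyond the post by also checking the first two bytes of every file for the "MZ" header that Windows executables start with, so an executable renamed to look like a picture is skipped as well. The folder names, file names and file contents are constructed for the demo; the functions `rescue_copy` and `classify` are the example's own names, and on a real rescue you would pass the mounted drive and the flash drive as `source_root` and `dest_root`.

```python
"""Added example (not from this thread or from UBCD4Win): copy only documents
off a rescued drive, skipping the file types the post says to leave behind.
Paths, file names and file contents below are constructed for the demo."""
import os
import shutil
import tempfile

# Extensions the post tells the user not to copy (.htm added alongside .html).
SKIP_EXTENSIONS = {".exe", ".scr", ".com", ".rar", ".zip", ".html", ".htm", ".php"}

# Every Windows executable (EXE, SCR, DLL, PE-format COM) starts with the DOS "MZ" header.
PE_MAGIC = b"MZ"


def looks_like_executable(path):
    """True if the file starts with the MZ header, whatever its extension claims."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path):
    """Return ('copy', reason) or ('skip', reason) for one file."""
    ext = os.path.splitext(os.path.basename(path))[1].lower()
    if ext in SKIP_EXTENSIONS:
        # splitext keeps only the last extension, so invoice.pdf.exe is caught here.
        return "skip", "blocked extension " + ext
    if looks_like_executable(path):
        # Catches an executable renamed to look like a document or picture.
        return "skip", "MZ header: executable disguised as " + (ext or "no extension")
    return "copy", "document"


def rescue_copy(source_root, dest_root, dry_run=False):
    """Walk source_root and copy every file classified 'copy' into dest_root,
    keeping the relative folder layout. Returns [(relative path, decision, reason)]."""
    report = []
    for dirpath, _dirnames, filenames in os.walk(source_root):
        for fname in sorted(filenames):
            src = os.path.join(dirpath, fname)
            rel = os.path.relpath(src, source_root).replace(os.sep, "/")
            decision, reason = classify(src)
            report.append((rel, decision, reason))
            if decision == "copy" and not dry_run:
                dst = os.path.join(dest_root, *rel.split("/"))
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
    return report


def copied_files(dest_root):
    """Sorted relative paths of everything that ended up in dest_root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(dest_root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            found.append(os.path.relpath(full, dest_root).replace(os.sep, "/"))
    return sorted(found)


def build_demo_tree():
    """Constructed stand-in for an infected drive; returns (source, destination) temp dirs."""
    src = tempfile.mkdtemp(prefix="infected_")
    dst = tempfile.mkdtemp(prefix="rescue_")
    samples = {  # all contents are constructed sample bytes, not real files
        "My Documents/thesis.doc": b"\xd0\xcf\x11\xe0 fake Word document",
        "My Documents/holiday.jpg": b"\xff\xd8\xff\xe0 fake JPEG",
        "My Documents/invoice.pdf.exe": b"MZ fake dropper with double extension",
        "My Documents/photo.jpg": b"MZ executable renamed to .jpg",
        "Desktop/hot.html": b"<html>redirect page</html>",
        "Desktop/backup.zip": b"PK\x03\x04 fake archive",
    }
    for rel, data in samples.items():
        full = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return src, dst


if __name__ == "__main__":
    source, destination = build_demo_tree()
    for rel, decision, reason in rescue_copy(source, destination):
        print("%-4s %-30s %s" % (decision, rel, reason))
    print("copied:", copied_files(destination))
```

Run with `dry_run=True` first to get the report without writing anything to the flash drive; the two-byte header check is deliberately conservative, so a file it skips can still be looked at later from a clean machine.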


#11 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:07:30 AM

Posted 24 November 2009 - 04:14 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#12 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:07:30 AM

Posted 12 December 2009 - 07:16 AM

Topic reopened, please post your problem.

regards myrti



#13 RangerBob52O

  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:30 AM

Posted 12 December 2009 - 07:58 AM

Myrti,

Thank you for reopening. I have created a UBCD4Win CD with XP slipstreamed with Service Pack 3. I have already tried to go to the Recovery Console and repair or do the Windows setup. It says that it doesn't detect a hard drive and stops. I will await further instructions. Thanks again, Bob.

#14 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:07:30 AM

Posted 12 December 2009 - 10:23 AM

Hi,

It seems your PC is still trying to boot from the hard disk. Please make sure that the following settings in the BIOS are applied so it will boot from CD:
  • Restart your PC
  • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
  • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
  • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
  • The tab should now show your current boot order.
    If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys, then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different; they should be stated in the help, so that you can find them easily.
  • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
Your PC should now boot from CD.

Let me know if that works.
regards myrti

Edited by myrti, 12 December 2009 - 10:24 AM.



#15 RangerBob52O

  • Topic Starter

  • Members
  • 17 posts
  • Local time:12:30 AM

Posted 14 December 2009 - 09:41 AM

Myrti,

The boot order is set to CDROM. When it boots up the UBCD4Win menu comes up. I should be ready to proceed. Thanks, Bob.



