
No internet, can't copy/paste/move files, no peripherals


This topic is locked
20 replies to this topic

#1 L.Edwards (Topic Starter)

Posted 13 November 2009 - 08:43 AM

Posted under advisement of garmanma

Original post: 10/30/2009

I'm running Windows XP Professional SP2 with AVG 8.5 as my antivirus. A few weeks ago, I had some pop-ups, random audio ads with no visible windows, and a weird process showing up in Task Manager (svchasts.exe). Then AVG said my E-Mail Scanner wasn't running. Then it stopped updating, then it stopped scanning on schedule. I reported the problem to AVG; they sent me a repair installation that I was able to run and it found and healed a couple of viruses, but there was one that it found and couldn't get rid of: a trojan named Cryptor.

So I searched for help on Cryptor (that's how I found you guys) and I got some info about MBAM and SUPERAntiSpyware. However I couldn't install or run either program (even after renaming). I was able to get a bit of a reprieve when I downloaded and ran the Sophos anti-rootkit; it got rid of the pop-ups and ads, but I was still running slow and some of my links were being intercepted by Google searches, i.e. if I opened nfl.com, I'd end up with a Google search for nfl.com.

Last weekend, I booted up and was unable to start IE or Firefox; said I couldn't connect to the server. Funny thing is that both my modem and router are showing a full connection to the web (I can still browse on my PS3). In addition, none of my peripherals are recognized: the computer says I have no printers installed, it says I have no access to the Network Connections folder, it says I have no scanner installed, it says I have no CD/DVD drives installed. When I try to move files from one folder to another folder or drive via cut/copy/paste, the Paste and Paste Shortcut options are grayed out.

I have no idea what to do (I'm sure I've already done some damage in my desperation). I would truly appreciate any help you all can offer. Thanks.
***

So far, we've tried Rkill (no change) and RootRepeal (won't run), then we got Win32kdiag to run. Tried DDS last night, but it was a no go. I'll attach the Win32 log.

Thanks for all your help!

Attached Files
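The "svchasts.exe" process the original poster noticed in Task Manager is a classic lookalike name: one or two characters off from the legitimate svchost.exe so it blends into the process list. The script below is an added example, not code posted in this thread or shipped by any tool mentioned in it. It scores every process name against a small list of well-known Windows system binaries and flags near-misses, and separately flags a genuine system binary name running from outside the Windows directory. The process list is constructed for illustration; on a real machine you would feed it the output of `tasklist` instead, ideally from a clean boot medium since a rootkit can hide entries from the live OS.

```python
"""Flag process names that impersonate Windows system binaries (e.g. the
'svchasts.exe' seen in the thread) and system binary names that run from
an unexpected directory.

Added example, not from the original thread. SAMPLE_PROCESSES is a
constructed process list, loosely mirroring what the poster described.
"""
from difflib import SequenceMatcher

# Legitimate XP-era system binaries that malware commonly typosquats.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "smss.exe",
}

# Constructed sample (name, image path). Not taken from the thread's logs.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchasts.exe", r"C:\WINDOWS\system32\svchasts.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("scvhost.exe", r"C:\Documents and Settings\user\Local Settings\Temp\scvhost.exe"),
    ("svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),
    ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]


def similarity(a, b):
    """Case-insensitive string similarity in [0, 1]."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def find_lookalikes(processes, threshold=0.8):
    """Return (name, path, impersonated_binary, score) for every process whose
    name is NOT a known system binary but is suspiciously close to one."""
    hits = []
    for name, path in processes:
        lname = name.lower()
        if lname in KNOWN_SYSTEM_BINARIES:
            continue
        best = max(KNOWN_SYSTEM_BINARIES, key=lambda k: similarity(lname, k))
        score = similarity(lname, best)
        if score >= threshold:
            hits.append((name, path, best, round(score, 2)))
    return hits


def find_misplaced(processes, windows_dir=r"C:\WINDOWS"):
    """Return (name, path) for processes that carry a genuine system binary
    name but run from outside the Windows directory."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [
        (name, path)
        for name, path in processes
        if name.lower() in KNOWN_SYSTEM_BINARIES
        and not path.lower().startswith(prefix)
    ]


if __name__ == "__main__":
    for name, path, target, score in find_lookalikes(SAMPLE_PROCESSES):
        print(f"LOOKALIKE  {name:<14} ~ {target:<12} score={score}  {path}")
    for name, path in find_misplaced(SAMPLE_PROCESSES):
        print(f"MISPLACED  {name:<14} runs from {path}")
```

The similarity threshold of 0.8 is an assumption tuned to catch one- or two-character swaps; lower it and ordinary program names start to collide with the short system names, so check any hit against the file's path and signing status rather than acting on the score alone.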




#2 JSntgRvr (Malware Response Team)

Posted 13 November 2009 - 09:58 AM

Hi, L.Edwards :(

Welcome.

Hopefully, by restoring permissions to svchost.exe, you may be able to connect.

Please follow these steps:

Step 1

Open a command prompt. (Start->Run, type CMD and click OK) At the prompt copy and paste the following and press Enter after each line:

Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\
Copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe C:\
Exit


Step 2

Although Win32kDiag.exe should be saved on your desktop, we will try running it from the location you ran it from before. If the G:\ drive is a removable drive, insert the media containing the Win32kDiag.exe file.

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

G:\Win32kDiag.exe -f -r

Step 3

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
C:\svchost.exe | C:\WINDOWS\system32\svchost.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 4

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 5

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    (two screenshots of the rename-on-download dialog)

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
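Steps 1 and 3 above rely on the pristine copies Windows XP keeps under C:\WINDOWS\ServicePackFiles\i386 to replace the installed svchost.exe and eventlog.dll. Before moving anything it is worth knowing whether the installed file actually differs from the reference copy (its contents were replaced) or is byte-identical (only its permissions or the mount points around it were tampered with, which is what the helper suspects here). The script below is an added example, not code from this thread or from Avenger, Win32kDiag or any other tool named in it. It hashes each installed file against its ServicePackFiles copy and reports the result; the temp-directory fixture at the bottom is a constructed stand-in for the two real directories, whose paths you would pass in instead.

```python
"""Compare installed system files against the copies Windows XP keeps in
ServicePackFiles\\i386, to tell a replaced file (hash differs) from one
whose content is intact but whose permissions were tampered with.

Added example, not from the original thread. build_demo_tree() creates a
constructed fixture standing in for C:\\WINDOWS\\system32 and
C:\\WINDOWS\\ServicePackFiles\\i386; on a real machine pass those paths
to compare_system_files() directly.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_system_files(system32, spf_i386, names):
    """Return {name: status} with status one of
    'match', 'mismatch', 'missing-installed', 'missing-reference'."""
    results = {}
    for name in names:
        installed = os.path.join(system32, name)
        reference = os.path.join(spf_i386, name)
        if not os.path.isfile(reference):
            results[name] = "missing-reference"
        elif not os.path.isfile(installed):
            results[name] = "missing-installed"
        elif sha256_of(installed) == sha256_of(reference):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def build_demo_tree():
    """Constructed fixture: eventlog.dll intact, svchost.exe altered in
    system32. The byte strings are placeholders, not real PE images."""
    root = tempfile.mkdtemp(prefix="xp_spf_demo_")
    system32 = os.path.join(root, "system32")
    spf = os.path.join(root, "ServicePackFiles", "i386")
    os.makedirs(system32)
    os.makedirs(spf)
    files = {
        spf: {"svchost.exe": b"MZ clean svchost", "eventlog.dll": b"MZ eventlog"},
        system32: {"svchost.exe": b"MZ patched svchost", "eventlog.dll": b"MZ eventlog"},
    }
    for directory, contents in files.items():
        for name, data in contents.items():
            with open(os.path.join(directory, name), "wb") as f:
                f.write(data)
    return system32, spf


if __name__ == "__main__":
    s32, spf = build_demo_tree()
    report = compare_system_files(s32, spf, ["svchost.exe", "eventlog.dll", "ntdll.dll"])
    for name, status in report.items():
        print(f"{name:<14} {status}")
```

Two caveats a practitioner would want: a 'match' only proves the content is unchanged, so the remaining suspects are ACLs and the mount points Win32kDiag reports; and the reference copy is trusted here without proof, so on a badly compromised host run the comparison from a boot CD or mounted image and check the ServicePackFiles copy against a known-good hash from another machine as well.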


#3 L.Edwards (Topic Starter)

Posted 14 November 2009 - 10:14 AM

Hi J!

Thanks so much for your help.

I tried the command prompt lines, but they were a no go. Still no internet connection. I have Win32diag running right now. When its done, I'll post the log.

#4 JSntgRvr (Malware Response Team)

Posted 14 November 2009 - 10:37 AM

    Hi J!

    Thanks so much for your help.

    I tried the command prompt lines, but they were a no go. Still no internet connection. I have Win32diag running right now. When its done, I'll post the log.

Did you receive an error message? Can you post the contents of the error message, if any? If the command prompt lines are not successful, then you must skip Step 3. Restarting the computer will create those mountpoints again and leave the permissions borked.



#5 L.Edwards (Topic Starter)

Posted 16 November 2009 - 08:02 AM

No, no error message. After I entered each line, I got "1 file copied successfully" but when I tried to start my browsers, I still got "Page cannot be displayed".

Win32diag ran just fine (from what I can tell), and I've attached the log.

Attached Files



#6 JSntgRvr (Malware Response Team)

Posted 16 November 2009 - 10:40 AM

Hi, L.Edwards :(

If you receive "1 file copied" on each of those lines, that is what we are seeking. The commands only copy these files to the root directory so we can run Avenger to move them to the right location. If the files were successfully copied, please proceed with the instructions beginning with Step 2. You won't have a connection until these files are moved to the right location and the computer is restarted. That will happen after you have run Avenger and the process is completed successfully.

Edited by JSntgRvr, 16 November 2009 - 10:42 AM.



#7 L.Edwards (Topic Starter)

Posted 16 November 2009 - 02:42 PM

Ah, I gotcha now. I'll get on it as soon as I get home.

Thanks!

#8 L.Edwards (Topic Starter)

Posted 17 November 2009 - 08:19 AM

Nope; still can't move or paste files to the desktop (or anywhere else, for that matter). All folders are set to "Read Only" and cannot be unchecked. But since the eventlog and svchost copied successfully, should I download Avenger to my jump and try to extract to the Desktop? Should I run Win32diag again? Please advise.

#9 JSntgRvr (Malware Response Team)

Posted 17 November 2009 - 10:44 AM

Hi, L.Edwards :(

Why are you moving files to the desktop? As I see it, your Jump drive (Flash drive) is being recognized as the G:\ drive in your computer containing the Win32kDiag.exe file. All you have to do is to go to Start->Run, type the following in the run box and click OK:

G:\Win32kDiag.exe -f -r

There is a space between .exe and -f and another between -f and -r. Those need to be there. Allow the application to finish. Once done, attempt to run the Avenger (any which way possible). I am sure things will start to improve afterward.

If you are unable to do this, then lets try an alternate way.

Right click this link -> and select Save as or Save link as in order to download the enclosed file. Save it in your Jump (Flash) drive. It is a text file.
  • Please download BurnAtOnce and save it to your desktop. Click on Downloads, then on burnatonce 0.99.5
    • Install it by double-clicking on the file bao0995.exe that you downloaded.
    • Click Next, accept the license agreement, and click Next until the button says "Install". Click "Install" to finish.
  • Download the rc.iso file.
  • Save it to your desktop.
  • Put a blank CD in your computer's burner.
  • Right-click on the file rc.iso, and select "burnatonce" from the menu.
  • Confirm that the box under the menu at the top says "rc.iso".
  • Click the "Write" button.
  • When the disk finishes, eject the CD.
  • Insert the Jump (Flash) drive with the text file into the sick computer.
  • Configure the computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  • Insert the Image of rc.iso that you copied to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
  • When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
  • You will be prompted with the following options:

    A. To setup Windows XP, press Enter.
    B. To repair Windows XP installation using recovery console, press R.

    Choose the option "To repair the Windows XP installation using recovery console", press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

  • You will be presented with the following:


    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  • Press the number 1 on your keyboard and hit Enter.
  • At the command prompt, type the following command and press Enter:

    MAP
  • Note the drive letter assigned to the Jump (Flash) drive by the Recovery Console (if detected). If the Jump (Flash) drive is not detected by the Recovery Console, the fix won't work. If it is, however, at the command prompt type the following command and press Enter:

    Batch X:\Fix.txt (Replace the X by the letter assigned to the Jump (Flash) drive by the Recovery Console)
The computer will restart. Remove the CD and allow it to boot to Windows. If successful, you will be able to connect and download and run Malwarebytes and Combofix as instructed above. No need to go through the rest of the steps.



#10 L.Edwards (Topic Starter)

Posted 18 November 2009 - 08:06 AM

    Hi, L.Edwards :(

    Why are you moving files to the desktop?


Sorry; misunderstood an earlier instruction. I think I'm clear now.

Win32 -f -r has been run, and I'll run Avenger when I get home this afternoon. One concern: in the event that I'm unable to copy and paste the code, is it possible to enter the lines manually?

#11 JSntgRvr (Malware Response Team)

Posted 18 November 2009 - 12:40 PM

        Hi, L.Edwards :(

        Why are you moving files to the desktop?

    Sorry; misunderstood an earlier instruction. I think I'm clear now.

    Win32 -f -r has been run, and I'll run Avenger when I get home this afternoon. One concern: in the event that I'm unable to copy and paste the code, is it possible to enter the lines manually?

Yes. There is also another way, loading the script from a file.
  • Download the attached file and save it to your Jump (Flash) drive
  • When having saved it, the file path should be G:\remove.txt (G: being the Jump (flash) drive letter).
  • Open the Avenger.
  • Select Load Script from the menu, then From File .
  • Browse to G:\remove.txt and click open.
  • Then click the Execute button.
  • This will begin the execution of the script currently in memory.
  • The Avenger will set itself up to run the next time you reboot your computer, and then will prompt you to restart immediately.
  • After your system restarts, a log file should open with the results of Avenger's actions. This log file is located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backups.zip.
Post the contents of the C:\avenger.txt file.

You must run Win32kDiag.exe -f -r again. The infection tends to re-spawn during a restart.

Keep me posted.

Edited by JSntgRvr, 18 November 2009 - 12:40 PM.



#12 L.Edwards (Topic Starter)

Posted 18 November 2009 - 10:34 PM

Okay, I was able to run Avenger, and it's gotten me back to basic working order; I'm posting this reply on my home computer (not at work or on the PS3 :( ). I've attached Avenger's logfile; should I await your analysis of the log, or continue with Step 4 (MBAM)?

Attached Files



#13 JSntgRvr (Malware Response Team)

Posted 19 November 2009 - 08:50 AM

Outstanding, L.Edwards. Unfortunately, svchost.exe is whitelisted in Avenger and its replacement failed. This application has safety features that prevent users from moving or removing system files. Please attempt Step 5 above and let me know the outcome.

Edited by JSntgRvr, 19 November 2009 - 08:55 AM.



#14 JSntgRvr (Malware Response Team)

Posted 19 November 2009 - 08:53 AM

Are you able to boot to the Recovery Console? See this tutorial for information about the Recovery Console:

http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/



#15 L.Edwards (Topic Starter)

Posted 19 November 2009 - 09:03 PM

Hi J!

Ran Combofix; log attached. During operation, Combofix downloaded and installed the Recovery Console, but I haven't used it yet.

NOTE: can't upload ComboFix.txt; file size too large. Should I post the contents in a new reply (or series of replies)?



