Malware persists? Logs attached


  • This topic is locked
11 replies to this topic

#1 slb1952

  • Members
  • 15 posts

Posted 29 December 2009 - 01:53 PM

Hi,
I was infected with IS2010 and I think I removed it by following the instructions on the site, using Malwarebytes and following the other steps indicated. I reinstalled Malwarebytes as instructed (because I had to do a "go around" to get it installed the first time) and Ad-Aware. The first scan with Malwarebytes detected 92 infected files, which I removed. After reinstalling it properly, I found 4. Ad-Aware was clear. But there still seem to be lingering issues. I am still getting error messages on start up and I can't seem to delete some start up programs or processes that I think may be the culprits. I ran something that told me what my startup processes are (I think this is one of the attached files, but I am so confused at this point that I am not sure it is included) but couldn't figure out what to do with the info.
I have gone through all the steps required in creating various logs. Here they are. My apologies if I have messed up in what I am supposed to post. Let me know if I need to redo something. I hope someone might be able to help. Thank you so very much.

Attached Files



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 08 January 2010 - 10:11 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 m0le


Posted 14 January 2010 - 05:33 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le


Posted 16 January 2010 - 06:00 PM

Reopened at user's request

--------------------------------------------------------

I understand that you now cannot boot the PC.

Before we try a recovery boot using the XP disk it might be an idea to try this first. If at any point you are not understanding or are not sure then post back first. This is quite a complicated procedure and involves some reading - I, and other BC advisors, are here to try and save your machine.


Download and burn Dr.Web LiveCD from another clean computer first.

From another clean computer, go to this website for instructions on how to create a bootable Dr.Web LiveCD.

GO HERE and download the Dr.Web LiveCD .iso file from the bottom-most link option. Then burn the .iso file to a blank CD/DVD. Refer HERE for the "Free ISO Burner" page and tutorial.

After you successfully create the CD, simply put the CD into your infected computer's CD/DVD ROM and proceed with the step below.

First, we need to get into the BIOS to configure boot priority. Visit this website for a tutorial on how to set the first boot device to CD/DVD ROM.

After that, reboot into Normal Mode and do the following:

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot not preserved)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(

#5 slb1952

  • Topic Starter

Posted 16 January 2010 - 07:07 PM

First difficulty: the Dr. Web link is in Russian. AND the other computer in this house is a Mac (horrors! lol)

Plus the ISO burner instruction page says it is a page that may harm my computer. It says:

Malicious software includes 204 scripting exploit(s), 12 trojan(s).
This site was hosted on 2 network(s) including AS47142 (STEEPHOST), AS17439 (NETMAGIC).
Over the past 90 days, 4safe.in appeared to function as an intermediary for the infection of 204 site(s) including azaleagolf.com/, andrewfbaker.com/, euromechanical.net/.
Yes, this site has hosted malicious software over the past 90 days. It infected 193 domain(s), including azaleagolf.com/, andrewfbaker.com/, euromechanical.net/.

So...
Is there an English version, AND
does it matter that I am not using a Windows OS for the clean computer, and what do I do about the "bad" page?

TY

Edited by slb1952, 16 January 2010 - 07:13 PM.


#6 m0le


Posted 16 January 2010 - 08:32 PM

The DrWeb link you want is actually: LiveCD-en.pdf

The ISO link seems to have been attacked so use these instructions


does it matter that i am not using a windows OS for the Clean Computer


What are you using, Linux? File downloads and transfers should be no problem.

#7 slb1952


Posted 17 January 2010 - 01:20 PM

I am on a Mac using Snow Leopard, so is that okay in terms of writing to the CD, etc.? The computer we are trying to fix is/was running Windows XP Home (I am pretty sure it is Home).
I will proceed with your suggestions. Thanks,
Susan

#8 slb1952


Posted 17 January 2010 - 02:28 PM

UPDATE ON STEPS SO FAR and failure

I downloaded and burned the ISO file and put it in the computer. Then I booted and set the CD-ROM as the first boot device in the BIOS. All good, and then the computer boots and I get the Dr. Web screen. According to the instructions I am supposed to reboot in normal mode:

So, in the weird green screen I pick shut down, and then there is a loud constant-pitch tone, and to get rid of that I have to force shut down the computer using the power button. So I did that and removed the CD from the CD drive. Then I turned the computer back on and selected "start in normal mode". It goes to the Windows start-up screen and gets hung up there.

So I didn't get to rkill or any further steps.

#9 m0le


Posted 17 January 2010 - 06:29 PM

Hmmm, okay this may not be workable. We can try and boot into the recovery console and fix the boot problem and allow us to boot into normal mode.

Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file onto a CD.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

    You can use this with the XP disk

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, please type fixboot and hit enter.

Type exit to exit and restart your PC.

#10 slb1952


Posted 18 January 2010 - 09:56 AM

Burned the disc.
Put it in the CD drive and booted the computer. Hit F2 and it then tells me to hit any key to boot from CD, which I do. It then goes to Windows Setup and starts loading files. (By the way, if I don't hit the key to boot from CD it then goes to start up and asks me if I want to start in safe mode, normal, etc. And then it goes to the Windows screen and then is hung up.) But I did boot from the CD and this is what happened (several times):

Then get a blue screen that says:
A problem has been detected and windows has been shut down to prevent damage to your computer…..Check with your hardware vendor for any BIOS updates. Disable BIOS memory options...select safe mode...etc. then...

technical information
***stop: 0x0000007E (0xc0000005, 0x748e0bf, 0xf78da208, 0xf78d9f08)

*** pci.sys - address f748E0bf base at f7487000. Datestamp 3b7d855c

By the way---I don't understand what you mean when you say: you can use this with your XP disc

Edited by slb1952, 18 January 2010 - 10:06 AM.
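The STOP screen Susan copied out above can be decoded before concluding, as m0le does in the next reply, that the problem sits outside malware removal. What follows is an added example, not something posted in this thread or taken from any of the tools it mentions: a small Python parser that takes the hand-typed crash text, splits the bugcheck code from its four parameters, names the code and the exception status using Microsoft's public bugcheck and NTSTATUS references (only the two names this message needs are in the lookup tables), computes where inside pci.sys the fault lies (fault address minus image base), converts the PE link datestamp to a calendar date, and flags that the second STOP parameter as copied (0x748e0bf) does not match the module address on the pci.sys line (f748E0bf). The sample text is the post's own blue-screen message, embedded as a constant.

```python
import re
from datetime import datetime, timezone

# Names from Microsoft's public bugcheck / NTSTATUS references; only the
# values needed for the message in this thread are listed.
BUGCHECK_NAMES = {0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# Constructed sample input: the blue-screen text as hand-copied in the post
# above. The first STOP parameter is missing a leading 'f' (0x748e0bf vs.
# f748E0bf on the module line); the parser detects that mismatch.
SAMPLE = """technical information
***stop: 0x0000007E (0xc0000005, 0x748e0bf, 0xf78da208, 0xf78d9f08)

*** pci.sys - address f748E0bf base at f7487000. Datestamp 3b7d855c
"""

STOP_RE = re.compile(r"stop:\s*0x([0-9a-f]+)\s*\(([^)]*)\)", re.I)
MODULE_RE = re.compile(
    r"\*{3}\s*(\S+)\s*-\s*address\s+([0-9a-f]+)\s+base at\s+([0-9a-f]+)"
    r"\.?\s*datestamp\s+([0-9a-f]+)",
    re.I,
)


def parse_stop_message(text):
    """Decode a hand-copied Windows XP STOP screen into its components."""
    stop = STOP_RE.search(text)
    if not stop:
        raise ValueError("no STOP line found")
    code = int(stop.group(1), 16)
    params = [int(p.strip(), 16) for p in stop.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("expected four STOP parameters")

    result = {
        "bugcheck": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "params": params,
        "exception_name": None,
        "module": None,
        "offset": None,
        "link_date_utc": None,
        "params_consistent": None,
    }

    # For bugcheck 0x7E, parameter 1 is the NTSTATUS exception code and
    # parameter 2 is the address of the faulting instruction.
    if code == 0x7E:
        result["exception_name"] = NTSTATUS_NAMES.get(params[0], "UNKNOWN")

    mod = MODULE_RE.search(text)
    if mod:
        name, addr, base, stamp = mod.groups()
        addr, base = int(addr, 16), int(base, 16)
        result["module"] = name
        # Offset within the driver image: the value to look up against the
        # driver's symbols or to compare between repeated crashes.
        result["offset"] = addr - base
        # The PE link datestamp is seconds since the Unix epoch.
        result["link_date_utc"] = datetime.fromtimestamp(
            int(stamp, 16), tz=timezone.utc
        ).strftime("%Y-%m-%d %H:%M:%S")
        if code == 0x7E:
            # Parameter 2 should equal the module's fault address; a mismatch
            # means the message was mistyped when copied by hand.
            result["params_consistent"] = params[1] == addr
    return result


def triage_summary(text):
    """One-line reading of the crash, suitable for a forum reply."""
    r = parse_stop_message(text)
    parts = [f"Bugcheck 0x{r['bugcheck']:08X} {r['bugcheck_name']}"]
    if r["exception_name"]:
        parts.append(f"exception 0x{r['params'][0]:08X} {r['exception_name']}")
    if r["module"]:
        parts.append(
            f"in {r['module']}+0x{r['offset']:X} (linked {r['link_date_utc']} UTC)"
        )
    if r["params_consistent"] is False:
        parts.append(
            "note: STOP parameter 2 does not match the module address; "
            "the message was probably mistyped when copied, trust the module line"
        )
    return "; ".join(parts)


if __name__ == "__main__":
    print(triage_summary(SAMPLE))
```

Run as a script, it reports the crash as SYSTEM_THREAD_EXCEPTION_NOT_HANDLED with an access violation at pci.sys+0x70BF in a driver linked in August 2001, and adds the copy-mistake warning. The fault is inside the PCI bus driver loaded from the setup CD itself, at a point where nothing from the infected hard disk has run yet, which is what puts this crash outside the reach of the malware-removal tools discussed in the thread.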


#11 m0le


Posted 21 January 2010 - 08:53 PM

I think we've reached the point where we can't continue. There seems to be a hardware issue and from what I understand this involves a number of processes which I am not familiar with.

I would suggest you try the XP forum as without an operating system that operates at all we can do nothing further with malware removal and that moves this problem out of this forum.

If you would prefer to reinstall and reformat then you should do that now.

Full instructions are here, if you need them.

Sorry I can't fix the problem this time but feel free to PM me if you need any further help at any stage. :(

#12 m0le


Posted 27 January 2010 - 03:14 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.