
Your computer is infected on the desktop

19 replies to this topic

#1 lethalaffairs


Posted 03 January 2010 - 08:00 PM

I recently opened a file which turned my desktop green and in the background it said "your computer is infected" or something like that. There was also a small red circle with an X on it in the taskbar that it kept trying to get me to click on.
I figured something was wrong so I opened MBAM and tried to run a scan. While the scan was running the computer restarted itself. Now all it does is make it to the windows splash screen and then it restarts. I tried safe mode but it does the same thing.

I had a similar virus before and this same thing happened where the computer just kept restarting. I hooked it up to another computer and ran MBAM and SAS. Then Grinler had me replace the atapi.sys file which was missing and it booted right up.

This time when I hooked it up as a secondary drive to the other drive to another computer and tried to run MBAM it must have infected the other computer. That computer restarted in the middle of scanning the infected drive with MBAM and also keeps restarting when it gets to the windows splash screen. I can't enter safe mode on that computer either.

I have a BartPE cd that I tried to run on the second computer and MBAM and SAS did find a few things. I didn't save the log files though. The computer still won't boot and I checked to see if the atapi.sys file was deleted and it wasn't. What do I do now? It must have deleted or changed something on both computers. This is a really bad one.

They are both running Windows XP Pro SP3.


#2 AustrAlien


Posted 06 January 2010 - 08:15 PM

when I hooked it up as a secondary drive to the other drive to another computer .......... also keeps restarting when it gets to the windows splash screen. I can't enter safe mode on that computer either.

Remove that secondary hard drive from the system and try starting the "good" computer.

I am hoping that one will start without the "infected" drive connected.
Let us know.

PS I have been following your progress with Grinler ...
AustrAlien
Google is my friend. Make Google your friend too.


#3 lethalaffairs


Posted 06 January 2010 - 08:30 PM

I tried disconnecting the bad drive. The good computer that I hooked it up to is still restarting over and over again.
Last time that is how I was able to clean it up and replace the missing atapi.sys file. This time it infected the good computer that I hooked it up to. Either that or it just changed or deleted something.

This must be a similar but different virus because both computers are not missing the atapi.sys file.

#4 AustrAlien


Posted 06 January 2010 - 08:50 PM

The good computer ......... is still restarting over and over again.

Ah ... bother: Now you are in a pickle! How many more spare computers do you have to play with ???

:flowers: Get a look at the error message presented by the BSOD (blue screen of death) ....
  • Start tapping the F8 key after you press the ON button, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
  • Use the UP/DOWN arrow keys to select "Disable automatic restart on system failure" and press the <ENTER> key.
  • Your system will attempt to restart normally, but when it crashes, it will not re-start: Instead, you will see a BSOD with error message.
  • Record the error message details, and post in this thread.


:thumbsup: Try the following ...
  • Start tapping the F8 key after you press the ON button, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
  • Use the UP/DOWN arrow keys to select "Last known good configuration", and press the <ENTER> key.
  • The computer will attempt to load Windows.
  • If Windows does not start, try the same thing again .... and continue trying for at least 10 times, before you rule that option out as a means of getting your OS up and running again, normally.
Why 10 times? Based on past experience, a successful result is sometimes achieved after several consecutive failed attempts.
--------------------------------

Edit: I am a bit confused.
You are talking about 2 computers; one with "infected" HDD, and a "good" one (also now not starting).
Is one of these computers the same as the one you are working on with Grinler? Which one?
Is one of them the same one I was working on with you?

Edited by AustrAlien, 06 January 2010 - 10:32 PM.


#5 lethalaffairs


Posted 06 January 2010 - 10:35 PM

No, this is not the same one that Grinler is working on with me. This is the one that he started work on with me before and you helped me clean it up the rest of the way in this posting.

http://www.bleepingcomputer.com/forums/ind...t&p=1532397

#6 lethalaffairs


Posted 07 January 2010 - 02:00 AM

This is the error message. I tried the last known good configuration 10 times like you said to but it restarted every time at the windows splash screen. This is the computer that was in good working condition before I hooked up the infected drive to it.

*** STOP: 0x00000024 (0x001902FE, 0xF7C650A0, 0xF7C64D9C, 0x872837B1)


I tried to boot up the infected drive which was the one you helped me clean before. I figured that you would want to know what the error message was on that one too. This is the error message that I got from that one.

PAGE_FAULT_IN_NONPAGED_AREA

*** STOP: 0x00000050 (0xEC6B738D, 0x00000000, 0x866FE08C, 0x00000000)

#7 AustrAlien


Posted 07 January 2010 - 07:45 AM

turned my desktop green and in the background it said "your computer is infected" or something like that. There was also a small red circle with an X on it in the taskbar

Is this the little varmint?
http://www.bleepingcomputer.com/virus-remo...t-security-2010

If you have some spare time, do a search of this "Am I Infected?" forum for it, and you will find a range of issues: Here's one ...
http://www.bleepingcomputer.com/forums/t/284913/multitude-of-trojanscant-get-rid-of-them-even-with-malwarebytes/

You wrote: "I have a BartPE cd"
Good: That will come in handy!

If you want something to do, boot up with Bart and remove the files listed in the
Remove Internet Security 2010 (Uninstall Guide)
Posted by Grinler on December 10, 2009


Associated Internet Security 2010 Files:
  • c:\s
  • c:\Program Files\InternetSecurity2010
  • c:\Program Files\InternetSecurity2010\IS2010.exe
  • c:\WINDOWS\system32\41.exe
  • c:\WINDOWS\system32\winhelper86.dll
  • c:\WINDOWS\system32\winlogon86.exe
  • c:\WINDOWS\system32\winupdate86.exe
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
  • %UserProfile%\Desktop\Internet Security 2010.lnk
  • %UserProfile%\Start Menu\Internet Security 2010.lnk
But for now, I must hit the sack. Will get back to you later tomorrow.

#8 lethalaffairs


Posted 07 January 2010 - 02:00 PM

No, it's not Internet Security 2010. All it said was that my computer was infected in a black box and the desktop turned green. That is when I started to run MBAM and during the scan it rebooted by itself.

The computer Grinler is working on now is a friend's computer that had Internet Security 2010 but it didn't keep rebooting.

I have been looking in the forums on here like you said and I can't find anyone that has had this same problem and solved it without doing a repair install of windows or something like that.

I was very surprised when I sent that stop message the first time and Grinler had me replace the missing atapi.sys file.
I knew right there that he was very good. It booted right up and that is when you helped me clean the rest of it off there. This is the same one now that got infected again but only with something different.

I booted it up using the BartPE cd and none of the files associated with Internet Security 2010 that you listed are there.

I did check to see if the atapi.sys file was there along with userinit.exe and winlogon. I didn't check for logonui.exe but I kind of doubt that is missing. I could check that too though.

What do I do now?

#9 AustrAlien


Posted 07 January 2010 - 11:10 PM

Try this on both your non-working computers.

Start the Recovery Console using a Windows XP CD (or an XP Recovery Console .ISO image that has been burned to CD).
  • Insert the CD in the computer's optical disk drive tray.
  • Start or re-start the computer so that it boots from the CD. You may be prompted to "Press any key". (If the system does not appear to be booting from the CD, you may need to enter the BIOS Setup Menu and change the boot order, so that the CD-ROM/optical disk drive is set to boot before the hard disk drive.)
  • When the Welcome to Setup screen appears, press the R key on your keyboard to start the Recovery Console.
  • The Recovery Console will ask which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would type the number associated with the installation you would like to work on and press the <ENTER> key. If you have just one Windows installation, type 1 and press <ENTER>.
  • You will be prompted for the Administrator's password. If there is no password, (and this is most likely), simply press <ENTER>.
  • You will be presented with a C:\Windows> prompt. (Please advise if you are not seeing a C:\WINDOWS> prompt.)
At the C:\Windows> prompt, type chkdsk /r and press <ENTER> (Note: There is a space between "chkdsk" and "/r")
  • This test will take some time to run and at times may appear stalled but just let it run.
  • If any errors are found/repairs made, run chkdsk /r again, and repeat if necessary.
Type "exit" at the prompt and press <ENTER> to close the Recovery Console and restart your system.

Does Windows start normally now?

#10 hooke


Posted 08 January 2010 - 04:47 PM

I was infected by the same virus. When I try to start the recovery console, the computer boots in safe mode, and recovery won't run in safe mode. Any ideas?

#11 AustrAlien


Posted 08 January 2010 - 05:37 PM

I was infected by the same virus. When I try to start the recovery console, the computer boots in safe mode, and recovery won't run in safe mode. Any ideas?

Welcome to BC, hooke :thumbsup:

We really need you to create your own new thread (click on "New Topic"): It is too confusing to help different people in the one thread. Please describe your problem, and how it came about (what caused the problem, the name of the malware infection or what was happening when the problem arose and also what you have done so far), and then someone will assist you.

Thank you.

#12 lethalaffairs


Posted 09 January 2010 - 07:00 AM

I ran chkdsk /r on both drives. They still restart at the windows splash screen.

#13 AustrAlien


Posted 10 January 2010 - 05:13 AM

lethalaffairs

Re: the "good" one with STOP: 0x00000024
You have run chkdsk /r and that has not fixed the issue. I don't have any other "simple" tricks up my sleeve for this one.
What is the chance of you being willing to do a "repair install" at this stage?

0x00000024: NTFS_FILE_SYSTEM
A problem occurred within NTFS.SYS, the driver file that allows the system to read and write to NTFS file system drives. There may be a physical problem with the disk, or an Interrupt Request Packet (IRP) may be corrupted. Other common causes include heavy hard drive fragmentation, heavy file I/O, problems with some types of drive-mirroring software, or some antivirus software. I suggest running ChkDsk or ScanDisk as a first step; then disable all file system filters such as virus scanners, firewall software, or backup utilities. Check the file properties of NTFS.SYS to ensure it matches the current OS or SP version. Update all disk, tape backup, CD-ROM, or removable device drivers to the most current versions.

http://aumha.org/a/stop.htm

How about you boot with BartPE and have a look at NTFS.SYS in the following location ...
C:\WINDOWS\system32\drivers <<< folder
Check to make sure it is present, and check the properties, and let me know what you see (date, version, size etc).

Important! Strip this system bare for the purpose of troubleshooting: Disconnect and remove all unnecessary attached devices, especially any type of hard drive/flashdrive, and all USB devices.

Please watch this thread and perform the same steps
suggested by Elise on post #4 using your BartPE. Looking for a pattern here?

Edited by AustrAlien, 10 January 2010 - 07:47 AM.


#14 AustrAlien


Posted 10 January 2010 - 05:51 AM

lethalaffairs

Re: the "infected" one

0x00000050: PAGE_FAULT_IN_NONPAGED_AREA
Requested data was not in memory. An invalid system memory address was referenced. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop message, as may other hardware problems (e.g., incorrect SCSI termination or a flawed PCI card).

Source: http://aumha.org/a/stop.htm

This error message is indeed commonly the result of defective memory (RAM).
But it also seems to often show up somehow related to the presence of malware.

So, what to do? I would suggest testing the memory first to rule out that possibility.

Test the memory (RAM).

To make a bootable CD with memtest86+
Direct download: Pre-Compiled Bootable ISO (.zip)
http://www.memtest.org/download/4.00/memtest86+-4.00.iso.zip

Extract the zip file, burn the .ISO image to CD and boot from it. Allow it to run.

There MUST be NO errors what-so-ever.
If you see an error, stop the test: Test each stick of RAM separately to sort the good from the bad.

A minimum test for some confidence in the result, should be 7 full passes (each "pass" is a series of different types of tests), with NO errors.
Allow memtest86+ to run for 24 hours for maximum confidence in the test result.
------------------------
To make a bootable floppy ...
Download - Pre-Compiled package for Floppy (DOS - Win)
http://www.memtest.org/download/4.00/memte...4.00.floppy.zip

#15 lethalaffairs


Posted 11 January 2010 - 08:00 PM

I know that the memory is not bad. I am using this hard drive I am on now on the same computer and it works flawlessly.
I hooked up the good drive and took a look at that ntfs.sys file that you wanted. While I was doing that I think I found something even better. I started to look at the files by date and the last ones modified.
On the second drive that got infected from the first one I found a file called updater.exe in the C:\ directory. I also found in the C:\WINDOWS folder a file called system.exe which I looked up and sure enough it's a virus. In the C:\WINDOWS\system32 folder I found a file called DROPPEDFILEOKAllsyn.tmp. All of these files have an added user in the security tab.
I then hooked up the originally infected drive and it was even worse.
It had those same files along with a few more in the C:\WINDOWS\system32 folder. They were AVR10.exe, winhepler86.dll, critical_warning.html, winupdate86.exe, winlogon86.exe.
I did a search for DROPPEDFILEOKAllsyn.tmp on google and it found something interesting. It said that it puts a registry key in to start this system.exe file every time Windows starts. I booted up with the BartPE cd and checked it and it was there.
I ran a full scan using the BartPE cd with MBAM, SAS and AntiVir. Not one of them found any of these files. I think I know why though. I made the cd on Nov 15th and I can't update any of the virus definitions because my wireless adapter is not working when I boot using the cd.

I said hell with it last night and downloaded Kaspersky Internet Security 2010 and put it on this computer. I set everything to the highest setting and hooked up the 2nd good drive.
I updated MBAM and ran a full scan. It only found 2 things but Kaspersky blocked updater.exe and said that the C:\Windows\system32\atapi.sys file was infected.

That must have been the same type of virus that the computer that you helped me clean up the first time had. When I cleaned it with SAS and MBAM maybe SAS found the atapi.sys file and deleted it. That's why that was missing and Grinler had me replace it. Then when that was replaced the drive booted up fine and that is when you had me run TDSSKiller, TFC, Eset Online Scanner, F-Secure Online Scanner, and Bitdefender Online Scanner on it. Remember that? All of those must have cleaned up the rest of the drive last time.

I am currently running SAS on the drive now and then when I am finished I am going to scan it with Kaspersky since I have it on here. Should I then try to run Dr Webb Cure It and see if I can disinfect that atapi.sys file?

I didn't have to repair safe mode last time but I think I am going to have to this time. I looked and couldn't find the registry key for it. I think that was deleted by this virus.
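The offline checks discussed in posts #13 and #15 (look at ntfs.sys / atapi.sys properties, sort the Windows folders by modification date, look for the dropped file names, and compare against the working drive on the same machine) can be scripted once the suspect disk is slaved to a clean system. The following is an added example written for this page; it is not code from the thread or from any of its participants. It assumes the suspect volume and a known-good volume of the same XP service-pack level are mounted read-only at two paths (the drive letters BartPE assigns, or any mount point), that the Windows directory is `WINDOWS` under each root, and it uses the file names reported in posts #7 and #15 as its watch-list. `build_sample_tree()` constructs a throwaway sample tree so the script runs offline; the hypothetical file contents in it are placeholders, not real driver bytes.

```python
"""Offline triage of a slaved Windows XP volume (added example, not the thread's code):
properties and hashes of boot-critical files, recently modified files in the usual
drop locations, watch-list name matches, and a hash comparison against a known-good
installation of the same SP level."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# File names reported on the infected drives in posts #7 and #15 of this thread.
WATCHLIST = {
    "updater.exe", "system.exe", "droppedfileokallsyn.tmp", "avr10.exe",
    "winhelper86.dll", "critical_warning.html", "winupdate86.exe",
    "winlogon86.exe", "41.exe", "is2010.exe",
}

# Boot-critical files the thread asks to have checked, relative to the volume root.
CRITICAL = [
    Path("WINDOWS/system32/drivers/atapi.sys"),
    Path("WINDOWS/system32/drivers/ntfs.sys"),
    Path("WINDOWS/system32/userinit.exe"),
    Path("WINDOWS/system32/winlogon.exe"),
]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe_critical(root: Path) -> dict:
    """Size, mtime and SHA-256 per critical file; None when the file is missing,
    so an absent atapi.sys (as in the earlier incident) stands out immediately."""
    out = {}
    for rel in CRITICAL:
        p = root / rel
        if not p.is_file():
            out[rel.as_posix()] = None
            continue
        st = p.stat()
        out[rel.as_posix()] = {
            "size": st.st_size,
            "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
            "sha256": sha256_of(p),
        }
    return out


def recently_modified(root: Path, max_age_days: int,
                      subdirs=("", "WINDOWS", "WINDOWS/system32")) -> list:
    """Files (non-recursive) in the usual drop folders modified within max_age_days,
    newest first: the 'sort by date' step from post #15."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for sub in subdirs:
        d = root / sub
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if p.is_file() and p.stat().st_mtime >= cutoff:
                hits.append((p.relative_to(root).as_posix(), p.stat().st_mtime))
    hits.sort(key=lambda t: t[1], reverse=True)
    return [name for name, _ in hits]


def watchlist_hits(root: Path) -> list:
    """Every file under root whose name (case-insensitive) is on the watch-list."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.name.lower() in WATCHLIST)


def differs_from_reference(suspect_root: Path, reference_root: Path) -> list:
    """Critical files that are missing or hash differently from the known-good volume.
    Assumption: same XP SP level on both, so a legitimate driver hashes identically.
    This catches an in-place patched driver whose timestamp was left untouched."""
    out = []
    for rel in CRITICAL:
        s, r = suspect_root / rel, reference_root / rel
        if not r.is_file():
            continue  # nothing trustworthy to compare against
        if not s.is_file() or sha256_of(s) != sha256_of(r):
            out.append(rel.as_posix())
    return out


def build_sample_tree():
    """Constructed sample (placeholder bytes, not real drivers): a clean reference tree
    and a suspect tree with a patched atapi.sys that kept its old timestamp plus three
    freshly dropped files. Returns (suspect_root, reference_root)."""
    base = Path(tempfile.mkdtemp(prefix="xp_triage_"))
    ref, sus = base / "reference", base / "suspect"
    clean = {CRITICAL[0]: b"ATAPI-GOOD", CRITICAL[1]: b"NTFS-GOOD",
             CRITICAL[2]: b"USERINIT", CRITICAL[3]: b"WINLOGON"}
    old = time.time() - 90 * 86400
    for root in (ref, sus):
        (root / "WINDOWS/system32/drivers").mkdir(parents=True)
        for rel, data in clean.items():
            (root / rel).write_bytes(data)
            os.utime(root / rel, (old, old))
    patched = sus / CRITICAL[0]
    patched.write_bytes(b"ATAPI-PATCHED")
    os.utime(patched, (old, old))          # date sort alone would miss this
    (sus / "updater.exe").write_bytes(b"dropper")
    (sus / "WINDOWS/system.exe").write_bytes(b"payload")
    (sus / "WINDOWS/system32/DROPPEDFILEOKAllsyn.tmp").write_bytes(b"tmp")
    return sus, ref


if __name__ == "__main__":
    sus, ref = build_sample_tree()
    print("critical:", describe_critical(sus))
    print("recent (30d):", recently_modified(sus, 30))
    print("watch-list:", watchlist_hits(sus))
    print("differs from reference:", differs_from_reference(sus, ref))
```

Run it against real mount points by replacing the sample roots with `Path("X:/")` style paths. The reference comparison is the step that matters for atapi.sys: an infector that patches the driver in place and preserves its timestamp does not appear in a date sort, but its hash no longer matches the copy on the working drive of the same SP level.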