
super frustrated


15 replies to this topic

#1 MadAsHell83

Posted 08 January 2010 - 12:29 PM

Hello, I'm a newbie to these forums as far as posts go, but I've been using your site and forums for the last six months or so to help me fix several computers for friends. If I'm posting this in the wrong place I do apologize; let me know where to put it, hopefully not where the sun doesn't shine. Ha.

It seems this time all efforts to clear this last computer of an attack associated with the installation of Windows Police Pro, Internet Security 2010 (or IS2010), and whatever other kind of garbage was found that I don't remember while scanning the computer for viruses. A little history on this: the computer is a Dell Inspiron 1501 laptop running XP Home Version 2002, Service Pack 3, with 2GB of RAM.

So the beginning issues with this thing (well, the reason it was brought to me) was not being able to connect to the internet. Upon receiving the computer I noticed the usual fake warnings about viruses and such from Internet Security 2010, and also no internet connectivity in any form: dial-up, wired or wireless. Next I noticed that Task Manager wasn't working; no way of trying to start it would work. So on to troubleshooting I went, deleting obvious infection files associated with the above fake antivirus programs and trying to boot into Safe Mode, which I should have figured wouldn't happen due to the past experience that I've had with these types of infections. Trying to boot into Safe Mode would result in a hang when or after loading the mup.sys driver/file, so I would have to reboot back into normal Windows, then on to using several scanners that I have used in the past. I've scanned the computer with, and still have installed, Malwarebytes, SUPERAntiSpyware, CCleaner, SmitfraudFix (I figured this worked in the past on Windows Police Pro). I also used a Dr.Web boot CD scanner that I used in the very beginning and it removed some things. I also have Avast antivirus installed on the computer as well and have scanned in normal mode and done a boot-time scan as well. I apologize for not remembering all the crap I have cleaned out of this thing thus far, although some has been quarantined in some of the programs. After doing all of these scans and such I've removed most of what has been found to be problem software, registry entries and files. So here's the problems that remain: still cannot boot into Safe Mode; the closest thing I can get to Safe Mode is using msconfig to boot into a diagnostic mode, in which I have used all the scanners mentioned above and had more success finding more files and such, but this and other problems remain.
I've run HijackThis and looked through the file at the end at some of the stuff that's in it, and some things may be a bit questionable, but if and when it's requested I'll provide that. Also any of my searches on any of the search engines are redirected, surprise surprise, which is another major pain in the rear. Also the computer was having a problem with cli.exe eating 99% of the CPU so this thing was super slow; I used CCleaner to disable the start of that as it's apparently related to ATI hardware and doesn't seem to be critically needed. And last but not least, in Task Manager iexplore.exe is running multiple times only when IE is open; mainly it's running twice, but I have seen as many as six with only one window open. But anywho, any help with this would be appreciated; I'm at a dead end it seems.

So a recap of the remaining issues:

Can't boot into Safe Mode, in any way, shape or form.
Searches are redirected on any search engine; I can search on the site, but when clicking on anything that is searched it's redirected 99% of the time to ad sites or another oddball search engine.
Any insight into the cli.exe problem.

Also just remember, this computer had LimeWire, BearShare and FrostWire installed on it at some point in time. I know these programs are serious gateways to this sort of thing. Again, any help with all of this would be greatly appreciated.

thanks,

Matt :thumbsup:

#2 hamluis

Posted 08 January 2010 - 12:40 PM

Clean install is what I would do.

Even if one is to assume that ALL malware items have been removed/nullified...the damage done by such and by removal efforts...is untold.

To assume that system is capable of reliable function without a clean install...is not one premise I would build upon.

Louis

#3 boopme

Posted 08 January 2010 - 12:41 PM

EDIT: I see we were posting at the same time.. If you decide to attempt a clean then....

Hello and welcome.
A few things to try first..
You will need to run RKill first and as this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder.

See the BC Guide here http://www.bleepingcomputer.com/virus-remo...t-security-2010
Follow the Automated Removal Instructions for Internet Security 2010 using Malwarebytes' Anti-Malware:

After you have finished post the scan log and tell me how it's doing.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Edited by boopme, 08 January 2010 - 12:43 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 MadAsHell83

Posted 08 January 2010 - 12:46 PM

Oh yeah, that's the other thing I had forgotten to tell you about all of this: as far as the clean install, there's no recovery partition on the computer, and they don't have any of their original installation or recovery CDs that came with the computer.

Also I've done everything previously in the guide to removing IS2010 in that article, including using RKill, but I will do RKill again and post the MBAM log as soon as possible. Thanks for such a quick response from the both of you.

Matt

#5 MadAsHell83

Posted 08 January 2010 - 01:03 PM

Alright, I've done as you've requested: ran RKill and did a quick scan in Malwarebytes. Here's the log. The computer is still having the same issues as before.

Malwarebytes' Anti-Malware 1.44
Database version: 3519
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/8/2010 12:56:21 PM
mbam-log-2010-01-08 (12-56-21).txt

Scan type: Quick Scan
Objects scanned: 136880
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again for any help,
Matt

#6 boopme

Posted 08 January 2010 - 01:19 PM

OK, I am moving this to Am I Infected from XP now..
Since you have SAS installed, do this next.

SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSpyware.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.
Run a Safe Mode scan and post the log.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
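The "Repair broken SafeBoot key" step exists because this family of rogues deletes the registry keys Windows reads when it builds the Safe Mode driver list, which is why Safe Mode appears to hang at mup.sys. As an added example that is not part of boopme's post, the PowerShell below reports the state of those keys without changing anything; the short list of expected entries is taken from a default XP SP3 install and is an assumption to compare against a known-good machine of the same Windows version.

```powershell
# Added example, not from the thread: read-only check of the SafeBoot registry keys.
# Windows builds the Safe Mode driver/service list from SafeBoot\Minimal (plain Safe Mode)
# and SafeBoot\Network (Safe Mode with Networking). When a rogue deletes them, Safe Mode
# never gets past the last boot driver it loads, which shows up as a hang at mup.sys.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# A few entries present on a default XP SP3 install. Assumption: this list is partial;
# compare against a known-good machine rather than treating it as complete.
$expected = 'Base', 'Boot Bus Extender', 'System Bus Extender', 'Primary disk', 'File system', 'vga.sys'

foreach ($mode in 'Minimal', 'Network') {
    $key = Join-Path $base $mode
    if (-not (Test-Path $key)) {
        Write-Output "$mode : MISSING - Safe Mode ($mode) cannot be built from the registry"
        continue
    }
    $names   = @(Get-ChildItem $key | ForEach-Object { $_.PSChildName })
    $missing = @($expected | Where-Object { $names -notcontains $_ })
    Write-Output ("{0} : present, {1} entries" -f $mode, $names.Count)
    if ($missing.Count -gt 0) {
        Write-Output ("    expected entries not found: {0}" -f ($missing -join ', '))
    }
}
```

Run it from an elevated PowerShell; on the XP machine in this thread that means PowerShell 2.0 has to be installed first. A MISSING result is exactly what the SUPERAntiSpyware repair above is meant to put back.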

#7 MadAsHell83

Posted 08 January 2010 - 02:28 PM

So everything is still acting the same; also the time has changed to a 24hr clock. Here's the SAS log you requested.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2010 at 08:57 PM

Application Version : 4.32.1000

Core Rules Database Version : 4379
Trace Rules Database Version: 0

Scan type : Quick Scan
Total Scan Time : 00:12:07

Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 573
Registry threats detected : 1
File items scanned : 8358
File threats detected : 20

Adware.Tracking Cookie

Rogue.WindowsPolicePro
HKU\S-1-5-21-2111422745-2286333047-3807227390-1008\Software\Softimer


The Windows Police Pro entry has shown up and been removed in this scan before, but I see it's still here.

Thanks again,
Matt

#8 michah2007

Posted 08 January 2010 - 02:45 PM

Real simple.. Reinstall Windows with a backup so you don't lose everything.. The money and headache to fix it wouldn't be worth it.. I would totally reinstall Windows and everything will work again fine.

#9 MadAsHell83

Posted 08 January 2010 - 02:59 PM

Yeah, I would have already done that if I had a recovery partition or the actual discs that came with the computer; trust me, I don't want to go through this headache.

#10 boopme

Posted 08 January 2010 - 03:19 PM

To fix the clock display:

Go to Start >> Control Panel.
Select Regional and Language Options.
In the Standards and Formats section... next to the language you are using... click the Customize... button.
Press the Time... tab.
In the Time Format... box, for 12 hour time display... change the format to:

h mm ss tt
or
hh mm ss tt


Select the other display options you want... separator, AM, PM...
When done...click Apply and OK as needed.


We may move to the HiJack This forum...
If cli.exe is located in the folder C:\Windows\System32 then the security rating is 100% dangerous.


While we have Safe Mode we'll run DrWeb.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
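The rule of thumb above judges cli.exe by its folder alone. As an added example that is not part of the thread, the PowerShell below lists every cli.exe on the system drive (hidden files included, since that came up later in the thread) with its Authenticode signature status, so both a copy sitting in System32 and an unsigned copy anywhere else stand out. The C:\Windows path is assumed; adjust it if Windows is installed elsewhere.

```powershell
# Added example, not from the thread: locate every cli.exe and report where it lives
# and whether it carries a valid Authenticode signature. The thread's heuristic is
# "cli.exe inside C:\Windows\System32 is bad"; checking the signature as well catches
# an unsigned copy dropped somewhere else under a legitimate-looking name.
# Written for PowerShell 2.0 (New-Object PSObject) so it also runs on XP SP3.
$hits = Get-ChildItem -Path 'C:\' -Filter 'cli.exe' -Recurse -Force -ErrorAction SilentlyContinue

foreach ($file in $hits) {
    $sig        = Get-AuthenticodeSignature -FilePath $file.FullName
    $inSystem32 = $file.DirectoryName -like 'C:\Windows\system32*'   # assumed Windows path
    $signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    New-Object PSObject -Property @{
        Path       = $file.FullName
        SizeBytes  = $file.Length
        Signature  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        Suspicious = ($inSystem32 -or ($sig.Status -ne 'Valid'))
    }
}
```

Anything flagged Suspicious is worth quarantining with the scanners already in use rather than deleting by hand, so the file is kept for inspection.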

#11 MadAsHell83

Posted 08 January 2010 - 04:38 PM

Well, it seems that Safe Mode has taken a dump again. I'm trying to get it working again using the method described earlier; if unsuccessful, do you have any more ideas for repairing Safe Mode, or should we run the DrWeb scanner in normal mode? Also I looked for cli.exe in the system32 folder and it wasn't there (I had it selected to show hidden files also), so I don't know if that was a bit of good news there or not. Well, back to trying to get Safe Mode back online; let me know if you have any more ideas. Thanks again for all your help thus far and in the future!!

Matt

#12 MadAsHell83

Posted 08 January 2010 - 04:43 PM

Spoke too soon about Safe Mode; got it working again. I'll post the scan results as soon as possible.

#13 boopme

Posted 08 January 2010 - 04:51 PM

If we have to run in normal, do so; it will still remove some things... When we have Safe back we can rerun.

#14 MadAsHell83

Posted 08 January 2010 - 07:07 PM

Well, it appears that I've been hit with some bad luck. I made it 75% through the scan; it detected a backdoor trojan through svchosts.exe 404 and another virus. I sat the computer down on the edge of the couch, like an idiot, and stood up, and the thing fell on the floor. Go me. Anywho, in doing so everything froze, and I tried to reboot the computer; the BIOS screen loads after a couple seconds and then nothing. So I figure I have trashed the hard drive, so if this is the case, in goes another hard drive, which would benefit this thing anyway seeing as how the old one's only 60GB, and on to purchase a full copy of Windows. So in helping someone out I've screwed myself, SSDD. Anyway, I will see what happens after I mess with this thing for a few; if it's busted I shall let you know, unless you have any ideas. Thanks for your help, and the outlook isn't good I don't suppose.

Matt

#15 MadAsHell83

Posted 09 January 2010 - 05:18 PM

Well, I've gotten the hard drive to start reading again, but it gets to the Windows splash screen and then goes to a BSOD; it says unmountable boot device or drive or whatever. Got the Recovery Console to run from a disc and tried to do chkdsk and it froze at 0%. Just wondering if you think the thing is trashed from the fall, or something else resulting from the scan that we were doing with Dr.Web CureIt?
