infected with UPS virus. Cannot log on even in safe mode


81 replies to this topic

#1 nathaliuk

Posted 19 January 2010 - 12:23 AM

Hi,
Last Fri I received an email via my Yahoo account from UPS (which I now know it is not). I think this is a nasty virus, has worms too.

Avira scanned the file before I unzipped it, I did not get any warning, even though I had updated Avira files before, then it went spiralling downhill!!

I had so many windows opening up, I immediately disconnected from the net then proceeded to virus scan with Avira. At the end of the scan, it could not help as it was infected. I could not open the report, even though there were warnings.

I tried Spybot scan which found a majority of problems which I allowed it to fix. I did not think it wise to go on the net as I kept getting Internet Explorer pages opening up.

All during this time I was getting Norton virus updates and warnings - I don't have Norton's so ignored them and did not open any of the files. Just closed them at the X and made sure I was disconnected from net.

After Spybot cleaned up, I used ATF to clean my temp files and then turned off and re-started.

Since then I cannot log on to Windows, even in safe mode and administrator. I tried logging on a number of times in a variety of ways but it keeps logging me out. I am not getting past the log on page.

I cannot seem to get into Windows and think I must have messed up somewhere. I have my external drive plugged in and was about to back up my monthly documents but decided to reply to my emails before! Hence now cannot access anything.

I have spent the weekend reading forums and pages and pages of advice. I read this forum thread as well as thread:
http://thinkinginpixels.com/quick-fixes/fi...onlog-off-loop/

I do recall there was an error about Windows Defender but can't confirm if it was genuine or a malware. I also had to do a restore point on Thurs, I was getting log on problems with my screen, it was logging on in large fonts after I had updated Nvidia video. After the restore point, things were ok.

I update my Spybot and Avira daily. I already use Malwarebytes and it's on the computer. I just hope someone can assist on a way forward. I really need my documents and cannot afford to lose them as there are files I need to send to my mortgage lender asap.

I think I am capable of following instructions but it's a bit scary as it's quite daunting. Not an expert, not savvy, just know bits and can follow a routine so long as it's explained.

Look forward to your reply and any assistance you can provide.

mandy nathali

#2 AustrAlien

Posted 19 January 2010 - 12:36 AM

I tried ... logging on a number of times in a variety of ways but it keeps logging me out. I am not getting past the log on page.

I have spent the weekend reading forums and pages and pages of advice. I read this forum thread as well as thread:
http://thinkinginpixels.com/quick-fixes/fi...onlog-off-loop/

I really need my documents and cannot afford to lose them as there are files I need to send to my mortgage lender asap.

mandy

Re: LogOn/LogOff Loop

Go ahead with the thinkinginpixels instructions: That is your best chance to get back in to Windows. It will take several hours to complete, and you should then be able to use Windows and retrieve the documents that you need. The instructions provide a series of logical steps that are relatively easy to follow and should lead to a positive result. Any problems, let us know.

Should that fail (unlikely) we can help you get those documents by another means.
Let us know how you are getting on.
'Alien

Edited by AustrAlien, 19 January 2010 - 12:46 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#3 nathaliuk

Posted 19 January 2010 - 12:46 AM

Hi AustrAlien

many thanks for replying back

Ok here goes, I will attempt the thinkinginpixels instructions. Wish me luck and I will be in touch either way once done.

kind regards

mandy from hong kong

#4 AustrAlien

Posted 19 January 2010 - 12:49 AM

Hey, you don't need me to wish you luck: It is foolproof, 100% guaranteed.

Don't be shy about posting with any questions or problems.
Have fun!
AustrAlien
Google is my friend. Make Google your friend too.


#5 nathaliuk

Posted 19 January 2010 - 02:59 AM

Amen, I read the instructions, all seems to be going to plan and reaching the end of the installation - going through the scan now. I even received an email from Dan wishing me luck :thumbsup: The points were easy to run through and I can recommend Dan's ease of instructions.

I await for the scan to finish then to download via safe mode Avast to see how bad it is. Which I hope won't be too bad.....

When is a good time to back up or copy all my documents and pictures? before Avast in safe mode?? Just need to check as my back up hard drive is still in the back of the computer. Should I before installing Avast just copy my documents onto a usb stick and then scan that stick later??

I need to uninstall everything he says and then reinstall as the virus has embedded in my anti malware and anti spyware programs? Right??

I will most definitely recommend Dan's thread and will most certainly be donating some cash, even if that is a small amount, what I can afford.

very grateful I am half way through.

Kind regards

mandy

#6 AustrAlien

Posted 19 January 2010 - 04:08 AM

When is a good time to back up or copy all my documents and pictures? before Avast in safe mode?? Just need to check as my back up hard drive is still in the back of the computer. Should I before installing Avast just copy my documents onto a usb stick and then scan that stick later??

Thanks a lot for the feedback on what you thought of Dan's instructions: That is very reassuring for us to know.

Re: your important documents that you do not yet have a backup copy
Do it as soon as practical. I would be backing up to your external USB hard drive: At this stage you would assume that it also is infected to some degree and will also need to be scanned for malware. Likewise, if you connect a USB flashdrive, you would have to assume that also will get infected. The safest method would be to burn to CD/DVD, but at this late stage, that is possibly unwarranted effort?

Files with the following extensions should not be backed up:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
  • .asp
  • .php

I need to uninstall everything he says and then reinstall as the virus has embedded in my anti malware and anti spyware programs? Right??

I will have to defer to Dan on that recommendation, assuming that he has more experience than I do. It is not something that I would have recommended, nor have I seen it recommended as a first step: Certainly, if those applications are not functioning correctly, then that would be necessary.

I will post the next steps for you to continue your work here in this thread, when you have completed Dan's instructions and have access to your Windows system. We will clean up any remaining malware.
'Alien

Edited by AustrAlien, 19 January 2010 - 04:11 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#7 AustrAlien

Posted 19 January 2010 - 04:25 AM

mandy

Since one of the first steps in these instructions is to disable any real-time protection to stop it interfering with the malware removal process, I suggest that you do not uninstall, download, or install a new version of your anti-virus at this time. See Note 2 below the MBAM instructions for instructions on disabling Spybot's Teatimer and your antivirus application, before you start. You may not need to download and install a new copy of MBAM: Instead, try simply updating it, and then running the scan per the instructions. If that doesn't work, then you may need to download a new copy and install it.


Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download Malwarebytes' Anti-Malware and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected. <<< Note: Select Quick Scan (not Full Scan)
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note 1: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2: MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Please download SUPERAntiSpyware
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and click View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Please download Dr.Web CureIt! and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (something like this ... 5mkuvc4z.exe).
(Or download drweb-cureit.exe from here )

Print these instructions (or copy them to a Notepad file) so they will be accessible: Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Now, reboot your computer in "Safe Mode" using the F8 method. (To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows logo splashscreen appears) press the F8 key repeatedly. The "Windows Advanced Options Menu" will appear with several options. Use the Up/Down arrow keys to navigate and select the option to run Windows in "Safe Mode".)

Scan with Dr.Web CureIt! as follows:
  • Double-click on <the randomly named file that you downloaded> to open the program and click Start.
  • If you see a message, warning that Dr.Web CureIt! is available free only for personal use, click Cancel to continue.
  • Click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the "Dr.Web scanner anti-virus check" prompt and click Ok where asked to "Start scan now?"
    Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the "Full version / FREE trial", ignore it, and click the X to close the window.
  • If you see a message, warning that your HOSTS file has been modified and asking if you would like to restore it, click Yes.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply > Ok.
  • Back at the main window, click the green arrow ("Start Scanning") button on the right, under the Dr.Web logo.
    (Please be patient as this scan could take a long time to complete.)
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop. <<< Important!
  • Exit Dr.Web CureIt! when done.
Important! Reboot your computer normally (not to Safe Mode) because it could be possible that files in use will be moved/deleted during reboot.

After rebooting, post the contents of the log from Dr.Web.
  • On your Desktop, right-click on DrWeb.csv and choose Open with > Notepad
  • Copy and paste the entire file contents in your next reply.
    *******************************************
Now, please run a Full Scan this time with MBAM after again updating. Remove what it finds and then post the log from that too.
AustrAlien
Google is my friend. Make Google your friend too.


#8 nathaliuk

Posted 19 January 2010 - 09:42 AM

Ok ok
The scan and Spybot have completed. Took most of the day. I am actually going to send the report to Dan as Spybot did find stuff.
I will attempt to boot up in safe mode tomorrow. Fingers crossed.
Thanks for your response on my query, 1st thing I will do once I am logged on is to print your email, it's very detailed and will action. Will take some time so if I am not in touch for a while, please do not close my thread

many thanks again
Mandy

#9 AustrAlien

Posted 19 January 2010 - 01:58 PM

I will attempt to boot up in safe mode tomorrow. Fingers crossed.

Malware often disables the ability to boot in to Safe Mode, so don't be too concerned if it doesn't work.

Take your time: The thread will remain open for you and I will receive notification when you next post.
Good luck.
'Alien
AustrAlien
Google is my friend. Make Google your friend too.


#10 nathaliuk

Posted 19 January 2010 - 09:33 PM

Morning

I have managed to log on in safe mode with networking without any problems :thumbsup: Good to be in Windows again.

I am waiting to hear back from Dan as the last scan did not save my file... before I action anything as Spybot did find some stuff

..."For your other question regarding the antispyware/virus programs, if they've been infected, then yes, you would need to uninstall them and use the links I gave you to download clean copies"... reply from Dan

I do know 100% that Avira was infected during the scan I did when I was getting all the pop ups. I also know spybot could have caused more issues by showing a false negative, so yes I believe both would need to be un-installed.

I am going to install avast first then update you after the scan...

regards

mandy

The rest, well what should I do?? As your advice and Dan's are similar but quite different.

#11 nathaliuk

Posted 19 January 2010 - 11:30 PM

update

I can log on in safe mode but cannot get online.
Cannot load remote access connection manager service. Error code E711

Dan sent me this link which I actioned:
http://support.microsoft.com/kb/330163

...but now keep getting error codes 1084 and 1068 when I try to start them

awaiting an update from Dan to see what the next step will be...

#12 nathaliuk

Posted 20 January 2010 - 03:39 AM

hi again

update now...

We managed to log on under safe mode after some registry changes that Dan kindly emailed me and I used fix.reg. But no chance of connecting to the net... device manager would not allow these functions under safe mode... see below

safe mode networking…

NO Error code in device manager……. HSP56 World MicroModem - right click properties…. I try to enable… then it comes up… Status not available for the device… when Windows running in safe mode…..

When I use my internet provider… says opening port…. Then error 797… connection not established…. Modem not found or busy….

So NOW had to log on under NORMAL mode, loaded up and the virus Internet Security 2010 booted up straight away, got the red circle in my desktop shortcuts, green background and tons of pop ups.

I cannot close the pop ups, dare not connect to the net. So I have now decided to use the already-installed Malwarebytes software on the computer, doing a quick scan now and will send the log below via USB... but of course will scan the text file before I use it on the laptop

BTW Avast on my laptop has found tons of stuff on it and my external hard drive... cleaned up... I think I will stick with this anti virus. Still cannot load up from the net to my infected computer.

Please update me on next step after Malwarebytes log


see below the results:


Malwarebytes' Anti-Malware 1.40
Database version: 2728
Windows 5.1.2600 Service Pack 3

20/01/2010 16:26:53
mbam-log-2010-01-20 (16-26-41).txt

Scan type: Quick Scan
Objects scanned: 131995
Time elapsed: 14 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
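
The log in the post above lists seven registry data items marked "No action taken", meaning they were detected but not yet removed. The following is an added example, not part of the thread and not Malwarebytes' own tooling: it parses a log in this layout, cross-checks the summary counts against the listed items and groups the pending detections. The log text is an excerpt of the one posted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Excerpt of the log posted above (timing lines and empty sections trimmed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2728
Scan type: Quick Scan

Registry Values Infected: 0
Registry Data Items Infected: 7
Files Infected: 0

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Non-greedy object match: stops at the first "(Name) -> ", so parentheses
# inside a path and the later "(1)"/"(0)" values are not taken as the name.
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (summary counts per section, list of detected items)."""
    counts, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            # The action is always the last "->" segment of the line.
            action = m["rest"].rsplit(" -> ", 1)[-1].rstrip(".")
            items.append({"section": section, "object": m["object"],
                          "detection": m["detection"], "action": action})
    return counts, items


def review(text):
    """Flag count mismatches and detections that were not acted on."""
    counts, items = parse_mbam_log(text)
    listed = Counter(item["section"] for item in items)
    mismatches = {s: (n, listed.get(s, 0))
                  for s, n in counts.items() if n != listed.get(s, 0)}
    pending = [item for item in items if item["action"] == "No action taken"]
    by_detection = dict(Counter(item["detection"] for item in pending))
    return {"mismatches": mismatches, "pending": pending,
            "by_detection": by_detection}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("count mismatches:", result["mismatches"])
    print("pending by detection:", result["by_detection"])
```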

#13 nathaliuk

Posted 20 January 2010 - 04:07 AM

.......and no I have not clicked remove on Malwarebytes just yet... will do once I get your ok...
not touched Spybot (pre-installed) yet as I think it may be infected as is Avira antivirus.

How can I get TFC to load up on my infected computer without the net... tfr by USB stick??

kind regards

mandy

#14 AustrAlien

Posted 20 January 2010 - 05:31 AM

Please try to follow the instructions in the following link ...
Remove Internet Security 2010 (Uninstall Guide)
Posted by Grinler on December 10, 2009

Edit: I think you will be safe to remove what MBAM has found already.
The version of MBAM is way out of date now and you need to ensure that you update it.

Edited by AustrAlien, 20 January 2010 - 05:33 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#15 nathaliuk

Posted 20 January 2010 - 05:38 AM

Thanks... yes it killed the pop ups. Should I allow Malwarebytes to now execute what it found or start a new scan??
...waiting online