Major Illness


  • This topic is locked
9 replies to this topic

#1 sneal

  • Members
  • 26 posts

Posted 15 May 2010 - 04:29 PM

I changed ISPs last week due to a move. Left my current antivirus protection running while I waited for a security code to be snail-mailed to me. Needed the security code to be able to download the ISP's "Security Suite."

Entered security code, and download started. During download, several popups that looked like part of the "security suite" announced that sections of my previous antivirus software were being removed. (Popups looked legit--same color shading, same size, etc.) I was concerned, but let the program run on. After restart, I received the "NT/Authority System" and "Remote Procedure Call (RPC)" error/shutdown message. So, down we went.

I've been able to restart in Safe Mode (top of screen shows "Microsoft Windows XP (Build 2600.xpsp_sp3_gdr.100216: Service Pack 3)"--if that's to be trusted), and I've been able to do the "shutdown -a" command through DOS, but everything else I've attempted has not worked. All of my antivirus software seems to be gone. The "task bar" (?) at the bottom of the screen is visible, but I can't pull it up to be able to use it. I cannot get to the "Start" button, and the Windows key does nothing. Any attempt to run antivirus software from a CD leads to a shutdown. I do not have access to an internet connection on the infected computer because it looks like Firefox and MS Explorer were both wiped off the computer.

Can anyone help me, please?

I need to know:
1) What do I have?
2) How do I fix it?

I'm running Windows XP.

Thanks!


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,572 posts
  • Location:NJ USA

Posted 15 May 2010 - 11:12 PM

Hello, it appears you have picked up one of the new rogue antivirus apps. It is telling you lies.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 sneal

  • Topic Starter
  • Members
  • 26 posts

Posted 18 May 2010 - 05:44 AM

First, thanks for the reply. It's good to know that someone has an idea of what might be going on.

Now, a little advice please . . .

Still running in Safe Mode . . . not sure how to shut that off. Can't remember where I went to turn it on, but it wasn't F8.

Copied files you suggested to CD and transferred to problem computer.

Defogger--ran, then received error message: "unable to create log." Due to SAFEMODE?

DDS--got the black screen, then nothing else happened, as far as I can tell.

Gmer--ran for several hours. Was able to save to desktop, but could not save to CD. Again, a safemode issue?

So, what do I need to do to be able to gather this information for you?

Thanks, again!

#4 roadclosed

  • Members
  • 138 posts

Posted 18 May 2010 - 07:06 AM

I changed ISPs last week due to a move. Left my current antivirus protection running while I waited for a security code to be snail-mailed to me. Needed the security code to be able to download the ISP's "Security Suite."

Entered security code, and download started. During download, several popups that looked like part of the "security suite" announced that sections of my previous antivirus software were being removed. (Popups looked legit--same color shading, same size, etc.) I was concerned, but let the program run on. After restart, I received the "NT/Authority System" and "Remote Procedure Call (RPC)" error/shutdown message. So, down we went.



If I may add a comment... You say this code was passed to you via snail mail?

You may wish to let the individual who sent the code, plus the company that is utilising the snail mail, know that it is possible they have an infected computer system, or at the very least an infected computer on their network.

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,572 posts
  • Location:NJ USA

Posted 18 May 2010 - 10:30 AM

Maybe we can sneak past the malware with one of these and then post that log in the new topic.
If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)."
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.



If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open and are at your Desktop.
  • Double click on the OTL icon on your desktop.
  • Select 30 days from the File Age: drop down menu.
  • Click the "Scan All Users" checkbox.
  • Click the button to start the scan.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTL.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy the contents of OTL.txt to the clipboard by highlighting everything and pressing Ctrl+C (or, after highlighting, right-click and choose Copy) and then paste it into a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here.
  • Also copy and paste the contents of Extras.Txt in your next reply as well. If the Extras.Txt log is too long, you may need to add a second reply to your thread.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#6 sneal

  • Topic Starter
  • Members
  • 26 posts

Posted 19 May 2010 - 12:02 AM

boopme, you've been extremely helpful . . . but I'll need more help if we're gonna be able to boot me.

NOTE #1: Tried to run DDS as per Prep Guide. It did not work.

NOTE #2: I do not have internet access through the offending computer, and I'm unable to transfer files from it. I'm able to transfer files to the problem computer, but I must run the files through "New Task" via the task manager.

Here's what happened on recent fix attempts:

Was able to get out of Safe Mode, and tried Defogger, DDS, and Gmer again.
Defogger: "can't create log"
DDS: nothing happened
Gmer: Created log file, but couldn't save to CD or transfer to working computer (one with internet access)

Attempted RSIT: the system stopped responding when "HijackThis" started to load/work/etc. Same result with 2 attempts.

Attempted OTL: Kept getting the RPC shutdown error message as OTL ran. Stopped shutdown twice with "shutdown -a" at the command prompt. When the scan completed, I received 2 error messages regarding the text files: "Cannot find the file . . . do you want to create a new one?" Responded with both "yes" and "no" on 2 different attempts. Couldn't locate files either time.

Other "actions":
Every time I click on "My Computer," I lose my desktop, and only the background screen shows. No icons, taskbars, etc. are visible.

I can "save" files to CD, but I cannot make/don't know how to make the computer write them to a disk. No window ever appears that gives me the option to write to CD.

After OTL, a "boot.ini" file appeared on the desktop, along with several pictures of album art from an album I'd never seen before. Wondering if I've suddenly started buying music due to whatever's causing my computer to act this way.

So, I don't know what to do now. Considering loading Linux to see if I can get something going under that OS. If so, I could get you the info that you need.

Thank you. Further wisdom would be appreciated.

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,572 posts
  • Location:NJ USA

Posted 19 May 2010 - 09:58 AM

Hello again,

Have you ever run Combofix on that computer?
Do you have a Windows XP install disc?

Do this first please........

Let's now create a boot disc so that you can access your files and folders and so I can get a look at a log.....

*** Please print these instructions ***
  • Download Hiren's BootCD Iso to the desktop of a clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop.
  • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc. After it has completed...
  • Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
      • The tab should now show your current boot order.
      • If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  • You will be able to access your sick drive and save files/folders from here.
  • Create an ethernet (wired) Internet connection:
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?
  • You should now be connected to the internet.
  • Navigate here to the forum and click this link.
  • Download the program and save it to the desktop.
  • Once saved, close all other windows then double click the program to run it.
  • When completed, a log will open.
  • Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

  • In addition, you now have access to all your files and folders amongst many other utilities that we might need to use later.
  • If you double click your Windows Explorer icon on your desktop you will be able to access your hard drive.


#8 sneal

  • Topic Starter
  • Members
  • 26 posts

Posted 19 May 2010 - 11:18 PM

Woohooooo! Actually getting somewhere! Stand up and take a bow!

Everything worked as indicated . . . except I wasn't able to connect to the internet: "Unable to locate server."

Combofix? Have never run.

Windows Startup disk? Just moved. Unable to locate. May have gotten tossed during the move.

Posting DDS log to correct section . . . 052010.

Edited by sneal, 20 May 2010 - 09:43 PM.


#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,572 posts
  • Location:NJ USA

Posted 20 May 2010 - 09:41 AM

Hello sneal... I need you to repost that DDS log here: Virus, Trojan, Spyware, and Malware Removal Logs, thanks. I need an MRT to look at it.

Let me know if that went well.

#10 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 20 May 2010 - 10:42 PM

Now that your log is properly posted (http://www.bleepingcomputer.com/forums/topic318092.html), you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
