Infected with unknown


This topic is locked
16 replies to this topic

#1 Fumunda (Members)

Posted 23 May 2010 - 11:11 AM

Hi,
I was trying to do this the right way, following your instructions in the "what to do" section, but my computer would not cooperate. I am now on our other computer.

Here's the low down. I have an XP system.
A few weeks ago, my whole hard drive crashed, so I took it to the shop and they said they could not repair it.
So, I had a catastrophic crash. Had to replace the whole hard drive with a new one. Luckily I had Mozy and I was able to recover 99% of my stuff including email.
So, I have been loading on discs to set the programs back up, etc.
I also loaded MBAM, and AVG

Well, about a week ago I was running my computer when right in the middle of some video, the screen went black and it said it was in analog power saving mode. Nothing could make it cooperate, so I pushed the off button and the machine would not turn off. I held down the button and it finally turned off. After a few attempted re-starts, I figured out that I could hold down the esc key and it would re-boot by selecting the right boot selection.
I updated all the virus and anti-malware programs and ran them. Nothing the first time, so I loaded and ran Super Anti-spyware. This caught something in my registry. I quarantined and removed it thinking it was gone, but knowing in the back of my mind that I should work on a better fix. I can only remember the two items that showed up said "security" or "security threat" somewhere in the title line.

I went to Bleepingcomputer after deleting these and began the process of finding out what I had.
I could not get the DDS link to open, so I proceeded to download GMER
I got this running and didn't realize how long it would take. It was going for about 8 hrs and I left it on when I went to bed figuring when I got up it would be done analyzing things and a log would be there in its place. When I got up, my computer was on and everything was closed down. No log.
I figured I would re-run it, but before I did, I checked my email. In the middle of reading my email looking at a vid clip someone sent me, the screen went black again. I restarted the machine and went to the internet to start the removal process and didn't get very far before it went black again.
I re-started again and now it is at a point where it boots up and is on for a second or two and goes black.
I think at this point I am screwed. Is there anything that can be done at this point, or am I going to have to start over?
I think the data is all there, but I think possibly leaving the computer on all night allowed this thing to replicate somehow in the background.
Thanks for any help you can provide, I will check this forum topic regularly as I can't get to my email on this computer.
Fumunda

Edited by Fumunda, 23 May 2010 - 12:09 PM.



#2 Fumunda (Topic Starter)

Posted 25 May 2010 - 10:23 AM

Hi guys,
I know you are all busy. Is there something I can do with this like put it in safe mode and then work on something to get it fixed?
I can start the process if you can give me some direction (provided I have not let this go too far).
Thanks,
Fumunda

#3 Orange Blossom (OBleepin Investigator, Moderator)

Posted 25 May 2010 - 08:50 PM

Are you able to get into Safe Mode?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Fumunda (Topic Starter)

Posted 25 May 2010 - 11:31 PM

Hello Orange Blossom,
Yes, I can fully access safe mode.
I have it up right now.
Since I can't hook up with you directly in real time, can you give me a list of things to do in safe mode.
I am at work during the day, but can print out what needs to be done and get back with you after 6:30, or I can complete whatever task you can give me and certainly work with you on this other computer till I can communicate fully on the other one.

Thanks,
Fumunda

Edited by Fumunda, 26 May 2010 - 12:06 AM.


#5 Fumunda (Topic Starter)

Posted 27 May 2010 - 01:12 PM

I'm kinda bummed. I thought you all would respond quicker than 1 week.
Perhaps an automatic number assignment for this site as far as what place in line you are would be a good idea.
I soooo need to get my computer running and I know you are all busy, but all I am asking for is some direction. If I can get the process started, it would be a great help.
Please... is there a bone that you can throw me?? I can run some things if you can give me some instructions.

Thanks,
Sorry, but I have visited this so many times now, waiting. I just want anything to happen.

Fumunda

#6 boopme (To Insanity and Beyond, Global Moderator)

Posted 27 May 2010 - 02:12 PM

Hello, sorry you got hung. I saw 4 replies and thought someone was working this..
From Safe Mode run these 3. These will take long.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Now Drweb-cureit

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 Fumunda (Topic Starter)

Posted 27 May 2010 - 04:47 PM

Thanks so much,
I'll get to it tonight when I get home from work.
I appreciate your help!
I have an XP system if this makes any difference (I saw something about Vista in there when quickly looking it over)
Fumunda

#8 boopme (To Insanity and Beyond, Global Moderator)

Posted 27 May 2010 - 06:24 PM

No problem. We add the If Vista stuff when the poster tries to keep their OS a secret from us :thumbsup:
You can post the logs as you complete them.

#9 Fumunda (Topic Starter)

Posted 27 May 2010 - 09:42 PM

Hi boopme,
I was confused by your initial statement

from safe Mode run these 3.

You are talking about ATF Cleaner first,
SAS second and
Dr. Web CureIt third, right?

I already have SAS loaded on the computer that needs fixing.

Here's the problem though.
Last time I tried to start it out of safe mode it kept getting worse and worse until the screen would go black within a minute of starting it up.
I went in after this and did get it to run in safe mode.

Please take a minute and read my first post it will explain where I'm at now.
I can get into safe mode, but only left it up for a short time for fear more things might replicate.
Is there a route we can go through safe mode first?
I did run a log that caught this stuff. I could perhaps retrieve it from SAS (while in safe mode) for the last one or two logs and post this first if this would be of help.

Edited by Fumunda, 27 May 2010 - 11:36 PM.


#10 Fumunda (Topic Starter)

Posted 27 May 2010 - 11:06 PM

Hi boopme,
Managed to get ATF Cleaner loaded while in regular mode and ran that.
Updated SAS (in regular mode), which was already on my computer.
Then switched to Safe Mode and I am now running this. Then onto
Dr. Web CureIt.
Will update when done.

#11 Fumunda (Topic Starter)

Posted 27 May 2010 - 11:35 PM

Guess I need to take some other approach. The screen went black on me as I was running the scan.
As far as I could tell, it had gone through the complete registry with nothing caught and had scanned at least 4500 files with nothing. I left the room and when I came back it was a black screen. No mouse activity can be done.
Nothing.
It seems like if I leave it off for a while it will allow me to maneuver around a bit before it crashes.
Perhaps I can find the logs I did manage to get completed in SAS and post those. I know it did pick up some stuff in the registry before I quarantined it and deleted it.

Grrrrr. I hope it's not too late to fix this. I can see all my stuff sitting there on the desktop, but can't use any of it for fear I will screw things up worse.

Could this be some kind of malware where the screensaver kicks in and instead of going to a screensaver they've manipulated it to go black and stay black?

Edited by Fumunda, 27 May 2010 - 11:40 PM.


#12 Fumunda (Topic Starter)

Posted 28 May 2010 - 01:32 AM

Here are the logs I can pull up.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/14/2010 at 10:14 PM

Application Version : 4.37.1000

Core Rules Database Version : 4939
Trace Rules Database Version: 2751

Scan type : Complete Scan
Total Scan Time : 00:17:43

Memory items scanned : 441
Memory threats detected : 0
Registry items scanned : 4439
Registry threats detected : 0
File items scanned : 21834
File threats detected : 26

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@coxhsi.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@statcounter[1].txt
C:\Documents and Settings\User\Cookies\user@invitemedia[1].txt
C:\Documents and Settings\User\Cookies\user@fastclick[2].txt
C:\Documents and Settings\User\Cookies\user@cdn4.specificclick[2].txt
C:\Documents and Settings\User\Cookies\user@paypal.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@ru4[2].txt
C:\Documents and Settings\User\Cookies\user@apmebf[2].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\User\Cookies\user@eas.apm.emediate[2].txt
C:\Documents and Settings\User\Cookies\user@clickbank[1].txt
C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
C:\Documents and Settings\User\Cookies\user@content.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@media6degrees[2].txt
C:\Documents and Settings\User\Cookies\user@casalemedia[2].txt
C:\Documents and Settings\User\Cookies\user@atdmt[1].txt
C:\Documents and Settings\User\Cookies\user@collective-media[1].txt
C:\Documents and Settings\User\Cookies\user@stats.paypal[2].txt
C:\Documents and Settings\User\Cookies\user@tacoda[2].txt
C:\Documents and Settings\User\Cookies\user@at.atwola[2].txt
C:\Documents and Settings\User\Cookies\user@specificmedia[1].txt
C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
C:\Documents and Settings\User\Cookies\user@mediaplex[2].txt
C:\Documents and Settings\User\Cookies\user@specificclick[2].txt
C:\Documents and Settings\User\Cookies\user@ads.webkinz[1].txt
C:\Documents and Settings\User\Cookies\user@advertising[1].txt

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2010 at 08:05 AM

Application Version : 4.37.1000

Core Rules Database Version : 4960
Trace Rules Database Version: 2772

Scan type : Complete Scan
Total Scan Time : 00:16:20

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 4500
Registry threats detected : 0
File items scanned : 21018
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2010 at 01:25 PM

Application Version : 4.37.1000

Core Rules Database Version : 4970
Trace Rules Database Version: 2782

Scan type : Complete Scan
Total Scan Time : 00:16:00

Memory items scanned : 401
Memory threats detected : 0
Registry items scanned : 4554
Registry threats detected : 0
File items scanned : 21466
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@coxhsi.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@imrworldwide[2].txt
C:\Documents and Settings\User\Cookies\user@pointroll[2].txt
C:\Documents and Settings\User\Cookies\user@e-2dj6wjnyopdpagp.stats.esomniture[2].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@content.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@atdmt[1].txt
C:\Documents and Settings\User\Cookies\user@tacoda[2].txt
C:\Documents and Settings\User\Cookies\user@ads.pointroll[1].txt
C:\Documents and Settings\User\Cookies\user@at.atwola[2].txt
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\User\Cookies\user@advertising[2].txt

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2010 at 01:35 PM

Application Version : 4.37.1000

Core Rules Database Version : 4970
Trace Rules Database Version: 2782

Scan type : Quick Scan
Total Scan Time : 00:04:19

Memory items scanned : 413
Memory threats detected : 0
Registry items scanned : 401
Registry threats detected : 0
File items scanned : 5328
File threats detected : 0

Edited by Fumunda, 28 May 2010 - 01:33 AM.
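The SUPERAntiSpyware logs pasted above have a fixed plain-text shape: a header, "Key : value" counters, then blank-line-separated blocks of a category name followed by file paths or registry keys. The parser below is an added example written for this thread (it is not SUPERAntiSpyware's code and not something either poster ran). It splits a paste of several concatenated logs, reads each one, and applies the same check a helper applies by eye: a log is "clean" only when every listed item is a tracking cookie, nothing was flagged in memory or the registry, and the header counts agree with the entries actually listed. SAMPLE_LOGS is constructed: the first log repeats the 05/20 scan from the thread, the second is invented, with a hypothetical category name and paths, to show what a non-cookie hit would look like.

```python
"""Parser and triage helper for SUPERAntiSpyware 4.x plain-text scan logs
(the format pasted in post #12).  Added example for this thread, not the
tool's own code.  SAMPLE_LOGS is constructed: log 1 repeats the thread's
05/20 scan, log 2 is invented (hypothetical category name and paths)."""
import re
from dataclasses import dataclass, field

SAMPLE_LOGS = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2010 at 08:05 AM

Scan type : Complete Scan
Total Scan Time : 00:16:20

Memory items scanned : 409
Memory threats detected : 0
Registry items scanned : 4500
Registry threats detected : 0
File items scanned : 21018
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2010 at 09:00 PM

Scan type : Quick Scan
Total Scan Time : 00:03:10

Memory items scanned : 400
Memory threats detected : 0
Registry items scanned : 402
Registry threats detected : 1
File items scanned : 5300
File threats detected : 1

Rogue.ConstructedSecurityThreat
C:\Documents and Settings\User\Local Settings\Temp\constructed.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Constructed
"""

LOG_HEADER = "SUPERAntiSpyware Scan Log"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?)\s*:\s*(.+)$")          # "Key : value"
ENTRY_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U|CC)\\|HKEY_)")  # path or reg key


@dataclass
class ScanReport:
    generated: str = ""
    meta: dict = field(default_factory=dict)        # scan type, duration, versions
    counts: dict = field(default_factory=dict)      # "Memory threats detected" -> 0
    detections: dict = field(default_factory=dict)  # category -> [entries]


def split_logs(text):
    """A forum paste is often several logs back to back; cut at each header."""
    return [LOG_HEADER + c for c in text.split(LOG_HEADER) if c.strip()]


def parse_sas_log(text):
    report, category = ScanReport(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            category = None                   # a blank line closes a detection block
        elif line == LOG_HEADER or line.startswith("http://"):
            continue
        elif ENTRY_RE.match(line):
            if category is None:
                raise ValueError(f"detection entry without a category: {line}")
            report.detections.setdefault(category, []).append(line)
        elif line.startswith("Generated "):
            report.generated = line[len("Generated "):]
        elif (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key.endswith(("scanned", "detected")):
                report.counts[key] = int(value)
            else:
                report.meta[key] = value
        else:
            category = line                   # any other line names a new category
    return report


def triage(report):
    """'clean' only if all entries are tracking cookies, memory/registry are clear, counts match."""
    reasons = []
    claimed = sum(v for k, v in report.counts.items() if k.endswith("threats detected"))
    listed = sum(len(v) for v in report.detections.values())
    if claimed != listed:
        reasons.append(f"header reports {claimed} threats but {listed} are listed")
    for area in ("Memory", "Registry"):
        if report.counts.get(f"{area} threats detected", 0):
            reasons.append(f"{area.lower()} detections present")
    for category, entries in report.detections.items():
        if category != "Adware.Tracking Cookie":
            reasons.append(f"{len(entries)} item(s) under {category}")
    return ("clean" if not reasons else "review"), reasons
```

Feed the whole paste to `split_logs` and run `parse_sas_log` and `triage` on each piece: the 05/20 log comes back `("clean", [])`, while the constructed second log comes back `"review"` with the registry hit and the non-cookie category listed as reasons. The count cross-check matters because a paste that was trimmed by hand (as post #14 says happened here) shows up as a mismatch rather than as a silently clean log.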


#13 boopme (To Insanity and Beyond, Global Moderator)

Posted 28 May 2010 - 10:06 AM

This looks clean. How is it running now?

#14 Fumunda (Topic Starter)

Posted 28 May 2010 - 03:46 PM

Hi boopme,
Those are old scans, unfortunately I did not save the scan where the bad stuff showed up.
I noticed that after I posted.
It will run fine for anywhere from 5-10 minutes when it first starts up (cold), but if it has been on for longer than that, it will go to black screen with no control.
You have to hold down the on/off button to get it to turn off.
When powering back up, if it just had gone to black screen and you try and get it to re-boot, it usually returns to black screen within a few seconds after you see the windows logo.
If I leave it off until it cools, I usually can manipulate some stuff for a short time period before it crashes (black screen).
Sad part is, I can see all my data is still there, but I want to fix the thing before I open email, etc.
I was in email when this thing first crashed, but subsequent crashes have been while on the internet at no particular place.
Last time I got half way through the SAS scan and it crashed while reviewing the files.
BTW, the first things that were found by SAS were found in the registry, I removed these and the last scan I did before it crashed showed no issues with it (nothing was found anyway).
Any relatively short scans we can start with that might help?
I also disabled my CD Emulation Software a while ago, but never got a chance to re-enable it. Hope that doesn't make a difference.

Edited by Fumunda, 28 May 2010 - 03:49 PM.


#15 boopme (To Insanity and Beyond, Global Moderator)

Posted 28 May 2010 - 06:37 PM

We need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip the Gmer scan, let's just try to get a DDS log posted.

Let me know if that went well.