Computer is essentially disabled


This topic is locked
6 replies to this topic

#1 rabbi79 (Members, 32 posts)

Posted 11 September 2010 - 03:11 PM

Hi all,

I've had a lot of success with this website in the past (twice from Syler, who is awesome), so I thought I would come to you with this problem. This time it is my wife's computer. (After my last problem, I have primarily been using either Firefox with script & ad blockers, or a Linux machine. No more problems!) At about 1PM today, she entered her Yahoo email account and opened an email from a known individual. There was no link or anything in the email, just expected text. An antivirus popup soon appeared and said she was not protected and did she want to buy this new antivirus protection. It was for "http://antivircat.com". She doesn't remember if she clicked on "No" or the x in the corner. She did not close it with the TaskBar. There is now a green shield icon in the lower right corner for antivircat. It consistently provides a balloon saying she is infected, would she like to activate or remain unprotected, etc. The only website that opens is the antivircat.com scam website. She has AVG, which won't open. She has Malwarebytes Antimalware on the desktop, but that won't open. Even Snood and Word files won't open. Every time we try opening a file, we get messages that specific (but usually different) files are corrupted (usually *.exe files for the program). We also cannot get into task manager. A box will sometimes show up in the lower right corner (not sure if it is the AVG symbol or not...) saying:

Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper, or similar.
Details:
Attack from: 188.216.17.88, port 4210
Attacked port: 25722
Win32/Nuqel.E

(although the numbers are different each time it appears)

I used my computer to put HijackThis and DDS on a flash drive and plugged it into her computer. I moved the files to her desktop, but they won't open (same message: "Application cannot be executed. The file *.exe is infected. Do you want to activate your antivirus software now?"). I tried to open them from the flash drive, same message. I renamed them on the flash drive, saved to desktop, still won't open.

In addition, when restarting the computer from stand-by or hibernation, Internet Explorer will start, with a different website appearing, but not opening (porno.org, adult.com were two).

She has Vista and uses Internet Explorer. I believe she has the original CDs/DVDs that came with the laptop, and I have a student disk with Windows 7 that I loaded onto a different laptop.

What can she do, considering the laptop is essentially disabled?

Thank you for reading.

#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 16 September 2010 - 06:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 rabbi79 (Topic Starter)

Posted 17 September 2010 - 12:29 AM

Hi m0le,

Thanks for coming to help!
I haven't touched her computer since I last posted.
I did find a post on this forum that had the same problem: http://www.bleepingcomputer.com/forums/topic342658.html
However, as I said in the original post, I wasn't able to run the programs to check the logs.



#4 m0le

Posted 17 September 2010 - 06:24 PM

Yes, the link shows a much lighter attack than here. Our key is to boot the CD outside of the controlled operating system.

This is not always easy.

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD

        Please note: If your XP install disc is SP1 then please .....
        1. Disable- DComLaunch Service
        2. Enable- LargeIDE Fix

          This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

      Also note: If you have a Dell XP install disc you will need to follow the instructions here
      http://www.ubcd4win.com/faq.htm#dell

3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:

==========

Single click My computer from your UBCD4W desktop to navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.bat.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All

  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  • Push
  • A report will open. Save that log to your flash drive. Copy and Paste that report in your next reply.

=========

With your next post please provide:

* OTLPE.txt
m0le is a proud member of UNITE
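An added triage helper, not part of m0le's instructions or of OTL itself: working the way the whole procedure above does, from a rescue environment against the infected volume rather than inside the compromised OS, it hashes a subset of the names listed between /md5start and /md5stop and additionally flags any name whose live copy under System32 differs from another copy elsewhere on the same volume (that cross-copy comparison is this example's own addition). The volume layout, the dllcache backup location and the sample file bytes are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Subset of the names the OTLPE script above hashes between /md5start and /md5stop.
WATCHED_FILES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "userinit.exe", "netlogon.dll"]

def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so a large driver is not loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_copies(root, name):
    """Every path under root whose basename equals name (NTFS names are case-insensitive)."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == name.lower()]

def triage(root):
    """Hash each watched name wherever it occurs on the mounted volume and flag names whose
    copies disagree. A mismatch is a lead, not proof: a hotfix can legitimately leave the
    live copy newer than an old backup, so confirm the hash against a trusted source."""
    report = {}
    for name in WATCHED_FILES:
        hashes = {p: md5_of(p) for p in find_copies(root, name)}
        report[name] = {"copies": hashes, "mismatch": len(set(hashes.values())) > 1}
    return report

def build_sample_volume():
    """Constructed stand-in for a volume mounted from rescue media; not data from the page."""
    root = tempfile.mkdtemp(prefix="vol_")
    drivers = os.path.join(root, "Windows", "System32", "drivers")
    backup = os.path.join(root, "Windows", "System32", "dllcache")  # assumed backup location
    for d in (drivers, backup):
        os.makedirs(d)
    for d in (drivers, backup):  # identical bytes in both places: consistent
        with open(os.path.join(d, "iaStor.sys"), "wb") as f:
            f.write(b"GENUINE-IASTOR")
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:  # live copy altered
        f.write(b"PATCHED-ATAPI")
    with open(os.path.join(backup, "atapi.sys"), "wb") as f:
        f.write(b"GENUINE-ATAPI")
    return root

if __name__ == "__main__":
    for name, info in triage(build_sample_volume()).items():
        state = "MISMATCH" if info["mismatch"] else "ok"
        print(f"{name:14} {state:9} {len(info['copies'])} copies")
```

Run against a real rescue-mounted volume by passing its mount point to triage() instead of build_sample_volume(); names with zero copies are reported too, since a watched system file that is simply missing also deserves a look.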

#5 m0le

Posted 20 September 2010 - 06:44 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer, as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC, making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le
m0le is a proud member of UNITE

#6 rabbi79 (Topic Starter)

Posted 20 September 2010 - 11:05 PM

Hi m0le,

Sorry for the delay in response.
You mention the XP CD, but her infected computer runs Vista. Do you mean use a Vista CD instead?
(BTW, the computer is a Dell.) Secondly, she is sure that she has it; however, we recently moved and have not found it yet. I do have a Microsoft Windows 7 Ultimate disk though.
I am not as comfortable performing these fixes personally as I have been when it was my computer, so I am thinking I may just have somebody else work on it.
If we find the Vista CD, and I decide to proceed with working on the laptop myself, would I be able to PM you to reopen the thread?

Thanks for the help

#7 m0le

Posted 21 September 2010 - 12:23 PM

QUOTE
You mention the XP CD, but her infected computer runs Vista. Do you mean use a Vista CD instead?

Yes, I do mean that. Sorry.

I am going to close this topic. When you're ready then please post a new topic and PM me and I will pick it up.

----------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



