Infected with AV Security Virus attack


  • This topic is locked
25 replies to this topic

#16 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,925 posts
  • Gender: Female
  • Location: Romania

Posted 24 October 2010 - 03:10 PM

When exactly do these registry errors occur? Random, or when you perform certain actions?

Please rerun OTL, do a quick scan and post me the new log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft




#17 vpoison

  • Topic Starter
  • Members
  • 14 posts

Posted 24 October 2010 - 04:20 PM

Here is the new OTL log.

I can only operate the computer in safe mode; when I try to boot the computer in normal mode, before giving me the login screen, I get this error:
"STOP: C0000218 (Registry file failure)
The registry can not load the hive (file): \Systemroot\System32\Config\Software
or its log or alternate.
It is corrupt, absent or not writable.

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance"

I cannot use the computer in normal mode.

Attached Files

  • OTL.Txt (71.32KB, 1 downloads)


#18 Elise

Posted 25 October 2010 - 03:57 AM

The simplest solution would be to do a repair installation using your XP CD as described here

regards, Elise


#19 vpoison

Posted 27 October 2010 - 01:44 PM

I tried it last night; the computer did boot up, so I guess it worked. However, I kept getting this error: "Windows just recovered from serious error, send a report to Microsoft". I am yet to install the updates and use the computer to ensure everything works properly. I request you to keep this topic open until this weekend.

I have Malware Bytes and Norton Antivirus already installed; do you recommend any other software instead of Malware Bytes so that this does not occur in the future? This seemed like serious malware activity and normally I would expect Norton or Malware Bytes to pick it up; however, they did not. Please advise.

Many thanks for your help.
VK

#20 Elise

Posted 27 October 2010 - 02:25 PM

Hi, I've heard of this as some sort of bug. Please click Send error report and let me know if it comes back next restart.

I am not convinced this problem was caused by malware. It sometimes happens that the registry becomes corrupted (as in your case).

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


#21 vpoison

Posted 27 October 2010 - 03:18 PM

I agree with you that the registry error was probably not caused by malware. The registry error was caused by something else.

What I meant was that the rootkit activity seemed like a major deal and surprisingly was not picked up either by Norton or Malware Bytes; normally I would expect them to, therefore I am asking for additional suggestions. I am usually pretty good with updates. I update Norton and Malware Bytes two times or more a week.

I will try using the computer and let you know.

Thanks,
VK

#22 Elise

Posted 27 October 2010 - 03:32 PM

Unfortunately, malware writers update their stuff a lot faster than any security programs. Besides security software, safe surfing behavior is important (see also the links in my last post).

Please let me know if you have any more questions.

regards, Elise


#23 vpoison

Posted 30 October 2010 - 09:00 PM

Hi Elise,

I finally installed all available updates from Microsoft, updated Norton Antivirus and Malware Bytes and ran a scan.
Malware Bytes came back with no infections. However, Norton found a potential threat:
File Name: i2omp.sys.vir
Threat: Backdoor.Tidser.I!nf
Action: Left Alone
Original Location: C:\Qoobox\Quaratine\C\Windows\System32\Drivers
Status: Infected
Action Description: The file was left unchanged

This is the same file that combofix found during the scan and had me write down the location of the file as
C:\Windows\System32\Drivers\iomp2.sys

What do you recommend?

Also, is it OK to have "Malware Bytes" and "Spybot Search and Destroy" programs installed on the computer? Or does this create a conflict like Anti-virus programs?

Thank you.
VK

#24 Elise

Posted 31 October 2010 - 03:11 AM

Hi, Norton detected this file in combofix quarantine. Did you uninstall combofix as instructed? If not, do so, and the file will be gone.

Spybot and MBAM are okay and will not interfere with your AV.

Please let me know if this answers your questions. :)

regards, Elise


#25 vpoison

Posted 31 October 2010 - 06:19 PM

OK, done. I uninstalled combofix using start->run...
Computer is back to functioning normally. Many thanks to you.

I installed Spybot and ran it; it found a few more threats, I think they were minor, and removed them. I will make sure I keep these programs up to date.
Lastly, there is still a combofix folder on my computer, C:\Combofix; there is only one file in it, "NircmdB", which I think is a driver. Should I leave it alone or manually delete it?
Once this is answered, the topic can be closed.

Once again, I appreciate your patience and help.
Regards,
VK

#26 Elise

Posted 01 November 2010 - 03:36 AM

Hi, you can manually delete the file/folder.

I will now close this topic, if you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
