Infected with Trojan horse Patched_c.JQJ and Exploit Rogue Scanner (type 1349)


21 replies to this topic

#1 amygrrl00


Posted 18 November 2010 - 03:30 PM

I have been having problems with virus/error alerts on my Dell laptop (Windows XP) so earlier today I loaded my laptop in Safe Mode and ran:
1st - Malwarebytes (3 objects found)
2nd - AVG Anti-Virus (scan was done in Command Prompt and did not provide a report, it just closed when completed)
3rd - Malwarebytes one more time (no objects found, did not save either reports).

Then I restarted my laptop in normal mode, upon loading I get 4 RUNDLL error boxes that popup:
1. Error Loading c:\windows\blps40.dll
2. Error Loading c:\windows\system32\cf5m8x.dll
3. Error Loading c:\windows\system32\lc9l4h.dll
4. Error Loading c:\windows\system32\vztjkaj.dll

AVG Free's Resident Shield Alert also pops up with the following notifications:
File: C:\documents and settings\Amy\local settings\temp\Jlj.exe
Infection: Trojan Horse Generic20.ICA
Result: Infected <-- There are a few of these notifications
And
File: ...\system32\winlogon.exe
Infection: Trojan Horse Patched_c.JQJ
Result: Object is white-listed (critical/system file that should not be removed) <-- there are SEVERAL of these notifications

I have also gotten an AVG Popup saying that a certain file was infected with an "Exploit Rogue Scanner (type 1349)." I apologize, but I have closed out that box so I do not have the name of the infected file.

DDS.txt:
DDS (Ver_10-11-10.01) - NTFSx86
Run by Amy at 13:57:21.85 on Thu 11/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1220 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
"C:\WINDOWS\System32\svchost.exe"
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1233177297&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D825341771&id=64855
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = https://my.netgear-support.com/myNETGEAR/ENG/login.asp
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\f45i14.dll: {b1ba20c1-a503-59bd-f412-03b53a2c8951} - c:\windows\system32\f45i14.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\documents and settings\amy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Nzefiholur] rundll32.exe "c:\windows\blsps40.dll",Startup
uRun: [uPc+MV0NZNaXms] rundll32.exe c:\windows\system32\lc9l4h.dll, SystemServer
uRun: [uPc+MV0NWSaXms] rundll32.exe c:\windows\system32\cf5m8x.dll, SystemServer
uRun: [uPc+MV0NwoaGuo] rundll32.exe c:\windows\system32\vztjkaj.dll, SystemServer
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10k_ActiveX.exe -update activex
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Nrozawebewahazuy] rundll32.exe "c:\windows\efudewilulok.dll",Startup
IE: &Search - http://tbedits.televisionfanatic.com/one-toolbaredits/menusearch.jhtml?s=100000415&p=XPxdm003YYUS&si=&a=90F5C5D1-D3B5-43AD-8236-6AE35DFD5FF1&n=2010091919
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\f45i14.dll: {b1ba20c1-a503-59bd-f412-03b53a2c8951} - c:\windows\system32\f45i14.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-28 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-28 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-12 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-8-2 47640]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-1-28 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-1-28 43480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-6 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-11-17 00:45:33 -------- d-----w- c:\docume~1\amy\applic~1\Malwarebytes
2010-11-17 00:45:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-17 00:45:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-17 00:45:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 00:45:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-17 00:32:57 0 ----a-w- c:\windows\Gluxiyuw.bin
2010-11-17 00:32:55 -------- d-----w- c:\docume~1\amy\locals~1\applic~1\{C90C344F-5764-49AD-9326-946FD4F5DAF0}
2010-11-17 00:31:19 760832 ----a-w- c:\windows\system32\drivers\pnmfssdjp.sys
2010-11-17 00:31:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-10-22 18:24:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Photodex
2010-10-20 19:43:02 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-20 19:43:02 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-20 19:42:49 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-10-06 21:57:27 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-10-06 21:57:26 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-10-06 21:57:25 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-10-06 21:57:25 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 14:03:15.76 ===============

I forgot to mention that my default browser has been Google Chrome, however, anytime I type in a URL or Google Search, the browser redirects to a random, unrelated website. Therefore I had to use Internet Explorer to conduct this forum post.

EDIT: Posts merged ~BP



Edited by Budapest, 18 November 2010 - 04:21 PM.
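As an added example (not code from the thread and not part of the DDS tool), the script below parses the uRun/mRun lines of the DDS report above, picks out the values that load a DLL through rundll32.exe, and marks the ones matching the four "Error Loading" dialogs as orphaned autostart values. It assumes DDS's notation in which uRun is the per-user (HKCU) Run key and mRun the machine (HKLM) Run key.

```python
"""Cross-check DDS autostart entries against the RUNDLL error dialogs seen at logon.

An "Error Loading <dll>" dialog at logon means a Run value still points at a DLL
that is no longer on disk (here: removed by the Malwarebytes scan), so the
registry value itself is what remains to clean up.
"""
import re
from dataclasses import dataclass

# Autostart lines copied from the DDS log in the first post (constructed excerpt).
DDS_RUN_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\amy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Nzefiholur] rundll32.exe "c:\windows\blsps40.dll",Startup
uRun: [uPc+MV0NZNaXms] rundll32.exe c:\windows\system32\lc9l4h.dll, SystemServer
uRun: [uPc+MV0NWSaXms] rundll32.exe c:\windows\system32\cf5m8x.dll, SystemServer
uRun: [uPc+MV0NwoaGuo] rundll32.exe c:\windows\system32\vztjkaj.dll, SystemServer
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Nrozawebewahazuy] rundll32.exe "c:\windows\efudewilulok.dll",Startup
"""

# Paths from the four "Error Loading" dialogs reported in the first post.
# Note the first one reads blps40.dll while the log says blsps40.dll: a
# one-letter difference like this is resolved by reading the registry value,
# not by assuming; the script therefore leaves that entry "unconfirmed".
ERROR_LOADING_DIALOGS = [
    r"c:\windows\blps40.dll",
    r"c:\windows\system32\cf5m8x.dll",
    r"c:\windows\system32\lc9l4h.dll",
    r"c:\windows\system32\vztjkaj.dll",
]

RUN_LINE = re.compile(r"^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32.exe <dll>,<entrypoint>; the DLL path may be quoted and the comma may
# be followed by a space, as in the log above.
RUNDLL_CMD = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.I)


@dataclass
class RunValue:
    hive: str      # "uRun" (HKCU) or "mRun" (HKLM)
    name: str      # registry value name, e.g. "Nzefiholur"
    command: str   # command line stored in the value


def parse_run_values(dds_text):
    """Return the Run/RunOnce values found in a DDS Pseudo HJT Report."""
    values = []
    for line in dds_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            values.append(RunValue(m["hive"], m["name"], m["cmd"]))
    return values


def rundll32_target(command):
    """(dll_path, entry_point) if the command loads a DLL via rundll32, else None."""
    m = RUNDLL_CMD.search(command)
    if m is None:
        return None
    return m["dll"].strip().lower(), m["entry"]


def triage_rundll32_values(dds_text, error_dialog_paths):
    """List every Run value that loads a DLL through rundll32 and mark it
    'orphaned' when a logon dialog reported that DLL as failing to load."""
    missing = {p.lower() for p in error_dialog_paths}
    findings = []
    for v in parse_run_values(dds_text):
        target = rundll32_target(v.command)
        if target is None:
            continue
        dll, entry = target
        status = "orphaned" if dll in missing else "unconfirmed"
        findings.append((v.hive, v.name, dll, entry, status))
    return findings


if __name__ == "__main__":
    for hive, name, dll, entry, status in triage_rundll32_values(DDS_RUN_LINES, ERROR_LOADING_DIALOGS):
        print(f"{status:12} {hive} [{name}] {dll},{entry}")
```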




#2 etavares

  • Malware Response Team

Posted 28 November 2010 - 09:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.



In your reply, please post both OTL logs.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 amygrrl00


Posted 29 November 2010 - 09:16 AM

Yes I am still in need of your assistance, however things have gotten worse for my laptop. I am on my work computer now and do not have my laptop with me, however I am now getting a blue screen upon startup which will not allow me to load in Safe Mode or get past the blue screen. I will get the error message off of there this evening and post it in a reply tomorrow.

#4 etavares


Posted 29 November 2010 - 06:33 PM

OK. I need two things to help diagnose this.


[Posted Image: example blue screen showing IRQL_NOT_LESS_OR_EQUAL and STOP: 0x0000000A]

I need the text that appears (if any) where IRQL_NOT_LESS_OR_EQUAL appears.
I also need the error code immediately following the STOP at the bottom. 0x0000000A in this case.

PS> and if a file name is in there, please let me know.

Edited by etavares, 29 November 2010 - 06:33 PM (image tags).




#5 amygrrl00


Posted 29 November 2010 - 06:36 PM

The blue screen reads EXACTLY as follows:
Stop: c000021a {Fatal System Error}
The windows Logon Process system process terminated unexpectedly with a status o
f 0xc0000034 (0x00000000 0x00000000).
The system has been shut down.

Edited by amygrrl00, 29 November 2010 - 06:41 PM.


#6 etavares


Posted 29 November 2010 - 06:46 PM

When you have the option to choose Safe Mode, is there an option for "Last Known Good Configuration"? If so, please try booting with that option.

Do you have a Windows installation CD/DVD?

Do you have a flash drive we can use? It needs to be at least 512MB capacity and needs to be blank.




#7 amygrrl00


Posted 29 November 2010 - 06:57 PM

1. The computer gives me the option to load in the Last configuration mode, but when I choose that option, I get the same blue screen with the same error.
2. I do have the original windows disc
3. I will have access to a large flash drive tomorrow.

#8 etavares


Posted 29 November 2010 - 07:14 PM

Hello, amygrrl00.

Ok, please do the following once you get the flash drive. It will make a bootable USB we can check files and registry settings...and have access to your data if worse gets to worse. I'll provide more instructions once you let me know you can boot into xPud. Once you do boot, it will take 5-30 minutes, so please be patient.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB. If that doesn't work, let me know. Booting from USBs is different depending on your BIOS.
  • Follow the prompts
  • A Welcome to xPUD screen will appear

at this point, select Home in the left side, then Power Off.

Please let me know if you got into xPud or if you had issues.

etavares




#9 etavares


Posted 04 December 2010 - 08:27 AM

still with me?




#10 amygrrl00


Posted 04 December 2010 - 09:33 AM

I'm still with you and was able to boot from the USB. I am actually typing this message from my sick computer now. I am ready for the next step when you are.

#11 etavares


Posted 05 December 2010 - 11:20 AM

Hello, amygrrl00.
This could be one of many things. So we'll start with a faulty winlogon.exe since we know it was infected.

Please download driver.sh and save it to your xPud flash drive. You can do this from your clean computer in Windows, or try it in xPud, but you will have to figure out which partition is the flash drive (likely sdb1).

  • Boot the sick computer with the xPud USB drive again.
  • Click on File
  • Expand mnt
  • Expand your USB (likely named sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following exactly as shown (all lowercase):

    winlogon.*

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the contents of filefind.txt for my review in your reply. If we can't find a suitable replacement, we'll use one from the Windows CD.


etavares




#12 amygrrl00


Posted 05 December 2010 - 03:36 PM

Does this look correct?

Search results for winlogon.*

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 4 2004



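The filefind.txt report format above, parsed and evaluated as an added example (not the thread's driver.sh and not code the helper posted). It assumes the two-line-per-hit layout shown (md5 and path, then size and date) and that the copy Windows actually loads lives at WINDOWS/system32/winlogon.exe, the path the AVG alert in the first post named.

```python
"""Parse a filefind.txt report from the xPud driver.sh search and pick a
replacement candidate for a missing winlogon.exe.

The STOP c000021a in the thread reports status 0xc0000034, which is
STATUS_OBJECT_NAME_NOT_FOUND: consistent with the logon binary being gone.
"""
import re
from datetime import datetime

# Report text as posted in the thread (constructed copy of the output above).
FILEFIND_TXT = """\
Search results for winlogon.*

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 4 2004
"""

HASH_LINE = re.compile(r"^(?P<md5>[0-9a-f]{32})\s+(?P<path>/\S.*)$")
SIZE_LINE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>[KMG])?\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})$")
UNIT = {None: 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_filefind(text):
    """Return one dict per hit: md5, path, size_bytes, mtime."""
    hits, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HASH_LINE.match(line)
        if m:
            pending = {"md5": m["md5"], "path": m["path"]}
            continue
        m = SIZE_LINE.match(line)
        if m and pending is not None:
            pending["size_bytes"] = int(float(m["num"]) * UNIT[m["unit"]])
            pending["mtime"] = datetime.strptime(m["date"], "%b %d %Y")
            hits.append(pending)
            pending = None
    return hits


def find_live_copy(hits, windows_root="/mnt/sda2/WINDOWS"):
    """The hit at the location Windows loads winlogon.exe from, or None when
    the search found no copy there (the situation in this thread)."""
    live = f"{windows_root}/system32/winlogon.exe".lower()
    for h in hits:
        if h["path"].lower() == live:
            return h
    return None


def choose_replacement(hits):
    """Pick the newest backup copy, preferring the ServicePackFiles tree
    (the files laid down by the installed service pack) on ties; the
    $NtServicePackUninstall$ copy is the older pre-service-pack binary."""
    candidates = [h for h in hits if find_live_copy([h]) is None]
    if not candidates:
        return None
    return max(candidates, key=lambda h: (h["mtime"], "ServicePackFiles" in h["path"]))


if __name__ == "__main__":
    found = parse_filefind(FILEFIND_TXT)
    print("live copy:", find_live_copy(found))
    best = choose_replacement(found)
    print("replacement:", best["path"], best["md5"])
```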

#13 etavares


Posted 06 December 2010 - 07:06 PM

Interesting. I don't see one in your main folder. It's quite possible your antivirus detected an infected file and quarantined it, but didn't realize that it is required for windows to boot!

Let's investigate that. Do you see winlogon.exe in this location?
/mnt/sda2/windows/winlogon.exe

Also, is there an sda1 folder with /windows/ folder in it?




#14 amygrrl00


Posted 06 December 2010 - 10:26 PM

No and no :-(

There is a /mnt/sda2/windows folder but no winlogon.exe

#15 etavares


Posted 07 December 2010 - 08:39 AM

Ok, please boot into xPud.

Navigate to
/mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe, right-click on it and select Copy

Navigate to
/mnt/sda2/windows/

Right click in the background and select Paste...confirm that winlogon.exe is now visible in that folder.

Reboot into Windows.

Were you able to boot into Windows?






