Windows XP Pro Brought Down By Palladium Pro


51 replies to this topic

#1 BikeRidinBill

Posted 18 February 2011 - 06:57 AM

My system has been down a few weeks now, and I've tried a few things to recover it, but it's beyond my knowledge this time. I generally don't fall for these things, but admittedly Palladium Pro popped up at just the right time, and I was in too big a hurry working on a project to pay close enough attention. After clicking OK, I realized what I'd done... I'd just donned the "Stupid" hat. Anyway... moving on...

I happened upon these forums via my still functioning laptop, and found a post by Surgeon General (My link) regarding the use of P.E. Builder, Runscanner & ISO Recorder to create a boot disc and scan my infected drive. My first attempt was not successful, as I apparently left some step out along the way.

However, though there were a few discrepancies between the actual screens I encountered, & the instructions, my second attempt seems to have successfully created two files... OTL.txt & Extras.txt. Both are attached below...

I have a Pentium dual core 2.6 with 4 gigs of ram, xp pro with SP3 (orig OEM disc was SP2), a high end video card, and multiple hard drives (2 fixed and several USB). I use this for video editing, and with many "in progress" projects on the drives (including the boot drive), I cannot afford to lose any data. Without it, I have no income making capabilities.

I'm not sure what the next step is, but I'm ready to learn... I'm no expert by any means, but not exactly a novice either. I have built several of my computers in the past, but had this one built for me.

I had sent a private message to Surgeon General regarding this issue, and was given some pointers on correctly running the scan, which I think I've now accomplished. So, I'm hoping to follow up from there...

Thanks in advance for all your help!
Bill

Edited by Blade Zephon, 18 February 2011 - 07:46 AM.
Moved to Log Forum. ~BZ



#2 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 19 February 2011 - 10:02 AM

Hi and :welcome:

Let's take a look at the Master Boot Record (MBR).

Download MBRFix from here.

Save and extract its contents to the USB drive.

Boot the computer with the BartPE CD and insert the USB drive. There are three files in the MBRFix folder. From these, only copy the MBRFix.exe to the root directory of the Local Drive, (C:\).

When saved, the MBRFix.exe should appear as C:\MBRFix.exe.

Bring the computer to a Command Prompt (Click on the Start button, then on Run. Type CMD and click OK).

At the prompt type the following and press Enter after each line:

C:
cd C:\
MbrFix /drive 0 savembr MBRDUMP.txt


Leave a space between the following arguments:

MbrFix
/drive
0
savembr
MBRDUMP.txt

The drive is Drive zero (Drive 0)

This will create a file in the C:\ folder labeled MBRDUMP.txt. Copy this file to the USB and attach it to a reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
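One check a reader could run on the MBRDUMP.txt requested above before sending it off, as an added example that is not part of this thread or of MBRFix: it parses the 512-byte sector and reports the structural defects a corrupted MBR shows (missing 0x55AA signature, wrong active-flag count, overlapping entries). It assumes the dump is the raw sector rather than a hex listing; the sample partition layout it builds is constructed.

```python
"""Sanity-check a 512-byte MBR dump (e.g. MBRDUMP.txt from 'MbrFix /drive 0 savembr').
Added example, not from the thread or MBRFix; flags problems a corrupted MBR shows."""
import struct

MBR_SIZE, PART_TABLE_OFF, BOOT_SIG_OFF = 512, 0x1BE, 0x1FE
BOOT_SIG = b"\x55\xAA"

def parse_mbr(mbr: bytes) -> dict:
    """Split the sector into boot code, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA, size
        status, ptype, lba, n = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": n})
    return {"boot_code": mbr[:0x1B8],  # 440 bytes of code before the disk signature
            "disk_sig": struct.unpack_from("<I", mbr, 0x1B8)[0],
            "partitions": parts,
            "boot_sig_ok": mbr[BOOT_SIG_OFF:] == BOOT_SIG}

def check_mbr(mbr: bytes) -> list:
    """Return human-readable problems; an empty list means the table looks sane."""
    info = parse_mbr(mbr)
    problems = []
    if not info["boot_sig_ok"]:
        problems.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0]
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            problems.append(f"invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and (p["lba_start"] == 0 or p["sectors"] == 0):
            problems.append("used entry with zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:  # overlapping extents: classic sign of a patched table
            problems.append(f"partitions overlap at LBA {start2}")
    return problems

def build_sample_mbr(active=True, sig_ok=True) -> bytes:
    """Constructed sample: one NTFS partition starting at LBA 63 (XP-era default)."""
    mbr = bytearray(MBR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x01\x01\x00",
                        0x07, b"\xFE\xFF\xFF", 63, 976_773_105)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    if sig_ok:
        mbr[BOOT_SIG_OFF:] = BOOT_SIG
    return bytes(mbr)

if __name__ == "__main__":
    print(check_mbr(build_sample_mbr()) or "MBR looks structurally sane")
```

To run it against a real dump, replace the sample with `check_mbr(open("MBRDUMP.txt", "rb").read())`; a clean table only rules out the gross defects above, not modified boot code.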


#3 BikeRidinBill

  • Topic Starter

Posted 19 February 2011 - 10:11 PM

Hello S.G.

Ok, that was no problem for an old DOS dog like me... it looks like the resulting text is perhaps binary or some other code? Anyway... here it is, attached per your request!

Thanks, Bill


#4 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 19 February 2011 - 10:50 PM

I am having that MBRDUMP checked. Will post back once I receive feedback.


#5 BikeRidinBill

  • Topic Starter

Posted 20 February 2011 - 01:55 AM

Thanks!

#6 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 20 February 2011 - 04:55 PM

According to my colleague, the current MBR is corrupted. Let's write another MBR.

  • Download NTBR_CD by noahdfear.
  • Extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.

If successful, get an Internet connection and run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


#7 BikeRidinBill

  • Topic Starter

Posted 20 February 2011 - 06:30 PM

I'll be tied up taking care of other business matters till tomorrow. I will do these tasks per your instructions tomorrow, and let you know how it goes.

Your assistance is greatly appreciated!

Bill

#8 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 20 February 2011 - 07:19 PM

:thumbup2: :thumbup2:


#9 BikeRidinBill

  • Topic Starter

Posted 21 February 2011 - 07:46 PM

Have recreated the MBR, and had some trouble uninstalling AVG from Control Panel. By the way, it was nice to actually SEE my desktop after all these weeks! Anyway, I downloaded AppRemover and am running it now. It's 64% completed, but taking quite a while to run... not sure if that is normal.

The error message I got when trying to remove AVG via Add/Remove Programs was....
Local Machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Windows: creating registry key....
Access is denied.

Continuing with App Remover

#10 BikeRidinBill

  • Topic Starter

Posted 21 February 2011 - 09:05 PM

AppRemover locked up and froze the first time around, so rebooted and ran it again. Second time it went fairly quickly and was successful in removing AVG.

Running ComboFix now... it just downloaded an update copy of the Windows Recovery Console and installed it... now continuing to scan disc with ComboFix...

After 45 minutes of waiting, it appears that the AutoScan may be frozen... I just have a window with a blinking cursor and the descriptive text above that, which reads... "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double."

I also noticed that it never did disable my wireless internet connection... it only downloaded an updated version of ComboFix, and then downloaded the updated WRC.

I'll let it sit for a while longer and see what happens. Not sure if I should reboot and re-run ComboFix or not. Please advise... :)

#11 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 21 February 2011 - 09:15 PM

Still frozen?


#12 BikeRidinBill

  • Topic Starter

Posted 21 February 2011 - 10:57 PM

yup... it hung up...

#13 BikeRidinBill

  • Topic Starter

Posted 21 February 2011 - 11:54 PM

Well, looks like it just hangs and goes nowhere... Is my internet connection supposed to be on while running the scan, or off? I see the HD light flicker very briefly every once in a while, but that's about it...

#14 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 22 February 2011 - 12:01 AM

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


#15 JSntgRvr

    Master Surgeon General
  • Malware Response Team

Posted 22 February 2011 - 12:25 AM

If unsuccessful with GMER, let's try to run Combofix renamed.

Remove the copy you previously downloaded, and download a fresh copy as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to MyPoppy as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on MyPoppy.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\MyPoppy.txt" . ( I believe Combofix will also rename the report)
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
