MS Removal tool virus


  • This topic is locked
17 replies to this topic

#1 jamz39

jamz39

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 19 April 2011 - 09:24 PM

I had the ms removal tool virus. I downloaded and ran rkill. It worked. I downloaded and ran the malware program, it worked as described.
It said it needed to reboot the computer. It did, but now keeps going back to the safe startup screen selection and won't reboot to windows. What is wrong? Computer now worse than with virus.
Thanks.



#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:18 PM

Posted 20 April 2011 - 01:37 AM

Hello and :welcome: to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:18 AM

Posted 20 April 2011 - 08:57 AM

Hi, :welcome:

Let's take a look.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also download Query.exe to the USB drive. On your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
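
A check the person analysing the attached mbr.bin could run on the clean computer, validating the 512-byte dump written by the dd command above and decoding its partition table. This is an added example, not part of the original post or of driver.sh/query.sh; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512          # matches bs=512 count=1 in the dd command
BOOT_CODE_LEN = 440        # boot code; bytes 440-443 hold the Windows disk signature
TABLE_OFFSET = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"    # boot signature in the last two bytes


def parse_mbr(data):
    """Validate a one-sector MBR dump and decode its partition table."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    if data[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = data[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "slot": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        # Hash of the boot code only, so it can be compared with a known-good copy
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def build_sample_mbr():
    """Constructed sample: zeroed boot code, one active NTFS partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 63, 204800)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # To inspect a real dump instead: parse_mbr(open("mbr.bin", "rb").read())
    print(parse_mbr(build_sample_mbr()))
```

A dump that is shorter than 512 bytes or lacks the 0x55AA signature raises ValueError, which is a sign the dd command was mistyped or read the wrong device.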


#4 jamz39


Posted 20 April 2011 - 09:19 AM

Thanks,
I'll try tonight. Seems like a lot to go through to just restart a pc that was just cleaned and rebooting on its own. I can't understand what caused this. It was working with the virus and after using the malware software downloaded from this site no longer will boot after everything seemed to be going as described. Just curious why it won't allow it to start in safe mode?
Thanks again.

#5 jamz39


Posted 20 April 2011 - 06:34 PM

Well I burned the cd, and downloaded the other files to usb drive. When I start the pc with the cd, it goes to the xPUD screen, hit English, go to files. I can see the hard drive files under sda1, sda5, but nothing on sdb1 or sdb2. Like it isn't seeing the usb drive. Can't continue from there because it can't find driver.sh, which I have verified is on the usb drive?
Thanks, jamz

#6 JSntgRvr


Posted 20 April 2011 - 08:43 PM

While on xPUD, remove and reinsert the USB drive. xPUD will re-detect the device and you will be able to see the files.



#7 jamz39


Posted 21 April 2011 - 07:14 AM

Ok. I got to the end of the described process. I get the report.txt file, filefind.txt on the usb drive, but no mbr.bin or regreport.txt. Tried 3 times, same result?? Help

#8 JSntgRvr


Posted 21 April 2011 - 10:41 AM

We don't know why, but it has happened before. Once you have run the commands, see if the reports were written in the USB before you remove the USB drive. If present, rename the reports before removing the USB drive. For example, if after running dd if=/dev/sda of=mbr.bin bs=512 count=1, the MBR.bin is present, rename it to MBR.txt before removing the USB drive. That sometimes resolves that issue. If that does not resolve the issue, please provide me with the specs of the computer such as the Operating System, Brand, Model, etc.



#9 jamz39


Posted 21 April 2011 - 11:33 AM

The files mbr.bin or regreport.txt are not showing up on the infected computer. I thought maybe I just couldn't see them but when I move usb to good pc they are not there either.
PC is HP/Compaq 8710P, WINDOWS XP operating software. Only 1-2 years old.
Thanks

#10 JSntgRvr


Posted 21 April 2011 - 11:39 AM

Do you have the Installation CD or are able to get one to create a bootable CD?



#11 jamz39


Posted 21 April 2011 - 12:06 PM

Unfortunately, no. Guess I am in trouble.

#12 JSntgRvr


Posted 21 April 2011 - 01:42 PM

Yes you may be. We must see what's wrong in the system before any action. We just can't proceed blindfolded. Is there an option to perform a Recovery to Factory Settings during boot? I am sure HP no longer supports XP.

One last question, throughout xPUD, are you able to see the contents of the hard drive (Where the system and documents are)?



#13 jamz39


Posted 21 April 2011 - 02:10 PM

No option. Just boots right to the safe mode selection screen (safe mode, safe mode w. prompt, safe mode last known good config, etc.). It tries to go to XP, with the bar at the bottom, then always goes right back to the safe mode selection screen. I do see a quick flash of blue screen each time it kicks out of XP startup, but it flashes too fast to read it.

Yes I can see all the contents of the hard drive when in xPUD. I can even open some files from that screen.

I just don't understand what happened. It was working with the virus. It wasn't until I downloaded the virus removal from this site, which appeared to work, and during the restart went into this loop. What would have caused that?

There's got to be a way around this without reloading everything and losing all my software? Is there not a way to force it into the restore point option screen?

#14 JSntgRvr


Posted 21 April 2011 - 02:15 PM

In xPUD browse to the Windows folder in the hard drive. Look for a folder labeled minidump. If present, copy that folder to the USB, zip the folder and attach the zipped folder to a reply.



#15 jamz39


Posted 22 April 2011 - 11:04 PM

Mini dump file attached.
Thanks



