Nastiest malware infection - HELP


This topic is locked
5 replies to this topic

#1 Roger 786 (Members, 6 posts)

Posted 03 May 2011 - 09:36 AM

Dear Sir,

I need your help because this problem is driving me crazy. I believe my computer is infected with some nasty malware which is proving very difficult to detect. I have performed numerous scans using Spybot Search and Destroy / Malwarebytes / TDSSKiller / Bootkit Remover / TDSS Remover (latest). Although some of the scans claim to have found a few infected files and removed them, any new scans do not show any new infections found, but the net effect of the problem is as follows:


Background information: I opened a legitimate website (2 days ago) but it started the JavaScript and installed the Windows XP Antispyware 2011 malware. I used rkill.exe to stop it and then removed it with Malwarebytes. Then I uninstalled Avast! (I was angry it failed to stop an unauthorized connection) and replaced it with AVG Internet Security 2011, but its resident shield is a right pain in the ***, and ComboFix wouldn't run with it, so I happily uninstalled AVG (with help from Revo Uninstaller).

- Including your own, many other malware removal websites and Microsoft's websites are blocked. I am using Firefox and every time I try to open your website it says "Firefox can't establish a connection to the server at www.bleepingcomputer.com".

- Google redirects: if I open a link in a new tab it will open a random website, something like licosearch. I can only make sure I open the page I want by copying the link and then pasting it manually in a new window.

- Unable to start the ESET scanner (it wouldn't let me open the ESET website, but luckily I already had their setup file). Upon starting the scanner it says "unable to connect, proxy configured?" I don't know what to type in the proxy; I normally connect directly to the internet.

- Unable to load the computer in safe mode: it loads a screenful of DLLs but then reverts back to the very first screen you see when you start the computer, and it repeats the cycle until I choose to start Windows normally.

- Most websites are working and the computer is working, but it is obvious that there is some nasty malware hiding in my machine. Following extensive reading on your forums, I found a similar case and attempted to follow the steps you specified.

- I include a ComboFix log + Malwarebytes log for your perusal.

I would be grateful if you can supervise me from here on, as I tried everything I could think of and find on the internet but the problem remains.

Thanking you in anticipation.

Kind regards,

Roger


Note: I was following the instructions given in the thread with the heading "Updates and Antimalware sites blocked - infection stopping update and preventing access to websites". The user reported that after ComboFix he could access the blocked websites (e.g. Microsoft). In my case I couldn't; therefore, I did not follow the steps for using ATF Cleaner and thought it best if I seek some assistance from this point onwards.

UPDATE: In my desperation to try and get safe mode working somehow, I tried the following (with disastrous results):

1. Googled for similar problems
2. Found something called safe mode fixer
3. I have SUPERAntiSpyware installed; it includes a utility called BOOT SAFE. I thought this is exactly what I was looking for as it offered to boot the computer into safe mode with networking.

RESULT: The computer is going round in circles without booting. As mentioned in the previous post, if safe mode is selected a screenful of .sys files load (the last of which is AVGIDSEH.SYS) and then it reverts back to the initial boot screen (the one you see as soon as you turn the computer on), and the process just repeats and repeats.

Upon further reading on the net I understand BOOT SAFE modifies the BOOT.INI, and now the computer will always want to boot in safe mode unless we can somehow fix the boot.ini file again.

I also have the Windows Recovery Console installed but I get the BLUE SCREEN OF DEATH when I run it. The last line of it reads:

****STOP: 0x00000007B (0xF78D2524, 0xC000000034, 0x0000000000, 0x000000000)

Lastly, I found out about this AVG rescue disk that can be copied onto a USB flash drive to force the computer to boot from it. Problem is my computer's boot order does not show removable disk/USB options; it has HDD, CD-ROM Group and Floppy Group only.

This is driving me crazy, please help!

Roger

UPDATE 2: I am sorry to be commenting for a third time before you have had a chance to respond to my first message. I understand it will push me further down the list for when you can reply to me, but I thought it is important to let you know the following:

- Following the situation in my previous update, I borrowed an Ubuntu (Linux OS) boot CD from my neighbour; it allowed me to see the file system. I renamed BOOT.INI.SAB to BOOT.INI and BOOT.INI to BOOT.INI.SAB2.

I read somewhere that SUPERAntiSpyware creates this .sab or .bak file of the boot.ini as it was before any changes.

This did the trick, as the BOOT.INI.SAB did not have the command to enter safe mode; therefore, now I can at least start Windows.

But all the other problems still remain... I cannot access safe mode the normal way, and the other problems etc.

Looking forward to your reply.

Roger

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 03 May 2011 - 04:38 PM.
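The boot.ini repair Roger did by hand from the Ubuntu live CD, as an added example that is not part of the thread and not SUPERAntiSpyware's code: NTLDR forces safe mode when an entry under [operating systems] carries the /safeboot switch, so the fix is either to put back the pre-change copy (the .SAB file) or to delete that switch from the live file. The sample boot.ini, the Recovery Console entry in it, the file names and the boot.ini.bad copy the script keeps are all constructed for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed sample (not Roger's actual file): an XP boot.ini after a "boot into
# safe mode" helper has appended /safeboot:network to the default entry. The
# Recovery Console line is the kind of extra entry a real file may carry.
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=30\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional"'
    " /noexecute=optin /fastdetect /safeboot:network\n"
    'C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons\n'
)

# NTLDR's switch: /safeboot, optionally :minimal, :network, :dsrepair or
# :minimal(alternateshell). The leading whitespace is swallowed so the cleaned
# line does not keep a trailing space.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\w+(?:\([^)]*\))?)?", re.IGNORECASE)
ENCODING = "latin-1"  # boot.ini is plain ANSI text; latin-1 round-trips any byte


def _walk(text):
    """Yield (line_number, line, is_os_entry), keeping line endings intact."""
    section = None
    for no, line in enumerate(text.splitlines(keepends=True), 1):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
            yield no, line, False
        else:
            yield no, line, section == "operating systems" and "=" in s and not s.startswith(";")


def safeboot_modes(text: str) -> Dict[int, str]:
    """Map line number -> the /safeboot switch found on each OS entry (empty if none)."""
    modes = {}
    for no, line, is_entry in _walk(text):
        m = SAFEBOOT_RE.search(line) if is_entry else None
        if m:
            modes[no] = m.group(0).strip().lower()
    return modes


def strip_safeboot(text: str) -> Tuple[str, int]:
    """Return the file with every /safeboot switch removed and how many were removed."""
    out, removed = [], 0
    for _no, line, is_entry in _walk(text):
        if is_entry:
            line, n = SAFEBOOT_RE.subn("", line)
            removed += n
        out.append(line)
    return "".join(out), removed


def repair_boot_ini(boot_ini: Path, backup: Optional[Path] = None) -> str:
    """Undo a forced safe-mode boot.ini.

    Prefers the pre-change backup when it exists, has OS entries and is itself
    free of /safeboot; otherwise strips the switch from the current file.
    The bad file is kept beside it as boot.ini.bad. Returns a tag saying what was done.
    """
    current = boot_ini.read_text(encoding=ENCODING)
    if not safeboot_modes(current):
        return "no-safeboot"
    keep_bad = boot_ini.with_name(boot_ini.name + ".bad")
    if backup is not None and backup.exists():
        candidate = backup.read_text(encoding=ENCODING)
        has_entries = any(is_entry for _n, _l, is_entry in _walk(candidate))
        if has_entries and not safeboot_modes(candidate):
            keep_bad.write_text(current, encoding=ENCODING)
            boot_ini.write_text(candidate, encoding=ENCODING)
            return "restored-backup"
    cleaned, n = strip_safeboot(current)
    keep_bad.write_text(current, encoding=ENCODING)
    boot_ini.write_text(cleaned, encoding=ENCODING)
    return f"stripped-{n}"


def demo() -> dict:
    """Exercise both repair paths on scratch copies of the constructed sample."""
    work = Path(tempfile.mkdtemp(prefix="bootini-"))
    boot_ini, backup = work / "boot.ini", work / "boot.ini.sab"
    clean, _ = strip_safeboot(SAMPLE_BOOT_INI)
    boot_ini.write_text(SAMPLE_BOOT_INI, encoding=ENCODING)
    backup.write_text(clean, encoding=ENCODING)           # stands in for the pre-change .SAB copy
    result = {"before": safeboot_modes(SAMPLE_BOOT_INI)}
    result["first"] = repair_boot_ini(boot_ini, backup)   # backup is clean: swap it in
    result["second"] = repair_boot_ini(boot_ini, backup)  # already fixed: nothing to do
    boot_ini.write_text(SAMPLE_BOOT_INI, encoding=ENCODING)
    result["fallback"] = repair_boot_ini(boot_ini, None)  # no backup: edit in place
    result["after"] = safeboot_modes(boot_ini.read_text(encoding=ENCODING))
    return result


if __name__ == "__main__":
    print(demo())
```

On a live CD the Windows partition has to be mounted read-write (ntfs-3g) before calling something like `repair_boot_ini(Path("/mnt/windows/boot.ini"), Path("/mnt/windows/BOOT.INI.SAB"))`; match the file-name case you see in the listing, since the Linux side shows names as stored. Done from Windows instead, the file first needs `attrib -r -s -h boot.ini`, because it is read-only, system and hidden by default. This only removes the forced switch; why safe mode itself loops on this machine is a separate question the edit does not answer.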



#2 myrti, Sillyberry (Malware Study Hall Admin, 33,784 posts)

Posted 12 May 2011 - 10:32 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is the version, the edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+
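The /md5start ... /md5stop part of the custom scan above asks OTL to list every copy of the named files with its MD5, so the helper can compare them against known-good values for that Windows version and against each other (XP keeps a second copy of core binaries under system32\dllcache, and a file infector such as Ramnit, the infection later suspected in this thread, modifies executables in place). As an added example that is not OTL's code and not from the post, the Python below walks a directory tree, hashes every file whose name is on that list, and reports names whose copies disagree or differ from a reference table. The directory layout, the fake "binaries" and the reference hash are constructed for the demo.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# The names from the custom scan above; OTL lists every copy of each with its MD5.
NAMES = ["explorer.exe", "winlogon.exe", "wininit.exe", "hlp.dat"]

Copy = Tuple[str, int, str]  # (path, size in bytes, md5 hex)


def md5_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_named_files(root: Path, names: List[str]) -> Dict[str, List[Copy]]:
    """Walk root and hash every file whose name (case-insensitively) is in names."""
    wanted = {n.lower() for n in names}
    found: Dict[str, List[Copy]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = Path(dirpath) / fn
                try:
                    found[fn.lower()].append((str(p), p.stat().st_size, md5_of(p)))
                except OSError:
                    continue  # locked or unreadable: skip it, do not abort the scan
    return dict(found)


def disagreeing(report: Dict[str, List[Copy]]) -> Dict[str, List[Copy]]:
    """Names whose copies do not all share one MD5 (e.g. system32 vs dllcache)."""
    return {n: c for n, c in report.items() if len({digest for _p, _s, digest in c}) > 1}


def check_against_known(report: Dict[str, List[Copy]], known_good: Dict[str, str]) -> List[Tuple[str, str]]:
    """Copies whose MD5 differs from a caller-supplied known-good table."""
    bad = []
    for name, copies in report.items():
        expected = known_good.get(name)
        if expected is None:
            continue  # no reference hash for this name: say nothing rather than guess
        bad.extend((path, digest) for path, _size, digest in copies if digest != expected)
    return bad


def demo() -> dict:
    """Build a constructed XP-like tree in a temp dir and run the checks over it."""
    root = Path(tempfile.mkdtemp(prefix="md5demo-"))
    sys32 = root / "WINDOWS" / "system32"
    cache = sys32 / "dllcache"
    cache.mkdir(parents=True)
    # Fake "binaries": only the bytes matter here, these are not real PE files.
    clean_explorer = b"MZ" + bytes(64) + b"explorer-body"
    clean_winlogon = b"MZ" + bytes(64) + b"winlogon-body"
    (root / "WINDOWS" / "explorer.exe").write_bytes(clean_explorer)
    (cache / "explorer.exe").write_bytes(clean_explorer)  # identical copy
    (sys32 / "winlogon.exe").write_bytes(clean_winlogon + b"\x90" * 8 + b"APPENDED")  # modified live copy
    (cache / "winlogon.exe").write_bytes(clean_winlogon)  # untouched cache copy
    report = hash_named_files(root, NAMES)
    # A real reference table comes from a clean machine of the same Windows
    # version and service pack; the clean bytes above stand in for that here.
    known = {"winlogon.exe": hashlib.md5(clean_winlogon).hexdigest()}
    return {
        "report": report,
        "disagree": sorted(disagreeing(report)),
        "bad": check_against_known(report, known),
    }


if __name__ == "__main__":
    r = demo()
    for name, copies in sorted(r["report"].items()):
        for path, size, digest in copies:
            print(f"{digest}  {size:>8}  {path}")
    print("copies that disagree:", r["disagree"])
    print("differs from known-good:", r["bad"])
```

Two caveats. MD5 is enough to notice that a copy was altered, which is what this listing is for, but it is not collision-resistant, so a table you build yourself for later comparison is better keyed on SHA-256. And a clean result only says the listed files match; a reference table from a different Windows version or service pack produces false alarms, and a rootkit that filters file reads can hand the scanner the original bytes, which is one reason helpers also scan from outside the running system.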


#3 Roger 786 (Topic Starter, Members, 6 posts)

Posted 13 May 2011 - 05:08 AM

Dear Myrti, no need to apologise, as I understand you guys are doing a wonderful job helping us folks out and we can only be thankful. However, because I hadn't got a reply for many days, I posted the same query on http://forums.techguy.org. They made me do a couple of reports and scans; in the end they drew the conclusion that my machine is probably infected with the RAMNIT virus, and the only realistic solution now is to format and re-install the operating system.

You can check the other thread, it will have most of the information you need from me, the link is:
http://forums.techguy.org/virus-other-malware-removal/995704-microsoft-antivirus-websites-blocked-plus.html

If you arrive at the same opinion as them, then I definitely will have to format etc.; if not, then I can start the procedures you instruct me to perform. I will wait for your reply before performing any further procedures.

Thanks in advance.

Roger

#4 myrti, Sillyberry (Malware Study Hall Admin, 33,784 posts)

Posted 13 May 2011 - 05:45 AM

Hi,

I'm sorry to say that I definitely agree with the assessment and would have come to the same conclusion as dvk01.

Sorry to be the bearer of bad news for you.

regards myrti



#5 Roger 786 (Topic Starter, Members, 6 posts)

Posted 13 May 2011 - 08:32 AM

Dear Myrti,

I was already mentally prepared to format/reinstall the OS, as I googled RAMNIT and it is quite obvious once you read about it that there are no other realistic alternatives. It is only unfortunate that in this instance the bad guys have one over the good ones; formatting/reinstalling is just admitting defeat, I guess. Anyhow, hopefully sooner or later someone can come up with a FIX for this RAMNIT sh**.

Thank you again for your time.

Roger

#6 myrti, Sillyberry (Malware Study Hall Admin, 33,784 posts)

Posted 14 May 2011 - 03:28 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





