XP Restore Malware Removal


This topic is locked
26 replies to this topic

#1 ericke1


Posted 12 June 2011 - 06:04 PM

THANK YOU GUYS FOR SUCH A GREAT FORUM!!

I had somehow got the XP Restore Malware Removal on my computer. Followed the instructions with TDSSKiller, Malwarebytes and believe I was able to remove all the items. After running unhide, most of my desktop files were restored and my start item folders were restored, but no programs or files in the start items folders are showing up. I am, however, able to open files with programs that are not in the start folder. For example, although the Microsoft Office folder says "empty", when I open a doc file, the program launches fine.


I disabled my Avira and Malwarebytes when running unhide but still same issue. What next? Here are all the log files:

I'm including some older MBRcheck scan logs before and after too.

I should note that on a few sites, when I click on them on Google after a search, I'm redirected to another site. I did run the rootkill file too, but nothing. So I'm assuming some rootkit/malware is still there. Gmer log also attached.

ENJOY!!

Attached Files




#2 m0le (Malware Response Team)

Posted 20 June 2011 - 07:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ericke1


Posted 20 June 2011 - 09:30 PM

Hey thanks, I'm here and awaiting your valuable instructions.

#4 m0le (Malware Response Team)

Posted 21 June 2011 - 01:36 PM

It looks like you winged it. Let's check for more trouble with aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 ericke1


Posted 21 June 2011 - 09:33 PM

Attached File: aswMBR.txt (1.63KB)

Thanks, here it is

#6 m0le (Malware Response Team)

Posted 22 June 2011 - 05:02 PM

An encouraging lack of rootkit there.

Please run Combofix next

Please download ComboFix from one of these locations.

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 ericke1


Posted 22 June 2011 - 09:23 PM

Thanks, see attached log file.

After rebooting, I saw a window that stated "ERROR LOADING.....wmicrtport.dll"

All my programs are now back, and seem to work.

Attached Files


Edited by ericke1, 22 June 2011 - 09:37 PM.


#8 m0le (Malware Response Team)

Posted 23 June 2011 - 01:23 PM

Not a file I recognise. Let's track down the registry entry that is attempting to load it.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    wmicrtport
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 ericke1


Posted 23 June 2011 - 07:31 PM

Now after restarting, that missing dll popup didn't appear again, but the Windows selection screen (i.e. XP Pro, Safe Mode) keeps coming on without me pressing F8 (this happened when combofix ran the first time too), but it automatically selects Windows XP and starts.

Here is the logfile anyway

Attached Files



#10 m0le (Malware Response Team)

Posted 24 June 2011 - 01:02 PM

That startup change is the Windows Recovery Console which Combofix installs. As the link explains it is a safeguard.

Looks like Combofix also completed the removal of the file we were looking for too. :thumbup2:

Please run the system through ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.

#11 ericke1


Posted 26 June 2011 - 04:14 PM

Wow, it found even more stuff. Anyway, is there any way I can remove the combofix startup safety feature?

Attached Files


Edited by ericke1, 26 June 2011 - 04:14 PM.


#12 m0le (Malware Response Team)

Posted 26 June 2011 - 04:53 PM

It found only what was already locked in Combofix's quarantine, what it believed to be malware, Ask, what was in the system restore folder and the legitimate antimalware tool SDFix executable file.

Really, that was pretty clean :)


Deleting the Recovery Console isn't straightforward but here it is

Warning: To remove the Recovery Console you need to modify the Boot.ini file. Modifying this file incorrectly can prevent your computer from starting properly. Please only attempt this step if you feel comfortable doing this.

To remove the Recovery Console from your hard drive follow these steps:

1. Double-click on My Computer and then double-click on the drive you installed the Recovery Console (usually the C: drive).

2. Click on the Tools menu and select Folder Options.

3. Click on the View tab.

4. Select Show hidden files and folders and uncheck Hide protected operating system files.

5. Press the OK button.

6. Now at the root folder delete the Cmdcons folder and the Cmldr file.

7. At the root folder, right-click the Boot.ini file, and then click Properties.

8. Click to clear the Read-only check box, and then click the OK button.

9. Click on Start, then Run and type Notepad.exe c:\boot.ini in the Open: field and press the OK button.

10. Remove the entry for the Recovery Console. It will look similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

Make sure you only delete that one entry.

11. When you are done, close the notepad and save when it asks.

12. Right click again on the boot.ini file and select Properties.

13. Put a checkmark back in the Read-only checkbox and then press the OK button.

The recovery console should now be removed from your system. :)


How is the machine running now?
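The boot.ini edit in steps 9 to 11 above, as an added example that is not part of the thread or of ComboFix: a small Python check that drops only the `/cmdcons` line and refuses to proceed if more than one entry matches or if the `default=` entry would be left pointing at nothing. The sample boot.ini below is constructed; its layout is an assumption, since the thread only shows the Recovery Console line itself.

```python
import re

# Constructed sample of an XP boot.ini after ComboFix has added the Recovery
# Console entry (assumed layout; the thread only shows the cmdcons line itself).
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\\cmdcons\\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
"""
# Matches the /cmdcons boot switch, not the \cmdcons folder in the path.
CMDCONS_SWITCH = re.compile(r"(^|\s)/cmdcons(\s|$)", re.IGNORECASE)


def remove_recovery_console(text):
    """Return (new_text, removed_lines) with the Recovery Console entry dropped.

    Only lines under [operating systems] that carry the /cmdcons switch are
    removed; [boot loader] and every other OS entry are copied through.
    Raises ValueError if more than one line matches (step 10 says delete
    exactly one entry) or if the default= ARC path would no longer have a
    matching OS line, which would leave NTLDR with nothing to boot.
    """
    section = None
    default_arc = None
    kept, removed, os_keys = [], [], []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
        elif section == "[boot loader]" and s.lower().startswith("default="):
            default_arc = s.split("=", 1)[1].strip().lower()
        elif section == "[operating systems]" and s:
            if CMDCONS_SWITCH.search(s):
                removed.append(line)
                continue
            os_keys.append(s.split("=", 1)[0].strip().lower())
        kept.append(line)
    if len(removed) > 1:
        raise ValueError("more than one /cmdcons entry found; review boot.ini by hand")
    if default_arc is None or default_arc not in os_keys:
        raise ValueError("default= entry would have no matching [operating systems] line")
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, dropped = remove_recovery_console(SAMPLE_BOOT_INI)
    print("removed:", dropped)
    print(cleaned)
```

Run it against a copy of boot.ini first; it only produces text, so nothing is written back until you choose to.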

#13 ericke1


Posted 26 June 2011 - 05:19 PM

Hi, it says access denied when I try to delete the cmdcons folder. I'm in administrator mode too :(

#14 m0le (Malware Response Team)

Posted 26 June 2011 - 06:38 PM

This is a permissions issue.

ComboFix often removes file and folder access permissions. So you need to take ownership of the folder cmdcons, which you already have done. You are the owner now, but have you set the permissions of what you can do with that folder? Right-click on the folder, select the Security tab, check Allow in front of Full Control and save the settings.

Can you now delete it?

#15 ericke1


Posted 27 June 2011 - 10:39 PM

When you right click, both under Properties as well as "Sharing and Security", there is no such option.

Computer seems the same as before we ran combofix, but now websites at least don't point me to another website when I put in a web address.



