
Please Help! Nasty Windows Recovery Malware


  • This topic is locked
11 replies to this topic

#1 Lissi

Posted 12 June 2011 - 07:59 PM

Hi,

I was told to post here for help after posting for over a week in the Am I Infected thread.
Here is my thread link: http://www.bleepingcomputer.com/forums/topic401602.html

I have Windows XP SP2, and after going to check my ISP email my Avast virus went off, and then my screen went black hiding everything & a Windows Recovery window popped up warning me with critical messages.

At first I thought it was real; I used the scan, & then when I saw they wanted $79.99 to fix this I realized it was a scam. At that point I found a way to get online by going to Run & typing firefox. I was searching for what to do to get rid of this nasty thing; it was very hard to see through all the popups. I saw Spyware Doctor recommended to use, so I downloaded it...it scanned, then I found out it cost money, which I didn't know. I did not buy it.

I think I went to my Gmail Account & logged in, I'm not sure if I did I was in a panic. I'm afraid to now log into my Gmail. Could the Windows Recovery Malware be in there? That is my main email I use, I do need to access it but I don't want to get my old clean pc infected. Please advise.

My PC then shut off & turned back on, leaving me with the Windows blue screen hiding everything...my Windows XP page first loads, then my log in screen shows (the only account I have is Admin)...then just the blue screen. I cannot see Start, icons, taskbar...nothing! In safe mode I cannot see anything either, just a black screen with Safe Mode at the top & bottom.

Safe mode with networking does not work. Ctrl+Alt+Delete tells me Task Manager has been disabled. The only area I can see in safe mode is the Command Prompt, which I don't know how to use.

I downloaded Rkill & Malwarebytes Anti-Malware from my clean old & slow PC and burned them separately to disks. I put the Rkill disk into my infected PC, but no window opened over this horrible blue screen so I could see to run it. My disk drive was running, but after about two hours I saw nothing happening, so I removed the disk. My screen saver did kick in while running the disk.

I work with graphic arts programs & everything I have is on the infected pc. I wanted to get an external hard drive but couldn't afford it, so I have nothing backed up. :(

I would greatly appreciate help with removing this nasty terrible malware. I hope it can be removed by me with help from you. I really need my pc.

Thank you in advance.


#2 m0le (Malware Response Team)

Posted 20 June 2011 - 07:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Lissi (Topic Starter)

Posted 21 June 2011 - 12:04 AM


Hi m0le,

I've been watching this topic closely, I know how busy you've been here, I am very happy to see you. :thumbsup:

I haven't done a thing with my infected pc since I posted here since I can't see anything on it, all explained in my first post here and in the other thread link.

Nor have I gone to my main Gmail account, because I don't know if it could have the malware there...I wish I could remember if I went there or not when I got infected. It doesn't make sense for me to have logged in, but I might have since I wasn't thinking straight, I was freaking out.

It's a habit of mine to check that gmail account several times a day so that's why I think I might have, if that makes sense. I really do need to access that account if it's safe to do so. Please let me know if it is or isn't safe.

I will wait for further instructions from you.

Thanks! :)

Lissi

#4 m0le

Posted 21 June 2011 - 02:01 PM

Your Gmail account is safe but we have to remove the rogue antivirus from the machine.

We may have to bypass the fake screen to run some programs. Let's see what we can do.

First, when running in safe mode what is it you can see on the screen? Just the command prompt window?

Second, do you have a flashdrive?

#5 Lissi

Posted 22 June 2011 - 09:02 PM



I'm happy to hear my Gmail account is safe, thank you very much for letting me know. I sure hope we can remove the rogue antivirus. The old slow PC I'm on is driving me nuts... but it is clean.

When I'm running in safe mode the only place I see is just the command prompt window, everything else is hidden.

I have a 2GB SanDisk Cruzer USB flashdrive, nothing is on it, would that be good to use? If it is good to use is there a way to set it so it doesn't get infected?

Thanks, I'll keep checking for your instructions.

#6 m0le

Posted 23 June 2011 - 01:15 PM

Okay, this is the easier option but doesn't always work for us.

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output: (C:\ubcd4win\BartPE)
    • Keep the default BartPE
  • Media output
  • Choose Create ISO image
  • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:
    (screenshot of the UBCD4Win desktop not reproduced)


==========

Single click My Computer from your UBCD4Win desktop to navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.bat.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All

  • Copy and Paste the following code into the textbox shown in the image (not reproduced). Do not include the word "Code"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT
  • Push the button shown in the image (not reproduced)
  • A report will open. Save that log to your flash drive. Copy and Paste that report in your next reply.

=========

With your next post please provide:

* OTLPE.txt

Edited by m0le, 23 June 2011 - 01:15 PM.

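An added example (my own code, not from the thread and not OTL's own implementation): a small Python interpreter for the custom-scan directive list in the post above, run against a constructed sample "system root" so it works offline. The switch semantics are my reading of the script (/s recurses, /NN keeps only files modified in the last NN days, the names between /md5start and /md5stop are hashed wherever they are found); bare keywords such as netsvcs and CREATERESTOREPOINT are recorded but not executed, %VAR% expansion uses a caller-supplied map, and the Windows "*." (no extension) idiom is not special-cased.

```python
import fnmatch, hashlib, os, re, tempfile, time

def parse_directives(text):
    """Turn the posted directive text into (kind, target, switches) tuples."""
    items, in_md5 = [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.lower() in ("/md5start", "/md5stop"):
            in_md5 = line.lower() == "/md5start"
        elif in_md5:                      # bare file names between the markers
            items.append(("md5", line, set()))
        else:
            tokens = line.split()         # path may contain spaces; switches start with '/'
            switches = {t.lower() for t in tokens if t.startswith("/")}
            target = " ".join(t for t in tokens if not t.startswith("/"))
            kind = "glob" if re.search(r"[*?\\]", target) else "keyword"
            items.append((kind, target, switches))
    return items

def _files(root, recurse):
    """Yield file paths under root, one level deep unless recurse is set."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)
        if not recurse:
            break

def run_scan(items, env, now=None):
    """Execute glob and md5 directives; keywords are recorded, not executed."""
    now = time.time() if now is None else now
    out = {"files": [], "md5": {}, "skipped": []}
    expand = lambda p: re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), p)
    for kind, target, switches in items:
        if kind == "md5":                 # hash every copy of the named file under the env roots
            for path in (p for root in env.values() for p in _files(root, True)):
                if os.path.basename(path).lower() == target.lower():
                    with open(path, "rb") as fh:
                        out["md5"][path] = hashlib.md5(fh.read()).hexdigest()
        elif kind == "glob":
            directory, pattern = os.path.split(expand(target).replace("\\", os.sep))
            days = next((int(s[1:]) for s in switches if s[1:].isdigit()), None)
            for path in _files(directory, "/s" in switches):
                fresh = days is None or now - os.path.getmtime(path) <= days * 86400
                if fresh and fnmatch.fnmatch(os.path.basename(path).lower(), pattern.lower()):
                    out["files"].append(path)   # /NN keeps only recently modified files
        else:
            out["skipped"].append(target)
    return out

def build_sample_tree():
    """Constructed sample 'system root' so the scan runs offline; returns the env map."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32", "drivers"))
    for rel, data in (("userinit.exe", b"hello"), ("drivers/atapi.sys", b"x"), ("drivers/old.sys", b"")):
        with open(os.path.join(root, "system32", rel), "wb") as fh:
            fh.write(data)
    old = os.path.join(root, "system32", "drivers", "old.sys")
    os.utime(old, (time.time() - 200 * 86400,) * 2)   # stale driver: /90 should drop it
    return {"SYSTEMROOT": root}

SAMPLE = ("netsvcs\n%SYSTEMROOT%\\system32\\drivers\\*.sys /90\n/md5start\n"
          "userinit.exe\natapi.sys\n/md5stop\nCREATERESTOREPOINT")
```

Call `run_scan(parse_directives(SAMPLE), build_sample_tree())` to see the three result buckets; on a real system the md5 bucket is what you compare against known-good hashes for files like userinit.exe and atapi.sys.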

#7 Lissi

Posted 23 June 2011 - 03:52 PM

Hi m0le,

Problem with step 2: when I bought my Compaq Presario laptop it didn't come with an XP2 install disc...I had to burn 9 CDs to create recovery discs, and it did not tell me what was on each disc I burned; they are just labeled 1, 2, 3 and so on. I had to do the same for the older laptop I'm on. :(

I hope there's some other way to do this?

Thanks

#8 m0le

Posted 23 June 2011 - 06:22 PM

We may have to use those recovery disks, but for now we will try bypassing the Windows operating system and taking a look at the machine using a Linux operating system installation called xPUD.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download, the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too, so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

#9 Lissi

Posted 26 June 2011 - 02:47 PM



Hi m0le,

I'm sorry I wasn't able to get back to you sooner. The last few days there have been bad lightning storms here, so I wouldn't take a chance getting online. Another problem: it seems my old clean PC wasn't clean. It was acting really strange, so I ran Malwarebytes Anti-Malware and it found 3 infections which I let it remove, but now I keep getting warning messages from Norton, which was preinstalled for a 60 day trial & after a week I had uninstalled it, or so I thought, and installed Avast. I found many files after a search saying Norton 2006. The Norton popups are very annoying. I don't know if it's safe for me to delete the files I found; some end in .dll. My old PC is better but still a bit off.

I do have an ethernet cord & connection and would rather do it that way. I don't want to infect my old PC with the flash drive after using it in my infected PC; from what I understand there's a good possibility it will infect my flash drive by writing a file called autorun.inf on the flash drive.

I know some things about PCs but not in this area. I never went into safe mode until this happened, and I don't know how to boot off a CD. Could you please explain how I do this? Also, can I use a regular CD that you burn for an ISO file?

Also in your instructions which I'm copy & pasting below - I'm not clear if this is done with xpud_0.9.2.iso or the noahdfear download? Since I won't be using my flash drive I'm not sure.

Thanks very much for your help.

Press File

Expand mnt

Expand your USB (sdb1)

Confirm that you see rst.sh that you downloaded there

Press Tool at the top

Choose Open Terminal

Type bash rst.sh

Press Enter

After it has finished a report will be located at sdb1 named enum.log

#10 m0le

Posted 26 June 2011 - 06:14 PM

The instructions are used when you have burnt the xPUD iso and are then booting the system with it and the xPUD splash screen appears.

#11 m0le

Posted 30 June 2011 - 07:29 PM

How's that going, Lissi?

#12 m0le

Posted 01 July 2011 - 08:06 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



