
Possible virus infection and stuck in “safe mode”…


6 replies to this topic

#1 lame-O

Posted 01 July 2011 - 03:58 AM


Whilst surfing the net, a strange box opened up telling me that the computer had been infected. I quickly closed them down and so don't remember much about them (I think there were two boxes).

There hasn't been any sign of a message telling me to phone up and pay for a code number, which apparently can happen, as in "trojan ransomware", but c:\program files\plugin.exe (Trojan.Ransomware) is reported in the Malwarebytes Anti-Malware scan, as shown below, under files infected.

I first of all tried to run Avast and update the prog. and definitions, but the scan kept freezing after a couple of mins., time and again…

The laptop was being shut down on trying to perform a scan in avast.

WINXP (Build 2600)
SP3
32BIT
EDITION 2007
VERSION 5.1
(I have the original Product Recovery Disc) WINXP

Anti virus is Avast (free version.)
I have CCleaner
I have Malwarebytes anti malware
(All are up to date)



I then downloaded Malwarebytes Anti-Malware and ran it on “full scan” and it reported the following...

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Heuristics.Shuriken) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adware_Pro (Rogue.AdwarePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ScanQuery (Adware.ScanQuery) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCANQUERY_SERVICE (Adware.ScanQuery) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\all users\start menu\Programs\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64} (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\chrome (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\defaults (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\defaults\preferences (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\scanquery (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\documents and settings\all users.windows\application data\scanquery (Adware.ScanQuery) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\john2\Desktop\stuff\autocad 2002\SETUP.EXE (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\program files\plugin.exe (Trojan.Ransomware) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\Zango\open library.url (Adware.180Solutions) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\chrome.manifest (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\install.rdf (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\chrome\scanquery.jar (Adware.ScanQuery) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{de9265d8-d55d-4286-9dc4-f8d8a0ca2f64}\defaults\preferences\prefs.js (Adware.ScanQuery) -> Quarantined and deleted successfully.


I found that I could only start up in "safe mode" (along with networking); a normal boot up was no longer possible. Not sure at which point this happened; for a short while after contracting the infection I was able to run in normal mode.

Although it says that Trojan.Ransomware was successfully deleted, it was flagged up on a later scan by the malware prog., so maybe it's in the registry? Although in later scans done whilst being stuck in "safe mode" it's not being flagged up, and we're currently all clear, allegedly, of infection in "full scans" done by "Malwarebytes Anti-Malware" and "Microsoft Safety Scanner". And CCleaner is all clear on registry issues.

I ran an updated CCleaner on registry cleaner and then tried for a "system restore". I think that "system restore" files may have been damaged by the CCleaner registry clean? But in any case I think that "System Restore" had been got at by the virus already, because it had previously started a "sys. restore" but suddenly it stopped and kicked out of it, no doubt having been infected earlier.

I then tried to start "System Restore" using the %systemroot%\system32\restore\rstrui.exe command prompt without success.

I believe that system restore will now not be of any use even if it would start up as all the saved points are probably wiped out.

I then tried starting in “normal mode” with the diagnostic startup facility of the system config. Utility, but no joy.

The latest full scans with the Malwarebytes Anti-Malware prog., whilst still only able to start in Safe Mode, are stating that everything is clear of infection, but I would imagine that if I were able to get the PC to start in normal mode the trojan would be found on subsequent scans.

I did a "Microsoft safety full scan" in safe mode and it only flagged up one problem, which was (adware:win32/open candy), duly deleted. After a 3 hour scan I was hoping for something more significant than some "run of the mill spyware".

Even though the above two scans are reporting things are clear (except for the (adware:win32/open candy), which was duly deleted), I still think that only part of the malware has been detected and removed… But what do I know, I'm no expert…

Help needed please.
phelter snatch

Edited by hamluis, 01 July 2011 - 06:22 AM.
Moved from XP to Am I Infected.
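As an added example (not from the post, nor from Malwarebytes), here is a small Python parser for the scan-log format quoted above, run over constructed sample lines copied in that format. It groups detections by section and family and flags the entries a responder would look at first: the ransomware-labelled file, the Image File Execution Options key (Windows launches the configured "debugger" in place of the named program, so that key is a classic hijack and persistence location) and any removal that did not report success, which is the reappearing-detection worry raised in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Malwarebytes Anti-Malware log format quoted in the post:
# a section header ending in ':' then "<item> (<detection>) -> <action>." lines.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Heuristics.Shuriken) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Adware_Pro (Rogue.AdwarePro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\program files\plugin.exe (Trojan.Ransomware) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
"""

ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return {section: [(item, detection, action), ...]} for an MBAM scan log."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if line.endswith(":"):  # section header such as "Files Infected:"
            current = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append((m["item"], m["detection"], m["action"]))
    return dict(sections)

def summarize(sections):
    """Count detections by family (text before the first '.') and flag entries worth
    follow-up: ransomware-labelled items, Image File Execution Options keys (Windows
    runs the configured 'debugger' instead of the named program) and failed removals."""
    families = Counter()
    flagged = []
    for entries in sections.values():
        for item, detection, action in entries:
            families[detection.split(".")[0]] += 1
            if "ransom" in detection.lower():
                flagged.append(("ransomware", item))
            if "image file execution options" in item.lower():
                flagged.append(("ifeo-hijack", item))
            if "successfully" not in action.lower():
                flagged.append(("not-removed", item))
    return families, flagged
```

Sections that contain only "(No malicious items detected)" are dropped, so the returned dict lists just the sections that actually had findings.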




#2 lame-O

Posted 03 July 2011 - 10:27 AM

Hi there,

As an additional bit of info. on the original problem, I now believe that I probably have a faulty hard drive.

Coincidence or not (bearing in mind malware was strongly suspected originally) I'm not sure, but some tests are pointing to "bad blocks on the hard drive" whereas others are not.

The drive is healthy, according to Belarc Advisor.

Description = The device, \Device\Harddisk0\D, has a bad block. …according to OTL

There was a wiring prob. or the hard drive itself was faulty, according to Fujitsu FJDT ver 7.00.

1/ A definite pointer to a hard drive problem is what I now need.

2/ If there is a hard drive problem which leads to having to replace the drive, I would welcome some info on how to back up files whilst being stuck in "safe mode". I have access to an old desktop computer if that could be helpful, but don't think it has USB conn's.

#3 cryptodan

Posted 04 July 2011 - 05:51 AM

Since you ran OTL, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#4 lame-O

Posted 06 July 2011 - 12:06 PM

Hi there,

To cut a long story short I am back to normal run mode.

A computer whiz kid mate of mine dropped round and suggested that all that was required was to reinstall Windows off the SP3 disc and then reinstall the drivers etc.

Some tests I ran previously were suggesting that the hard drive was close to being finished, describing the problem as being a bad block etc.

Just how long the hard drive will last is another story, but at the time when the virus struck there was some loss of data from the Windows startup procedure, which resulted in the loop situation whereby the only way out was to go into safe mode.

Thanks for your input...

#5 cryptodan

Posted 06 July 2011 - 01:02 PM

So is your issue resolved?

#6 lame-O

Posted 06 July 2011 - 02:19 PM

Not impressed, guys. I asked for guidance on how to back up files when stuck in safe mode, and the first thing you suggest, after I'd waited three days and more, was that "I should do a backup"; these are the jokes, folks.

However, just after I'd waded thro' the mega long test procedures ad infinitum, a jolly green giant came a calling and promptly suggested the easy way out of it all. (See previous post.)

lame no more

#7 cryptodan

Posted 06 July 2011 - 07:19 PM

Unfortunately, in Safe Mode there is no viable backup option, but via Safe Mode with Networking you can move your data to another computer or networked device.

The only reason I referred you to the Malware Department, is because you ran a tool that is specifically designed to assist in the malware removal process.
