Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Please!!!! Think I Just Got A Virus


  • This topic is locked This topic is locked
66 replies to this topic

#1 Cookyman

Cookyman

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 25 July 2011 - 01:44 PM

Help Please!!!! I Just Got A Virus
Need some help please!!
I just got hacked.

Can't get pass the Windows welcome screen.
Every time I reboot or go to safe mode, the screen goes to the blue welcome screen.
When I click on my name or Administrator, the settings say loading your personal settings, and then go to saving your personal settings instantly.

All this happened right after I did a Malewarebyte scan, which I think I got the virus from.
Thought I was on the Malewarebyte site, but the sent me the download by email link.
Should have realized right then and there, that there would be a problem.

I know some about computing, but I'm a very good listener and learner.

Could somebody guide me in the right direction?

Thanks in advance.

Sorry if I posted this in the wrong place.

BC AdBot (Login to Remove)

 


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:06:29 AM

Posted 25 July 2011 - 01:50 PM

So you have no access to Windows what so ever?

What safe mode did you try, there are several to choose from. Try it again, and just pick Safe Mode.

#3 Cookyman

Cookyman
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 25 July 2011 - 01:54 PM

Thanks so much for the quick response.

When I go to safe mode the same thing happens.
I tried all 3 safe modes

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Edited by Cookyman, 25 July 2011 - 02:10 PM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:29 AM

Posted 25 July 2011 - 05:23 PM

Hi, :welcome:

Lets give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space among the following Statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:29 AM

Posted 25 July 2011 - 06:18 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Cookyman

Cookyman
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 25 July 2011 - 06:56 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.


Thank you for moving this to the right section.
I already put a watch on it.
Thanks again.

#7 Cookyman

Cookyman
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 25 July 2011 - 06:58 PM

I will get the USB drive tomorrow.
Is there a certain size I should get?

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:29 AM

Posted 25 July 2011 - 07:11 PM

It doesn't have to be a large capacity drive. Get a cheaper one.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#9 Cookyman

Cookyman
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 26 July 2011 - 03:08 PM

Quickie question

What are the chances of when I do a scan or whatever from my sick computer that the virus will or will not infect my working computer?
Just worried about screwing up the working unit.

#10 Cookyman

Cookyman
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 26 July 2011 - 04:36 PM

Sorry but I'm already having problems.
When I tried to download driver.sh this is what I got




Windows has the following information about this file type. This page will help you find software needed to open your file.



File Type: Unknown

Description: Windows does not recognize this file type.

You may search the following Web site for related software and information:

Search the web


Have questions? See these Frequently Asked Questions.


What should I do next?
Then I went and proceeded to put the CD and driver into the sick computer as you mentioned.
It just continued doing what it was doing before I tried anything.
Never saw the Welcome to xPUD screen.

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:29 AM

Posted 26 July 2011 - 08:05 PM

You need to follow the instructions as written. Download and save the file to the USB, but do not run it in windows. It will be ran once in xPUD, which is a Linux base environment.

Edited by JSntgRvr, 26 July 2011 - 08:07 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 Cookyman

Cookyman
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 26 July 2011 - 08:32 PM

Could you please put that into easier words for me.
How do I run it if not in windows?
Sorry but I am a computer dummy

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:29 AM

Posted 26 July 2011 - 08:52 PM

Download GETxPUD.exe to the desktop of your clean computer

First you will need to create a bootable CD

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.


Then you will need to download the files needed to identify the problems and boot the computer with the CD you justcreated.

  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.

  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space among the following Statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

  • I really don't know anything easier.

    Edited by JSntgRvr, 26 July 2011 - 08:52 PM.

    No request for help throughout private messaging will be attended.

    If I have helped you, consider making a donation to help me continue the fight against Malware!
    btn_donate_SM.gif


    #14 Cookyman

    Cookyman
    • Topic Starter

    • Members
    • 45 posts
    • OFFLINE
    •  
    • Local time:11:29 PM

    Posted 26 July 2011 - 10:29 PM

    Thank you again Sir for the quick response.

    My problem is in the 2nd step you highlighted for me.

    This part:

    •Next download driver.sh to your USB drive

    •Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.

    I cannot open driver.sh for some reason, and when I download Query.exe in my working computer and go to navigate there is no Query.exe showing.

    Is it possible I purchased a bad flash drive?
    I bought a Cruzer Blade USB Flash Drive 4 GB

    #15 JSntgRvr

    JSntgRvr

      Master Surgeon General


    • Malware Response Team
    • 11,635 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Puerto Rico
    • Local time:02:29 AM

    Posted 27 July 2011 - 10:09 AM

    Lets take it step by step. You don't need to run driver.sh while on Windows, but after the computer is booted to xPUD. Follow these steps:

    Download GETxPUD.exe to the desktop of your clean computer
    • Run GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Next download driver.sh to your USB drive
    • Remove the USB & CD and insert them in the sick computer
    • Boot the Sick computer with the CD you just burned
    • The computer must be set to boot from the CD
    • In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
    • Confirm that you see driver.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash driver.sh
    • Press Enter
    • After it has finished a report will be located on your USB drive named report.txt
    • Plug the USB back into the clean computer, post the contents of the report.txt in your reply.

    Edited by JSntgRvr, 27 July 2011 - 10:11 AM.

    No request for help throughout private messaging will be attended.

    If I have helped you, consider making a donation to help me continue the fight against Malware!
    btn_donate_SM.gif





    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users