avast quarantine problem

23 replies to this topic

#1 millipede


Posted 04 August 2011 - 10:37 AM

So, I'm working on a friend's computer that needed their XP updated to SP3 and they needed a new antivirus program. They had an outdated version of system mechanic or something for antivirus. Didn't look like they were using it for internet any time recently but, at some point it had been infected.
From the start, things were difficult. Running updates took a while. Used malwarebytes to remove a few things, but not a ton. Eventually had just about everything up to date and installed Avast free. At this point I had not run any avast scans.
This thing, from time to time, would lock up, freeze, or just shut down.
One issue I noticed was that no matter what I did, after EVERY reboot, windows updates and firewall would be turned off and I would turn them on again.
I decided to run a scan with Avast... (oh, I also had trouble installing avast... install would just shut down part way through but I eventually got it in)
After all this trouble I thought to myself, perhaps I should run a scan in safe mode to make sure not as many bad things are running...
So I ran a scan.... files like crazy were infected...
I noticed a TON of them were in the restore folder so I thought to myself... I should turn off system restore while I'm doing this........

So... after the scan, which took a LONG time, it found a hair over 3,900 files infected...
then, the options... repair, delete, quarantine....
Well, I decided it might be best to try and repair them just in case any were important. So, I checked repair and hit "apply".
It LOOKED like it did something... the entries started being highlighted as it went down the list. Then it froze... I waited... and waited... eventually, it unfroze... But, next to all the things, it still had the option "repair". Didn't say ANYTHING at all was accomplished. So, I tried again. Same result.
So, I then tried quarantine... Same results, exactly... After trying that twice, I eventually just shut the thing down.

Now the problem.
When I reboot, it makes it to the login screen, the desktop background even shows up... I hit okay to login... "loading settings....." Then "saving settings....." as it is shutting down... then, back at the login screen.
I tried that again this morning in safe mode with the same exact results.
I tried loading the option where it chooses the last best stable condition or whatever. (can't think of the wording at the moment)... same result... I'm guessing having system restore off, there is no last known good configuration...

So, I'm googling and searching trying to find what to do next. Is there a way to restore files from quarantine, say from dos or something?
I have a copy of an XP cd here, and I think it's professional (THINK) but it's a weird one I got from somebody. XP plus, has "extra" stuff on it... and, I'm wondering if I could put it in and try to repair windows?
Or? is there something else I should try?

Thanks in advance for any thoughts.



#2 cryptodan


Posted 04 August 2011 - 11:33 AM

Can you post the logs from malwarebytes and avast?

Also I would not put any unofficial XP CD into a machine and try a repair install.

#3 millipede


Posted 04 August 2011 - 01:01 PM

Windows will not let me completely log in for normal or safe mode. Would I be able to access the logs through a DOS prompt or something?

#4 millipede


Posted 05 August 2011 - 07:37 PM

anyone?

#5 cryptodan


Posted 06 August 2011 - 07:55 AM

I've already reported this topic to people who deal with unbootable computers due to malware related issues.

#6 etavares

Malware Response Team

Posted 07 August 2011 - 07:15 AM

Hello, millipede.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!


OK, it sounds like a Bamital infection based on the logon/logoff loop. That is fixable. However, 3900 infected files is a lot! Do you remember the name of the virus that was being detected?

Also, to fix this we need access to the computer outside of Windows. SO, do you have a clean computer you can use and a USB flash drive we can use? We can create a bootable USB to get the computer bootable again.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 millipede


Posted 07 August 2011 - 09:40 AM

Normally, I don't need help with viruses. I am very good at figuring things out and following directions. But this one got me in a position I've never been in. Of course, that's what computers do.
I was working on two computers for my friend, both old Dell optiplex. I returned the other one yesterday and they said this one never really worked quite right. Every time I was making progress, things continued to act a little weird. The system would freeze from time to time.
My experience in safemode a good example... just not what I expected.
They decided to buy a newer, used computer but I will still need to move the old files for them and if there's room in the case and this HD is restored, they might as well have two hard drives.

My own computer is clean, so yes... and, I do have a flash drive. I started googling a minute ago about this and it says you have to format the flash drive. I'm going out in a bit and I think I'll pick up a new flash drive at Walmart to use for this purpose. Never hurts to have a few of those laying around anyway.
I don't remember the virus. There was more than one but the majority were the same and the majority of them were situated in the restore files. I of course didn't look at all 3900 ha.

As I said, I tried the "repair" function in Avast but because it kept freezing, it never looked like it accomplished it. Didn't look like it accomplished the quarantine either but, I'm guessing it did. I had NO boot problems until after that scan.
I'll be on here again in a few hours. As I said, I'm good at following instructions so let me know what to do and I'll do it.
Thanks for your help.

#8 etavares


Posted 07 August 2011 - 09:53 AM

Hello, millipede.

Sometimes antiviruses will remove infected system files but not properly replace them. This type of error is usually due to userinit.exe being missing, or the registry entry being incorrectly fixed.

Once you have a flash drive, do the following steps. If you want to fix it, do step 2. If you want to only transfer files, only do Step 1, then you can copy the files to external media from xPud. Just let me know.


Step 1

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB. If that doesn't work, let me know. Booting from USBs is different depending on your BIOS.
  • Follow the prompts
  • A Welcome to xPUD screen will appear

You can then use the File system to transfer files. Make sure to scan them with an antivirus and an antimalware (e.g. SuperAntiSpyware or MBAM).


Step 2

If you want to try to fix it first and copy files in Windows instead of xPUD, first start with this.

From your working computer, download xPUD_userinit_fix to your xPud flash drive.

Boot the infected computer from it, then navigate to your flash drive and double-click xPUD_userinit_fix to run it.

It should create a txt file in the same directory on your flash drive. Copy/paste the contents of UserinitReport.txt that will appear in your reply. You can do it from xPUD if it recognizes your network, if not, just plug it into your Windows computer and open the file from there.

etavares




#9 millipede


Posted 07 August 2011 - 04:27 PM

Well, I'm following the steps for number 1 there. I have the usb drive plugged in... booted to it... then....
Loading /boot/xpud....................................
actually, it's up to 5 rows of dots now... just loading.......................................................
been waiting a while. Is this normal?


Edit: it's now 5:56 here... Last update was at 4:27 to give you an idea of how long this is taking...
After about 10 rows of dots... we're now at
Loading /opt/media with almost two rows of dots after it.
So.... This has been loading for WELL over an hour, maybe two by now, or more.
yikes...


Edit again...
I walked away for a while and when I came back, I'm in... but now...

You can then use the File system to transfer files. Make sure to scan them with an antivirus and an antimalware (e.g. SuperAntiSpyware or MBAM).

I'm going to poke around now but, what files? Am I finding the files that are quarantined with avast?

Edited by millipede, 07 August 2011 - 07:10 PM.


#10 etavares


Posted 08 August 2011 - 05:36 PM

Wow...it does take some time to boot, but that took an awfully long time.

If you click "File" from the menu, you can navigate the file system and copy files to an external hard drive if you just want to get your files off of it. Once you're booted, plug in another USB flash drive or external HD and you can copy files to it. You can also copy files to your hard drive. In the file system, \mnt\sda1\ is like your C:\ drive. If you have other partitions on that disk, they'll be sda2, sda3, etc. If you have multiple hard drives, you may also see sdb1, sdb2, etc. Your flash drive is usually sdb1, but if you have more than one physical hard drive, it will be sdc1, sdd1, etc...all depends on your particular system setup. You can still copy/paste files as needed by selecting them, right-click copy; then navigate where you want to paste them, right-click in the background just like My Computer in Windows and select Paste.

If you want to try and get it booting, run the userinit fix I posted in step 2.




#11 millipede


Posted 09 August 2011 - 03:35 PM

I'd rather not try to move the files that way, though I may end up doing so, as it's a bit awkward to navigate. I might miss files that would otherwise be easy to find.

So, I tried step 2. Takes forever for that to boot that way.... anyway... the resulting txt file is not very long and, confusing... but here it is.

Remote Registry Userinit Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 26 [0x1a]
userinit.exe
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 26 [0x1a]
[ 0]: userinit.exe
-> newkv->len: 68
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
 
userinit.exe search results

7dd796052e89cd2fd663945bfbf27253  /mnt/sda1/WINDOWS/SoftwareDistribution/Download/9866fb57abdc0ea2f5d4e132d055ba4e/userinit.exe
       32.5K Aug  3 18:33 

winlogon.exe search results

9f0121a2fdb5583b1728dcda38a643b4  /mnt/sda1/WINDOWS/SoftwareDistribution/Download/9866fb57abdc0ea2f5d4e132d055ba4e/winlogon.exe
      503.0K Aug  3 18:33 
ed0ef0a136dec83df69f04118870003e  /mnt/sda1/WINDOWS/system32/winlogon.exe
      496.0K Apr 14  2008 

explorer.exe search results

d8b93a03133ae3979c48e3402778cfbf  /mnt/sda1/WINDOWS/SoftwareDistribution/Download/9866fb57abdc0ea2f5d4e132d055ba4e/explorer.exe
     1016.5K Aug  3 18:32 
3b8af341e1b453164568d54927aaeeaf  /mnt/sda1/WINDOWS/explorer.exe
     1016.5K Apr 14  2008 

That's it... is that really useful?
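The report above shows the Winlogon Userinit value before and after the fix: a bare "userinit.exe" (12 characters, stored as 26 bytes because REG_SZ is UTF-16LE plus a 2-byte terminator) replaced by the full path with its trailing comma (33 characters, 68 bytes). The following Python is an added example, not part of this thread and not the xPUD_userinit_fix tool's own code; it parses that report format and flags Userinit values that deviate from the default, assuming a standard 32-bit XP install under C:\WINDOWS for the expected value.

```python
import re
from typing import List, Optional, Tuple

# Default Winlogon Userinit value on a 32-bit Windows XP install (assumption: system root is C:\WINDOWS).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Constructed sample: the Userinit records from the report posted in this thread, before and after the fix.
SAMPLE_REPORT = r"""Remote Registry Userinit Report

Hive </mnt/sda1/WINDOWS/system32/config/software>
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 26 [0x1a]
userinit.exe
(...)\Windows NT\CurrentVersion\Winlogon> EDIT: <Userinit> of type REG_SZ with length 26 [0x1a]
[ 0]: userinit.exe
-> newkv->len: 68
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
"""

# One "Value <Userinit>" header line followed by the data on the next line.
_RECORD = re.compile(r"Value <Userinit> of type REG_SZ, data length (\d+) \[0x[0-9a-fA-F]+\]\r?\n(.*)")


def reg_sz_length(value: str) -> int:
    """Bytes a REG_SZ occupies in the hive: UTF-16LE text plus a 2-byte NUL terminator."""
    return len(value.encode("utf-16-le")) + 2


def parse_userinit_report(report: str) -> List[Tuple[int, str]]:
    """Return (declared_length, value) for every 'Value <Userinit>' record in the report text."""
    return [(int(m.group(1)), m.group(2).strip()) for m in _RECORD.finditer(report)]


def assess_userinit(value: str, declared_len: Optional[int] = None) -> List[str]:
    """List the ways a Userinit value deviates from the default; an empty list means it looks healthy."""
    findings = []
    if declared_len is not None and declared_len != reg_sz_length(value):
        findings.append(f"declared length {declared_len} does not match value ({reg_sz_length(value)} bytes)")
    # Userinit is a comma-separated list; the first entry must be the real userinit.exe by full path.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        findings.append("empty value: nothing starts the user shell at logon")
        return findings
    first = entries[0]
    if first.lower() != EXPECTED_USERINIT.rstrip(",").lower():
        if "\\" not in first:
            findings.append(f"bare filename {first!r}: not pinned to system32, the loader has to search for it")
        else:
            findings.append(f"unexpected userinit path {first!r}")
    if len(entries) > 1:
        findings.append("extra programs launched at logon: " + ", ".join(entries[1:]))
    if not value.endswith(","):
        findings.append("missing trailing comma (non-default form)")
    return findings


def audit_report(report: str) -> List[Tuple[str, List[str]]]:
    """Parse a report and assess every Userinit value it records."""
    return [(v, assess_userinit(v, n)) for n, v in parse_userinit_report(report)]


if __name__ == "__main__":
    for value, findings in audit_report(SAMPLE_REPORT):
        print(value, "->", findings or "OK")
```

Run against the sample, the first record is flagged for its bare filename and missing comma while the repaired record comes back clean.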

#12 etavares


Posted 09 August 2011 - 04:57 PM

Hello, millipede.

It was worth the time to boot into xPud. The log is perfect. You appear to have a bamital infection. So, I need to give you this warning:

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1


First, we need suitable replacement files as none appear to be on that computer. Do you have access to your Windows CD? If not, there are a couple of legitimate ways to get those files, but that is the easiest.



etavares




#13 millipede


Posted 09 August 2011 - 06:44 PM

I am working on this for a friend. Two of her sons share that computer. The other day they bought two more used computers, one for them and one for a younger sibling. So...
My main concern is getting their files off. Pictures and the like.

So... the computer I'm working on is an xp machine and the only xp cd I have in my house is likely not legit... Someone I know and trust gave it to me, a copy, that they got from a friend that supposedly works for MS... It says XP plus. It's xp pro with some extra programs on it. I've never used it but that is all I have access to as far as XP goes.

Personally I'd like to get into windows to access the pictures and such easily. But, whatever we need to do we need to do.
my concerns now
Can I get pictures and other data, copy it to the new updated and protected machine, and not have to worry about this infection?
Also, I so far have not taken any files from the infected pc and moved them to the flash drive, but the flash drive has gone back and forth between that pc and my own personal windows 7 machine. I feel I'm fairly protected but, do I have anything to worry about for my own?

If I can get those files off safely, I can then reformat that HD. I can't put xp back on it but I can always put 2000 or Ubuntu. I've got both on CD's here.
Thanks for the help...

#14 etavares


Posted 10 August 2011 - 06:12 PM

Do you have another computer with Windows XP SP3 that you have access to?




#15 millipede


Posted 10 August 2011 - 06:24 PM

Yes. My own computer that I replaced just this year. It still has important files on it that I have yet to deal with..... As long as why you're asking won't damage that computer in any way, I'm game.

Edit... you might be replying already so I don't know if you'll see this right away but... My old one is XP Home... I am pretty sure the infected pc is XP Pro. Will that matter?

Edited by millipede, 10 August 2011 - 06:30 PM.




