
Ran ComboFix, now stuck on Windows logon screen


This topic is locked.
7 replies to this topic

#1 TNE

TNE

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 11 November 2011 - 07:00 AM

So to start from the beginning, lately I have had problems with trojans and viruses. Microsoft Security Essentials could remove some of those. But when I ran the F-Secure Internet Security virus and spyware check, it could find only two viruses (Gen:Heur.Conjar.3 and Gen:Variant.Graftor.3468), both of which could not be removed. And now I have a ping.exe process running in the background and using a lot of processor.

After doing some Googling I came to the conclusion that I might have a serious infection that many programs might not even find. So I ran ComboFix and it did indicate a very serious infection, and if I remember correctly the infection was the ZeroAccess rootkit. After ComboFix had run for a while it asked to restart the computer, and after the restart I'm stuck on the Windows XP logon screen and I can't do anything because my mouse and keyboard do not work. What might be the best way to proceed after this?

Thank you for your help in advance!

Edited by TNE, 11 November 2011 - 07:21 AM.




#2 TNE

TNE
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 12 November 2011 - 05:56 AM

I also tried to run Windows in safe mode, and it is the same situation. Neither mouse nor keyboard works, so it is impossible to get through the logon screen.

#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:46 AM

Posted 12 November 2011 - 01:13 PM

:welcome:

Which operating system is installed?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#4 TNE

TNE
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 12 November 2011 - 01:41 PM

Windows XP SP3. I'm currently running the F-Secure boot CD check on my computer. I'm hoping that it can find out if there is any infection left on my computer.

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:46 AM

Posted 12 November 2011 - 09:20 PM

If you are still having issues, let's give it a try. Do you have the XP Install CD?

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

Edited by JSntgRvr, 12 November 2011 - 09:22 PM.

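An added example, not part of this thread and not code from the xPUD scripts JSntgRvr links: a small Python parser for the mbr.bin that the dd command above produces. It checks the 0x55AA boot signature, lists the partition entries, and hashes the 440-byte bootstrap code so a helper can compare a posted sector against a known-good copy. The sample sector is constructed inline, not taken from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512           # dd ... bs=512 count=1 copies exactly one sector
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR sector as produced by `dd if=/dev/sda of=mbr.bin bs=512 count=1`."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry: boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "active": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        # hash only the 440 bytes of bootstrap code, so a baseline still matches
        # when the partition table changes but the loader code does not
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def build_sample_mbr(active: bool = True, signed: bool = True) -> bytes:
    """Constructed sample sector (not a real disk image): stand-in boot code plus one NTFS entry."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 437                 # 440 bytes
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                      # disk signature + 2 reserved bytes
    first = struct.pack("<B3xB3xII", 0x80 if active else 0x00, 0x07, 63, 0x00FFFFFF)
    table = first + b"\x00" * 48                                # remaining three entries empty
    return boot_code + disk_sig + table + (BOOT_SIGNATURE if signed else b"\x00\x00")


def compare_to_baseline(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Findings a helper would flag when reviewing a posted mbr.bin against a known-good copy."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition: BIOS has nothing to hand off to")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings
```

On a real report, read the 512 bytes with `open("mbr.bin", "rb").read()` and pass them to `compare_to_baseline` with the hash of a sector taken from the same machine before the infection, or from the same Windows version's stock MBR.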


#6 TNE

TNE
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 14 November 2011 - 09:35 AM

Well, this is what I finally ended up doing:
1. Ran the F-Secure boot disk check
-F-Secure found the two viruses I mentioned above but not the ZeroAccess rootkit (ComboFix probably managed to remove it)
-same problem still exists
2. Backed up all of the most important files on my HDD using another computer, a SATA to USB converter and an external power supply
3. Booted the computer to the Windows repair console (using the Windows XP CD) and tried to rewrite the boot sector and boot records
-same problem still exists
4. Booted to the Windows CD and tried to repair Windows XP. I almost got it through, but then the installing/repairing program asked if I wanted to accept a program that hadn't passed Windows Logo testing, and again it was impossible to answer when the mouse and keyboard do not work...
5. Well, I finally ended up formatting my HDD and installing Windows and everything again. It will be a pain, but it would have been more pain if I hadn't been able to back up the important files, as my last backup was quite badly outdated.

By the way, I found that my BIOS had a boot sector protection feature which I apparently accidentally left off after the last Windows install. That could have saved me a lot of trouble.

But thank you for your help anyway!

Edited by TNE, 14 November 2011 - 09:35 AM.


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:46 AM

Posted 14 November 2011 - 09:47 AM

Thanks for the feedback.

Be safe.



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:46 AM

Posted 25 November 2011 - 08:29 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
