Sony Vaio PCG-61611L Infected (Nothing Opens) Need help!


This topic is locked. 25 replies to this topic.

#1 El Love

Posted 27 January 2012 - 12:32 AM

Hello,

I've looked all over and tried everything, and still cannot find the solution to my problem.

For some reason, my computer (Windows 7) will not open executable files or files that require an executable to run. Please take the following into consideration:

1. Because of this I cannot get on a browser to download any sort of help such as ComboFix or MBAM.
2. I've tried all the different RKILL and DDS files. Renaming them doesn't seem to "trick" the malware.
3. Notepad and Calc work.
4. When I watch the task manager, I notice that any process that attempts to load with a *32 (32bit) next to it is killed after a few seconds (these include the RKILL files).
5. I've attempted starting programs via the task manager window and the command prompt.
6. I've tried the exefix.reg route. The merge is made successfully but it doesn't seem to have done anything.
7. The same outcome is also seen in all Safe Modes.
8. Restoring to an earlier point results in no change.

This seemed to have taken effect overnight; yesterday everything was fine. I don't know what else to do and am on the brink of defeat. Can anyone offer any assistance to this matter?

Thanks in advance.

El

Edited by El Love, 27 January 2012 - 12:35 AM.



#2 m0le, Malware Response Team

Posted 29 January 2012 - 08:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 El Love, Topic Starter

Posted 29 January 2012 - 10:17 PM

Hello there,

I am here. Thanks in advance for your help!

El

#4 m0le, Malware Response Team

Posted 30 January 2012 - 05:22 AM

6. I've tried the exefix.reg route


Have you tried the .exe fix from here?


If that works then please run Combofix

Please download ComboFix from one of these locations. IMPORTANT!!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


If it fails then run MBAM

MBAM is often stopped by malware too so when it has been downloaded please open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe extension to .bat, .com, .pif, or .scr

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#5 El Love, Topic Starter

Posted 30 January 2012 - 10:50 AM

Hello,

When attempting to merge the reg file, I received the following error message:

"Cannot import. Not all data was successfully written to the registry. Some keys are open by the system or other processes."

The affected system is running Windows 7 and the website you linked here was entitled, Windows XP File Association Fixes. I don't know if that might be an issue or not.

Please advise.


El

#6 m0le, Malware Response Team

Posted 30 January 2012 - 06:22 PM

Yes, sorry, that was the reason. Can you try running MBAM the way I showed?

#7 El Love, Topic Starter

Posted 30 January 2012 - 06:30 PM

Hello,

4. When I watch the task manager, I notice that any process that attempts to load with a *32 (32bit) next to it is killed after a few seconds (these include the RKILL files).


Just tried running comfix.exe and the MBAM setup, both of which failed to successfully run.

#8 m0le, Malware Response Team

Posted 30 January 2012 - 07:52 PM

We need to boot outside Windows to get some information.

Try this please. You will also need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

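The dump that the xPUD/dumpit step above writes to the USB stick is the raw first sector of the disk (512 bytes): 440 bytes of bootstrap code, the 4-byte disk signature, four 16-byte partition entries and the 0x55AA boot signature. As an added example that is not part of this thread and not one of the BleepingComputer tools, here is a Python script that parses such a dump on the clean machine and lists what an analyst would look at first: the bootcode hash (to compare against a known-good MBR), the active partition, overlapping entries, and whether the error strings that stock Windows Vista/7 bootcode carries are present. That string check is a heuristic, not proof of a bootkit. The member name inside mbr.zip is an assumption (the script just takes the first file), and the sample sector is constructed here for demonstration rather than taken from any real disk.

```python
import hashlib
import struct
import zipfile

MBR_SIZE = 512
BOOTCODE_SIZE = 440           # bootstrap code; the 4-byte disk signature follows at 440
DISK_SIG_OFFSET = 440
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of the sector

# Error strings carried by the stock Windows Vista/7 MBR bootstrap code.
# Their absence is only a heuristic: a bootkit that overwrites the bootcode
# usually drops them, but a third-party boot manager drops them too.
EXPECTED_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def load_mbr_from_zip(path):
    """Return the first member of an mbr.zip (assumed: one raw sector inside)."""
    with zipfile.ZipFile(path) as zf:
        return zf.read(zf.namelist()[0])


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry (CHS fields are kept raw)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0 and lba_start == 0 and sectors == 0,
    }


def parse_mbr(data):
    """Parse a raw MBR sector and collect the things worth a second look."""
    if len(data) < MBR_SIZE:
        raise ValueError(f"need {MBR_SIZE} bytes, got {len(data)}")
    sector = data[:MBR_SIZE]
    bootcode = sector[:BOOTCODE_SIZE]
    partitions = [
        parse_partition_entry(sector[off:off + PART_ENTRY_SIZE])
        for off in range(PART_TABLE_OFFSET,
                         PART_TABLE_OFFSET + 4 * PART_ENTRY_SIZE,
                         PART_ENTRY_SIZE)
    ]

    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    missing = [s.decode() for s in EXPECTED_STRINGS if s not in bootcode]
    if missing:
        findings.append("stock Windows bootcode strings absent: " + ", ".join(missing))
    active = [p for p in partitions if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    used = sorted((p for p in partitions if not p["empty"]),
                  key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("overlapping partition entries")
            break

    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
        "findings": findings,
    }


def build_sample_mbr(stock_bootcode=True):
    """Constructed 512-byte sector for demonstration; not an image of any real disk."""
    boot = bytearray(BOOTCODE_SIZE)
    boot[0:3] = b"\x33\xc0\x8e"            # arbitrary filler bytes
    if stock_bootcode:
        pos = 0x100
        for s in EXPECTED_STRINGS:          # plant the stock error strings
            boot[pos:pos + len(s)] = s
            pos += len(s) + 1
    sector = bytearray(MBR_SIZE)
    sector[:BOOTCODE_SIZE] = boot
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)
    # Entry 0: active NTFS (type 0x07) partition at LBA 2048, 204800 sectors.
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    import sys
    data = load_mbr_from_zip(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    report = parse_mbr(data)
    print("bootcode sha256:", report["bootcode_sha256"])
    for i, p in enumerate(report["partitions"]):
        if not p["empty"]:
            print(f"partition {i}: type=0x{p['type']:02x} active={p['bootable']} "
                  f"lba={p['lba_start']} sectors={p['sectors']}")
    print("findings:", report["findings"] or "none")
```

Run it as `python mbr_check.py mbr.zip` on the clean machine; with no argument it parses the constructed sample. An empty findings list does not clear the disk: a bootkit can keep the stock strings and only patch a jump, so the bootcode hash should still be compared against a sector dumped from a known-clean Windows 7 install.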

#9 El Love, Topic Starter

Posted 30 January 2012 - 08:00 PM

Is there a version for Mac? My clean computer is an iMac.

Apologies.

#10 m0le, Malware Response Team

Posted 30 January 2012 - 08:05 PM

No, there are no Mac programs on this forum at all, El Love.

Sorry :(

#11 El Love, Topic Starter

Posted 30 January 2012 - 08:08 PM

Is there any way to run a program without it being 32bit? I think if we can somehow manage that, we may be able to get somewhere. It seems to only kill 32bit (*32) processes.

#12 m0le, Malware Response Team

Posted 30 January 2012 - 08:17 PM

We can't run a 32-bit program in 64-bit. But we can test the theory.

Attempt to download these two files. One is the 32-bit SystemLook program:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


The other is the 64-bit version:

Please download SystemLook from the link below and save it to your Desktop.
Download Mirror #1
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


We're not interested in the result of the scan but let me know which one(s) run.
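The "*32" that Task Manager showed next to the killed processes marks 32-bit (WOW64) processes on 64-bit Windows, which is why the test above uses one 32-bit and one 64-bit build of SystemLook. Whether a tool will run as 32-bit or 64-bit is fixed in its PE header: the Machine field of IMAGE_FILE_HEADER (0x014C for x86, 0x8664 for x64) and the optional-header magic (0x10B PE32, 0x20B PE32+). As an added example that is not part of this thread and not code from SystemLook or its author, this Python script reads those fields so the bitness of a downloaded tool can be checked on the clean machine before it is carried over. The header bytes built by build_sample_pe are constructed for demonstration and are not an executable.

```python
import struct

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
OPT_MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_bitness(data):
    """Read IMAGE_FILE_HEADER.Machine and the optional-header magic of a PE image."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER, 20 bytes
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    # The optional header (if any) starts right after the COFF header.
    opt_magic = struct.unpack_from("<H", data, coff + 20)[0] if opt_size >= 2 else None
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "is_32bit": machine == 0x014C,
        "optional_header": OPT_MAGIC_NAMES.get(opt_magic, "none"),
    }


def pe_bitness_from_file(path):
    """Classify an executable on disk (e.g. a downloaded SystemLook.exe)."""
    with open(path, "rb") as f:
        return pe_bitness(f.read())


def build_sample_pe(machine, opt_magic):
    """Constructed MZ stub + PE signature + COFF header + optional-header magic only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, 0x0102)
    return bytes(dos) + PE_MAGIC + coff + struct.pack("<H", opt_magic)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        info = pe_bitness_from_file(path)
        print(f"{path}: {info['machine_name']}, {info['optional_header']}")
    if len(sys.argv) == 1:
        for m, o in ((0x014C, 0x10B), (0x8664, 0x20B)):
            print(build_sample_pe(m, o)[:2], pe_bitness(build_sample_pe(m, o)))
```

A tool reported as x86 will appear with "*32" in Task Manager on this machine and is the one to expect trouble from, given the pattern described in the first post; an x64 build has no such marker.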

#13 El Love, Topic Starter

Posted 30 January 2012 - 08:18 PM

If worst comes to worst I'll just use the factory recovery option. I think that's the only other option at this point.

#14 m0le, Malware Response Team

Posted 30 January 2012 - 08:20 PM

That's always an option and the safest one (if not the most practical if you have unrecoverable files).

This infection isn't following the usual pattern though so if you did have time and could get hold of another Windows machine to run xPUD I would be quite happy to have a look around and see what this is. Your choice though, El Love.

#15 El Love, Topic Starter

Posted 30 January 2012 - 08:24 PM

Oh I missed the latest post with the 32/64 bit files. I will try that now.