How do I recover HD infected with USPS Virus


This topic is locked. 5 replies to this topic.

#1 DocnOR

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:03 PM

Posted 09 March 2012 - 03:46 PM

EDIT: moved from AII to MRL for proper assistance.


I opened an attachment of a USPS Email Delivery Failure Notice; I was expecting a package that was late arriving and it GOT ME!
This virus started as a PC Check and quickly turned into a "Reboot" loop and shut down all access to "C" drive from safe mode, CD/DVD RW, 3.5 floppy, and hid "C" drive files.
How can I access this drive to remove infected files or do I format entire drive and lose wanted info on drive?
This same virus hit a second drive installed in same machine a month later, only it just Shut Down on its own and when I restarted it hours later it went into reboot loop instantly. I shut down machine and haven't tried to restart it, so I don't know if I can boot from XP CD or not. This virus seems to block more ways of access each time you reboot it.
I read one solution here but since I cannot load windows or a dos prompt it does me no good. Unless.......
Could I install a new drive, install XP + Service Pack 1-3 and then make the infected drive a slave and access it from the new drive to disinfect the drive or copy needed files and reformat the drive?
Please any help would be great ........
Thank you .... Doc

Edited by boopme, 09 March 2012 - 04:10 PM.


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,997 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:04:03 PM

Posted 10 March 2012 - 09:21 AM

Hi DocnOR and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the [image] button but use the [image] button instead.
  • In the upper right hand corner of the topic you will see the [image] button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,997 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:04:03 PM

Posted 11 March 2012 - 07:44 AM

Greetings DocnOR,


Welcome aboard. Let's try this first step to see if we can determine what is going on with your machine.

Please attempt to perform the following for me, if you would.


===================================================


BartPE/OTLPE

--------------------

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.


----------


  • Download the PE Builder to your desktop

  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up

----------


  • Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive

  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located (You can click on the "..." button on the right to navigate to the path as well)
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank
      • Output:
        • Keep the default
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD
  • Download the RunScanner plugin and save it to your desktop

    Please note: You will be prompted for the folder that it shall be saved in. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

  • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with SP2 then highlight RpsSS needs to launch DComLaunch and then press Enable
  • When you are done press Close and the PE Builder interface will re-appear

----------


  • Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

----------


  • Download OTLPE.zip

  • From your clean computer please download OTLPE.zip from here or here and save it to a flash drive.
  • Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

----------


Plug your flash drive into your sick computer now and do as instructed below


----------


  • Restart Your sick Computer Using the PE Builder ISO CD That You Have Created

    • Insert the CD in to one of your CD/DVD drives.
    • Restart your computer
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option
    • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
    • After it loads press the Go button in the lower left and do the following
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
  • Next choose
    • Go
    • Programs
    • A43 File Management Utility

----------


  • In A43 File Management you should see your flash drive
  • Navigate to the OTLPE folder that you saved to your flash drive
  • Open the OTLPE folder and double click Start.cmd
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start
  • Change the following settings
  • Change Services, Drivers, Standard and Extra Registry to All
  • Uncheck LOP and Purity check
Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!


----------


  • Copy and Paste the following code from your flash drive into the [image] textbox.

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT
  • Push [image]
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive.
  • Copy and Paste them in your next reply.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • OTLPE.txt
  • Extra.txt

Edited by Oh My, 11 March 2012 - 12:30 PM.

Gary
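The /md5start ... /md5stop block in the OTL script above hashes a fixed list of system files so the helper can compare them against known-good copies, and the original poster asked about attaching the infected drive to a clean install to inspect it offline. The following is an added example written for this page, not code from the thread, from OTL/OTLPE or from BartPE: it mounts nothing itself, but takes the path of a system root that is already mounted from a clean environment (a boot CD or a second machine), hashes a few of the same files the OTL list names, and reports each as ok, modified or missing against a baseline. The relative paths under the system root, the baseline hashes and the demo drive it builds in a temporary directory are all constructed for the demonstration.

```python
"""
Offline integrity check of critical Windows system files.

Added example, not from the original thread or from the OTL/OTLPE tools.
Given a system root mounted from a clean environment, hash a list of files
and compare each hash to a known-good baseline.  File names come from the
OTL script's /md5start list; the paths, hashes and demo content are
constructed for this demo and are assumptions, not values from the page.
"""
import hashlib
import os
import tempfile

# Relative locations under the mounted system root (assumed for the demo).
WATCHED_FILES = {
    "userinit.exe": "WINDOWS/system32/userinit.exe",
    "atapi.sys": "WINDOWS/system32/drivers/atapi.sys",
    "iaStor.sys": "WINDOWS/system32/drivers/iaStor.sys",
}


def md5_of_file(path, chunk=65536):
    """MD5 of a file read in chunks; MD5 is used only to match OTL's output."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_system_files(mount_root, baseline):
    """Return {file name: 'ok' | 'modified' | 'missing'} for WATCHED_FILES."""
    results = {}
    for name, rel in WATCHED_FILES.items():
        path = os.path.join(mount_root, *rel.split("/"))
        if not os.path.isfile(path):
            # A missing core file is itself a finding on a machine that no
            # longer boots, so it is reported rather than skipped.
            results[name] = "missing"
            continue
        results[name] = "ok" if md5_of_file(path) == baseline.get(name) else "modified"
    return results


# Constructed baseline: hashes of the bytes a "clean" copy would contain.
DEMO_BASELINE = {
    "userinit.exe": hashlib.md5(b"clean userinit").hexdigest(),
    "atapi.sys": hashlib.md5(b"clean atapi").hexdigest(),
    "iaStor.sys": hashlib.md5(b"clean iastor").hexdigest(),
}


def build_demo_drive():
    """Construct a fake mounted drive: one clean file, one altered, one absent."""
    root = tempfile.mkdtemp(prefix="offline_drive_")
    contents = {
        "userinit.exe": b"clean userinit",   # matches the baseline
        "atapi.sys": b"tampered atapi",      # differs from the baseline
        # iaStor.sys is deliberately not written, so it reports as missing
    }
    for name, data in contents.items():
        path = os.path.join(root, *WATCHED_FILES[name].split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_drive()
    for file_name, status in check_system_files(demo_root, DEMO_BASELINE).items():
        print(f"{file_name}: {status}")
```

For a real drive, point `check_system_files` at the mount point of the slaved or boot-CD-mounted volume and build the baseline from hashes taken off known-clean installation media for the same XP service pack; a hash from the infected machine itself proves nothing. MD5 is kept here only because it matches what the OTL log shows, so the two can be compared side by side.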

#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,997 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:04:03 PM

Posted 14 March 2012 - 07:56 AM

Greetings DocnOR,


===================================================

72 Hour Bump

It has been more than 72 hours since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,997 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:04:03 PM

Posted 16 March 2012 - 04:54 PM

Greetings DocnOR,

Do you still need assistance?

If we don't receive a reply within 24 hours we will assume the issue has been resolved and we will close this topic.
Gary

#6 thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 PM

Posted 18 March 2012 - 04:20 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



