
Celas Virus


38 replies to this topic

#1 cdeford


Posted 21 May 2012 - 08:31 PM

Hi,

I have acquired the CELAS virus (21 May). I've had one lockout while in safe mode (which is how I know what it is). Apart from that I'm getting multiple (usually every few seconds but can be longer) attempts to install Flash Player. If I don't stop the first install process, it starts a second with slightly different wording. I can kill the processes easily enough. Three processes are started. 1) ping.exe. 2) FP_AX_CAB_INSTALLER.exe (this results in a small blue pop-up saying Adobe Flash Player Installer and has a moving bar). 3) InstallFlashPlayer.exe (which gives a red pop-up, saying Adobe Flash Player 11.2 Installer). The lockout only happened once when I was in safe mode (with networking) trying to get rid of this problem, and gave me the same CELAS screen described by others. I can stop the processes with ctrl-alt-del or closing the pop-up windows, and boot normally or into safe mode.

My PC is very old (XP SP1). I only have a recovery disk from the PC seller, which no longer works (plus the company (Carrera) went out of business years ago), so I can't do a re-install or repair from disk.

Any help would be appreciated.

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2800.1106
Run by CdeFord at 0:57:20 on 2012-05-22
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programs\utilities\acrobat 7\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\programs\utilit~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - d:\programs\utilities\ws-ftp\wsbho2k0.dll
BHO: {8d2dcceb-8eb1-4b50-aa2b-de457cb6d064} - c:\windows\system32\javaee32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [nForce Tray Options] sstray.exe /r
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [EPSON Stylus C84 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
mRun: [WinampAgent] "d:\programs\audio\winamp 2.91\Winampa.exe"
mRun: [YeppStudioAgent] c:\program files\samsung\samsung media studio\SamsungMediaStudioAgent.exe
mRun: [Acrobat Assistant 7.0] "d:\programs\utilities\acrobat 7\distillr\Acrotray.exe"
mRun: [XFILTER] "c:\program files\filseclab\xfilter\xfilter.exe" -a
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [UnlockerAssistant] "d:\programs\utilities\unlocker\UnlockerAssistant.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\filsec~1.lnk - c:\program files\common files\filseclab\FilMsg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\squeez~1.lnk - h:\multimedia\music\music database\utilities\sb server\SqueezeTray.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: Convert link target to Adobe PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\programs\utilities\acrobat 7\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all by Net Transport - d:\programs\utilities\nettransport\NTAddList.html
IE: Download by Net Transport - d:\programs\utilities\nettransport\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\programs\utilit~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D5DBAE5D-EAC5-411D-A8C4-DD2CAC686518} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
Notify: xromnop - c:\windows\system32\config\systemprofile\local settings\application data\xromnop.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\cdeford\application data\mozilla\firefox\profiles\q41ck5ik.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\java\jre1.5.0_01\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: d:\programs\audio\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\programs\audio\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\programs\video\vlc media player\npvlc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RefControl: {455D905A-D37C-4643-A9E2-F6FEFAA0424A} - %profile%\extensions\{455D905A-D37C-4643-A9E2-F6FEFAA0424A}
FF - Ext: Names Dictionary for rikaichan: {566D6332-1439-43bf-857E-7AD5F137AD0C} - %profile%\extensions\{566D6332-1439-43bf-857E-7AD5F137AD0C}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: ImageHost Grabber: {E4091D66-127C-11DB-903A-DE80D2EFDFE8} - %profile%\extensions\{E4091D66-127C-11DB-903A-DE80D2EFDFE8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: KillJasmin: killjasmin@pierros14.com - %profile%\extensions\killjasmin@pierros14.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-05-21 19:53:37 0 ----a-w- c:\documents and settings\cdeford\ntuser.tmp
2012-05-21 18:54:48 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2011-06-03 15:25:52 625984 ----a-w- c:\program files\common files\ZugoInstaller.exe
2005-06-26 21:32:28 616448 -csha-r- c:\windows\system32\cygwin1.dll
2005-06-22 04:37:42 45568 -csha-r- c:\windows\system32\cygz.dll
2006-05-03 11:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47:16 31232 -csha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30:52 216064 -csha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00:00 107520 -csha-r- c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 0:57:41.21 ===============
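As an added example (not a tool from this thread, from DDS or from BleepingComputer), a small Python triage script that re-reads lines of the kind found in the DDS log above and flags the entries an analyst would check first. The severity rules are assumptions drawn from common infection patterns of the time; a flagged line is a lead to investigate, not a verdict.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' and 'Find3M' lines.

Added example for this thread, not a BleepingComputer or DDS tool. The
scoring rules below are assumptions drawn from common 2012-era infection
patterns; a flagged line is a lead for the analyst to check, not a verdict.
"""
import re

# Constructed sample: lines copied from the DDS log posted above, mixed with
# benign entries so the filter has something to let through.
SAMPLE_LOG = [
    r"BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\programs\utilities\acrobat 7\activex\AcroIEHelper.dll",
    r"BHO: {8d2dcceb-8eb1-4b50-aa2b-de457cb6d064} - c:\windows\system32\javaee32.dll",
    r"TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File",
    r"mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe",
    r"Notify: AtiExtEvent - Ati2evxx.dll",
    r"Notify: xromnop - c:\windows\system32\config\systemprofile\local settings\application data\xromnop.dll",
    r"2011-06-03 15:25:52 625984 ----a-w- c:\program files\common files\ZugoInstaller.exe",
    r"2005-06-26 21:32:28 616448 -csha-r- c:\windows\system32\cygwin1.dll",
]

# DDS hook lines look like "<kind>: [name] <clsid> - <path>"; Find3M lines look
# like "<date> <time> <size> <attrs> <path>", where attrs is an 8-character
# flag string such as "-csha-r-" (s = system, h = hidden, a = archive, r/w).
HOOK_RE = re.compile(r"^(?P<kind>BHO|TB|EB|Notify|mRun|uRun|StartupFolder): (?P<rest>.*)$")
FIND3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ (?P<attr>[-a-z]{8}) (?P<path>.+)$")
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Directories a Winlogon Notify DLL has no business living in (assumption).
PROFILE_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


def triage_line(line):
    """Return (severity, reason) for a suspicious DDS line, else None."""
    m = HOOK_RE.match(line)
    if m:
        kind, rest = m.group("kind"), m.group("rest")
        # The file path is whatever follows the last " - " separator.
        path = rest.rsplit(" - ", 1)[-1].strip().lower()
        if path == "no file":
            return ("low", f"{kind} entry whose file is missing (orphaned registration)")
        if kind in ("BHO", "TB", "EB") and CLSID_RE.match(rest):
            # Legitimate add-ons almost always register a display name.
            return ("high", f"{kind} with no display name, only a CLSID: {path}")
        if kind == "Notify" and any(d in path for d in PROFILE_DIRS):
            # Winlogon Notify DLLs run at every logon; a profile data
            # directory is an unusual home for one.
            return ("high", f"Winlogon Notify DLL loaded from a profile directory: {path}")
        return None
    m = FIND3M_RE.match(line)
    if m:
        attr, path = m.group("attr"), m.group("path").lower()
        if "s" in attr and "h" in attr and "\\system32\\" in path:
            return ("medium", f"hidden+system attributes on a system32 file: {path}")
    return None


def triage(lines):
    """Run triage_line over a log and return findings sorted by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in lines:
        hit = triage_line(line.rstrip("\r\n"))
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    findings.sort(key=lambda f: order[f[0]])  # stable sort keeps log order within a level
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {reason}")
        print(f"         {line}")
```

To run it over a real DDS log, pass the file's lines to `triage()` in place of the constructed sample.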


#2 fireman4it

Malware Response Team

Posted 22 May 2012 - 06:37 PM

Hello cdeford,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

The following tools can be run in safemode if needed. Please try to run them in normal mode first.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 cdeford


Posted 22 May 2012 - 07:06 PM

Hi, thanks for helping. Unfortunately TDSSKiller.exe does not run, even after renaming it as suggested.

#4 fireman4it

Malware Response Team

Posted 22 May 2012 - 07:42 PM

Have you tried Combofix yet? If not go ahead and run it.



#5 cdeford


Posted 23 May 2012 - 09:53 AM

I downloaded and ran Combofix. It installed the recovery console, then started scanning. It identified rootkitzeroaccess as being present. It then said it had detected rootkit activity and needed to reboot my PC. After rebooting it started scanning. It got to 'stage 5 complete' when I had to go out for an appointment. When I got back there was a notepad log on the screen. I couldn't save it though, or even read most of it because I had lost mouse and keyboard support. After rebooting normally or to safe mode I still have no mouse or keyboard so the PC is effectively dead (I'm writing this in the library). If I boot to the console I have keyboard support but I don't know what to do with it.

#6 fireman4it

Malware Response Team

Posted 23 May 2012 - 04:59 PM

Hello,

Have you tried booting into safe mode?
Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.



#7 cdeford


Posted 24 May 2012 - 08:44 AM

Yes, I've already tried that. No mouse or keyboard in safe mode with or without networking. In fact I can't get in because I can't select username.

#8 fireman4it

Malware Response Team

Posted 24 May 2012 - 03:43 PM

Do the keyboard and mouse both use USB ports? If so, try a different USB port.

Do you have a USB Flash drive?



#9 cdeford


Posted 24 May 2012 - 04:32 PM

Keyboard is PS/2. Mouse is USB, though I use it with a PS/2 adapter. I tried the mouse in a different USB port with no effect. Yes I have a USB flash drive.

#10 fireman4it

Malware Response Team

Posted 24 May 2012 - 06:52 PM

Restoring ERUNT through the Recovery Console

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs


6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

Have your mouse and keyboard back now?

Edited by fireman4it, 24 May 2012 - 06:58 PM.



#11 cdeford


Posted 24 May 2012 - 07:52 PM

Sorry that didn't work. After getting to c:\windows and entering the batch command, I got the message "The system cannot find the file or directory specified". I did dir and found ERDNT with 0 bytes.

Edit: Whoops, sorry, missed the first step, please ignore.

Edit 2: After carrying out the batch command correctly, the PC tried to boot into Windows, but stalled on the following error message: "Windows cannot find C:\Combofix\CF9834.3XE" and hangs on the blue screen. I could not click the OK button because mouse and keyboard are still dead.

Edited by cdeford, 24 May 2012 - 08:04 PM.


#12 fireman4it

Malware Response Team

Posted 25 May 2012 - 05:22 PM

Hello,

You have downloaded and run ComboFix from your C: drive instead of your desktop, as per the directions I gave you. When you left your machine after ComboFix ran, rebooted and left the notepad there, your antivirus probably became active and deleted a ComboFix file needed to run. This is the reason we give directions to be patient and let it run and post the notepad immediately. We will try a couple other methods. Try booting into safemode and see if you can get into windows.


1.
1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

chkdsk /r

(note the space between chkdsk and /r)
6. Allow it to complete undisturbed.
7. Remove the CD/DVD then reboot. Windows should now begin loading.


2.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

notepad

  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by fireman4it, 25 May 2012 - 05:23 PM.



#13 cdeford


Posted 25 May 2012 - 06:31 PM

Believe me when I say I appreciate you trying to help me, but please don't tell me I've done something I haven't. I downloaded ComboFix to my desktop and ran it from there. If the log needed to be posted immediately before the antivirus could kick in again then I'm sorry for that, but there are no instructions to that effect as far as I can see, though my AV doesn't delete files without manual confirmation anyway (at least not normally). I have done everything exactly as requested bar the one thing in the recovery console that certainly didn't cause any problems.

Now, as for the new instructions:

I ran chkdsk /r from the console
I don't know what CD/DVD you are referring to but I re-booted and the chkdsk command made no difference.

I downloaded frst and saved it to a flash drive which I inserted into the PC, then booted to the console. Typing 'notepad' simply gave the 'the command is not recognised' error message. I then tried running frst using all possible drives and each time received the same error message as above.

However, I do not know what you mean by 'Enter System Recovery Options' so conceivably I have missed something there.

Are you sure ComboFix works properly on SP1? Likewise, that the version of the console installed by ComboFix works properly on SP1? Because I'm beginning to have my doubts that either are compatible.

Edited by cdeford, 26 May 2012 - 07:18 AM.


#14 fireman4it

Malware Response Team

Posted 27 May 2012 - 11:44 AM

Are you sure ComboFix works properly on SP1? Likewise, that the version of the console installed by ComboFix works properly on SP1? Because I'm beginning to have my doubts that either are compatible.

Combofix is compatible with all Windows versions XP and above.


Please erase Frst from your USB. We will try another option. We will try and get a System Restore point before Combofix ran to go back to and see if that gives you back your mouse and keyboard.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
    Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

Edited by fireman4it, 27 May 2012 - 11:47 AM.



#15 cdeford


Posted 27 May 2012 - 02:23 PM

Hello. I've created the bootable flash drive. How do I boot from it? If it's meant to be automatic it doesn't work. Also I don't see anything after pressing F8. Unless it's Directory Services Restore Mode, I haven't tried that. Does it matter what file system is used for the quick format? I used NTFS since the only other option was exFAT. If it needs to be FAT32 I'll need to get a new flash drive.

I tried enabling the flash drive in the bios. There were various USB settings and I tried them all, setting them as primary boot location in each case, but the flash drive was ignored each time. I do have a floppy drive but no disks.

Is there any way to tell from the first logs I posted what the likelihood is that programs or data on drives other than c: might have been infected? Also, what the risk of re-infection might be if I access the current c: drive as a data drive only?

Edited by cdeford, 27 May 2012 - 03:24 PM.
