'Other User' Virus after S.M.A.R.T. Virus Removal Attempt


12 replies to this topic

#1 eyerin100

  • Members
  • 7 posts

Posted 19 June 2012 - 09:56 AM

I'm trying to help rescue my parents' laptop that was infected with the S.M.A.R.T. Virus. I'm not that tech-savvy myself, but am willing to seek any help before they pitch their seemingly pooched computer.

They are running Vista Basic (pre-installed with purchase) on a Dell Inspiron 1525 and there were no recovery disks included with their purchase. I had installed MalwareBytes, CCleaner and Spybot on their unit when purchased, which they ran on a regular basis, and were pretty good at keeping up with it.

Thanks to this amazing site, we managed to bring most of it back from its condition by using RKill and unhide (downloaded on USB from my clean laptop). It seemed to be successful, as the desktop icons mostly came back, and the above anti-virus, cleaning programs were run several times at this point and during rkill. At one point on his own, my father tried a restore point through safe mode, as there were still a couple of crazy things (for one, Google toolbar pop-up installation he couldn't get rid of). I'm not sure if that was a good idea or not, but it was done.

When the laptop is fired up now in a normal manner, the black and white Windows Error Recovery Screen comes up, then a few seconds later, a sort of abnormal large looking "Please Wait" starts and circles, then it goes into the dreaded 'Other User' Screen that looks fake. If you press Enter then, another bogus screen comes up that says User Name and Password. No matter what, there is no way in getting past this. These fake screens look 'different' and the text is large and blurry. I'm not sure what particular name this virus may have or if it's an off-shoot of another one.


The bottom line is:
-Dell will ONLY send recovery disks within the U.S. (We're in Canada)
-F8 Safemode attempts (any and EVERY option on that page) always take us back to the bogus User Name Screen.
-Tried burning a credible (?) recovery CD - boot disk for Vista and booting from BIOS, placing the CD/DVD option first... it was looking promising until I eventually got a pop-up message saying it wasn't compatible. It was the right version... maybe a poorer choice website.

I'm at my wits' end with this nasty 'User name' thing that nothing, but nothing can get past. Perhaps I have a good use for the hammer in our toolbox now.

As I mentioned, I'm not really that computer savvy, but can take some direction, even though I'm still learning computer-speak. Any help is sincerely appreciated.

ADDED: I'm not sure if this is relevant, but I just tried various F keys upon turning the beast on. I came into:
_______________________________________________________________________________________________

"EDIT BOOT OPTIONS"
Edit Windows boot options for: Windows Vista
Path: \Windows\system32\winload.exe
Partition: 3
Hard Disk: 80
[ /NOEXECUTE=OPTIN IN/MINT
]



ENTER=Submit

______________________________________________________________________________________________

Edited by eyerin100, 19 June 2012 - 10:12 AM.




#2 boopme

  • Global Moderator
  • 73,530 posts

Posted 19 June 2012 - 11:36 AM

Hello, let's also do this, if you can. If not, we can do something else.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.


Get a new copy and Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running rkill, as the malware programs will start again. Or, if rebooting is required, run it again.



Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 19 June 2012 - 11:37 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 eyerin100

Posted 19 June 2012 - 01:23 PM

Hello boopme,

Thank you very much for your reply.

I can't run any logs.
Basically, I can't get into anything on the computer.

Seems no matter what I do - (any options in F8 or otherwise), I'm always kicked into the fake 'Other User' page. I have tried every possible option in F8, including safe mode and running down the list of all the options.

Starting the computer normally, the same thing happens.

I was able to run rkill, unhide, mbam, etc. previously with the SMART Virus, until this nasty piece of work took over :(

I am sending this through my own clean computer and not the infected one.

Edited by eyerin100, 19 June 2012 - 01:32 PM.


#4 narenxp

  • BC Advisor
  • 16,371 posts

Posted 19 June 2012 - 01:28 PM

Try this: press F10 on bootup.

In this line

/NOEXECUTE=OPTIN IN/MINT

Just remove this entry by using backspace

IN/MINT

After removing, it should look like this

/NOEXECUTE=OPTIN

Now press ENTER

See if you can start normally now

Edited by narenxp, 19 June 2012 - 01:36 PM.


#5 eyerin100

Posted 19 June 2012 - 01:38 PM

Narenxp,
I booted up with F10, and backspaced to remove IN/MINT, pressed enter, and unfortunately was still taken back to the darned Other User Screen.

#6 boopme

Posted 19 June 2012 - 02:11 PM

This infection changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program. To fix this we must first download a Registry file that will fix these changes. From a clean computer, please download the following file and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.

FixNCR.reg

Insert the removable device into the infected computer and open the folder for the drive letter associated with it. You should now see the FixNCR.reg file that you had downloaded onto it. Double-click on the FixNCR.reg file to fix the Registry on your infected computer.
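An added example, not part of the thread and not the contents of FixNCR.reg: the setting post #6 refers to is the registry's `.exe` file association, and the Python below checks a registry export for values that differ from the Windows defaults. The sample export, the ProgID `xyz` and the `rogue.exe` path are constructed; `exefile` and `"%1" %*` are the default values on Windows.

```python
import re

EXPECTED_PROGID = "exefile"    # Windows default: .exe maps to this ProgID
EXPECTED_COMMAND = '"%1" %*'   # Windows default: run the clicked file itself
CLASS_ROOTS = ("classes", "hkey_classes_root")

# Constructed regedit export (the ProgID "xyz" and the path are made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="xyz"
[HKEY_CURRENT_USER\Software\Classes\xyz\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\rogue.exe\" -a \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_default_values(text):
    """Map each key path (lowercased) to its default (@) string value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = re.sub(r'\\(.)', r'\1', line[3:-1])  # undo \" and \\
    return values

def find_exe_hijacks(text):
    """Return (key, value, reason) for .exe launch settings that are not default."""
    vals = {k: (k.split("\\"), v) for k, v in parse_default_values(text).items()}
    findings, progids = [], {EXPECTED_PROGID}
    for key, (parts, value) in vals.items():
        if len(parts) >= 2 and parts[-1] == ".exe" and parts[-2] in CLASS_ROOTS:
            progids.add(value.lower())  # also check this ProgID's open command
            if parts[0] == "hkey_current_user":
                findings.append((key, value, "per-user .exe override"))
            elif value.lower() != EXPECTED_PROGID:
                findings.append((key, value, "unexpected ProgID"))
    for key, (parts, value) in vals.items():
        if (len(parts) >= 5 and parts[-3:] == ["shell", "open", "command"]
                and parts[-5] in CLASS_ROOTS and parts[-4] in progids
                and value != EXPECTED_COMMAND):
            findings.append((key, value, "launch command is not the default"))
    return findings

if __name__ == "__main__":
    print(find_exe_hijacks(SAMPLE_EXPORT))
```

A per-user `.exe` key is flagged whatever its value, because entries under `HKEY_CURRENT_USER\Software\Classes` take precedence over the machine-wide ones.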

#7 eyerin100

Posted 19 June 2012 - 02:55 PM

I have only used a USB stick once or twice. I downloaded the FixNCR.reg program onto my clean computer with a USB and double-checked the drive to view the USB drive files to be sure it's there. Apologies, but I don't use a flash drive much.

On the USB stick data, I see:
FixNCR Registration Entries 2 KB

I then fired up Mr/Ms. Infectious, plugged in the USB and waited... I inserted the flash drive separately both before and after firing up and gave it plenty of time. No matter what I do, the boot up process always leads me to the fake (?) 'Other User' page that's giving me grief.

This 'Other User' page, in describing it, has the familiar blue-green Windows background with 'Other User' and above that, an enlarged 1" X 1" icon of a blank computer screen. The 'Other User' font almost resembles a safe mode situation, where everything is larger and a bit stretched out, if you know what I mean. There is an 'Ease of Access' button on the bottom left hand corner, which doesn't respond to left click or right click.

I am at a loss.

#8 boopme

Posted 19 June 2012 - 03:48 PM

Hmmm. Time for a deeper look. From the first account... Please go here... Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.

#9 eyerin100

Posted 19 June 2012 - 04:52 PM

With all due respect, boopme, this is great if I could do Steps 6 - 9, but I can't get any further or create any logs with this laptop always immediately reverting to the Other User screen.

Thanks for the suggestion of putting this in another topic, but creating any log anywhere whatsoever seems to be an impossibility at this stage.

"If GMER won't run (it may not on a 64 bit system) skip it and move on."

I guess I'll have to move on, but thanks for the help and your time.

The laptop is pooched, I guess.

Much appreciate your time and patience.

Edited by eyerin100, 19 June 2012 - 04:57 PM.


#10 boopme

Posted 19 June 2012 - 07:22 PM

Ok, I was hoping it would work. I will have another come here and get this back up. You will need a flash or CD drive.

#11 eyerin100

Posted 19 June 2012 - 09:42 PM

I asked my Dad to have another good relook for any disks that came with the machine. He'd been hospitalized the last few days and now on the mend, so was able to find some. They'd been tucked away for 4 years.

He found the 'Dell Reinstallation CD for Window Vista Home Basic' (is THIS the gem we're looking for?!). The disk says 'The software is already installed on your computer. Use this DVD only to reinstall the OS on a Dell PC.'

Also a 'Microsoft Works 9' disk, a 'Dell Drivers and Utilities' disk (Already installed on your Computer), Dell 'Application' disk (Already installed on your computer), and a Roxio Creator.

Please tell me this is all good?

NOTE: There is not much on this infected laptop that is critical for backing up. At this point, a working one is better than its current state.

I so appreciate your concerns with my problem. :)

Edited by eyerin100, 19 June 2012 - 10:19 PM.


#12 eyerin100

Posted 22 June 2012 - 10:52 AM

UPDATE: Solved!

After almost a week of monkeying around with this blasted Dell Inspiron 1525 computer, I can proudly drop it off to my parents today and the old girl looks just as good as new. Just like me now. :)

My adventures, being a person who is fairly computer challenged, have been interesting to say the least. From getting Vista reinstalled (easy), to a missing Network Controller Driver after painstakingly following Dell's recommendations, order and instructions, then for some unknown reason finding a mile long ?fb_xd_fragment= after the msn.com address on the home page when the thing finally connected to the internet. All in all, I managed and survived. Thank goodness the original Dell disks were found.

I just wish to say that this website is a complete Godsend and I visited often during the last month when the S.M.A.R.T. virus hit, which also spawned more malware and rendered the machine totally inoperable.

I'm thrilled, my parents are overjoyed, and now I can get back to work. Thank goodness I'm self-employed.

Thank you, thank you, thank you for all the amazing info on bleepingcomputer.com. It will be my go-to website for sure if I'm ever (heaven forbid) in this situation again, or even just popping in here and there to enjoy all the tutorials and fantastic information.

:)

#13 boopme

Posted 22 June 2012 - 02:29 PM

Thank you for the update and kind words! :thumbup2: