
Need help with NASTY virus


  • This topic is locked
69 replies to this topic

#1 jelindholm

  • Members
  • 47 posts

Posted 15 July 2012 - 11:11 AM

Hello!

This is my last effort to get help before I turn my laptop into an expensive coaster...or a frisbee.

I have a Windows 7 Sony Vaio i3 laptop and a very nasty virus. My laptop worked perfectly two days ago. Yesterday afternoon, I left my computer, and came back to find about twenty of the same pop-up on the screen that looked legitimate, saying that there was some kind of error. Unfortunately I didn't write it down, but another pop-up window came up that looked like an actual Windows message saying to 'scan now' or restart, but there were some grammatical errors so I could tell it was fake. I had been getting the blue screen occasionally the past couple of weeks but was always able to return to normal.

All of my files on the desktop were greyed out/hidden but I have my laptop set so I can see hidden files. All of my startup items, control panel, etc. were missing from the start menu. Only a few things remained (Firefox, etc.) but they wouldn't run anyway. After researching online I typed "System Restore" in start, and was able to ignore the many pop-ups to restore to a previous Windows from the 13th. Took a long time, but that worked, and once I had it up and running, I was able to copy pretty much all of my files to an external hard drive quickly. I restarted, and was able to get into safe mode. I ran Malwarebytes, and it found more than 20 items. Removed them. Scanned with Spybot and it found 50 more items! Removed them but it said 5 remained. Restarted in regular mode. Within minutes the pop-ups started again. Ran "system restore" again overnight. Woke up and it had successfully restored. Tried to run "Vaio Care" so I could do a "factory reset" from its built-in drive, but within minutes of entering Windows I immediately got the pop-ups and all the programs were gone again - Vaio Care disappeared as I was trying to run it.

Now - I can't get past the blue screen! I should be able to push F10 or Alt+F10 to get to the Vaio Recovery options when rebooting, but when I do, I get the blue screen. I can press F8 when the Vaio logo comes up, and I get the Advanced Boot Options, but I tried safe mode, safe mode with networking, and safe mode with command prompt, and I get the blue screen "BAD_SYSTEM_CONFIG_INFO" for each. In trying to boot to regular Windows 7 mode, I get "UNMOUNTABLE_BOOT_VOLUME". Tried to set it to not restart when there's an error - that didn't work.

Contacted Sony (my laptop is out of warranty) and they give you 15 minutes free tech support, which I tried twice. The only thing they could advise me to do was press F2 and enter the BIOS, then reset the BIOS to factory, which I did, then try to access Vaio Recovery. Still get the same blue screen every time.

PLEASE HELP! A Vaio Recovery Disk is too expensive for me right now, and I'd almost rather go without a laptop until I can buy a new one...another thing to mention - this is not your typical SmartHDD virus - no antivirus popped up on the screen when I WAS able to access Windows. I did get the C: failed messages though, and could not run a CD/DVD or anything on an external HD, or copy any files when the virus was in effect. All of my files on the computer were immediately hidden.

Thanks so much for your time,
J.


 


#2 Elise

  • Malware Study Hall Admin
  • 61,076 posts

Posted 17 July 2012 - 02:20 AM

Hello, and sorry for the delay!
This certainly should be fixable, but first we need to find out a bit more about what's going on.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 jelindholm


Posted 17 July 2012 - 09:32 AM

Okay great! I will try this now! I hope it works...Thanks so much for your help!

#4 jelindholm


Posted 17 July 2012 - 10:21 AM

Okay...the clean computer was able to do everything you said and finally burn the iso. I put the newly burned DVD and a USB into the infected laptop and turned it on. It is already set to run from the internal optical DVD drive.

A screen came up with the xPUD logo and a language selection. I chose English and pressed enter once. It took a long time to leave this screen. It didn't ask me for any other selections (ex. where you said to select "File") - a black screen with white text came up and it started running the program (I guess).

Here is what it said - I have to type this out from a screen shot I took with my phone - here goes:

----
09 i686
Kernel command line: noisapnp quiet initrd=/opt/media lang=en knap=us BOE=/boot/xpud
Build Date: 26 October 2009 05:15:02PM
xorg-server 2:1.6.4-2ubuntu4 (buildd@)
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (ii) notice, (II) international,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Tue Jul 17 10:56:32 2012
(==) Using config file: "/etc/X11/xorg.conf"
(EE) No devices detected.

Fatal server error:
no screens found

Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
Please also check the log file at "/var/log/Xorg.0.log" for additional information.

ddxSigGiveUp: Closing log
[ 11.322421] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[ 11.325381] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[ 11.355459] sd 6:0:0:0: [sdb] Assuming drive cache: write through
giving up.
xinit: No such file or directory (errno 2): unable to connect to X server
xinit: No such process (errno3): Server error.
xauth: (argv:1: bad display name "(none):0" in "remove" command
sh: no job control in this shell
sh-4.0# _
------

Since it said "unable to connect to X server", I checked my wifi on the laptop and the slider had been turned to the OFF position - thought that may have affected the outcome. So I turned it back on and restarted. It ran the program again - this time I didn't press enter for English and it ran anyway. I got the same exact response. I checked the USB with the clean computer because the light on the USB came on and was flashing like it was doing something, but there was no new file on the USB.

SO - am I doing something wrong?

Thank you again for your help!

#5 jelindholm


Posted 17 July 2012 - 10:24 AM

WAIT a minute! My screen is so bright apparently I missed the [TAB to enter options] at the bottom under language selections! Didn't see it until I sat down across the room and looked from another angle. It was so faint...trying again now!! Sorry

#6 jelindholm


Posted 17 July 2012 - 10:29 AM

I hit TAB (to enter options), and on the same logo screen for xPUD at the bottom (underneath language selections) the following pops up:

> /boot/xpud noisapnp quiet initrd=/opt/media lang=eng kmap=us

I didn't press anything else yet...

#7 jelindholm


Posted 17 July 2012 - 10:36 AM

Pressed enter after the "> /boot/xpud noisapnp quiet initrd=/opt/media lang=eng kmap=us" popped up on the bottom of the screen and it got the same result as posted above. I also tried using the arrow keys, tab, etc. and it doesn't respond to anything.

#8 Elise


Posted 17 July 2012 - 10:48 AM

This means xPUD doesn't recognize your video hardware, which is not uncommon.

I'd like you to follow the instructions given at Ubuntu Windows Installer to allow you to run Ubuntu alongside your current system.

Now boot your machine into Ubuntu:
  • Once the Ubuntu desktop is loaded, click the top icon in the left panel.
  • Type terminal in the search box.
  • Click on the first Terminal icon that is displayed - this will open a command prompt window
  • Type the following line and press enter

    sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • Now open Home Folder (click the third icon from the top in the left panel)
  • Right click on mbr.txt and select copy
  • Next select File System from the left side of the Home Folder
  • Now double click on host folder
  • Move mouse into space, right click and select paste
  • Now reboot your machine into Windows
  • Attach c:\mbr.txt to your next reply

regards, Elise




#9 jelindholm


Posted 17 July 2012 - 11:02 AM

Okay, I will do this - but do I burn it on a disk in order to run it on the infected laptop? I still can't get past the blue screen to enter Windows...

#10 jelindholm


Posted 17 July 2012 - 11:04 AM

Never mind - found the iso file for Ubuntu and I'm downloading it now - I'll burn to disk and try to run it on the laptop...

#11 Elise


Posted 17 July 2012 - 11:08 AM

Okay, please let me know in case you encounter any trouble. :)

regards, Elise




#12 jelindholm


Posted 17 July 2012 - 11:38 AM

Okay! I have the Ubuntu disk running in the laptop now. It's asking if I want to TRY or INSTALL Ubuntu - which one?

#13 Elise


Posted 17 July 2012 - 11:52 AM

Try, that way you run as live CD, which means no changes are made to your computer.

regards, Elise




#14 jelindholm


Posted 17 July 2012 - 12:08 PM

Okay thanks! I'll post an update shortly.

#15 jelindholm


Posted 17 July 2012 - 12:16 PM

Okay, I got as far as clicking on 305 GB Filesystem, which is the only option similar to File System in the Home Folder, but there is no Host folder there...

Instead, I pasted it into the USB drive folder - is that okay?



