trojandropper


30 replies to this topic

#1 Robertboughton


Posted 21 July 2012 - 10:17 AM

I have what I think is a trojan dropper virus.

About a minute or so after starting my laptop I get the following popup:
"Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."

I did manage to get rkill.com to stop it running and was able to run Malwarebytes which appeared to find some trojans and kill them off. It asked me to reboot to finish its cleanup, but when the laptop restarted the virus ran again as above.

Can you help? It's driving me mad!!!!!!!!!

Edited by hamluis, 21 July 2012 - 10:41 AM.
Moved from Vista to Am I Infected - Hamluis.



#2 narenxp


Posted 21 July 2012 - 10:43 AM

Does this happen in safe mode?

Download aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

Edited by narenxp, 21 July 2012 - 10:44 AM.


#3 Robertboughton


Posted 21 July 2012 - 11:04 AM

Yes, it happens in safe mode as well

I can only get as far as launching aswMBR before the computer shuts down again!

#4 narenxp


Posted 21 July 2012 - 01:08 PM

Let me ask a malware response team member to help you

good luck

#5 Elise


Posted 24 July 2012 - 04:25 AM

Hello, and sorry for the delay.

Could you run rkill once again and post me the MBAM log?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 Robertboughton


Posted 24 July 2012 - 04:16 PM

Hello
See below log from rkill.com
I also got 3 message boxes that came up one after the other, all saying "Installation failed". This was after launching rkill, but before the cmd window appeared.
Hope this helps diagnose my problem
Thanks
Robert

======================================================
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 24/07/2012 at 22:07:18.
Operating System: Windows Vista ™ Business


Processes terminated by Rkill or while it was running:

C:\Windows\system32\services.exe
C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe


Rkill completed on 24/07/2012 at 22:07:30.

#7 Elise


Posted 24 July 2012 - 04:28 PM

Well, that at least tells us what the problem is! :)

Can you continue to work in Windows after you run rkill like this? If so, do the following.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#8 Robertboughton


Posted 24 July 2012 - 04:35 PM

I don't think I can run this. I won't have enough time before I get the shutdown message "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."

I only had just about enough time to complete the rkill log and save it to a flash drive before it shut down.

#9 Elise


Posted 25 July 2012 - 02:22 AM

Do you have a Vista DVD at hand?

regards, Elise




#10 Robertboughton


Posted 25 July 2012 - 03:44 AM

Sorry, no I don't have the Vista DVD.
Regards
Robert

#11 Elise


Posted 25 July 2012 - 05:12 AM

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB drive and CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f and press Enter.
  • Type services.exe and press Enter
  • After it has finished a report will be located on your USB drive named filefind.txt
  • Exit xPUD, remove the USB drive and insert it back in your working computer and navigate to filefind.txt

    Please note - all text entries are case sensitive
Copy and paste the filefind.txt for my review

regards, Elise



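The file search the xPUD steps above perform, as an added example that is not the thread's driver.sh (whose contents are never shown here): a small POSIX shell function that searches an offline-mounted Windows volume for an exact, case-sensitive file name and writes a filefind.txt report with path, size and SHA-256, so a second copy of services.exe outside Windows\System32 (the only place it normally lives) is easy to spot. The mount point, the output path and the match_count helper are assumptions; GNU stat and sha256sum are assumed, as on a Linux live CD.

```shell
# Added example, not the thread's driver.sh (its contents are never shown here):
# a small POSIX shell search over an offline-mounted Windows volume, producing a
# filefind.txt in the shape the thread expects. Assumptions: the sick disk is
# mounted (read-only) at MOUNT, e.g. /mnt/sda1 under xPUD, and GNU stat/sha256sum
# are available, as they are on a Linux live CD.

# filefind MOUNT NAME OUTFILE
# Writes "Search results for NAME" and then one tab-separated line per file whose
# name matches NAME exactly: full path, size in bytes, SHA-256. On a clean system
# services.exe exists only under Windows\System32, so any second hit (or a hit
# with an unexpected size/hash) is what a helper wants to see in the report.
filefind() {
    mount=$1; name=$2; out=$3
    {
        echo "Search results for $name"
        # find -name is case sensitive on Linux, exactly as the thread warns:
        # searching for "service.exe" or "Services.exe" returns the header only.
        find "$mount" -xdev -type f -name "$name" 2>/dev/null |
        while IFS= read -r f; do
            size=$(stat -c %s "$f")
            hash=$(sha256sum "$f" | cut -d ' ' -f 1)
            printf '%s\t%s bytes\t%s\n' "$f" "$size" "$hash"
        done
    } > "$out"
}

# match_count OUTFILE: number of hits recorded in a report (header excluded),
# so a report holding nothing but the header, as in post #14, counts as 0.
match_count() {
    n=$(wc -l < "$1")
    echo $((n - 1))
}

# Example usage on the live CD (constructed; adjust the mount point):
#   filefind /mnt/sda1 services.exe /mnt/sdb1/filefind.txt
```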

#12 Robertboughton


Posted 25 July 2012 - 06:07 AM

Thanks very much for this.
May take a while for me to complete. Will get back to you with the results as soon as I can
Regards
Robert

#13 Elise


Posted 25 July 2012 - 06:16 AM

Okay, please take your time! :)

regards, Elise



#14 Robertboughton


Posted 25 July 2012 - 07:46 AM

Not sure if I've done something wrong. I followed your instructions and that all went fine, but the log file is very short. It just contains:

Search results for service.exe

That's it, nothing else.
Regards
Robert

#15 Elise


Posted 25 July 2012 - 07:57 AM

That's because you used the wrong file name; it's services.exe, not service.exe :)

regards, Elise

