Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

malware for two days


  • This topic is locked This topic is locked
43 replies to this topic

#1 miz-h

miz-h

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 17 August 2012 - 08:57 AM

Two days ago, my xp pro was running fine. I was away from it for 30 mintes and when i returned, the screen was full of those blue warning windows telling me the hard drive was crashing, damaged, this was wrong, that was wrong. I did not panic, because I had a similar problem a year ago. Blasted thing has hidden nearly everything on my desktop; all but about five programs in the all programs file; my control panel, device manager, etc are all hidden. Used another computer to find my favorite bleeping computer site. Read, read, read. confused confused confused. opened Infected computer in safe mode with networking, could NOT get to Internet Explorer. Icon is on desktop, it blinks on/off when I right click it and tell it to open. Bleeping tells me to download stuff to my desktop, then run same. Cannot download from infected due to IE not working. Bleeping tells me to use another computer and download to a flash drive. Using my 92 year old mother's computer and HER flash drive, I tried to download to the flash drive and have no blasted idea if the "unhide" is on there or not. That's the only link I tried downloading. I'm hoping that unhide IS on the flash drive, so I plug that into my infected computer. The logo for it came right up on the screen in safe mode. Yet clicking on the logo does nothing. Clicking right or left on the smaller icon on the task bar does nothing. No menu pops up. I decide...stupidly, I guess, to reboot infected computer with flash drive still plugged in, hoping it would automatically tell me something upon relife. Infected computer will not boot. Black screen. Power light's on. Power light on flash drive is also on. Network light on computer is flashing as is normal. Usually a light next to that one blinks as the computer works itself around. THAT LIGHT is not even blinking a hair.

I am secure in knowing my files and data and life are still in there somewhere. Now what the heck have I done and how do I fix it??? The infected computer is an Acer desktop with XP Pro. My mom's laptop, which I hope to use as a "jumper" computer is a Dell running Windows 7. I am a logical person, yet have NO idea what I'm doing. I had to look up a tutorial on how to use a flash drive.

Edited by hamluis, 17 August 2012 - 10:22 AM.
Moved from XP to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


#2 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:18 PM

Posted 17 August 2012 - 07:17 PM

Hello,

I will be helping you with your problems. Please be patient while I assist you.

Some points for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do NOT run, install or uninstall any programs, unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

----------------------------------------------

Please do the following:

:step1:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe on your desktop to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click on change parameters
  • Under Objects to scan, check the box next to Loaded modules
  • If you are asked to reboot, then click Yes.

Next

  • Check the boxes next to Loaded modules, Verify file digital signatures, Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do NOT choose Delete or Quarantine unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the full contents of that file in your next reply.

:step2:

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the full contents of that document.


:step3:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the full contents of the log in your next reply.


:step4:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore points
NOTE: When using "Reset FF Proxy Settings" option Firefox should be closed.

Click Go and post the full contents of the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 18 August 2012 - 06:10 AM

You say to download tdss rootkit removing tool and save it to my desktop. I can download it from another computer and save it to a flash drive. I cannot GET TO my desktop due to black screen on infected computer. You say to backup and save everything that is important on my infected computer. I cannot GET TO what is important on my infected computer due to black screen.

I have had rkill on a flash drive, plugged into infected computer for 12 hours...unable to do anything with it due to black screen.

I did try control alt dele, which turned off the computer and then right back on. I pushed the f12 button and got a screen that asked how I wanted the computer to boot up. There were very few choices listed, and none, I thought would actually boot the computer. But I chose the flash drive, since it at least had the rkill on it. Now I have a black screen with a blinking cursor. Looks like I should type in a DOS command, but that's from another century, and I never learned much...have forgotten what I learned. Any ideas at this point, please?

Thanks, BC, for taking the time to help....

Edited by miz-h, 18 August 2012 - 07:41 AM.


#4 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:18 PM

Posted 18 August 2012 - 09:08 AM

Hi

Are you able to boot into safe mode or safe mode with networking?

See here for instructions on how to boot into either of those.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#5 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 18 August 2012 - 09:19 AM

No. I could yesterday until I tried to download the rKill from the flash drive. Now, when I try to boot up pushing the F8 key for safemode, it goes to a totally black screen, no blinking cursor. But when I rebooted using the F12 button, I got the window asking what to boot it with, which listed non-booting things. I chose the flash drive and WAS able to get to the black screen with blinking cursor.

#6 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 18 August 2012 - 09:22 AM

AND...yesterday, when I Was ABle to get to safe with networking, the malware would NOT allow me to open the internet explorer. I would click on the icon and would get a VERY quick flash, like it was trying to open it, but then nothing. I tried left clicking, right clicking-open, going to start (where at the time the only things left on there were my email and internet) clicking on the internet there, same results as from the desktop. I'm possitive this is a malware nasty thing, but no idea which one or how to proceed when I cannot get to the desktop...

#7 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:18 PM

Posted 18 August 2012 - 02:39 PM

Please remove the flash drive from the infected PC.

Next then try to get into safe mode via the link in my previous post.

Were you able to get into safe mode?
- If not then please say what happens in detail.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#8 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 18 August 2012 - 03:28 PM

I removed the flash drive; hit control alt dele to rejump the computer. Pushed F8, actual safe mode choice page came up. I selected safe mode with networking.

Right now it is sitting on a page listing "multi(0)disk(0)rddisk(0)partition(2)\Windows\system32\drivers\disk.sys"
or pci.sys or isapop.sys or pciide.sys or PCIIDEX.sys or Mount Mgr.sys or ftdisk.sys or dnload.sys or dnio.sys or PartMrgr.sys or UBHelper.sys or Volsnap.sys or atapi.sys or iaStor.sys or CLASSPNP.SYS or fltmgr.sys or sr.sys or KnxAMRT.sys or PxHelp20.sys or KSecDD.sys or Ntfs.sys or NDIS.sys or MUP.sys or kmxstart.sys

Now, about 4 minutes later, there is the blue "windows is starting up" screen. That stayed up for 12 minutes. Window now says: windows is running in safe mode...to proceed to work in safe mode, click yes." I clicked yes.

Now, I have a desktop. Shows icons for email stripper, recycle bin, internet explorer, outlook express, and windows media player (which I've never had up there because I don't use it) and a notepad of rkill, which has been up there since last year. I have a start button which, when pushed give me an icon for internet explorer and outlook express .... all programs, when clicked, lists MS Office small bus tools, MS Office tools, Safari, windows manager, and windows movie maker

THANK YOU FOR GETTING ME HERE!!!! Should I try to hit the internet explorer?? Yesterday, it would just only flash and not really open.

#9 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:18 PM

Posted 19 August 2012 - 05:06 AM

Hi

:step1:

Please backup any files from the flash drive you wish to keep, as the drive will be wiped.
Be careful not to backup any files ending in .exe, .com, .pif, and .scr since this reduces the chance that infected files will be backed up.


:step2:

In Safe mode, after you get to the desktop, insert the flash drive.


:step3:

Next format the drive, following the instructions on link

:step4:

Let me know when you have done steps 1-3 above and I can give you the next instructions.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#10 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 19 August 2012 - 06:03 AM

I'm sorry, BC... I do not understand. the link above is for formatting the HARD drive of my computer. Are we going to be erasing everything on my whole computer??? I do not see, on the above link, ANY mention of formatting a flash drive. I've looked around from link to link on YOUR link, above, and I am more confused than ever. (also, IN that link it says something about going to start and then type in the dialogue box some code. The other day, when I clicked on start, I HAD no dialogue box. I've not clicked on ANYTHING at all since I got to the safe mode screeen yesterday, so I'm not sure what's going to be there)

I really don't want to lose everything on my computer.

#11 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:18 PM

Posted 19 August 2012 - 07:28 AM

Hi

You need to format your USB flash drive, not your hard drive. - Even though the article tells you how how to format the hard drive, use the same instructions to format your USB flash drive only.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#12 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 19 August 2012 - 08:31 AM

okay. I'll see if it makes sense as I'm trying it... saying my computer prayers, here.

#13 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 19 August 2012 - 08:46 AM

In Windows XP and earlier, click on Start and then Run.

Or, Start and then to the control panel.

I cannot access either the control panel OR the run option. When I click on START, the only thing I have are icons for IE and Outlook Express, the Log Off, the Turn off Computer and All Programs. When I click on All Programs, I only get a List of 5 programs: MS Office Small Business Tools; MS Office Tools; Safari; Windows Messenger; Windows Movie Manager

So, I cannot follow the instructions to format the Flash Drive...unless you know of some other way to do it??? Could I Format it on my mother's laptop (windows 7) and then use it on my infected computer (XP PRo)????

#14 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:18 PM

Posted 19 August 2012 - 10:44 AM

Could I Format it on my mother's laptop (windows 7) and then use it on my infected computer (XP PRo)????

Yes good idea. - Format the Flash drive on that PC, and let me know once you've done it.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#15 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 19 August 2012 - 11:10 AM

THANK the stars, thAT's done! Was so afraid I was going to erase HER computer stuff...there'd be heck to pay.

OK, BC... I now have a freshly formatted flash drive...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users