
Blinking cursor after running offline Windows Defender


This topic is locked
35 replies to this topic

#1 markitsmad

  • Members
  • 31 posts
  • Gender:Male
  • Location:London

Posted 28 October 2012 - 07:04 AM

Hi:

First of all let me apologise - I have got into trouble by trying to remove a virus and looking for a solution on this forum even though I did not check this forum initially for advice on malware removal.

I have a Windows XP machine which was infected by the Ukash / Metropolitan Police ransomware. I disconnected the machine from its internet connection and ran the offline version of Windows Defender from a USB drive. I initially ran it as a quick scan and removed what it had identified as malware. I then ran a full scan. After having run the full scan I was unable to remove the 6 or so pieces of malware discovered. So I thought I would try and restart the machine anyway to see if the threat was more manageable.

On rebooting the machine there were no POST-type errors, but Windows XP did not load and I am stuck with a blinking cursor in the top left-hand corner of the screen.

Any suggestions about what I can do?

best wishes

Mark

#2 Elise

    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 30 October 2012 - 12:34 PM

Hello, and welcome to BleepingComputer! :)

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 markitsmad


Posted 09 November 2012 - 04:47 AM

Attached File  mbr.zip   521bytes   4 downloads

Elise:

Apologies for the delayed response, but I have been unwell!

I attach the zipped copy of the mbr.bin file as requested!

best wishes

Mark

#4 Elise


Posted 09 November 2012 - 07:28 AM

Unfortunately you have a nasty rootkit on board. Please run the following fix, then try to boot normally in Windows.

  • Download tdl_fix.sh and save it to an USB drive.
  • Boot the infected computer with the CD you just burned and the flash drive inserted
  • The computer must be set to boot from the CD (How to boot from the CD-ROM)
  • Follow the prompts
  • A Welcome to xPUD screen will appear, choose your language
  • click the File tab.
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type
    bash tdl_fix.sh
    then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type
    sda
    then press Enter when prompted.
  • You will be shown a list of partitions to choose from for marking active.
  • Type 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows. (change to boot from harddisk)
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

regards, Elise




#5 markitsmad


Posted 09 November 2012 - 08:36 AM

Elise:

Thanks for your prompt reply.

tdl_fix.txt file attached.

Re-started machine and it ran chkdsk - identified volume as dirty. Resolved issues.

Re-started machine and booted in to windows OK.

Ran HitmanPro and a Trojan & 2 pieces of malware were identified.

What do you suggest?

best wishes

Mark


#6 Elise


Posted 09 November 2012 - 09:18 AM

Let's run a few scans to see what else needs fixing here. :)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click Advanced options and check "scan for TDLFS File System".
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit. Most likely the TDLFS file system will be detected; you can allow that to be deleted (Cure will not be an option).
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#7 markitsmad


Posted 09 November 2012 - 10:41 AM

Hi Elise:

Ran TDSS Rootkiller and it found nothing.

See attached Word screenshot and log file.

Tried to run DDS but each time (despite shutting down AV and disconnecting internet) it ran double the suggested time and locked up the machine - left it 15 min before re-booting, as this was the only way to get back in.

Had earlier run Hitmanpro and attach the log from this.

Other symptoms are:

- My Computer, My Docs, Run, etc. are not visible from the Start button
- All Program folders are visible but not their content, i.e. shortcuts to programs (NB: I had previously run 'unhide' to make some of these visible before contacting you).

best wishes

Mark


#8 Elise


Posted 09 November 2012 - 11:15 AM

It's detected just fine. :)

14:46:15.0007 2284 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
14:46:15.0007 2284 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Please delete this instead of skipping, and afterwards try to run DDS again. Please do not run other scans in the meantime.

regards, Elise




#9 markitsmad


Posted 09 November 2012 - 11:56 AM

Hi Elise:

Deleted TDSS file system as suggested.

Disabled AV & disconnected from internet but DDS still does not run :-(

best wishes

Mark

#10 Elise


Posted 09 November 2012 - 12:05 PM

Hi Mark, in that case let's just use another tool. :)

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise




#11 markitsmad


Posted 09 November 2012 - 12:32 PM

Elise:

Thanks for your patience.

Success!

Files attached.

Mark


#12 Elise


Posted 09 November 2012 - 01:43 PM

Hi again, please see if the following will run. If not, just exit and let me know.

We need to run a scan with Combofix:

  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button and save the file to your desktop.
  • Disable any anti-virus and/or firewall software you have installed.
    instructions can be found here if needed
  • Close all open windows including your web browser
    as mentioned in the first post, you may want to print out all instructions before starting
  • Double-click on the ComboFix icon on your desktop.
  • Read the Disclaimer and click I Agree if you want to run the software.
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.

    However, if you are prompted to do so, please click Yes to download the Microsoft Windows Recovery Console.

    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode
  • Allow ComboFix to reboot the computer if necessary, it will run again after you log back in.
  • When complete, a log file will be displayed, please copy and paste the contents of this file into your next post.

More information about downloading and using ComboFix can be found here if needed.

regards, Elise




#13 markitsmad


Posted 12 November 2012 - 05:26 AM

Elise:

Ran ComboFix - it ran the bit about the Recovery Module and restarted the PC, but the log.txt file did not appear to be displayed. Is there anything I can do to check whether it ran and identify the location of the log file?

best wishes

Mark

#14 Elise


Posted 12 November 2012 - 06:41 AM

You can find the log at c:\combofix.txt

regards, Elise




#15 markitsmad


Posted 12 November 2012 - 06:53 AM

Elise:

This does not exist in this location - is the implication that Combofix did not run - should I run it again?

best wishes

Mark



