Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removed malware with HitmanPro now can't login


  • This topic is locked This topic is locked
14 replies to this topic

#1 turtle2k1

turtle2k1

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 03 February 2013 - 05:35 PM

I removed some malware/virus with HitmanPro and whenever my computer starts it goes staright to a login screen where the only option is 'other user'. All username/password combinations I can think of do not work and there are no other options? I have tried system restore but no restore points are recognised (even though I created one last week). I managed to run FRST using command prompt in the recovery environment. The log is below. I am using Vista. Many thanks.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-02-2013 02
Ran by SYSTEM at 03-02-2013 19:22:40
Running from G:\
Windows ™ Code Name "Longhorn" Preinstallation Environment (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Winlogon: [Shell] cmd.exe /k start cmd.exe [x ] ()

==================== Services (Whitelisted) ===================

3 sacsvr; C:\Windows\System32\sacsvr.dll [14848 2006-11-02] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

0 FBWF; C:\Windows\System32\DRIVERS\fbwf.sys [69120 2006-11-02] (Microsoft Corporation)
0 Ramdisk; C:\Windows\System32\DRIVERS\ramdisk.sys [22528 2006-11-02] (Microsoft Corporation)
0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [83560 2006-11-02] (Microsoft Corporation)
0 WimFsf; C:\Windows\System32\Drivers\WimFsf.sys [52224 2006-11-02] (Microsoft Corporation)
3 USBSTOR; C:\Windows\system32\drivers\usbstor.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-02-03 19:22 - 2013-02-03 19:22 - 00000000 ____D C:\FRST
2013-02-03 12:53 - 2013-02-03 16:09 - 268435456 __ASH C:\Windows\System32\temppf.sys

==================== One Month Modified Files and Folders ========

2013-02-03 19:22 - 2013-02-03 19:22 - 00000000 ____D C:\FRST
2013-02-03 16:09 - 2013-02-03 12:53 - 268435456 __ASH C:\Windows\System32\temppf.sys
2013-02-03 16:09 - 2009-06-20 19:55 - 00060048 ____A C:\Windows\System32\FNTCACHE.DAT


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2006-11-02 00:38] - [2006-11-02 01:46] - 0633856 ____A (Microsoft Corporation) E698A5437B89A285ACA3FF022356810A

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2006-11-02 00:52] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6

c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 4024.07 MB
Available physical RAM: 3613.56 MB
Total Pagefile: 3776.23 MB
Available Pagefile: 3607.31 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: (PQSERVICE) (Fixed) (Total:10 GB) (Free:1.92 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:69.52 GB) (Free:55.75 GB) NTFS
3 Drive e: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
4 Drive f: (PQSERVICE) (Fixed) (Total:10 GB) (Free:1.92 GB) NTFS
5 Drive g: (DATAWRITE) (Removable) (Total:1.97 GB) (Free:1.97 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (ACER) (Fixed) (Total:69.52 GB) (Free:33.52 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1849 KB
Disk 1 Online 2017 MB 0 B

Partitions of Disk 0:
===============

ACTIVE - Mark the selected basic partition as active.
ADD - Add a mirror to a simple volume.
ASSIGN - Assign a drive letter or mount point to the selected volume.
ATTRIBUTES - Manipulate volume attributes.
AUTOMOUNT - Enable and disable automatic mounting of basic volumes.
BREAK - Break a mirror set.
CLEAN - Clear the configuration information, or all information, off the
disk.
CONVERT - Convert between different disk formats.
CREATE - Create a volume or partition.
DELETE - Delete an object.
DETAIL - Provide details about an object.
EXIT - Exit DiskPart.
EXTEND - Extend a volume.
FILESYSTEMS - Display current and supported file systems on the volume.
FORMAT - Format the volume or partition.
GPT - Assign attributes to the selected GPT partition.
HELP - Display a list of commands.
IMPORT - Import a disk group.
INACTIVE - Mark the selected basic partition as inactive.
LIST - Display a list of objects.
ONLINE - Online a disk that is currently marked as offline.
REM - Does nothing. This is used to comment scripts.
REMOVE - Remove a drive letter or mount point assignment.
REPAIR - Repair a RAID-5 volume with a failed member.
RESCAN - Rescan the computer looking for disks and volumes.
RETAIN - Place a retained partition under a simple volume.
SELECT - Shift the focus to an object.
SETID - Change the partition type.
SHRINK - Reduce the size of the selected volume.

=========================================================

Partitions of Disk 1:
===============

ACTIVE - Mark the selected basic partition as active.
ADD - Add a mirror to a simple volume.
ASSIGN - Assign a drive letter or mount point to the selected volume.
ATTRIBUTES - Manipulate volume attributes.
AUTOMOUNT - Enable and disable automatic mounting of basic volumes.
BREAK - Break a mirror set.
CLEAN - Clear the configuration information, or all information, off the
disk.
CONVERT - Convert between different disk formats.
CREATE - Create a volume or partition.
DELETE - Delete an object.
DETAIL - Provide details about an object.
EXIT - Exit DiskPart.
EXTEND - Extend a volume.
FILESYSTEMS - Display current and supported file systems on the volume.
FORMAT - Format the volume or partition.
GPT - Assign attributes to the selected GPT partition.
HELP - Display a list of commands.
IMPORT - Import a disk group.
INACTIVE - Mark the selected basic partition as inactive.
LIST - Display a list of objects.
ONLINE - Online a disk that is currently marked as offline.
REM - Does nothing. This is used to comment scripts.
REMOVE - Remove a drive letter or mount point assignment.
REPAIR - Repair a RAID-5 volume with a failed member.
RESCAN - Rescan the computer looking for disks and volumes.
RETAIN - Place a retained partition under a simple volume.
SELECT - Shift the focus to an object.
SETID - Change the partition type.
SHRINK - Reduce the size of the selected volume.

=========================================================

Last Boot: 2012-01-25 17:46

==================== End Of Log ============================

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 03 February 2013 - 07:27 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




I do not know if this will work but it is a shot



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Last Boot: 2012-01-25 17:46


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 turtle2k1

turtle2k1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 04 February 2013 - 04:54 PM

I ran the fix log and got the following output. The computer will not boot to the other user login page now it just starts trying to boot and then restarts in a cycle until i turn it off?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-02-2013 02
Ran by SYSTEM at 2013-02-04 21:51:34 Run:1
Running from G:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 04 February 2013 - 05:18 PM

Hello


while in the recovery environment I want instead of picking command prompt try startup repair
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 turtle2k1

turtle2k1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 04 February 2013 - 05:31 PM

It says 'startup repair cannot repair this computer automatically'

At the bottom of the repair details it says:

Root cause found:
---------------------
Boot configuration is corrupt.

Repair action:partial table repair
Result: Failed. Error code = 0x490

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 04 February 2013 - 06:18 PM

Boot back into the recovery environment and this time select command prompt


type in the following


bootrec /rebuildbcd
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 turtle2k1

turtle2k1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 05 February 2013 - 12:21 PM

Windows error recovery now appears. If I select launch startup repair nothing happens and if I select start windows normally it just boots to the windows error recovery again. Am I looking at having to do a clean install of Vista? Thanks

#8 turtle2k1

turtle2k1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 05 February 2013 - 12:31 PM

I've just tried to do a startup repair from the recovery console of Vista DVD and it states it cannot complete a repair automatically.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 05 February 2013 - 12:31 PM

It is starting to look like it - is there any files you would like to save from the computer?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 turtle2k1

turtle2k1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 AM

Posted 05 February 2013 - 01:39 PM

Yes i'm just trying to copy them to my usb stick from command prompt.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 05 February 2013 - 09:26 PM

Hello


here is something I have used to do just that - remove files from an unbootable computer



You don't need to run the scan that is listed - just when you get booted into xpud you can navigate around using the left hand pane to find your files



Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 08 February 2013 - 03:04 AM

just checking on you did you get your files removed?
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 12 February 2013 - 01:16 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 15 February 2013 - 06:41 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 AM

Posted 18 February 2013 - 02:16 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users