
Terrible Infection


This topic is locked
43 replies to this topic

#1 shar907

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 09 February 2013 - 02:16 PM

Could not open programs on my computer. Word program and many of the others disappeared. Internet Explorer disappeared. Could only get on the internet through Google Chrome. Could not use ComboFix, it kept stalling. Had to do a force shutdown. Now I can't get to my desktop. I keep getting the black screen that says safe mode, safe mode with networking, start windows normally, etc. When I click one of them it goes to a faint Windows screen, then Dell screen, then the black screen over and over again until I force it to shut down. I can't boot from a CD disk or USB stick I made on another computer after going to F2 and F12 to change which disk to boot from. It said invalid disk and the USB stick won't open the files I need. These were the instructions I got from another computer help site. Still not working. Help

 

Shar907





#2 dev00790

    Bleeping Chocoholic

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 10 February 2013 - 09:39 AM

I will be reporting this topic to staff who deal with unbootable computers. Someone will be with you soon.


Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 February 2013 - 10:07 AM

Hi shar907,

It appears you are getting help here:
http://www.geekstogo.com/forum/topic/327041-win-32-expiro-infection/

Please confirm. You should only work with one helper. Geeks to Go is a great forum with a great community of malware helpers just like BleepingComputer. If that is not you, I can help with this issue.

-etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#4 shar907
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 13 February 2013 - 12:20 AM

Feel more comfortable here. Was surprised to read the ComboFix program had a problem and that it was not reported on Geeks To Go. My computer is still not functioning. Will try this website for now.

Thanks

Shar907



#5 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 13 February 2013 - 06:40 AM

Hi shar907,

OK, I will help you with this issue. G2G is a great site as well and maliprog was doing the same things I would start with, and nothing they asked you to do resulted in the new issues you are encountering. I will warn you that Expiro is a nasty infection. The chances of recovery are slim. It is of a type called 'file infector'. This class of infection (including Ramnit, Virut, Sality, etc.) infects and rapidly spreads across all files. It can also corrupt your operating system, which likely explains the issues you have with freezing and booting at this point.

In my opinion, Expiro and other file infectors are not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

These kinds of viruses can also spread via flash drive, so I recommend a complete reformat and restoring your backup. It's just not safe to pull your files off of this machine as the virus can easily spread. Expiro also has a backdoor functionality:

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Step 1


If you want to attempt cleaning, please give me more information about the boot cycle. It is critical for me to understand exactly where it stops loading.

You boot, it shows a Dell logo, it asks you to boot into normal or safe mode, no matter what you select you see the Windows logo then it reboots again?

I saw that OTLPE didn't work for some reason. We'll try xPud from a USB flash drive. We'll just see if we can get it booting that way first. Try this please. You will need a blank USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB. If that doesn't work, let me know. Booting from USBs is different depending on your BIOS.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
-etavares

Edited by etavares, 13 February 2013 - 06:42 AM.
Moved to Virus Removal Forum




#6 shar907
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 13 February 2013 - 09:51 PM

Finally got there but through the cd. Couldn't do it through the usb. Have the program on the sick computer screen now. Will wait for further instructions. Thanks



#7 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 14 February 2013 - 09:58 AM

Hi shar907,

If you want to attempt cleaning, please give me more information about the boot cycle. It is critical for me to understand exactly where it stops loading.

You boot, it shows a Dell logo, it asks you to boot into normal or safe mode, no matter what you select you see the Windows logo then it reboots again?

Please answer that question. Exactly where it stops loading and rebooting will tell me where to look and what to run in xPud to try and get this booting.

-etavares




#8 shar907
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 14 February 2013 - 10:57 AM

When I boot it shows a faint Windows screen, quickly goes to the Dell screen, then the black screen with the safe mode, safe mode with networking screen, etc. If I click the safe mode or safe mode with networking, a list scrolls by quickly. It says Multi disk, partition, Windows System32, Drivers. Then it goes back to the Windows screen, Dell screen, black screen. If I click last good configuration, or normal, it just goes back to the Windows screen, Dell screen and repeats itself until I shut it down.

 

Thanks



#9 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 14 February 2013 - 03:40 PM

Hi shar907,

Please download:
http://noahdfear.net/downloads/xPUD_userinit_fix.ndf to a USB flash drive.

Boot the infected computer into xPud as before.
Once xPud loads, insert the USB drive you downloaded the file to and wait a minute.
Click file and navigate to your USB. It's usually \mnt\sdb1\

Double-click xPud_userinit_fix.ndf from that location. It will run. When done, you'll see UserinitReport.txt show up in your USB drive.

Shut down xPud and pull out the flash drive.

From your clean computer, upload UserinitReport.txt to your reply in this thread. Then, try to boot the infected computer...DO NOT insert any USB drive if windows boots...we want to be careful to prevent the infection from jumping.

-etavares

Edited by etavares, 14 February 2013 - 03:40 PM.




#10 shar907
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 14 February 2013 - 07:57 PM

When I save it on the USB flash drive the name of the file is xPUD_Userinit_fix, NDF file, 645kb. The icon with this file is Internet Explorer. I saved it on the USB flash and did as instructed. I could not find my USB flash drive in the xPud program. I did find mnt sdb1. But could not find the xPUD file.

Thanks



#11 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 February 2013 - 06:36 AM

Is there mnt\sdb2 or mnt\sdc1? I can't predict where the usb drive will end up, it depends on your system setup.




#12 shar907
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 15 February 2013 - 10:19 PM

I found it. It was in the mnt folder, sda1 folder. Then I opened a bus folder and found the USB file. I clicked it and it went to 6 folders (001-006). Then it went to "Searching for software hive.....please wait". This is the log I got:

Remote Registry Userinit Report

Login counts data not found in SAM
list_users: Cannot find usernames in registry! (is this a SAM-hive?)

(...)\Windows NT\CurrentVersion\Winlogon| Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,

userinit.exe search results
a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/system32/userinit.exe
25.5K Apr 14 2008

winlogon.exe search results
ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/system32/winlogon.exe
496.0K Apr 14 2008

explorer.exe search results
12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/explorer.exe
1009.5K Apr 14 2008


Tried to boot the infected computer. Still going to the black repeating screen and doing the same thing.

 

Thanks
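
The report above is the output of noahdfear's xPud userinit script. As an added example that is not part of the thread and not that script, the following Python performs the same two checks offline: it validates the Winlogon Userinit value (including the REG_SZ length arithmetic that produces the "68 [0x44]" figure, and flagging any second program chained after userinit.exe) and hashes userinit.exe, winlogon.exe and explorer.exe on the mounted volume, resolving directory names case-insensitively because a Linux mount of the Windows partition is case-sensitive. It assumes the infected disk is mounted read-only at a path such as /mnt/sda1 and that the Userinit string has already been read out of the SOFTWARE hive; hive parsing is out of scope. The sample volume it builds for a stand-alone run is constructed, not data from this thread.

```python
"""Offline audit of the XP logon chain (Userinit value + the three binaries).
Added example, not noahdfear's xPud_userinit_fix script. Assumes the infected
volume is mounted read-only at a path such as /mnt/sda1 and that the Userinit
string has already been read out of the SOFTWARE hive."""
import hashlib
import os
import tempfile

# Components of each binary's default XP path, relative to the mount root.
LOGON_CHAIN = {
    "userinit.exe": ("WINDOWS", "system32", "userinit.exe"),
    "winlogon.exe": ("WINDOWS", "system32", "winlogon.exe"),
    "explorer.exe": ("WINDOWS", "explorer.exe"),
}

# The single entry a clean XP install carries in Winlogon\Userinit.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def parse_userinit(value):
    """Split the comma-separated REG_SZ into individual program paths."""
    return [p.strip() for p in value.split(",") if p.strip()]


def reg_sz_data_length(value):
    """Bytes a REG_SZ occupies in the hive: UTF-16LE plus a NUL terminator.
    For the default value with its trailing comma this is 68 (0x44)."""
    return (len(value) + 1) * 2


def userinit_findings(value):
    """List the problems with a Userinit value; an empty list means clean.
    Malware commonly keeps the real userinit.exe and appends itself after it."""
    problems = []
    entries = parse_userinit(value)
    if not entries:
        problems.append("Userinit is empty; Windows cannot start a user session")
    elif entries[0].lower() != EXPECTED_USERINIT.lower():
        problems.append("first Userinit entry is not the default userinit.exe: " + entries[0])
    for extra in entries[1:]:
        problems.append("extra program chained into logon: " + extra)
    return problems


def resolve_ci(root, parts):
    """Walk parts under root ignoring case: Linux mounts NTFS case-sensitively,
    so 'WINDOWS' and 'Windows' are different names to os.path.join."""
    cur = root
    for part in parts:
        try:
            match = next((n for n in os.listdir(cur) if n.lower() == part.lower()), None)
        except OSError:
            return None
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur


def md5_file(path):
    """MD5 fingerprint of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_logon_chain(mount_root):
    """Map each binary name to (md5, size), or None when it is missing."""
    results = {}
    for name, parts in LOGON_CHAIN.items():
        path = resolve_ci(mount_root, parts)
        if path is not None and os.path.isfile(path):
            results[name] = (md5_file(path), os.path.getsize(path))
        else:
            results[name] = None
    return results


def audit(mount_root, userinit_value):
    """Everything the userinit report shows, as one dictionary."""
    return {
        "userinit_problems": userinit_findings(userinit_value),
        "userinit_data_length": reg_sz_data_length(userinit_value),
        "binaries": hash_logon_chain(mount_root),
    }


def build_sample_volume():
    """Constructed stand-in for /mnt/sda1: mixed-case directory names,
    placeholder files in place of real binaries, and no explorer.exe."""
    root = tempfile.mkdtemp(prefix="xp_volume_")
    sys32 = os.path.join(root, "Windows", "System32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "userinit.exe"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(sys32, "winlogon.exe"), "wb") as fh:
        fh.write(b"hello")
    return root


if __name__ == "__main__":
    print(audit(build_sample_volume(), EXPECTED_USERINIT + ","))
```

The hashes only mean something against a known-good copy of the same file from the same service pack; the 14 April 2008 timestamps in the report are consistent with an XP SP3 install, so that is the reference set to compare with. A clean Userinit value and unchanged hashes rule out one persistence point, not the file infector itself, which is why the helper goes on to ask about the boot log rather than declaring the machine clean.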



#13 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 February 2013 - 06:55 AM

Hello, shar907.
That looks OK. Is there any error code at any point during the boot loop? Do you have your Windows installation CD? We can try a repair install. I think this infection has really corrupted your computer and there is limited chance of recovery. File infectors are a very bad infection. File infectors corrupt the files they infect, which will result in unbootable machines, programs that don't work right, etc. The repair install will leave the infection on your machine, but it may allow us to boot into Windows and attempt to clean what we can. Do you have that CD?


Step 1

Please boot into xPud and look for \mnt\sda1\combofix.txt (it could also be in sda2, sda3, etc.). Please attach it in your reply if it is there.

etavares




#14 shar907
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:Michigan

Posted 16 February 2013 - 12:48 PM

I don't have the Windows Installation cd. It was preinstalled on the computer. I can't find a combofix.txt anywhere. I checked in the sda1 and it only had the combofix.exe. I looked for it everywhere. Could not find it.

 

Thanks



#15 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 17 February 2013 - 06:53 AM

Hello, shar907.

Do you know anyone that may have a windows cd (same version you have) that you could borrow?

Please try booting. Instead of selecting Safe Mode, select Enable Boot Logging. It will log what windows is trying to load and how successful it is.

Step 1
  • Boot the computer with the USB drive again.
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    combofix.txt

  • Press Enter
  • If successful, the script will search for this file.
  • At the next prompt type the following:

    ntbtlog.txt

  • Press Enter
  • At the next prompt, type exit and press Enter
  • After it has finished a report will be located in the USB drive as filefind.txt
  • Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review. That will tell us if ComboFix and the Windows boot log were created. Then, we'll go get them if they were.

etavares

Edited by etavares, 17 February 2013 - 06:54 AM.


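
driver.sh is noahdfear's script and is not reproduced here. As an added example that is not part of the thread and not that script, the following Python does the equivalent of the filefind step (a case-sensitive search of the mounted volume for the names you type, as the post's note on case sensitivity warns) and goes one step further by summarising any ntbtlog.txt it finds, since the last "Loaded driver" line before the log stops is what tells a helper where the boot loop dies. It assumes the infected volume is mounted read-only at the path passed as root (for example /mnt/sda1) and that ntbtlog.txt uses the "Loaded driver ..." / "Did not load driver ..." line format; that format is an assumption about the file, not something the post states. The sample volume and the sample boot log it builds are constructed, not data from this thread, and sample.sys is a hypothetical driver name.

```python
"""Filefind-style search of an offline Windows volume plus ntbtlog.txt summary.
Added example; not noahdfear's driver.sh. Assumes the infected volume is mounted
read-only (e.g. /mnt/sda1) and that ntbtlog.txt uses the 'Loaded driver' /
'Did not load driver' line format (an assumption about the format)."""
import os
import tempfile


def find_files(root, names, case_sensitive=True):
    """Return every path under root whose file name is in names.
    Case-sensitive by default, as driver.sh is: a Linux mount shows NTFS names
    exactly as stored, so COMBOFIX.TXT would not match combofix.txt."""
    wanted = set(names) if case_sensitive else {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            key = fn if case_sensitive else fn.lower()
            if key in wanted:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def summarise_ntbtlog(text):
    """Return (last_loaded, not_loaded): the last driver Windows reported
    loading before the log stops, and the drivers it declined to load."""
    last_loaded = None
    not_loaded = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Loaded driver "):
            last_loaded = line[len("Loaded driver "):]
        elif line.startswith("Did not load driver "):
            not_loaded.append(line[len("Did not load driver "):])
    return last_loaded, not_loaded


def filefind_report(root, names):
    """Report lines a helper would read: hits per requested name, then a
    boot-log summary for every ntbtlog.txt among the hits."""
    lines = []
    hits = find_files(root, names)
    for name in names:
        matches = [h for h in hits if os.path.basename(h) == name]
        lines.append("%s: %s" % (name, ", ".join(matches) if matches else "not found"))
    for h in hits:
        if os.path.basename(h) == "ntbtlog.txt":
            with open(h, "r", errors="replace") as fh:
                last, missing = summarise_ntbtlog(fh.read())
            lines.append("last driver loaded: %s" % last)
            for m in missing:
                lines.append("did not load: %s" % m)
    return lines


# Constructed sample boot log; sample.sys is a hypothetical driver name.
SAMPLE_NTBTLOG = (
    "Microsoft (R) Windows (R) Version 5.1 (Build 2600)\n"
    "Loaded driver \\WINDOWS\\system32\\ntoskrnl.exe\n"
    "Loaded driver \\WINDOWS\\system32\\hal.dll\n"
    "Did not load driver \\SystemRoot\\System32\\Drivers\\sample.sys\n"
    "Loaded driver \\SystemRoot\\System32\\Drivers\\Mup.sys\n"
)


def build_sample_volume():
    """Constructed stand-in for /mnt/sda1: a nested combofix.txt, an upper-case
    decoy that only a case-insensitive search should find, and a boot log."""
    root = tempfile.mkdtemp(prefix="xp_volume_")
    for sub in ("WINDOWS", "logs", "decoy"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "logs", "combofix.txt"), "w") as fh:
        fh.write("sample ComboFix log\n")
    with open(os.path.join(root, "decoy", "COMBOFIX.TXT"), "w") as fh:
        fh.write("wrong case\n")
    with open(os.path.join(root, "WINDOWS", "ntbtlog.txt"), "w") as fh:
        fh.write(SAMPLE_NTBTLOG)
    return root


if __name__ == "__main__":
    for line in filefind_report(build_sample_volume(), ["combofix.txt", "ntbtlog.txt"]):
        print(line)
```

Run it from the clean rescue environment against the mount point, never from the infected Windows itself, and write the report to the USB stick rather than onto the infected volume; the same rule the helper gives about not plugging the stick into a booted, infected Windows applies.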




