
Badly Infected

#1 Dave Clark


Posted 22 April 2013 - 04:03 AM

Attached File: attach.txt (24.84KB)
Attached File: dds.txt (14.87KB)

Enclosed is the DDS log; will explain via laptop.

Dave

#2 Dave Clark


Posted 22 April 2013 - 04:13 AM

Hi,

I've had to reply from my laptop.

I got a phone call from someone who addressed me by my name and obviously he had my telephone number, supposedly from Windows security. He said I had problems with my computer and it was a new virus which had infected a large number of computers. I laughed at him before hanging up. He rang back the next day and said "they" could see my computer was infected and that he had my Windows serial number, which he then proceeded to tell me! He said the number over the phone and it was correct. He then took me into the Event Viewer on my computer and there are a lot (over 2000) of errors and warnings, all dated from 2nd April to date, 17th April, and ongoing.
He then said he would help me to clean up my computer by taking me into safe mode. At this point I hung up on him again. (I thought at the time that it was worrying that he had both my name and telephone number, as I live in Tenerife and am not in any telephone book!) Also I haven't downloaded anything of any consequence that I know of, but I did buy a 10-way USB hub from Amazon which I installed at about the time of the first errors in the Event Viewer. (Is it possible to doctor a USB hub with a microchip to gain access to my computer? After installing it the boot-up hangs for about 10 secs after checking memory but before detecting HDD drives; after removing the hub it goes to loading Windows OK but takes about 10 mins to load instead of the normal 3-4 mins.) One other thing: when I uninstalled the hub my computer hung and I had to shut it down manually. I also allowed an update from Microsoft at about that time, but I do make sure it looks legit.

 

Since then Google Chrome has loaded about 60-70 web pages into my favourites toolbar, which I had to delete one at a time. My computer is now running very, very slow. I ran the online ESET Scanner but after 9 hrs it was only 16% through, so I had to close it down!!! On reading a similar post it appears that it is the BIOS that gets attacked, rendering the computer useless. I tried to post from my computer but it wouldn't send; eventually I managed to get the DDS files to you. My computer now will not recognise the USB slots.

 

Hope you can help.

 

I’m posting from my laptop as the infected computer is getting really bad.

 

Regards,

 

Dave



#3 m0le


Posted 23 April 2013 - 07:41 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:


m0le is a proud member of UNITE

#4 Dave Clark


Posted 24 April 2013 - 08:04 AM

Hi Mole,

Many thanks for replying. The computer is in a right mess and don't know if it's possible to repair as it was running so slow.

 

Regards,

 

Dave



#5 m0le


Posted 24 April 2013 - 08:23 PM

We'll see what we can do for your machine. For anyone who may be reading this, no-one from Microsoft or Windows (?) will ever phone your home unsolicited.

 

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe


  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
 


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you receive the message "Illegal operation attempted on a registry key that has been marked for deletion." then please reboot the system.

 



#6 Dave Clark


Posted 25 April 2013 - 03:11 AM

Hi Mole,
Attached is the comfix log. None of the USB ports are working, which means I cannot work on the laptop and post on this infected computer.
Another rather worrying thing is that none of my external USB HDDs will work on my laptop; they are listed as Not Recognized and they did work previous to this. The same applies to both of my printers and my scanner printer. Could he have damaged the HDDs & printers? Never had anything like this before.

Attached Files



#7 Dave Clark


Posted 25 April 2013 - 04:23 AM

Rebooted and still no USB ports. Win Patrol asking if OK to change:- Microsoft Corporation C\Windows\system32\rundl32.exe\ieframe.dll,openURL%  TO- rundl32.exe ieframe.dll,OpenURL %

 

I've denied the change, is that OK or should I allow?

 

Regards,

 

Dave



#8 m0le


Posted 25 April 2013 - 06:25 PM

No, you can deny or allow it. ComboFix makes some changes to the system; it sets some defaults which are thought of as "safe".

 

Let's make sure that we have a clean machine before we see what else needs attention.

 

Please run ESET's online scan next

 

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

 



#9 Dave Clark


Posted 26 April 2013 - 01:40 PM

Hi Mole all Done,

Noticed that a folder of photographs I had been working on on my desktop have disappeared!! Seems unlikely but true.

Will see what the computer is like when I reboot in the morning.

Regards,

Dave

Attached Files



#10 m0le


Posted 26 April 2013 - 08:34 PM

Okay, let me know



#11 Dave Clark


Posted 27 April 2013 - 07:25 AM

Hi Mole,
The computer is still very slow; it takes just over 8 minutes to load Windows as against less than 4 mins previously. It seems as if something is constantly running in the background. When I clicked on My Computer I even got the search torch before it displayed! According to Task Manager the CPU is running at 100%. System Idle = 44%, System = 50%.

Did a search for the last folder I was working on and it's gone!

Can find only 1 USB working, which is a bind. Looked up in Windows help and it said that if the Universal Host Controllers had Enhanced rather than Universal then the drivers and controller are OK. Only 1 out of 5 controllers has the Enhanced attribute. I tried reloading drivers for the other 4 but got the message that there wasn't a better match than the installed driver. I even had the original disk from the motherboard and also a USB drivers disk, none of which made any difference. So I've connected my 10-way Trust USB hub to the good USB socket and seem to be operating OK from that, apart from 1 hiccup when Windows Explorer, for no apparent reason, went "Not Responding".

Is it recommended to get rid of Java? I read somewhere that it is a very weak link when surfing the net.

Just reloaded Task Manager and the CPU has dropped to 5% ??

So really just need to know why the startup time has increased over 100%.

Regards,

Dave

Edited by Dave Clark, 27 April 2013 - 07:26 AM.


#12 Dave Clark


Posted 27 April 2013 - 07:29 AM

Hi again Mole,

Just noticed my post has a lot of <br> types in it; tried to edit the post but then the editor seemed to freeze ????


#14 m0le


Posted 28 April 2013 - 03:18 AM

Try booting the machine without any services or startup programs loading. This will eliminate or pinpoint the main problem.

1. Click Start, type msconfig in the Start Search box, and then press Enter. If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.

2. On the General tab, click Selective Startup.

3. Under Selective Startup, click to clear the Load Startup Items check box.

4. Click the Services tab, click to select the Hide All Microsoft Services check box, and then click Disable All.

5. Click Apply and OK.

6. When you are prompted, click Restart.

7. After the computer starts, let me know how it loaded and is running.


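As an added example (not part of m0le's post or BleepingComputer's tools), the PowerShell below does a read-only version of the triage that msconfig's Selective Startup performs: it lists the Run/RunOnce startup entries and the automatic-start services whose binary does not carry a valid Microsoft signature, so you can see what "Load Startup Items" and "Hide All Microsoft Services" would cover before rebooting. It assumes PowerShell 3 or later on Windows and changes nothing.

```powershell
# Added example (not from the thread): a read-only look at what msconfig's
# Selective Startup would disable. Assumes PowerShell 3 or later on Windows.
# Nothing is modified; it only lists entries for review.

# 1. Startup items: the Run/RunOnce keys behind "Load Startup Items".
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties PowerShell adds to registry objects.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}
"== Startup items =="
$startup | Format-Table -AutoSize

# 2. Services: the ones left visible once "Hide All Microsoft Services" is
#    ticked. Here "Microsoft" means the binary has a valid Authenticode
#    signature from Microsoft; unsigned or third-party-signed ones are listed.
$services = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }
$nonMs = foreach ($svc in $services) {
    # Reduce the service command line to its executable path (quoted or not).
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    $signer = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
    }
    if ($signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ Service = $svc.Name; State = $svc.State; Path = $exe; Signer = $signer }
    }
}
"== Automatic services not signed by Microsoft =="
$nonMs | Sort-Object Service | Format-Table -AutoSize
```

Anything that shows up here with no signer, or with a path under a user profile or temp directory, is worth looking at first; a slow boot that persists after these are disabled (as in the post below) points away from startup entries and towards drivers or hardware.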

#15 Dave Clark


Posted 28 April 2013 - 09:45 AM

Hi Mole, did as you said but still took about 7 mins to boot up. At first it runs very slow, as if lots is still going on, then after about 5 mins starts to settle down and is a bit faster, but still not as fast as it used to be. I've still got all start-ups disabled. Just to give you an idea of time, Mbam took 6 hrs and 37 mins to scan my computer. It normally takes less than 2 hrs.

Dave
