Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Security Pro has total grip


  • This topic is locked This topic is locked
53 replies to this topic

#1 al_morgan

al_morgan

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 12 June 2013 - 02:33 AM

I've been very carefully following all the steps your site outlines...all day.  Many times, but with no success.

 

The first pass found 10 faults, and claimed they were cleaned, but they made no difference - I was still infected.  So I tried again and again, but nothing was found by Malwarebytes.  Rkill still finds quite a few issues.

 

The infected laptop(Vista) is no longer connecting with internet, and cannot do so in safe mode w. networking either.

Therefore I can't send email, and I can't burn dds.txt or attach.txt to a cd. (although I did the scan and have the files saved, ready to go...but I can't even print them !!)   I'm using a different computer to connect with this forum, but I'm deathly afraid to make a jump stick to bring misery onto this working computer for transmission.

 

The infected laptop is completely paralyzed - I'm ready to pull the pin and reformat.  Actually, I might buy a new machine, I'm that desperate.  I have data backed up, but the software I have loaded will be the real loss, as many were electronic downloads and no discs are available.

 

OMG I need help!



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 12 June 2013 - 03:07 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with FRST


To run FRST on Vista and Windows7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 13 June 2013 - 02:43 PM

Hi Marius - thank you for your help.

 

I have done exactly as you requested and have (hopefully) attached the txt file from FRST

 

 

AlAttached File  FRST.txt   20.75KB   7 downloads



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 14 June 2013 - 01:57 AM

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM\...\Runonce: [2FCD20B6-D701-4C28-B666-AD080E5B0525] cmd.exe /C start /D "C:\Users\Alan\AppData\Local\Temp" /B 2FCD20B6-D701-4C28-B666-AD080E5B0525.exe -activeimages -postboot [x]
    HKLM\...\Runonce: [E40D2C02-9EC2-4018-BEA4-F401CAEA54D8] cmd.exe /C start /D "C:\Users\Alan\AppData\Local\Temp" /B E40D2C02-9EC2-4018-BEA4-F401CAEA54D8.exe -activeimages -postboot [x]
    HKU\Alan\...\Run: [Internet Security] C:\Users\Alan\AppData\Roaming\iwdefender.exe [ 2013-06-06] (The PHP Group)
    
    C:\Users\Alan\AppData\Local\Temp\2FCD20B6-D701-4C28-B666-AD080E5B0525.exe
    C:\Users\Alan\AppData\Local\Temp\E40D2C02-9EC2-4018-BEA4-F401CAEA54D8.exe
    C:\Users\Alan\AppData\Roaming\iwdefender.exe
    C:\Users\Alan\GoToAssistDownloadHelper.exe
    C:\Users\Alan\install_flashplayer11x32_chra_aih.exe
    C:\Users\Alan\install_flashplayer11x32_chrd_aih.exe
    C:\ProgramData\nvModes.dat
    C:\ProgramData\TtuHthIP.dat
    
    DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
     
    

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

 

 

Now you should be able to boot into windows normally.

 

 

 

 

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 15 June 2013 - 10:52 AM

HI Marius

I run the last set of instructions and have posted the fixlog here

 

 

Attached File  Fixlog.txt   1.28KB   2 downloads

 

 

I could not load the Anti-rootkit yet, however - the infected laptop cannot yet connect to a network, although it sees one there.  something needs to be reset, but the malware is blocking access to any windows control still.

 

I have downloaded the anti-virus onto a stick, but cannot transfer the file with that while in safe mode.  If I go ahead and use the usb stick while in regular windows mode, while infected, will the stick now be likely to transfer the malware back to the only safe computer in the house (this one).?  

 

Waiting for your response before proceeding with that step...


Edited by al_morgan, 15 June 2013 - 10:53 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 16 June 2013 - 02:58 PM

Run this tool on the clean machine and get your usb stick safe with it:

 

http://flash-disinfector.en.uptodown.com/download

 

Then go on with Malwarebytes Anti-Rootkit on the infected machine as there may nothing happen now to the other computers. :)


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 17 June 2013 - 11:50 PM

OK  I finally got it to work.

The anti-rootkit would not run in normal windows.  Nothing really does... after a long wait (60 seconds +) a PC Speaker beep sounds, and a box comes up  with a big red X, the file path and name, and a warning "The specified service does not exist as an installed service" 

 

This is also why I cannot reconnect to the internet with the laptop - it sees the connection is available, but it cannot activate it and I cannot change any settings.

 

In order to make the anti-rootkit you provided work, I had to run it in Safe Mode with Networking, not in normal windows... same error message box comes up.  I hope that's ok.  Reprt is below - I think it found 4 problems, and I did not run a clenup yet.

 

 

 

 

Attached File  mbar-log-2013-06-17 (20-21-45).txt   2.86KB   6 downloads

 



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 18 June 2013 - 03:10 AM

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 19 June 2013 - 09:51 AM

Ok scans are complete and cleanup is successful.  However, I cannot send you the mbar-log.txt because I cannot connect online, and now the USB drives are not being recognized in safe mode or in normal windows.

Basically every function is slowly being shut down.  The computer is painfully slow - it takes 5 minutes to boot up, each click of the mouse needs about 30 seconds or more before something happens.

 

If I abandoned this machine at this point, are the personal files safe to transfer into a new one?   ...if I can get the drives to work enough to make a transfer.



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 19 June 2013 - 11:41 PM

Then please run another scan with FRST in Recovery Mode and post the log.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 20 June 2013 - 12:16 AM

Here are two files generated by FRST tonite

 

 

Attached File  FRST.txt   24.08KB   1 downloads

Attached File  Addition.txt   19.38KB   0 downloads



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 20 June 2013 - 12:27 AM

Can you go online with another brwoser?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 20 June 2013 - 01:52 AM

No, Ihave tried both Chrome and IE.  Email does not work either.  Does not work in safe mode with networking (should it?)   What 's strange is when I select "connect to a network" it actually sees the correct (wireless) network and there is a full signal, but any other attempt to make a connection results in the usual -beep- and "The specified service does not exist as an installed service" warning.  The status indicator icon in the lower right corner also shows no connection is made.

 

I have tried to connect with both wireless and by directly plugging in  - no change.

 

Again, the usb ports are not found by Explorer anymore (they were a few steps back)  but the CD Rom still reads and writes in safe mode.  The two logs I posted tonight were saved from the laptop onto the cd I had used to save FRST onto.



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 20 June 2013 - 01:54 AM

Navigate to the directory where you extracted mbar to.

Open the plugins folder and run fixdamage.exe by doubleclick.

 

Reboot and try again.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 al_morgan

al_morgan
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 20 June 2013 - 10:14 AM

I ran fixdamage.exe .

  USB still not reading, but I was able to burn onto my cd rom.  After all that, here is the log you requested from the last mbar scan and cleanups

 

Attached File  mbar-log-2013-06-18 (18-10-46).txt   2.15KB   5 downloads






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users