
virus clean up Issues after deleted some files


This topic is locked
35 replies to this topic

#1 routineclean
  • Members
  • 26 posts
  • Gender:Male

Posted 19 October 2016 - 10:44 PM

Hi

After a virus scan, in which I deleted some files, Windows shows some files missing.

I could not restore the Windows files, so I did an upgrade of Windows to avoid the deletion of files.

Requesting help to follow up and check that the virus is removed.

Thanks

Attached Files




#2 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,596 posts
  • Gender:Male

Posted 20 October 2016 - 07:48 AM

Hi routineclean :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job, so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean up some malware, so let's get started, shall we? :)

I don't see any traces of infection in your logs (only a few things we could clean up using FRST to make your system nice and tidy). Do you remember what you were infected with (malware name)? And do you still have the logs showing the infection?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 routineclean (Topic Starter)

Posted 20 October 2016 - 09:26 AM

Hi Aura

I was using the Bitdefender Rescue CD, and was not able to extract the logs.

I took a screenshot of the files deleted, and extracted an sfcdetails log of the errors due to the deleted files.

Refer attached.

Thanks

Attached Files



#4 Aura

Posted 20 October 2016 - 10:36 AM

Looks like false positives to me. I've seen a lot of legitimate files being targeted by Bitdefender Rescue CD, no idea why. And these files could have been easily replaced if you ever find yourself in the same situation next time. Simply post a thread in the Windows 10 section here or in the Windows Update section of the Sysnative forums and a Windows Update Analyst will assist you :)

Was this the only scan you ran, and from which you told yourself you were infected?


#5 routineclean (Topic Starter)

Posted 20 October 2016 - 11:24 PM

Hi Aura

Sadly the first infection was some time back, and I did not know better than to use the forums for help.

After detecting the virus, the symptoms were that I can't download large files; the download will just stop.

I can't search using regedit since it will hang after a few searches.

Attached are the previous FRST.txt and Addition.txt from before the start of this treatment.

The existing issue now is that I can't create a live CD such as the Trend Micro Rescue CD; refer to the attached image of the crash.

There is no issue if I use another computer to create the Trend Micro Rescue CD.

Please review if you are able to salvage this incident.

Thanks

Attached Files



#6 Aura

Posted 21 October 2016 - 07:26 AM

I don't see any traces of infection in these logs, except for a proxy hijack in Mozilla Firefox that could be caused by one of the two VPN extensions that were installed.

Which web browser are you using to download the files?
What are you searching for in Regedit? Did you give it a few minutes even after the hang? The Registry is large, so it can take some time to go through it.
What program are you using to create the Rescue CD?


#7 routineclean (Topic Starter)

Posted 22 October 2016 - 07:05 AM

Hi

Which web browser are you using to download the files?

Firefox, IE, Chrome

What are you searching for in Regedit? Did you give it a few minutes even after the hang? The Registry is large, so it can take some time to go through it.

Yes, I did give it time. On another machine, if I cancel the regedit search, the search UI will just close and allow me to search again.

On the affected machine, when I cancel the regedit search nothing happens, so I have to force close regedit.

What program are you using to create the Rescue CD?

The Trend Micro Rescue CD is the program itself; refer to https://origin-www.trendsecure.com/Info/Rescue_Disk/html/download.html

Thanks



#8 Aura

Posted 22 October 2016 - 12:27 PM

Around what % of the download does it hang?
In Regedit, run a search, then click only once on the Cancel button and give it a few moments (minutes). Does the search UI eventually exit?
And it looks like a component used in the Rescue CD to create the CD is hanging (since it's part of an open-source program).


#9 routineclean (Topic Starter)

Posted 23 October 2016 - 07:12 AM

Hi Aura

Those issues with the download, the registry search, and the missing files were resolved after an in-place upgrade of Windows 10.

The chkdsk also managed to reclaim some bad clusters; refer to the attached logs.

Curiously, https://origin-www.trendsecure.com/Info/Rescue_Disk/html/download.html

can't be run on this same computer, even on the second boot.

Please advise how to proceed from here.

Thanks

Attached Files



#10 Aura

Posted 23 October 2016 - 09:17 AM

That's good to know :)

Are you still getting the same error for TrendMicro Rescue CD?



#11 routineclean (Topic Starter)

Posted 23 October 2016 - 10:52 AM

Hi Aura

0. https://origin-www.trendsecure.com/Info/Rescue_Disk/html/download.html can't be created on this same computer.

1. Are there any other viruses in the logs?

2. Is it an issue with the bad clusters?

Please advise next steps.

Thanks



#12 Aura

Posted 23 October 2016 - 12:06 PM

Are you trying to create it with a CD, or a USB flash drive?

There were no remnants in your logs, and a repair install should have taken care of them. As for the bad sectors, we should check your hard drive as well to make sure it's not failing.

GSmartControl
Follow the instructions below to test your hard drive health with GSmartControl:
  • Download GSmartControl and save it on your Desktop;
  • Extract the content of the GSmartControl .zip archive and execute gsmartcontrol.exe;
  • Identify your drive in the list, and double-click on it to bring up its window (usually you'll find your drive by its size or its brand name);
  • Go to the Perform Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete);
  • Once the test is over, the results will be displayed at the bottom of the window. Please copy and paste these results in your next reply;
  • Also, go to the Attributes tab and if you have any entries highlighted in red or pink, copy and paste their names in your next reply (or take a screenshot of the GSmartControl window and attach it in your next reply).


#13 routineclean (Topic Starter)

Posted 24 October 2016 - 10:43 PM

Hi Aura

The scan took a while and was unable to complete; refer to the attached logs with errors.

So far the bad clusters appeared after the virus infection; after each clean, some bad clusters are released.

The two issues above may be separate, or related.

Please advise next steps.

Thanks

Attached Files



#14 Aura

Posted 25 October 2016 - 07:08 AM

This isn't good.
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       92
197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       73
This means that your hard drive is currently on its way to failure. The problem is that I cannot tell you when it'll happen. It can be in a few days, just as it can be a few months or a few years. However, since both of these attributes are over 50 (one of which is close to 100), I would suggest you back up all your data as soon as possible, and consider buying a new hard drive as well.
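The Attributes-tab check Aura asked for in post #12 and the two SMART counters read above can be evaluated programmatically rather than by eye. The block below is an added example, not code from the thread, from GSmartControl or from smartmontools: it parses attribute rows laid out the way smartctl (the tool GSmartControl wraps) prints them, using a constructed sample whose 196/197 rows carry the same raw values quoted above, and applies the thread's "over 50" rule of thumb as an assumed policy. The function names, the sample rows other than 196/197, and the severity labels are my own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class SmartAttr(NamedTuple):
    attr_id: int
    name: str
    value: int   # normalised current value (higher is healthier)
    worst: int   # lowest normalised value ever recorded
    thresh: int  # vendor failure threshold; 0 means none is defined
    raw: int     # raw counter, for these attributes a number of sectors/events


# Constructed sample in the smartctl -A table layout (the same table GSmartControl
# shows in its Attributes tab). Rows 196 and 197 mirror the values quoted in the
# thread; rows 5 and 198 are made-up healthy entries for contrast.
SAMPLE_TABLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       92
197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       73
198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       0
"""

# Columns: id, name, flag, value, worst, thresh, type, updated, when_failed, raw.
# Only the leading integer of RAW_VALUE is taken, because smartctl sometimes
# appends decoded detail such as "44 (Min/Max 20/60)".
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_smart_attributes(table: str) -> Dict[int, SmartAttr]:
    """Parse attribute rows keyed by attribute id; header and other lines are skipped."""
    attrs: Dict[int, SmartAttr] = {}
    for line in table.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr_id = int(m.group(1))
        attrs[attr_id] = SmartAttr(
            attr_id, m.group(2),
            int(m.group(3)), int(m.group(4)), int(m.group(5)), int(m.group(6)),
        )
    return attrs


# Attributes whose raw value counts damaged or suspect sectors.
SECTOR_HEALTH_IDS = (5, 196, 197, 198)
# Rule of thumb from the thread: a raw count over 50 on these counters is a
# "back up now" signal. Assumed policy for this example, not a vendor limit.
CRITICAL_RAW = 50


def assess_drive(attrs: Dict[int, SmartAttr]) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Return (verdict, findings); each finding is (attribute id, name, severity)."""
    findings: List[Tuple[int, str, str]] = []
    for attr_id in SECTOR_HEALTH_IDS:
        a = attrs.get(attr_id)
        if a is None:
            continue
        if a.thresh > 0 and a.value <= a.thresh:
            # Normalised value has crossed the vendor threshold: SMART itself calls this failed.
            findings.append((a.attr_id, a.name, "FAILED"))
        elif a.raw >= CRITICAL_RAW:
            findings.append((a.attr_id, a.name, "CRITICAL"))
        elif a.raw > 0:
            # Any reallocated or pending sector is worth re-checking over time.
            findings.append((a.attr_id, a.name, "WARNING"))
    severities = {severity for _, _, severity in findings}
    if "FAILED" in severities or "CRITICAL" in severities:
        verdict = "back up now and plan to replace the drive"
    elif "WARNING" in severities:
        verdict = "back up and re-check the counters after a few days"
    else:
        verdict = "no sector-level concerns"
    return verdict, findings


if __name__ == "__main__":
    parsed = parse_smart_attributes(SAMPLE_TABLE)
    verdict, findings = assess_drive(parsed)
    for attr_id, name, severity in findings:
        print(f"{attr_id:>3} {name:<24} raw={parsed[attr_id].raw:<5} {severity}")
    print("Verdict:", verdict)
```

On the sample above, rows 196 and 197 come out CRITICAL and the verdict matches the advice in the post; a pending-sector count that is small but non-zero would instead be reported as a WARNING, which is the case where re-running chkdsk and re-reading the counters later tells you whether the drive is stabilising or degrading.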


#15 routineclean (Topic Starter)

Posted 25 October 2016 - 09:44 AM

Hi Aura

The hard disk being old is a separate issue.

It does not show why the program was unable to complete the scan.

The bad clusters are also able to be freed by the chkdsk scan.

Please advise on the following:

1. a. Clearing up the virus; b. is there a way to clear up the bad clusters?

2. What options are there to migrate from the old hard drive to a new one? There are 2 boot OSes on this hard drive.

Thanks





