
Laptop is unable to boot after Trojan and Rootkit removal


  • This topic is locked
8 replies to this topic

#1 ziltoidomni (Members)

Posted 15 March 2017 - 11:58 AM

I have a Lenovo laptop running Windows 7 Home Premium that had a pretty nasty infection that placed itself in the master boot record. It was bluescreening and giving a Lenovo-specific error that pointed to a rootkit infection. I was able to boot the laptop to a Windows 7 PE disk and get the command prompt open. I used Bootrec /fixmbr and rebooted successfully. I did a quick scan with HitmanPro just to see what we're dealing with, and Hitman immediately returned a result of an Alureon or Alureon-variant rootkit infection. Immediately, I used msconfig to switch to safe mode and reboot. Here, I used Kaspersky TDSSKiller, MBAM Anti-Rootkit, ComboFix, HitmanPro, AdwCleaner, SUPERAntiSpyware, and Malwarebytes to clean the system. All programs found and successfully removed infections.

I rebooted the machine successfully, but then rebooted again after resetting the msconfig options back to normal boot. This is where the real problems started. The system POSTs and boots Windows, but the firefly animation gets halfway through and freezes. Flash of blue, and the machine attempts to restart.

- Startup Repair does not work.

- A restore point created after removing the infections in safe mode does not work.

- Bootrec commands do not work: fixmbr is successful, but does not change anything. Fixboot does not complete, citing some corruption that makes it unable to write a new boot sector.

- Attempted rebuilding the BCD. Not effective.

- No image to restore from.

I then found this forum and followed instructions to generate an FRST report for you guys to look through. This is where my expertise is limited. I don't know what to look for in the logs, and I'm hoping you can help me figure out what needs to be included in the fixlog for FRST to fix.

FRST log:

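An added example, not part of the original thread or of any tool named in it, of what a practitioner could check once an Alureon-class MBR bootkit is suspected. The script parses a 512-byte MBR sector, compares the 446-byte boot code region against a known-good hash (so a `bootrec /fixmbr` that "succeeds but does not change anything" can be confirmed or refuted byte for byte), verifies the 0x55AA signature and active flag, and flags a large run of unallocated sectors after the last partition, the area where the TDL4/Alureon family is known to store its hidden components. The two sample sectors, the partition layout, the 1 MiB tail threshold and the `read_mbr_from_device` helper are constructed for illustration; `\\.\PhysicalDrive0` is the standard Windows raw-device name for the first disk and reading it requires an elevated prompt.

```python
"""Parse a classic MBR and flag what a boot-sector bootkit typically leaves behind.

Constructed example for illustration; the sample sectors are not from a real disk.
Layout of a 512-byte MBR:
  0x000-0x1BD  boot code (446 bytes)
  0x1BE-0x1FD  four 16-byte partition entries
  0x1FE-0x1FF  signature 0x55 0xAA
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOTCODE_LEN = 446
PT_OFFSET = 0x1BE
SIG_OFFSET = 0x1FE
TAIL_THRESHOLD = 2048   # assumption: more than 1 MiB of unallocated tail is worth imaging


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:        # exclusive
        return self.lba_start + self.sector_count


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the non-empty partition entries; raise on a malformed sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _chs_a, type_id, _chs_b, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PT_OFFSET + 16 * i)
        if type_id == 0:
            continue                 # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def bootcode_sha256(sector: bytes) -> str:
    """Hash only the code region; the partition table legitimately differs per machine."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def check_mbr(sector: bytes, known_good_sha256: str, disk_sectors: int) -> List[str]:
    """Compare the boot code with a trusted hash and look for layout oddities."""
    findings = []
    parts = parse_mbr(sector)
    if bootcode_sha256(sector) != known_good_sha256:
        findings.append("boot code differs from the known-good image")
    if not any(p.bootable for p in parts):
        findings.append("no partition is flagged active")
    for p in parts:
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index} extends past the end of the disk")
    if parts:
        tail = disk_sectors - max(p.lba_end for p in parts)
        if tail > TAIL_THRESHOLD:
            findings.append(f"{tail} unallocated sectors after the last partition")
    return findings


# ---- constructed sample data (not captured from the laptop in the thread) ----
def build_mbr(bootcode: bytes, entries: List[Tuple[int, int, int, int]]) -> bytes:
    buf = bytearray(SECTOR_SIZE)
    buf[:len(bootcode)] = bootcode
    for i, (status, type_id, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", buf, PT_OFFSET + 16 * i,
                         status, b"\xfe\xff\xff", type_id, b"\xfe\xff\xff", lba, count)
    buf[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(buf)


# Stand-in for clean boot code: a few real x86 setup instructions, then padding.
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 20
CLEAN_BOOTCODE += b"\x00" * (BOOTCODE_LEN - len(CLEAN_BOOTCODE))
LAYOUT = [(0x80, 0x07, 2048, 204800),     # System Reserved, active
          (0x00, 0x07, 206848, 800000)]   # Windows volume
DISK_SECTORS = 2048 + 204800 + 800000     # no unallocated tail

CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, LAYOUT)
KNOWN_GOOD = bootcode_sha256(CLEAN_MBR)

# Same partition table, but the entry point now jumps into a patched stub and the
# disk has a 4096-sector tail: the shape an MBR bootkit like Alureon leaves behind.
_infected = bytearray(CLEAN_MBR)
_infected[0:3] = b"\xeb\x4c\x90"
_infected[0x4e:0x51] = b"\xfa\x33\xc0"
INFECTED_MBR = bytes(_infected)
INFECTED_DISK_SECTORS = DISK_SECTORS + 4096


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR (Windows raw device path; needs an elevated prompt)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    for name, mbr, size in (("clean", CLEAN_MBR, DISK_SECTORS),
                            ("infected", INFECTED_MBR, INFECTED_DISK_SECTORS)):
        print(name, check_mbr(mbr, KNOWN_GOOD, size) or ["no findings"])
```

Take the known-good hash from the standard MBR of the same Windows version (a clean machine, or the disk right after a trusted repair), never from the suspect disk itself; hashing only the code region lets the partition table differ between machines while still catching a replaced loader.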





#2 JSntgRvr (Master Surgeon General, Malware Response Team; Puerto Rico)

Posted 16 March 2017 - 12:05 PM

Welcome. :)

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

 

Restart the computer. If successful, follow these steps.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.


  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.


  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 ziltoidomni (Topic Starter)

Posted 17 March 2017 - 12:53 PM

TEACH ME THE WAY SENSEI. Seriously you are amazing. I wish to know more in case I ever have to deal with this again. 

 

Here are the logs. 

Attached Files



#4 JSntgRvr (Malware Response Team)

Posted 17 March 2017 - 03:58 PM

I am glad you were able to successfully boot the computer. Let's take a deeper look.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on List BCD and Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

 

Please also post the Fixlog.txt that must be next to your old version of FRST64 in the external drive.




#5 ziltoidomni (Topic Starter)

Posted 17 March 2017 - 05:50 PM

System seems a tad slow, and some dll exceptions are thrown on startup... 

 

Attached Files



#6 JSntgRvr (Malware Response Team)

Posted 17 March 2017 - 08:40 PM

Chrome.dll is returning some errors. You will need to remove and reinstall Chrome.

 

Please remove the following ad programs through the Control Panel:

Ask Toolbar Updater
CouponBar

Download and run the AVG removal tool from here.

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply. After the restart, perform an online virus scan.
 
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.

Post the ESET log.txt report.

Don't forget to re-enable previously switched-off protection software!




#7 ziltoidomni (Topic Starter)

Posted 18 March 2017 - 12:42 AM

Got a lot of stuff going on this weekend. Might not be able to get back to you for a couple of days. Thanks for your help so far. If you don't mind, what exactly have each of the FRST scans found, and what have your scripts fixed? Also, what does ESET do that the antivirus programs I've used so far have not done?



#8 JSntgRvr (Malware Response Team)

Posted 18 March 2017 - 09:03 AM

AVG entries, orphan entries, temp files, and a reset of your firewall and TCP/IP.

 

The ESET scan will remove entries that other programs failed to detect. Not every antivirus program is made equal. Their databases differ.

 

I usually leave the topic open for 5 days.




#9 JSntgRvr (Malware Response Team)

Posted 01 April 2017 - 02:31 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





