
Black Screen After Malwarebytes Scan And Reboot



Hi,

Recently I've been redirected to ad websites in Internet Explorer when I've been trying to go to web addresses. This happened pretty frequently, but mostly when clicking Google results.

I ran Malwarebytes and it found around 5 or 6 different things; being naive, I simply clicked remove rather than writing down what they were. It then prompted me to reboot. Since doing that, however, I can't boot in standard mode; right now I'm in safe mode with networking. When I boot in standard mode I simply have a black screen with the cursor.

Any help would be appreciated, and for info I can't burn anything with this PC as the burner is broken; I do have access to a sibling's laptop to put things on pen drives etc.

Regards

Luke


Sorry, I have an update which should hopefully help diagnose. I've run Malwarebytes and checked the quarantine and found the items that were 'removed'; I also have the logs and will paste them.

The infected items were:

  • HKCR/exefile/shell/open/commandl - this appeared three times
  • Trojan Dropper in Appdata/Local/Temp
  • Hijack.Start Menu x 2 in HKLM/Software/Clients/StartMenuInternet/Firefox.exe/shell/open/commandl
  • Trojan Spy Eyes in C:/sooi832.bin and C:/sooi832.bin/7275F41A1CAb0CF
  • Pup.Casino.Gen in Appdata

Here are the logs


  • Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5363
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19048
    05/05/2011 10:43:41
    mbam-log-2011-05-05 (10-43-41).txt
    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 255982
    Time elapsed: 1 hour(s), 22 minute(s), 21 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\mnd.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

  • Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5363
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19048
    07/05/2011 21:29:14
    mbam-log-2011-05-07 (21-29-14).txt
    Scan type: Quick scan
    Objects scanned: 1
    Time elapsed: 5 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

  • Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5363
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19048
    09/05/2011 11:11:42
    mbam-log-2011-05-09 (11-11-42).txt
    Scan type: Full scan (C:\|)
    Objects scanned: 255925
    Time elapsed: 1 hour(s), 42 minute(s), 22 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\dfn.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\Users\admin\AppData\Local\Temp\0.8744307441719152.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

  • Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5363
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.19088
    19/06/2011 05:15:57
    mbam-log-2011-06-19 (05-15-57).txt
    Scan type: Full scan (C:\|)
    Objects scanned: 256314
    Time elapsed: 1 hour(s), 24 minute(s), 36 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\tfn.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

  • Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.04.04.08
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    admin :: ADMIN-PC [administrator]
    Protection: Enabled
    14/06/2012 16:06:47
    mbam-log-2012-06-14 (16-06-47).txt
    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 329255
    Time elapsed: 3 hour(s), 20 minute(s), 3 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 2
    HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\admin\AppData\Local\mnd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\admin\AppData\Local\mnd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
    Folders Detected: 1
    C:\sooi832.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
    Files Detected: 3
    C:\Users\admin\AppData\Local\Temp\cas6FE3.tmp (PUP.Casino.Gen) -> Quarantined and deleted successfully.
    C:\Users\admin\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
    C:\sooi832.bin\7275F41A1CAB0CF (Trojan.SpyEyes) -> Quarantined and deleted successfully.
    (end)

Hope this helps

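An added example, not part of the original posts and not Malwarebytes code: it parses detection lines in the format shown in the logs above and lists registry objects that were repaired in more than one scan. The regular expression is inferred only from the lines on this page, and the function names are hypothetical.

```python
import ntpath
import re
from collections import defaultdict

# Scan timestamps and detection lines copied from the logs quoted above.
SAMPLE = r'''
05/05/2011 10:43:41
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\mnd.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
09/05/2011 11:11:42
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\dfn.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
19/06/2011 05:15:57
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\admin\AppData\Local\tfn.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
14/06/2012 16:06:47
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\admin\AppData\Local\mnd.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
C:\sooi832.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
'''

STAMP = re.compile(r'^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$')
DETECTION = re.compile(
    r'^(?P<object>.+?) \((?P<name>[\w.]+)\) -> '
    r'(?:Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> )?'
    r'(?P<action>.+?)\.$')

def parse_log(text):
    """Return one dict per detection line, tagged with its scan timestamp."""
    scan, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        if STAMP.match(line):
            scan = line
        elif (m := DETECTION.match(line)):
            found.append({'scan': scan, **m.groupdict()})
    return found

def interposed_exe(bad):
    """First quoted path in a 'Bad:' command: the program run in place of the target."""
    m = re.match(r'"([^"]+)"', bad or '')
    return m.group(1) if m else None

def rehijacked(detections):
    """Registry objects repaired in more than one scan, with the executable seen each time."""
    seen = defaultdict(list)
    for d in detections:
        if d['bad']:
            seen[d['object']].append((d['scan'], interposed_exe(d['bad'])))
    return {obj: hits for obj, hits in seen.items() if len(hits) > 1}

if __name__ == '__main__':
    for obj, hits in rehijacked(parse_log(SAMPLE)).items():
        print(obj, [(s, ntpath.basename(e)) for s, e in hits])
```

On these lines it reports the `exefile` open command being reset on three scan dates with a different executable name each time, which is the pattern to look for when a removal has not held.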

Hello luke_brown89 and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please follow the instructions here:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post both log files in your next reply.


Thanks for your reply,

Looking at everything and the fact the PC is used for banking etc., it looks like a reformat is the only option. I'm going to have to get a new Vista disk in the next couple of days. I have disconnected the PC from the Internet and will leave it offline for this period of time.

I have contacted the bank to change cards etc just in case.

From what you said I take it this is the best way forward.

Luke


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.