Infected computer- Appreciate help!


zionstrat


Kevin, we cross posted. I do appreciate you hanging in here.

Even in safe mode, combo crashed as soon as it reached:

system file is infected!! attempting to restore c:windows\syswow64\cftmon.exe

Wondering about the idea of going back to a restore point. I have never done that before. Would it make sense to go back a few weeks/months and install combo again? On the other hand, I expect it has been in the background for years, so it should be just as smart at the earlier stages?


Yes, using System Restore is a very good idea, but maybe you can run more scans before you try that.

Please download SystemLook from the following link below and save it to your Desktop.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield (the directive and the file name go on separate lines):

    :filefind
    cftmon.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Bad news.

All my system restore points seem to be erased, because I usually do at least 1 or 2 a month and I did a ton of them a year ago when I first configured this computer. I assume the virus was smart enough to erase them?

The only ones showing up are from what the apps have done today. I checked the box for older points and didn't see anything, but I could be doing something wrong since I have never restored before.

So am I right in guessing that restore is no longer an option?


It is not unusual for an infection to flush restore points, very unfortunate. It is very strange that Combofix flags cftmon.exe yet SystemLook does not find it. That is a system file, so it can be replaced with System File Checker.

Can you follow the instructions to run sfc from a command prompt at boot? Windows will not be loaded, so there is a good chance of replacing any corrupt system files. Go to the following link for full instructions:

http://www.sevenforums.com/tutorials/139810-sfc-scannow-run-command-prompt-boot.html

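An added example, not from Kevin's post or the linked tutorial: a batch script for the System Recovery Options command prompt that first finds which letter the offline Windows volume has been given (in the recovery environment it is often not C:) and then runs System File Checker against that installation offline, which is what "running sfc at boot" amounts to. The drive-letter range searched and the file-name pattern listed are assumptions.

```batch
@echo off
rem Added example (not from the thread): locate the offline Windows install
rem from the System Recovery Options command prompt and run System File Checker
rem against it. In the recovery environment the installed Windows volume is
rem frequently mapped to a letter other than C: (D: is common), so look for the
rem SYSTEM registry hive that every Windows install has instead of assuming.
setlocal
set "OFFWIN="
for %%D in (C D E F G) do (
    if not defined OFFWIN (
        if exist "%%D:\Windows\System32\config\SYSTEM" set "OFFWIN=%%D"
    )
)
if not defined OFFWIN (
    echo No offline Windows installation found on C: through G:.
    exit /b 1
)
echo Offline Windows found on %OFFWIN%:

rem Before repairing, list what is actually present in SysWOW64 under a name
rem like the one ComboFix reported (assumed pattern), so it can be compared
rem with what SystemLook returned.
dir /a /b "%OFFWIN%:\Windows\SysWOW64\*tmon.exe" 2>nul

rem /offbootdir is the boot volume, /offwindir the Windows folder on it; both
rem are required when the installed Windows is not the one currently running.
sfc /scannow /offbootdir=%OFFWIN%:\ /offwindir=%OFFWIN%:\Windows
echo SFC exit code: %errorlevel%
endlocal
```

Run it from the Command Prompt entry of a recovery environment whose bitness matches the installed Windows (64-bit here); an exit code of 0 means sfc completed, and the on-screen summary states whether corrupt files were found and repaired.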

Kevin,

I made the disk and ran it, however System Recovery Options came up with a window that said "This version of System Recovery Options is not compatible with the version of Windows that you are trying to repair. Try using a recovery disc that is compatible with this version of Windows."

It's Win7 64 bit, not sure what else to do?


Did you make the recovery CD on the sick PC? It must be 64 bit; if you made it on your spare PC, that is 32 bit. Look, we are really struggling here; we may be at a point where a reinstall is the only option left.

OK, see if FRST can be run from the recovery environment....

Download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Make sure to get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flash drive into the infected PC.

If you are using Vista or Windows 7, enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Kevin.....


Thanks Kevin, I'm starting to think it's time to take it to the shop, but let's give it one last try.

As far as the 64 bit recovery disk, yes the other machine is 32 bit, so I had a friend make a 64 bit one on his system. No idea why it didn't work.

Ok, trying FRST, but seem to have hit a snag.

Advanced boot options gives me these options:

repair your computer
safe mode
safe mode with net
safe mode with command

enable boot logging
enable low res vid
last known good config
directory services restore
debug mode
disable automatic restart
disable driver signature

start windows normally

When I chose repair your computer I get the following:

1. Insert windows install disk
2. choose lang
3. click repair your computer

if you don't have this disk....

status: 0xc000000e

info: the boot selection failed because a required device is inaccessible

It says enter=continue, but nothing happens when I hit enter.

Thanks again for your efforts.

zs


OK, we have a big issue with your OS, obviously some kind of infection has corrupted certain system files. We have tried many tools and made no progress whatsoever, frustrating for us both...

Ok, let's try to run an offline tool that will make a difference for us.... Read these instructions a couple of times, or better, print them off....

Kaspersky Rescue CD

STEP A:

Download and create a bootable Kaspersky Rescue Disk CD

1. Download the Kaspersky Rescue Disk ISO image from below.

KASPERSKY RESCUE DISK DOWNLOAD LINK (This link will open a new page from where you can download Kaspersky Rescue Disk ISO)

2. Download ImgBurn, a software that will help us create this bootable disk. (If you already have the necessary software, use that.)

IMGBURN DOWNLOAD LINK (This link will open a new page from where you can download ImgBurn)

3. You can now insert your blank DVD/CD in your burner.

4. Install ImgBurn by following the prompts and then start this program.

5. Click on the Write image file to disc button.

6. Under 'Source' click on the Browse for file button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file (kav_rescue_10.iso).

7. Click on the big Write button.

8. The disc creation process will now start and it will take around 5-10 minutes to complete.

STEP B:

Configure the computer to boot from CD-ROM

On some machines, if you restart the computer and repeatedly tap the F11 key it should bring up the Boot Menu, from there you can select to boot from the CD.

If this doesn't happen then you'll need to configure your computer to boot from a CD like you'll see below.

1. Use the Delete or F2 keys to load the BIOS menu. Information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot.

2. In your PC BIOS settings select the Boot menu and set CD/DVD-ROM as the primary boot device.

3. Insert your Kaspersky Rescue Disk and restart your computer.

STEP C:

Boot your computer from Kaspersky Rescue Disk

1. Your computer will now boot from the Kaspersky Rescue Disk, and you'll be asked to press any key to proceed with this process.

(image: Kasp1-1.png)

2. In the start up wizard window that will open, select your language using the cursor moving keys. Press the ENTER key on the keyboard.

(image: Kasp2-1.png)

3. On the next screen, select Kaspersky Rescue Disk. Graphic Mode then press ENTER.

(image: Kasp3-1.png)

4. The End User License Agreement of Kaspersky Rescue Disk will be displayed on the screen. Read the agreement carefully, then press the C button on your keyboard.

5. Once the actions described above have been performed, the Kaspersky operating system will start.

STEP D:

Launch Kaspersky WindowsUnlocker to remove the malicious registry changes

This ransomware trojan has modified your Windows system registry so that when you're trying to boot your computer it will instead launch its lock screen. To remove these malicious registry changes we need to use the Kaspersky WindowsUnlocker from Kaspersky Rescue Disk.

1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky WindowsUnlocker.

(image: Kasp5-1.png)

If you can't find the WindowsUnlocker button, you can select Terminal and in the command prompt type windowsunlocker and then press Enter on the keyboard.

2. A white colored console window will appear and will automatically start loading the registry files for scanning and disinfection. The whole process will take only a couple of seconds and after this process you should be able to boot your computer in normal mode.

(image: Kasp6-1.png)

STEP E:

Scan your system with Kaspersky Rescue Disk

1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky Rescue Disk, then click on My Update Center and press Start update.

(image: Kasp7-1.png)

2. When the update process has completed, the light at the top of the window will turn green, and the databases release date will be updated.

(image: Kasp8-1.png)

3. Click on the Objects Scan tab, then click Start Objects Scan to begin the scan.

(image: Kasp9-1.png)

4. If any malicious items are found, the default settings are to prompt you for action with a red popup window on the bottom right. Delete is the recommended action in most cases, but we strongly recommend that you try first to disinfect, and if it doesn't work choose to quarantine the infected files just to be on the safe side.

(image: Kasp10-1.png)

5. When all detected items have been processed and removed, the light in the window will turn green and the scan will show as completed.

(image: Kasp11-1.png)

6. When done you can close the Kaspersky Rescue Disk window and use the Start Menu to Restart the computer.

7. When booted back into Windows, navigate to Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run named "ScanObject". Copy/paste that file to your reply.

Kevin....


Ok, have some good news. K loaded and ran, but there was no option for windows unlocker on the menu. I see that I might be able to run it from terminal mode, but first I am running the scan. Looks like the first time we will be able to get a meaningful report, so figured we might as well try before I go look for the unlocker.

Nice to see something other than bios on the screen again :)


Ok, K didn't find any threats, but I don't think it is seeing my SSD. The only drives on the desktop or available via file management are the DVD and the conventional spinning drive.

Also, when I ran the windows unlocker, it only looked like about half of the commands were run. Again, my bet is that it isn't mapped to the bad drive, and I'm open to ideas.

Thanks again!


I feel maybe go to the recovery environment as you did previously, you gave me this list to look at:

Advanced boot options gives me these options:

repair your computer
safe mode
safe mode with net
safe mode with command

enable boot logging
enable low res vid
last known good config
directory services restore
debug mode
disable automatic restart
disable driver signature

I've listed one of the entries in red, can you try that option, windows may be able to use those settings and run again...
