
Third post....please help



My problems started with PC Antispyware 2010 and Windows Antivirus Pro. Nothing would run, just many popups wanting me to download the software. Programs in the control panel would not run. I tried to install HJT from a thumb drive with no success. Also tried to boot from safe mode, but computer will not boot into safe mode, it loops back to the DOS screen asking whether you want to boot to Safe Mode, Safe Mode with Networking, etc. The only way it would boot is Last Known Good Configuration or Normally.

I then renamed mbam.exe to iexplore.exe. This allowed mwb to start and run for about 3 or 4 minutes before Windows shut down. During that process, many infected objects were found....but apparently no log file is created until the scan is complete.

After reading some of the advice files here, I decided to download and run Rootrepeal. I found two things.... a .sys file prefixed with UAC and one with SKYNET. I had Rootrepeal wipe these files. This allowed MWB to run normally. After several passes with MWB I was down to spyware.banker, which MWB identified, removed and asked for a reboot. After rebooting, MWB still found it.

Again, following advice found here, and with the intention of posting MWB and HJT logs here, I removed McAfee, and downloaded Avira. Avira found additional problems, the most frequent of which was TR/Patched.EL.66. I quarantined all files found, rebooted, and ran MWB. It found 8 instances of spyware.banker. I removed them and was requested to reboot, which I did.

It will now not boot at all....not normally, not in safe mode and not to the last known good configuration.

I am running Windows XP Media Edition SP2.

Please help.


  • Staff

Hi,

It will now not boot at all....not normally, not in safe mode and not to the last known good configuration.

I am running Windows XP Media Edition SP2.

I'm afraid this is a lost case here already. The malware you were dealing with damages a lot, and from what I read here, you were probably also dealing with Virut (TR/Patched).

Also, latest malware is designed to make your PC unbootable if you attempt to remove it. Also see here:

When a Bot master goes mad - Kill the OS and here A Zeus botnet self-destructs

That's why we always recommend to backup important data anyway, because this problem is known.

In your case, a format and reinstall is the best solution. Also see here: Malware Removal - Where to draw the line


Most, but not all of my data is backed up. There are some files that I would still like very much to retrieve. Is it possible to boot the computer from a bootable Windows CD such as UBCD for Windows, then retrieve the needed files?

Additionally, is it reasonable to reformat and expect that all traces of the issue are gone?


  • Staff

Yes, you can do that. BartPE is great for this:

http://www.nu2.nu/pebuilder/

Be careful when backing up executables, because I have the feeling that you were dealing with a file infector as well and this one infects legitimate .exe/.scr/.htm/.html/.xml/.zip/.rar files...

If you back them up and replace them afterwards, it will infect your computer again.

But either way, a format and reinstall will get rid of all your problems anyway - no traces will be there.

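The caution in the reply above about backing up file types the infector targets, as an added example that is not part of the original thread: a POSIX shell routine for a live-CD session that copies everything except the listed extensions and records what it left behind for later review. The function names, `SKIPPED.txt` and the mount points are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Run from a live CD shell with the
# Windows volume mounted read-only; mount points below are placeholders.

# Extensions the staff reply lists as targets of the file infector.
RISKY_EXT="exe scr htm html xml zip rar"

# is_risky FILE: succeeds if FILE's extension is on the list (case-insensitive).
is_risky() {
    name=${1##*/}
    case "$name" in
        *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 1 ;;
    esac
    for e in $RISKY_EXT; do
        if [ "$ext" = "$e" ]; then return 0; fi
    done
    return 1
}

# rescue_copy SRC DST: copy every file that is not on the list, keeping the
# directory layout, and record what was left behind in DST/SKIPPED.txt.
# Paths are read line by line, so names containing newlines are not handled.
rescue_copy() {
    src=${1%/}; dst=${2%/}; copied=0; skipped=0
    list=$(mktemp) || return 1
    find "$src" -type f > "$list"
    mkdir -p "$dst" || return 1
    : > "$dst/SKIPPED.txt"
    while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_risky "$f"; then
            printf '%s\n' "$rel" >> "$dst/SKIPPED.txt"
            skipped=$((skipped + 1))
        else
            mkdir -p "$dst/$(dirname "$rel")"
            if cp -p -- "$f" "$dst/$rel"; then copied=$((copied + 1)); fi
        fi
    done < "$list"
    rm -f "$list"
    echo "copied=$copied skipped=$skipped"
}

# Example call (placeholder mount points):
# rescue_copy "/mnt/windows/Documents and Settings" /mnt/usb/rescued
```

Files named in `SKIPPED.txt` stay on the damaged disk; anything from that list that is still needed should be scanned on a clean machine before it is opened.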

Hi,

I am new to this forum but I came across it when my system became infected. It seems that there is so much going on and from what I have gathered from your posts, this is not a good thing :(

Needless to say I am not relishing the idea of having to "scrub and reformat" my entire system.

If I need to start a new thread please let me know as I will be happy to do so. I am hoping that you can give me a little more direction on getting this resolved.

Thank you,

Sincere Regards


For the information of anyone interested, a BartPE CD must be built on a machine running XP. I was however able to recover all my data by using Knoppix. I downloaded it and burned the CD using my Vista machine, then booted my damaged XP machine with it. This is a Linux based program, but it reads the Windows data. I just copied and pasted the desired files onto a Flash Drive.

This is freeware available at http://www.knoppix.net/.


For the information of anyone interested, a BartPE CD must be built on a machine running XP. I was however able to recover all my data by using Knoppix. I downloaded it and burned the CD using my Vista machine, then booted my damaged XP machine with it. This is a Linux based program, but it reads the Windows data. I just copied and pasted the desired files onto a Flash Drive.

This is freeware available at http://www.knoppix.net/.

Just to clarify things here, pebuilder (including UBCD4WIN) requires a Windows XP SP1 (or higher) setup CD, or Windows 2k3 (any service pack level) to build the BartPE ISO file, which is bootable from a CD, thumb drive or network share depending on how you configure it.

You CAN build your BartPE on a running Vista\Win7 system with no problem at all, providing you do have the required source CD.

In this situation, a Linux build is a good choice because all you have to do is download and burn the ISO, which is easier to do when you're already trying to deal with a major computer problem.


Thanks for the update. However in the course of scouring all of these helpful threads and forums, I decided to try using Kaspersky rescue disc to see if that would be of any help. I booted my system using the Kaspersky rdisc and lo and behold, I am able to do a full scan and it found a brand new variant Virus/Trojan that was just updated a few days ago. Seems that I got the nasty

Backdoor.Win32.Bredolab.gs
This is one nasty virus and what is really scary is the fact that what I have seen a lot from everyone talking about these kind of have some of the same characteristics. I have not had a chance to check out my system as I am running a second full scan on it now. Once I am logged back on as my own profile I will update on here. All I can say is Goodbye McAfee!!! Hello Kaspersky. :(

  • Staff

That's good news that you could log in after all, however, now when you're in, I suggest you back up your important data anyway, because I'm sure the problems are not over yet and your Windows is still damaged, so a next reboot can result in an unbootable situation again.

Also, I really hope it's not Virut present here as well...


  • Staff

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
