Infected computer


Menard5


Hi. I have a computer running Windows Vista that has been infected. At the advice of a relative I ran ComboFix. The only thing I can get my computer to do now is restart.

Originally the virus would not allow me to run any virus protection. I was also very limited as to what, if anything, I could do on the internet. I was finally able to load Malwarebytes by downloading it on another computer and then loading it on by USB. This found nothing. I have tried both System Restore and system recovery. Restore did not work, and recovery won't run. It gets part way and then locks me out. I then ran ComboFix as recommended.

Now my computer continually restarts.

Is there anything that I can do to fix it?

Thank you for your help!!!!


So that I understand, you're stuck in a boot loop without a Vista OS.

Have you tried Safe Mode or Last Known Good?

Restart your computer in Safe Mode.

Press F8 after the Power-On Self Test (POST) is done. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.

On the Advanced Boot Options screen, use the arrow keys to highlight the safe mode option you want, and then press ENTER. For more information about options, see Advanced startup options (including safe mode).

Log on to your computer with a user account that has administrator rights.

When your computer is in safe mode, you'll see the words Safe Mode in the corners of the display. To exit safe mode, restart your computer and let Windows start normally.


I have started in Safe Mode. When I then go to try to start normally, it is still in a constant loop. Once the Windows symbol comes up, it reboots itself. Does it matter which Safe Mode? I have only logged in on the option that says "Safe Mode." I am not in front of it now, but I believe there were 2 or 3 other options.

While in Safe Mode I have rerun Malwarebytes. When I try the OS reformat and recovery after that, it does get a little further along in the process but then blocks me. If I try the reformat again after that, it stops right away again.


Try Safe Mode:

http://www.bleepingcomputer.com/tutorials/tutorial143.html

Let's see if we can restore the PC back to where it worked right.

Close and save any documents that you may have open.

Click on the Start button to open your Start Menu.

When the Start Menu opens click on the All Programs menu option.

Click once on the Accessories Start Menu group.

Click once on the System Tools Start Menu group.

Click once on the System Restore icon. After you click on the icon, if a User Account Control window opens you should click on the Continue button.

You will now be at the System Restore screen.

By default, Vista will already have selected the Recommended restore option. This restore point is one that was made after a new program, driver, or update was installed. If you would like to use this restore point, you can click on the Next button to start the restore process. On the other hand, if there is a more recent restore point that you would like to restore, you should select Choose a different restore point and press the Next button. This will bring you to a screen, as shown in Figure 2, that contains a listing of all the available restore points that you can restore to.

You should select the restore point that you would like to restore and press the Next button to start the restore process. Vista will display a Window showing your selected restore point and asking you to confirm that this is the one you would like to restore.

If you would like to select a different restore point press the Back button. Otherwise you can press the Cancel button to exit System Restore or the Finish button to begin the restore process. If you selected Finish, Vista will display a second prompt asking you to confirm that you would like to continue the restore.

If you are sure you want to do the restore, then press the Yes button. Vista will now log you off of the computer and start the System Restore process as shown in Figure 5 below.

When the restore has been completed, your computer will be restarted, and when Vista boots back up it will be restored to its previous state. When you log in to Vista for the first time after the restore, you will see a message showing that the restore was successful.

If there are any problems with your computer due to the last restore, you can revert back to your previous settings by going back into the System Restore Utility and selecting the Undo System Restore option and pressing the Next button.

Your computer should now be working properly again.


I'll assume you have Safe Mode with networking so you have internet access.

If not: Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

If the tool won't run from the desktop, try running it from the USB device.

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


I had already run combofix at the suggestion of a relative prior to looking for help here. I have not run it since. I ran the suggested logs. Thanks for your help!

When I proceed to run as administrator, the only prompt I get is C:\Users\Menard

Here are the 2 logs:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft


Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).

  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.


Here is the file. In the combofix folders, I do not see any .txt files.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6002 Disk: SAMSUNG_HD501LJ rev.CR100-12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 9 !

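The line that matters in the mbr.exe output above is "copy of MBR has been found in sector 9 !": sector 0 reads as consistent between user mode and kernel mode, but a second, complete MBR is sitting in the unpartitioned gap before the first partition, which is where a bootkit that has replaced the boot code tends to stash the original. The script below is an added illustration, not part of the thread and not GMER's code. It parses the standard MBR layout (440 bytes of boot code, a 4-byte Windows disk signature, four 16-byte partition entries at offset 446, the 55 AA signature at offset 510), scans a disk image for stray MBR copies the way the tool's log suggests, and diffs the live sector 0 against the copy it finds. The sample disk image and its bytes are constructed for the example; the partition size is only chosen to resemble a 500 GB drive.

```python
from __future__ import annotations
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510, read little-endian
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
PART_TABLE_OFF = 446
DISK_SIG_OFF = 440


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, Windows disk signature,
    the four partition entries and the trailing boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:DISK_SIG_OFF],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
    }


def diff_mbr(live: bytes, backup: bytes) -> list[str]:
    """Compare the MBR the machine boots from against a suspected saved copy.
    A bootkit must keep the partition table intact (the OS still has to boot),
    so 'boot code differs' with an identical table is the pattern to escalate."""
    a, b = parse_mbr(live), parse_mbr(backup)
    findings = []
    if not a["signature_ok"]:
        findings.append("live MBR has no 55AA signature")
    if not b["signature_ok"]:
        findings.append("backup MBR has no 55AA signature")
    if a["boot_code"] != b["boot_code"]:
        findings.append("boot code differs")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature differs")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs")
    return findings


def find_mbr_copies(image: bytes, max_sector: int = 63) -> list[int]:
    """Scan sectors 1..max_sector (the gap before a first partition at LBA 63
    or 2048) for sectors that look like a complete MBR: valid signature and at
    least one non-empty partition entry. This is the check behind the
    'copy of MBR has been found in sector 9' line in the log above."""
    last = min(max_sector, len(image) // SECTOR_SIZE - 1)
    hits = []
    for idx in range(1, last + 1):
        mbr = parse_mbr(image[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE])
        if mbr["signature_ok"] and any(p["type"] != 0 for p in mbr["partitions"]):
            hits.append(idx)
    return hits


# --- constructed sample data (assumed values, not read from the poster's disk) ---

def build_mbr(boot_code: bytes, disk_sig: int,
              parts: list[tuple[bool, int, int, int]]) -> bytes:
    """Assemble a sector from boot code, disk signature and up to four
    (bootable, type, lba_start, sectors) entries. CHS fields get a placeholder;
    only the LBA fields are used by the parser."""
    if len(boot_code) > DISK_SIG_OFF or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba_start, sectors)
        for bootable, ptype, lba_start, sectors in parts)
    return (boot_code.ljust(DISK_SIG_OFF, b"\x00")
            + struct.pack("<I", disk_sig) + b"\x00\x00"
            + table.ljust(64, b"\x00") + b"\x55\xaa")


ONE_NTFS_PART = [(True, 0x07, 2048, 976771120)]   # type 0x07 = NTFS, roughly 500 GB
ORIGINAL_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb", 0x2A1B3C4D, ONE_NTFS_PART)
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90\x00\x00\x00\x00\x00", 0x2A1B3C4D, ONE_NTFS_PART)


def build_disk_image(n_sectors: int, sectors: dict[int, bytes]) -> bytes:
    """Zero-filled image with the given sectors written in place."""
    img = bytearray(n_sectors * SECTOR_SIZE)
    for idx, data in sectors.items():
        img[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE] = data
    return bytes(img)


# Sector 0 holds the hooked MBR; the original sits in sector 9, as in the log above.
INFECTED_IMAGE = build_disk_image(16, {0: TAMPERED_MBR, 9: ORIGINAL_MBR})


if __name__ == "__main__":
    copies = find_mbr_copies(INFECTED_IMAGE)
    print("MBR copies in sectors:", copies)          # [9]
    for idx in copies:
        backup = INFECTED_IMAGE[idx * SECTOR_SIZE:(idx + 1) * SECTOR_SIZE]
        print(f"sector 0 vs sector {idx}:",
              diff_mbr(INFECTED_IMAGE[:SECTOR_SIZE], backup))   # ['boot code differs']
```

On a live Windows machine the same functions can be fed the first few sectors of the physical disk, read from an elevated prompt with `open(r"\\.\PhysicalDrive0", "rb")` in whole-sector multiples; without administrator rights that open fails with access denied, which is the same wall the poster hit with the other tools. A found copy whose partition table matches sector 0 but whose boot code does not is exactly the case where the original sector should be restored from the copy rather than rewritten from scratch, since the disk signature in it is what the Vista boot configuration keys on.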

When I first run it I see a screen that says access denied. Need administrator rights. It also said that somewhere in the middle of the scan. When I looked through the folder, this is the only thing I saw that was a .txt file

-------- 2010-12-30 - 06:34:32 -------------

-------- 2010-12-30 - 06:52:30 -------------

error: 31

-------- 2010-12-30 - 07:10:54 -------------

error: 31

-------- 2011-01-01 - 18:44:42 -------------

error: 31

-------- 2011-01-04 - 05:50:06 -------------

error: 31

-------- 2011-01-04 - 06:10:04 -------------


Usually when the system won't start in Normal Mode but will start in Safe Mode, it's a driver / security software that's causing the issues.

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Next:

Uninstall these using Add/Remove Programs:

Ask.com

Java


Use the System File Checker tool (SFC.exe) to determine which file is causing the issue, and then replace the file. To do this, follow these steps:

1. Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.

2. Type the following command, and then press ENTER:

sfc /scannow <-- Note the space, it needs to be there.

The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions.

