1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Smart hdd infection

Discussion in 'Malware Removal' started by DeanK, Apr 26, 2012.

  1. DeanK

    DeanK Private E-2

    Ok, I know I should have come to you guys first, but I tried to fix this myself and things have gotten worse. I have a Dell D810, wirelessly connected to my network that has gotten the Smart Hdd virus. Changed it to safe mode and tried Malawarebytes with no luck. Then downloaded Roguekiller and ran it and the virus infected safe mode! Now I don't have any acces to any programs or anything in safe mode either.

    I need help to get back so I can even try anything. I have other computers to download info onto memory sticks, but right now the d810 can't even recognize it.

    This is a pickle George, a real pickle.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You left out a very important detail that impacts what we may say next!!!

    What version of Windows are you running?
     
  3. DeanK

    DeanK Private E-2

    rolleyesOpps...Windows XP Professional, service pack 3.

    If I can gain acces to personal files, I can check a save the few my kids have saved there to another computer and wipe the hard drive if necessary. The vast majority of personal files are kept on another computer acting as a server of sorts. So I may have the nuclear option.:major

    Thanks!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP boot disk? It may or may not be able to be used to run a repair.

    To do backups ( not really a topic for this forum ), you will have to research using some other special boot CD that allows that ability. Like perhaps the below link mentions:

    Use Ubuntu Live CD to Backup Files from Your Dead Windows Computer

    Are you saying the PC does not boot up at all, or are you saying it boots up but you do not seem to be able run anything? If the latter, are you 100% sure you cannot run anything?
     
  5. DeanK

    DeanK Private E-2

    I have the disk that came with the computer, which I think is the boot disk.

    The computer does boot up: in regular mode the smart hdd virus pops up right away, listing 21 write fault errors, then S.M.A.R.T. Check pops up and starts running. It seems I can pause it from running, and cannot get the Windows Task Manager to come up, or get internet explorer running. The desktop is blank also.
    I did find a work around to get to my C: drive, after showing all hidden files, my documents was listed under start, and I can get to it. I can also plug in a flash drive and access it! So in short, I have no network or internet access, but can access C: and a flashdrive. SMART HDD keeps complaining with different failure warnings, but the 'recovery' program is paused.

    I would appreciate any suggestions of what I should load on the flashdrive to run on the infected computer. Thanks.




    Safemode with networking is worse. No ccess to file or programs period.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then we will try to make use of this.

    Okay and we will make use of this too.

    Use another PC to download the below programs to your flash drive:
    Then put the flash drive into the problem PC and copy each of the above files from the flash drive into your My Documents folder that you said you have access too. Once copied to the My Documents folder, try the below:

    • Run MGtools.exe by double clicking on it and wait for it to finish running. It will tell you when finished. Attach the log from MGtools which will be C:\MGlogs.zip Full details on running MGtools are here >> Using MGtools You will have to copy the log file back to your flash drive to use your other PC to post here.
    • Now try to run ComboFix.exe by double clicking on it. Since you do not have an internet connection you cannot install the recovery console or perform any other updates. Just see if you can get it to run. If it does then attach the C:\combofix.txt log it creates to your next message.
    • Now see if you can get the Malwarebytes installer to run. If you can then run a full scan with it and fix any problems it finds. Immediately reboot your PC after selecting to fix problems.
    Let me know what you can and cannot do. If things do not work, tell me exactly what problems you have.
     
  7. DeanK

    DeanK Private E-2

    When I started up the computer after leaving it off for a few days, the smart hdd didn't attack like before. The desktop was blank but the Start menu was populated again (files weren't hidden again either). I had an internet connection too.

    MGTools ran fine, file attached.

    Combofix ran and updated, and reported I had a rootkit.zeroaccess! virus. After a while it froze, so I rebooted it and ran Combofix again. Froze again during the scan. Oh yeah, during the load (both times) it said there was a parasite in dplayx.dll that was trying to attatch itself to combofix.

    Ran Malwarebytes and it came up with 9 trojans, which I think snagged it. The third run of combofix froze up again, but there was no report of the virus.


    View attachment 178410

    View attachment 178411

    :-D I have some success here! What do you think?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please only follow instructions given. You should not run anything extra times. If something does not work when requested then skip it and report back what happened exactly.

    You did not attach valid files, please try attach the logs again. See: HOW TO: Attach Items To Your Post
     
  9. DeanK

    DeanK Private E-2

    Sorry, just thought i couldn't hurt.

    Here are the files.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your infection may have hidden some things from you ( like Start Menu, Programs....etc ). Let's fix this.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: SearchPredictObj Class - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll
    O4 - HKLM\..\Run: [LHWmcRqHquM.exe] C:\Documents and Settings\All Users\Application Data\LHWmcRqHquM.exe
    O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
    O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon [​IMG]
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. DeanK

    DeanK Private E-2

    Unhiding went fine.

    When I run HiJack This, it gets denied access to a hosts file. There's a funny line:

    01 - Hosts: ::1 localhost

    that I've never seen before when running HiJack This. Should I delete this? I didn't do it pending your instuctions. Also, I only found line 02 and the last 04 line to fix, the other 04 lines were not listed.

    I haven't really run it through it's paces, but I'll try it out and post again.
     

    Attached Files:

  12. DeanK

    DeanK Private E-2

    Ok, page loading is slower right now, running a video off youtube gives choppy video but the audio is smooth. I ran something I know I've run before so I'd see the difference. The commit charge seems higher than usual, but I can't find any unusual processes running.

    Obviously the worst is past now, with no pop-up warnings and I can see and run everything. Time will tell if any strange warning pop up again like after the first round of fixes.

    Sorry I didn't say this earlier, thank you for your help! As you can see with my extra tinkering I try to fix things myself, and I have been successful in the past just by following your first steps. This virus was a tough one, and it's great to have this computer up and running again.

    Any next steps?
     
  13. DeanK

    DeanK Private E-2

    Update:

    explorer.exe is hogging mem usage, eating up between 160,000k and 250,000k. It moves up and down, and when it does the CPU usage goes up, 50-100%.

    I have no idea what is running there.:confused
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! This is normal.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.

    See the download links under this icon [​IMG]
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  15. DeanK

    DeanK Private E-2

    I removed Windows Messenger.

    TDS Skiller did not run as an .exe or .com. I redownloaded it on a thumbdrive and tried to run it that way but no luck either.

    MBRcheck file attached.

    No other pop-ups or virus attacks to report, but last problem (slowness) is unchanged.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MBRcheck shows a faked MBR
    Code:
    PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A
          Size  Device Name          MBR Status
      --------------------------------------------
         93 GB  [URL="file://\\.\PhysicalDrive0"]\\.\PhysicalDrive0[/URL]   MBR Code Faked!
                SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    You need to fix this. Earlier in message number 5 you said you think you have your Win XP boot disk. You need to check and make sure you really have a CD that is a bootable Windows XP disk and check to see if you can boot to the Recovery Console with it. If you can get to the command prompt of the Recovery Console, you need to run the below command.

    fixmbr
    exit

    The second command will reboot. Just reboot normally to Windows and rerun MBRcheck and attach a new log.
     
  17. DeanK

    DeanK Private E-2

    Sorry about the delayed response, I had a serious accident.

    The boot disk I tought I had is the Operating System reinstallation CD (Windows XP, SP2) that I recieved with the computer. With it in the cd drive, I was able to choose the recovery console, but the computer appears to freeze while loading it. I tried a couple of times with the same results. Is there a generic boot disk I can make with one of my other computers and use on this one?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hope everything is okay!

    If you had any external/removable devices ( like USB flash drives, USB hard disks, camera's, MP3 player.....etc ) plugged in then unplug all of them an try again. If this does not help, try the below.

    Fix MBR using ARCDC
     
  19. DeanK

    DeanK Private E-2

    I'll be healing for a long time...I'm very lucky, it could have been worse or even fatal.

    Used ACRDC and made a dic off another computer, and ran it on the troubled laptop here. Nothing seems to have changed. Laptop giving fits about attaching files for some reason, so I copied and pasted the latest MBRcheck file I reran after running fixmbr.



    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 119):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D1000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 PCIIde.sys
    0xBA328000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
    0xBA5AC000 intelide.sys
    0xB9F4A000 pcmcia.sys
    0xBA0B8000 MountMgr.sys
    0xB9F2B000 ftdisk.sys
    0xBA330000 PartMgr.sys
    0xBA0C8000 VolSnap.sys
    0xB9F13000 atapi.sys
    0xBA338000 cercsr6.sys
    0xB9EFB000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EDB000 fltmgr.sys
    0xB9EC9000 sr.sys
    0xB9EB2000 KSecDD.sys
    0xB9E9F000 WudfPf.sys
    0xB9E12000 Ntfs.sys
    0xB9DE5000 NDIS.sys
    0xB9DCB000 Mup.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA568000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB9C27000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xB9C13000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9BF5000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9BD1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB9BBB000 \SystemRoot\system32\DRIVERS\gtipci21.sys
    0xBA570000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
    0xB9B27000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xB9AE4000 \SystemRoot\system32\drivers\STAC97.sys
    0xB9AC0000 \SystemRoot\system32\drivers\portcls.sys
    0xBA318000 \SystemRoot\system32\drivers\drmk.sys
    0xB9A9D000 \SystemRoot\system32\drivers\ks.sys
    0xB9A6A000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
    0xB996D000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
    0xB98C0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA3F0000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA108000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA118000 \SystemRoot\system32\DRIVERS\serial.sys
    0xBA574000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xBA128000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA138000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xBA6A0000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9881000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA410000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9870000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA420000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB9840000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5CC000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB97E2000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA6A7000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5D8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA440000 \SystemRoot\System32\drivers\vga.sys
    0xBA5DA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5DC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA448000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA450000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9D72000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB169F000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB1646000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB162D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB1607000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA55C000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xB15E5000 \SystemRoot\System32\drivers\afd.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB15BA000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB15A1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA268000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA2B8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB1561000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA618000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB98B8000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA498000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA7CB000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF04E000 \SystemRoot\System32\ati2cqag.dll
    0xBF080000 \SystemRoot\System32\atikvmag.dll
    0xBF0B2000 \SystemRoot\System32\ati3duag.dll
    0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
    0xAF375000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAE01A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAE005000 \SystemRoot\system32\drivers\wdmaud.sys
    0xAF2E9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xADECF000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xADD77000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAD8D6000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 36):
    0 System Idle Process
    4 System
    744 C:\WINDOWS\system32\smss.exe
    820 csrss.exe
    844 C:\WINDOWS\system32\winlogon.exe
    888 C:\WINDOWS\system32\services.exe
    900 C:\WINDOWS\system32\lsass.exe
    1052 C:\WINDOWS\system32\ati2evxx.exe
    1064 C:\WINDOWS\system32\svchost.exe
    1160 svchost.exe
    1200 C:\WINDOWS\system32\svchost.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1404 svchost.exe
    1600 C:\WINDOWS\system32\ati2evxx.exe
    1668 svchost.exe
    1676 C:\WINDOWS\explorer.exe
    184 C:\WINDOWS\system32\spoolsv.exe
    232 scardsvr.exe
    284 svchost.exe
    708 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    732 C:\Program Files\Bonjour\mDNSResponder.exe
    1532 C:\WINDOWS\system32\svchost.exe
    2060 wmiprvse.exe
    2264 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    2296 C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE
    2320 C:\Program Files\iTunes\iTunesHelper.exe
    2336 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    2372 C:\WINDOWS\system32\ctfmon.exe
    2380 C:\WINDOWS\system32\rundll32.exe
    2444 C:\Program Files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe
    2560 alg.exe
    2920 C:\Program Files\iPod\bin\iPodService.exe
    3800 C:\WINDOWS\system32\svchost.exe
    2044 C:\WINDOWS\system32\wuauclt.exe
    2816 C:\Program Files\Internet Explorer\iexplore.exe
    3764 C:\Documents and Settings\D810\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A

    Size Device Name MBR Status
    --------------------------------------------
    93 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you may have been trying to reattach the same old log. You need to run a new scan with MBRcheck before ATTACHing the new log. If this is really a new log then you did not get the MBR fixed by booting into the Recovery Console and you will need to do it again and make sure you follow all steps properly. You must BOOT your computer from the CD. You cannot be running Windows and then run those commands.
     
  21. DeanK

    DeanK Private E-2

    Ok, new file attached, but I don't think you are going to like it. The fake mbr on the report keeps coming up even though I ran the recovery disk and followed the instructions. I thought there could be a problem that I made it off another computer, so I made another disk off of this laptop (with some difficultly). It ran the same way. Every time I run it, it gives a caution warning and when I proceed it says a new mbr has been successfully written. I am 99% sure I'm doing what you are telling me to do and the narcotics I am on isn't fuzzing things up!
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 1: We are going to be using the ARCDC disc again at the end of the below, but first we need to make another CD to remove an infected partition.

    Step 2: Now for ALL Windows Users continue here with G-Parted Instructions.
    Now boot off of the newly created GParted CD.
    [​IMG]
    You should be here...
    Press ENTER
    [​IMG]
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    [​IMG]
    Choose your language and press ENTER. English is default [33]
    [​IMG]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    [​IMG]
    According to your logs, the partition that you want to delete is 2.48 MB MiB
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    [​IMG]
    Now you should be here:
    [​IMG]
    Is boot next to your OS drive? According to your logs, your OS drive is the 93.16 GB GiB sized partition.
    [​IMG]
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    [​IMG]
    Now press the Close button to save these changes.
    Now double-click the [​IMG] button.
    You should receive a small pop up like this:
    [​IMG]
    Choose reboot and then press OK.


    Now use the ARCDC boot CD made earlier and per the instructions to boot to the Recovery Console command prompt and execute the following commands pressing ENTER after each:
    • fixmbr
    • fixboot
    • exit
    Once back in Normal Windows

    Now run a new scan with MBRCheck

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs (See: How to attach):
    • the new log from MBRcheck
    • C:\MGlogs.zip
     
    Last edited: May 18, 2012
  23. DeanK

    DeanK Private E-2

    I did think it was possible, but somehow I messed up your directions.

    I downloaded the lastest version of gparted-live (124MB), download Imgburn, installed it, ran it, burned the iso file on the cd, and rebooted the laptop off the cd. And the laptop booted up in windows, nothing special. I didn't get the screens you show, so now I'm stuck.

    Do you have any idea where I went wrong? Perhaps I burned the cd incorrectly. The Imgburn wasn't the version you instructions show images of, so I made the cd the most logical way.

    I hate to be a pain, but I just can't figure out where I went wrong.

    Continuing thanks for your help!!!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to make a bootable disc. You cannot just copy the iso file to the CD as that would just be a simple data disc. Also you need to make sure your BIOS is set to allow booting from the CD before booting from the hard disk drive.

    The link I gave you form ImgBurn was for v 2.5.6.0 and the instructions link I gave you for using it were also for version 2.5.6.0 so you just need to follow them exactly as written.
     
  25. DeanK

    DeanK Private E-2

    Ahhh, yes! Thank you. I did NOT lower the write speed and that's where I went wrong. Fixed that and everything went perfect according to your instructions.

    Files are attached.
     

    Attached Files:

  26. DeanK

    DeanK Private E-2

    Update:

    Still getting redirects and the fake mbr as you'll see in the log. Computer is much, much faster. Not doing much else with it pending future actions to fix it further.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No there is no fake MBR anymore. It has been fixed per your last log.

    Which broswers do you see redirects in? Test both FireFox and IE to see if it is with both but DO NOT have both open at the same time. Test only one at a time and close the other before testing the second.
     
  28. DeanK

    DeanK Private E-2

    I Googled a few subjects and linked to them on Firefox and IE. Firefox had no redirects while IE had a couple of redirects. I saw one reference to Searchqu in Firefox. I thought I had eliminated that annoying thing a while ago.

    I'm anxiously giddy we are getting close to completely fixing everything!
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [Google] rundll32.exe "C:\Documents and Settings\D810\Local Settings\Application Data\Identities\Google\totah.dll",DllRegisterServer
    O4 - HKUS\S-1-5-18\..\Run: [Google] rundll32.exe "C:\Documents and Settings\D810\Local Settings\Application Data\Identities\Google\totah.dll",DllRegisterServer (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Google] rundll32.exe "C:\Documents and Settings\D810\Local Settings\Application Data\Identities\Google\totah.dll",DllRegisterServer (User 'Default user')

    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon [​IMG]
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download a new copy of combofix.exe to your Desktop and then see if you can get ComboFix to run now.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\combofix.txt log if ComboFix ran this time.
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  30. DeanK

    DeanK Private E-2

    Everything ran, files attached. Did a couple of different checks (searches, youtube video, eyc.). No redirects! Test video runs very well (Eddie Izzard: Death Star Canteen). Only thing I noticed was the laptop is no longer connected to my local network, so I can't access files on my main computer. I think I can manage reconnecting that after you give the final stamp of approval.
     

    Attached Files:

  31. DeanK

    DeanK Private E-2

    I would guess that Chaslang is on a well derserved vacation, since I haven't seen him replying to anyones posts, including mine. I would appreciate it if anyone else could review the files form my last post and let me know the status of my problem. In the last week it has not misbehaved, though I did pick up another redirect trogan that Malwarebytes took care of removing. There is still a Host :: localhost line when I run Hijack this that I've never seen before on this or any of my three computers. I tried to delete it and it comes right back. Like I said, any help is appreciated!
     
  32. DeanK

    DeanK Private E-2

    Hi, I know it's been a while, but I was hoping to get some final feedback from you. The computer is running well, but I never know what could be lurking in the background. I would appreciate a final bill of health so I can uninstall the many programs I downloaded to work on the problem. Thanks for your help.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I was. ;)

    This is normal! It is part of the syntax for IPv6.

    Now that we have a ComboFix log, we have one more fix to do.



    Uninstall the below old versions of software:
    Java(TM) 6 Update 30

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  34. DeanK

    DeanK Private E-2

    Hope you had a great vacation!:)

    Here how it went:

    Java uninstalled

    Ran Combofix per instructions. A warning came up saying that Combofix had expired and I chose to run it at diminished functionality. Afterwards, I did not have any problem opening any programs, so I did not reboot.

    Updated SunJava installed

    Ran Getlogs

    C:combofix.txt will not attach (old copy? is this the diminished functionality result?)

    Haven't take it for a spin to see how things are running, but it was performing ok previously.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to use the new version. Expired versions will not fix anything. Download the new version and use it to repeat the same fix.

    Attach new combofix.txt and new MGlogs.zip
     
  36. DeanK

    DeanK Private E-2

    Hi, the files are attached.

    One other update: I recently added Avira as my anti-virus. On the first run it found TR/Crypt.XPACK.Gen and removed it. I didn't know if this meant anything to you, so I thought I'd let you know.

    Overall the computer is running well, though sometimes I can't get Google results when I use Google search in my top bar. It happens only sometimes.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really. Names of infections are not necessarily that helpful. We need to know what files, folders and registry keys are being implicated. For all I know, it was something we already fix and Avira just found what was quarantined.

    I'm sorry but you did not run ComboFix like I requested in the fix. You need to make and use the CFScript.txt file as instruction. You just ran a scan with ComboFix. You did not run the fix.
     
  38. DeanK

    DeanK Private E-2

    Ok, I ran Combofix with the CFScript.txt as requested, and after reboot the computer has no connectivity. Tried repairing it and it states it cannot renew the IP address.

    I've attached ComboFix.txt as requested. This is the first time we've taken a step backwards, perse. I checked what I could to see if I did anything wrong, but I couldn't find anything (which isn't saying alot given my expertise, but I'm trying!)
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! I don't see why based on this log. Let's get a new log from MGtools to see what shows up.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  40. DeanK

    DeanK Private E-2

    Ok, file attached.
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay seems to be some residual damage from your original infection. Probably was just a coincidence that it showed up after running combofix. You have some important registry keys that the infection deleted. Let's see if the below can fix this for you.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • The click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  42. DeanK

    DeanK Private E-2

    Actions completed without any problems.

    File attached.

    The problem with connecting to the internet still remains, I tried a simple repair and it came back with the same IP address problem.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That strange! Normally it is able to repair these issues and fix the missing registry keys. Were there any errors while running it at all? The Reset Registry and File Permissions part of the fix takes a long time to run.


    Please download the below registry patch and save it to your Desktop.

    netbt.reg

    The right click on it and select Merge. Allow it to be added to your registry. Do not let any protection software interfere with the change. Then reboot your PC. After reboot see how things are working. And also so we can check that the fix worked properly, do the below.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  44. DeanK

    DeanK Private E-2

    netbt.reg renewed the internet connection! Everything seems to be functioning again, though my toolbars are black.

    Ran GetLogs.bat and noted anything that pops up while it's running:

    -HiJackThis is denied access to hosts file

    -ProcessDLL.exe failed to initialize properly (0xc0000135)

    File attached.

    Thanks for getting the internet reconnected!
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent!

    What toolbar? Do you mean tha Weather Channel Toolbar ?
     
  46. DeanK

    DeanK Private E-2

    The command toolbar, and favorites. I get some symbols but the rest is black, I can't even read the words. Everything else is great so far!
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still not sure exactly what you are referring to. I don't know whether you mean from within your browser or whether you are clicking on the Start button in the task bar and then the menus are black. Please describe exactly what you are doing/looking at.

    If you are referring to in you browser, do you mean Internet Explorer's command bar where the below menu selections normally show?

    File Edit View Favorites Tools Help


    If you are referring to IE8 then try the below. Print the instructions because you need to have IE shutdown before following them.
    • Right click on your Desktop and select Properties
    • On the Display Properties menu make sure the Themes tab is selected
    • Use the little pull down arrow button to select Windows Classic theme then select Apply
    • After you have hit Apply go back up to the theme selection menu and now select My Current Theme This makes Windows Classic your Current Theme
    • Click OK to reset the setting and restart you computer.
    • After restart, see if you still have the problem.
     
    Last edited: Jun 30, 2012
  48. DeanK

    DeanK Private E-2

    Well, I may not have described it clearly, but your fix did the trick!

    So...is there anything else I need to do to finish fixing my problem? I can't detect any problems anymore.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great news! ;)



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key [​IMG] and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  50. DeanK

    DeanK Private E-2

    Thanks for everything!:cool
     

Share This Page

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds