Malware removal steps complete, still have problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pazzoduc, Aug 7, 2011.

  1. pazzoduc

    pazzoduc Private E-2

    Infected by viruses, ran Spybot and Malwarebytes. MWB had been turned off, not normal. Still had problems, so I completed the Read Me steps. Still have problems.

    Computer would not operate in std mode, so steps up to combofix were done in safe mode. Safe mode did not allow uninstall of Java, so this step was skipped.

    Running Vista 64 so RootRepeal was not done.

    Everything was fine for a few minutes. Browsed major geeks for a moment and start-up programs seemed fine.

    When re-enabling User Account Control, double-clicking the EnableUAC.reg brought up "Windows does not recognize this file extension, browse to find the correct program." Tried twice, same result. So I did it manually through Control Panel and rebooted. Everything fine.

    After restart, step 6 of the Vista instructions, right-clicked Computer and things went bad. Computer locked. Tried a few times rebooting and problems got worse. Now in STD mode the computer locks or the screen goes black. Task Manager will not come up to see what apps and processes are running. Sometimes the desktop or Start menu will fade to grey and everything locks.

    Also of note, in STD mode, I get a pop-up window titled Security Alert: "You are about to view pages over a secure connection... no one will be able to see pages" etc. I closed the window, clicked Google Chrome to nav to MajorGeeks and all seemed well enough. Clicked restore pages, then naving to MajorGeeks the browser locked with the message "waiting on cache".

    Now computer boots in STD mode, but erratically. Safe mode with networking is all I can do and still have access to MG.

    Attaching logs.
    Also attaching log from Malware Bytes std operation, and then log from first run before Read Me steps. In next post...
     


  2. pazzoduc

    pazzoduc Private E-2

    Other MWB logs attached...
     


  3. thisisu

    thisisu Malware Consultant

    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky

    Please also download MBRCheck to your Desktop.
    See the download links under this icon
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  4. pazzoduc

    pazzoduc Private E-2

    OK, next steps completed.

    TDSSKiller found nothing....
    MBRCheck Found the Non-std/infected MBR

    Logs attached.
     


  5. thisisu

    thisisu Malware Consultant

    You have an infected Master Boot Record (MBR). Since MBR infections are only worsening, we recommend that you make sure you have any important data backed up before proceeding with the below.

    Do you have your Windows Vista install DVD? If so,

    1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type bootrec /fixmbr , and then press ENTER.
    If warned that replacing the MBR may be risky, press Y to continue
    Now type Exit to exit the Recovery Environment.

    Note: There is a SPACE AFTER bootrec
    Note: To start the computer from the Windows Vista DVD, the computer must be configured to start from the DVD drive. For more information about how to configure the computer to start from the DVD drive, see the documentation that is included with the computer or contact the computer manufacturer.

    You can also view this page for more information on using Bootrec /fixmbr:
    http://support.microsoft.com/kb/927392

    After using the bootrec /fixmbr command, please reboot into Windows Vista and rerun MBRCheck and attach its new log here

    Also let me know what malware problems you are still experiencing.
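As an added illustration of what a tool like MBRCheck is testing when it reports "Found non-standard or infected MBR" (post #3), and of why bootrec /fixmbr (post #5) targets the boot code rather than the partition table, here is a small checker written for this edit. It is not MBRCheck's code and was not posted in the thread. It assumes a reference set of SHA-256 hashes of known-good boot code; the boot code, the partition entry and the tampered sector used as input are all constructed sample data, not real Windows, Dell or malware bytes.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the executable boot code
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIG_OFFSET = 510      # the last two bytes must be 0x55 0xAA


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries; an entry with type 0 is unused."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sector_count})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is disk-specific."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def classify_mbr(mbr: bytes, known_good: set) -> str:
    """Verdict in the spirit of MBRCheck's 'standard' / 'non-standard' output."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        return "invalid: boot signature 0x55AA missing"
    if boot_code_hash(mbr) in known_good:
        return "standard boot code"
    return "non-standard boot code (hash not in reference set)"


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from boot code plus (status, type, lba_start, sectors) tuples.
    Used here only to construct sample input; a real check reads sector 0 of the disk."""
    buf = bytearray(SECTOR_SIZE)
    buf[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        buf[off] = status
        buf[off + 4] = ptype
        struct.pack_into("<II", buf, off + 8, lba, count)
    buf[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(buf)


# Constructed stand-in for vendor boot code: the usual "xor ax,ax / mov ss,ax /
# mov sp,7C00h" prologue padded with NOPs. Not a real Windows or OEM MBR.
REFERENCE_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD = {hashlib.sha256(REFERENCE_BOOT_CODE).hexdigest()}

# One NTFS partition (type 0x07) starting at LBA 2048, marked active. Constructed.
PARTITIONS = [(0x80, 0x07, 2048, 2_000_000)]
GOOD_MBR = build_mbr(REFERENCE_BOOT_CODE, PARTITIONS)

# Simulated tampering: the first instruction is overwritten with a short jump so
# execution starts elsewhere in the sector. Constructed, not a real sample.
_tampered = bytearray(REFERENCE_BOOT_CODE)
_tampered[:2] = b"\xEB\x20"
TAMPERED_MBR = build_mbr(bytes(_tampered), PARTITIONS)

# A sector with the signature clobbered, as a damaged-disk case.
UNSIGNED_MBR = GOOD_MBR[:BOOT_SIG_OFFSET] + b"\x00\x00"


def report(mbr: bytes) -> str:
    """Verdict plus a one-line summary of each used partition entry."""
    lines = [classify_mbr(mbr, KNOWN_GOOD)]
    for i, e in enumerate(parse_partition_table(mbr)):
        if e["type"]:
            lines.append(f"partition {i}: type 0x{e['type']:02X} start {e['lba_start']} "
                         f"sectors {e['sectors']} active={e['bootable']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, sector in [("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("unsigned", UNSIGNED_MBR)]:
        print(f"--- {name} ---")
        print(report(sector))
```

Two things follow from the design. A hash comparison flags any boot code that is not in its reference set, legitimate OEM code included, which is consistent with the consultant's later remark in this thread that MBRCheck can report bad MBR code on a machine that runs fine. And because the partition table lives in bytes 446 to 509, a repair that rewrites only the first 440 bytes (as bootrec /fixmbr does, per Microsoft's KB 927392 linked above) replaces the code a bootkit would have modified without touching the partition layout.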
     
  6. pazzoduc

    pazzoduc Private E-2

    I can't seem to get to the System Recovery options on the Vista disc.

    I located the instructions and I am booting from the CD drive. But Vista boots completely; no System Recovery Options dialog box appears.

    I checked the Dell support site and found an alternate method to do the MBR repair, but it is only compatible with 32bit systems. This box is 64bit.

    Any Ideas? Anyone?
     
  7. pazzoduc

    pazzoduc Private E-2

    OK, found a post at MSsupport that indicated the Start-up disc may have been pre-loaded in a partition. Found another post that indicated how to access. Well, gave enough info to figure it out anyhow.

    For ref by anyone else out there that might have this issue:

    Vista 64 pre-loaded on a dell box:
    When booting, the dell logo appears. All the lit tells you to press F12 while the logo is displayed. This allows you to boot from the CD drive. But your Vista disc does not have the System Recovery Options.

    What you really want to do is wait for the Dell logo to disappear, then before the windows logo appears, press F8. Then choose the option to repair the computer. From there, the instructions in the above posts work.
     
  8. thisisu

    thisisu Malware Consultant

    Are you booting off the DVD?
    You must boot off the Vista DVD after you insert it in your CD/DVD drive.


    1. Insert the DVD
    2. Reboot your computer
    3. At the DELL Splash screen, press F12
    4. This takes you to the Boot Menu
    5. Select CD/DVD Rom from the selection by using the Down / up arrows (Note: It will probably be HL-DT-ST DVD+-RW GA10N or something similar [according to your logs])
    6. Press ENTER after you have selected the CD/DVD Rom drive.
    7. You'll hear the DVD spinning up, be ready to press ANY key when you see the following message:
    [screenshot]

    This takes a while to load (30-45 seconds)
    When the below screen appears:
    [screenshot]

    Choose Repair your computer
    Now you will be presented with this screen:
    [screenshot]
    Press Next
    You will now see this screen below:
    [screenshot]
    Choose Command Prompt which is at the bottom of the list.
    A black box appears on top of the previous screen. This is the command prompt.
    Now type in: bootrec /fixmbr and press ENTER afterwards.
    Now you will see:
    [screenshot]
    Type exit and press ENTER.
    Now restart your computer WITHOUT booting off the DVD again

    Once back into Windows.. Rerun MBRCheck and attach its latest log
     
  9. pazzoduc

    pazzoduc Private E-2

    Yes, I was booting off the cd/dvd drive. But it was not working.
    The DVD drive did spin up, and the DVD was being read, but vista started normally and completely every time.
    I was able to get to System Recovery Options as I described above.
    The Vista CD is not complete, and there is a separate drivers, utilities disc. Dell separated some of the Vista CD onto a partitioned part of the HD. At least that is how I see it with my limited knowledge. SRO runs from there. I have a DELL OEM version of the Vista disc. It is not the std MS one.

    Ran command prompt, then bootrec /fixmbr and got the Operation Completed Successfully message.
    Then I rebooted.

    I forgot to run MBR check again yesterday and the computer ran all night. Windows did an update and now the same problems are back. And the same MBR error was found. Ran MBR check now.

    Log attached.

    This AM I have to get some work done. So I re-enabled emulation, UAC and activated MS free version of security. And MWB is running. So, if I need to repeat any steps, will need to deactivate those. I have to do some work via internet on secure sites, but wanted to have as much security as possible.
     


  10. pazzoduc

    pazzoduc Private E-2

    One thing I did notice, the security warning box now does not appear on start up. Only a smaller white box flashes momentarily on the screen.
     
  11. thisisu

    thisisu Malware Consultant

    Does it behave this way on other bootable CDs/DVDs, or just this particular one?
    The problem is that it's still infected. If you didn't complete these steps using the Vista Recovery Console DVD, the chances are very high nowadays (due to malware advancing) that malware will block your attempts while you are operating on a live/active hard drive.

    This is fine. When you return, please answer my questions about if all DVDs/CDs are unbootable (only the ones that are intended to be booted from) and also let me know what malware problems you are still experiencing.
     
  12. pazzoduc

    pazzoduc Private E-2

    All other DVDs, CDs etc. work fine. Explorable, launchable etc.

    I can explore the Vista CD as well, but launching it only boots Vista normally.
     
  13. thisisu

    thisisu Malware Consultant

    Are you seeing this screen when you reboot with the Vista DVD inserted?
    [screenshot]
    And you're pressing any key when you see it? Please go into more detail on exactly what happens for you when trying to boot off your Vista DVD.
     
  14. pazzoduc

    pazzoduc Private E-2

    Re-reading your response, I don't think I have any other CDs that are meant to boot. Only execute after boot.

    Also, the same symptoms are back:
    "Computer locking. Tried a few times rebooting and problems got worse. Now in STD mode computer locks or screen goes black. Task manager will not come up to see what apps and processes are running. Sometimes desktop or startmenu will fade to grey and everything locks.

    Also of note, in STD mode, I get a pop-up window titled Security Alert: You are about to view pages over a secure connection... no one will be able to see pages etc. I closed the window, clicked Google Chrome to nav to MajorGeeks and all seemed well enough. Clicked restore pages, then naving to MajorGeeks the browser locked with the message waiting on cache.

    Now computer boots in STD mode, but erratically. Safe mode with networking is all I can do and still have access to MG."

    I am trying to get as much work done as possible in safe mode. Not surfing internet or anything not absolutely required.
     
  15. pazzoduc

    pazzoduc Private E-2

    I can possibly take a video of what is happening during boot and post it somewhere, or attach it.
     
  16. pazzoduc

    pazzoduc Private E-2

    Nope
     
  17. pazzoduc

    pazzoduc Private E-2

    HEY, BTW: Thanks for the help, regardless of if you/me/we can fix it. I really do appreciate your efforts.
     
  18. pazzoduc

    pazzoduc Private E-2

    I can access the option to boot from CD. Choose the CD as described in your instructions. Then when choosing the CD option, the screen goes black, the CD spins up, and the normal Vista boot sequence occurs, taking me to a desktop as normal.

    On this machine, the CD boot option is accessed by choosing F12 during the Dell logo screen.
     
  19. pazzoduc

    pazzoduc Private E-2

    Should I try the same sequence with NO cd in the drive?
     
  20. thisisu

    thisisu Malware Consultant

    Are you able to get into the BIOS?

    To get into the BIOS, reboot your PC and start pressing F2 when you see the Dell Splash screen.
    Every BIOS is a bit different; don't change any settings yet, I just want you to use your DOWN and UP ARROW keys to see what the current "Boot Sequence" is set to.

    Here is one very common Dell BIOS:
    [screenshot]
     
  21. thisisu

    thisisu Malware Consultant

    At the very TOP LEFT CORNER of your screen, when you hear this DVD spinning up, normally you will see "Press any key to boot from or CD/DVD"
    You only have about 4-5 seconds to press a key, otherwise it will just boot off the next bootable device (hard drive in your case)
     
  22. thisisu

    thisisu Malware Consultant

    I'm starting to suspect that your DVD-rom drive is defective.
    • Do you have an external DVD rom drive?
    • Does the Vista DVD have signs of scratches/smudges on the read side?
     
  23. pazzoduc

    pazzoduc Private E-2

    No, drive is internal
    No, no scratches.
    I can play music, games etc on the drive, and burn DVD's etc...

    I just re-did the exercise a few times, and have more info as follows.

    At the Dell screen, choose F12 for boot options.
    Boot options appear. Second line is CD drive. CD/DVD: P1-HL-DT-ST DVD+/-RW GA1
    Select this drive and hit enter.
    Drive spins up and screens shows:
    CD Boot Priority 32, then the #32 changes to 34.

    Here, two things can occur:
    #1, If I do nothing, normal vista boot occurs.

    #2, If I hit any key I get:
    CD Rom Boot Priority..Boot ready.
    A few moments later, the Operating system choice appears (Vista the only one).
    If I choose this, Vista boots normally.
    There is another choice on the screen:
    Select F8 for advanced.
    If I select F8, I get a screen similar to the "Windows did not shut down properly" screen (boot safe mode etc.), but the screen has more options. One is Repair this computer.
    Choosing repair and choosing command prompt, executing fixmbr, operation completes successfully.
    Reboot computer, run MBR check.

    Still infected! Argggggg!!!!!!
     
  24. thisisu

    thisisu Malware Consultant

    This is the only part of your post that I didn't understand. What were you trying to tell me here?

    Yes, it's basically pointless to try bootrec /fixmbr from the built in F8 "Repair your computer"

    When are you getting this message? And when are you "hitting any key"?

    What I meant was: Do you have an extra external DVD-rom drive?

    By the way, please read my post here
     
    Last edited: Aug 10, 2011
  25. pazzoduc

    pazzoduc Private E-2

    After choosing the CD to boot from, the screen goes black, and boot priority 32/34 appears in the far upper left corner. Not: Press any key to boot from CD as you expect.

    If I hit any key during the boot priority message, then I get the following:
    CD Rom Boot Priority..Boot ready

    No, don't have an external drive to try. I do have an older laptop. Don't know if that will help?

    In your other post:
    "Press any key to boot from or CD/DVD"
    I do not see this, I will try again.
    I do however, see the message in the first paragraph above.
     
  26. thisisu

    thisisu Malware Consultant

    Can you take a picture of the DVD you're trying to boot from? Then attach the picture here. Or upload to another location.
     
  27. pazzoduc

    pazzoduc Private E-2

    Now it is getting stranger....

    I hit any key TWICE during the Boot priority message, this indeed did bring up the "Press any key to boot from or CD/DVD" message.
    Hit any key (Enter) , and I got a message across the bottom of the screen: Windows Loading Files. With a white progress bar across the screen.
    The DVD could be heard working, starting stopping etc.
    Then I got all the screens in your posts above, and executed the steps.

    Running MBR check again...

    Still infected.

    BUT: I can now work in std mode, and the boot up went much better/quicker. The security warning box appears, and if I close it, it reappears a short time later.

    Cd photo attached, I have a drivers and utilities CD as well.
     


    Last edited: Aug 10, 2011
  28. pazzoduc

    pazzoduc Private E-2

    Oh , and the boot priority message counted down 34, 32, 31 this time
    I pressed a key twice before it went any farther, so don't know what would have come next...
     
  29. pazzoduc

    pazzoduc Private E-2

    I just discovered how to do thanks.... :-o
     
  30. thisisu

    thisisu Malware Consultant

    Please attach the latest MBRCheck log for me to review whenever you're finished.
     
  31. pazzoduc

    pazzoduc Private E-2

    here ya go
     


  32. thisisu

    thisisu Malware Consultant

    This one is still infected. -- Maybe you attached the wrong log?
    Were you able to boot off the DVD and complete the steps?
     
  33. pazzoduc

    pazzoduc Private E-2

    well, everything went as you described it should, and as I described above.

    I deleted all the logs and ran again to make sure I had the right one.

    Still infected.

    I thought for sure it was successful, because this time all of the screens were just as you describe.
     


  34. thisisu

    thisisu Malware Consultant

    You mentioned the computer seems to be operating better now, correct? Let's ignore what MBRCheck says for now as there have been some cases where MBRCheck will report a bad MBR code even though a computer runs perfectly fine.

    Please re-run ComboFix
    • Allow it to update if prompted.
    • Attach its latest log.

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  35. pazzoduc

    pazzoduc Private E-2

    Right after I typed that last message the CPU froze again. Rebooting is back to the same problems. I am now in safe mode again.
    It is getting late and I have to pack for a week long trip. I'll bump this thread back to the top when I get back.

    Thanks for the help so far! Have a good week!
     
  36. pazzoduc

    pazzoduc Private E-2

    Reviewing the thread, I realized I had not answered this part of your questions.
    I can indeed access the bios info.

    Here are the screen shots. A bit different than yours, but similar.
     


  37. thisisu

    thisisu Malware Consultant

  38. pazzoduc

    pazzoduc Private E-2

    OK, did the Bios change, completed the boot rec fix, shut down, returned the bios to boot from the HD, booted up, ran MBRcheck, attached log.

    Things seem to be working right, we'll see.....
     


  39. thisisu

    thisisu Malware Consultant

    It's still marked as Faked! which is no good.

    Let's try the following:

    Please download aswMBR by Avast to your desktop.

    • Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    • Select No when asked Would you like to download latest Avast! virus definitions?
    • Click the [Scan] button.
      Note: This scan should only take a few seconds to complete.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach items to your post)
    • Now click the [FixMBR] button.
    • Follow the rest of the prompts.

    Reboot and rerun MBRCheck, attach its latest log. Also remember to attach your log from aswMBR.
     
  40. pazzoduc

    pazzoduc Private E-2

    Wait.... Did not follow the instructions properly. Give me a bit
     
  41. thisisu

    thisisu Malware Consultant

    Yes, are you sure you've been booting off the Vista DVD to repair the MBR?

    Let's do this:

    Rerun aswMBR
    Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    Select No when asked Would you like to download latest Avast! virus definitions?
    Click the [Scan] button.
    Note: This scan should only take a few seconds to complete.
    On completion of the scan click [Save log], save it to your desktop and attach this log to your next message.
     
  42. pazzoduc

    pazzoduc Private E-2

    Nope.... sorry.

    Going to run through this again.

    aswMBR first,
    change Bios to CD boot first
    boot CD and run command prompt Boot rec fix
    reboot to bios and change to HD,
    Boot from HD
    run aswMBR scan

    Attach all three logs.

    Is this correct?

    Also, Before I left last week, I reactivated the spyware/malware programs, re-emulated, and set UAC back to normal. Do I need to change all these settings back to the Read Me steps?
     
  43. thisisu

    thisisu Malware Consultant

    I don't want you to do anything right now except boot from your Vista DVD and then follow the steps described here: http://forums.majorgeeks.com/showpost.php?p=1653734&postcount=8

    When you have done this. Post back here letting me know whether or not you were successful. I will give you further instructions.
     
  44. pazzoduc

    pazzoduc Private E-2

    OK, successfully booted from CD.
    Ran the repair. Got the successful message.
    In safe mode (see below), ran MBR check as admin.

    Log attached.

    I really do believe the CPU is booting from the CD drive. The Bios priority is set to require the CD first, and when prompted to boot from the CD, pressing any key brings up all of the screens in the post instructions. When the CPU boots from the hard disc, the screens are different.

    The computer was doing well until I launched IE. With Google Chrome I didn't know how to save to my desktop to download aswMBRfix. So, I launched IE. Immediately the security warning box popped up and now all of the previous issues are back. (This all occurred this AM while working through the previous posts.)
     


  45. thisisu

    thisisu Malware Consultant

    Which previous posts? I only told you to work through these steps: http://forums.majorgeeks.com/showpost.php?p=1653734&postcount=8

    I have never seen doing the procedure while using the Vista DVD (not just inserted, but actually booting off of it) fail to correct an infected MBR.

    Let me do some more research on this, but in the meantime -- again, rework http://forums.majorgeeks.com/showpost.php?p=1653734&postcount=8. Be absolutely positive that you are booting off the Vista DVD.
     
  46. pazzoduc

    pazzoduc Private E-2

    I meant the ones before that (See #39 thru #41). The ones where you instructed to do the aswMBRfix.

    As it stands now, I verified the CD boot, ran the Command prompt bootrec fix, rebooted via hard drive, ran MBRfix and waiting on further instr.

    I can take a video of the process and post it if you think it will help.
     
    Last edited: Aug 19, 2011
  47. pazzoduc

    pazzoduc Private E-2

    can I set the bios to #1 CD and set #2 to something other than the hard drive? Effectively preventing a boot from anything other than the CD?
     
  48. thisisu

    thisisu Malware Consultant

    No, you wouldn't be able to do that with a Dell BIOS. In other types of BIOS, yes, this is possible.

    I want you to do this, because you may be infected with popureb.E

    Download Hitman Pro

    Now run HitmanPro35_x64.exe by running as Administrator.
    click Next > Default Scan (recommended)

    Don't let it fix anything just yet, Just screenshot the results here when it is finished scanning.
     
  49. pazzoduc

    pazzoduc Private E-2

    Assuming save and run from desktop?
     
  50. thisisu

    thisisu Malware Consultant

    Correct ;)
     
