Startup Repair Loop - Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Goregrinder, Jan 14, 2013.

  1. Goregrinder

    Goregrinder Private E-2

    Hello all !
    I'm new here, and English is not my native language.
    So I have a BIG problem with a Windows 7 64-bit computer.
    I have been infected by a malware (I don't know what kind).
    The classic "you are watching porn blablabla you have to pay us 100$".
    So, as usual, I rebooted and tried to get into Safe Mode to run Malwarebytes. But this time, I couldn't enter Safe Mode, and saw the "Startup Repair" window. (This operation, of course, was unsuccessful.)
    I still can't get access to the safe mode, or load a restoration point.

    I saw a thread here concerning the same kind of problem. There was instructions about Farbar tool.
    I followed strictly all instructions, and now, I bring you my FRST log :-D.

    Can you help me please ? I have all my work on this computer...
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    In addition to having a few remaining items from the Moneypak infection, you also have some missing system files that FRST pointed out where it said
    These need to be replaced. The below will scan with FRST to see if you have any backups that can be used.

    Boot to System Recovery Options and run FRST again.
    Type the below bolded text in the edit box after "Search:".

    kernel32.dll
    USP10.dll

    Then click the Search button.

    It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (See How to attach)
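
The FRST Search step above hunts the disk for other copies of the named files so that a good copy can be put back. The PowerShell script below is an added example, not part of this thread and not an FRST feature, that does the same hunt and adds the checks you want before copying anything: the PE architecture of each copy, its version, its SHA256 and its Authenticode status. It assumes PowerShell 4 or later (Windows 7 needs the Windows Management Framework update for Get-FileHash), run elevated either on the booted machine or on a clean PC with the affected disk attached, with $Root pointing at that disk's Windows folder; the parameter and function names are mine.

```powershell
# Added example, not from the thread and not an FRST feature: hunt for copies
# of system files FRST reported missing, the way the FRST "Search:" step does,
# and show what you need to pick a safe replacement. Assumes PowerShell 4+
# (Get-FileHash), run elevated; $Root is the Windows folder to search, on the
# booted machine or on the affected disk attached to a clean PC.
param(
    [string]$Root    = 'C:\Windows',
    [string[]]$Names = @('kernel32.dll', 'USP10.dll')
)

# Read the PE header's Machine field. On x64 Windows 7, System32 holds 64-bit
# files and SysWOW64 holds 32-bit ones; a copy of the wrong architecture will
# not load, so each search hit must be matched to the directory being repaired.
function Get-PeMachine {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $br = New-Object System.IO.BinaryReader($fs)
            if ($fs.Length -lt 0x40) { return 'too-small' }
            $null = $fs.Seek(0x3C, 'Begin')                # e_lfanew: offset of the PE header
            $peOffset = $br.ReadUInt32()
            if ($peOffset + 6 -gt $fs.Length) { return 'bad-e_lfanew' }
            $null = $fs.Seek($peOffset, 'Begin')
            if ($br.ReadUInt32() -ne 0x00004550) { return 'no-PE-signature' }   # "PE\0\0"
            switch ($br.ReadUInt16()) {                    # IMAGE_FILE_HEADER.Machine
                0x014c  { 'x86' }
                0x8664  { 'x64' }
                default { 'other-0x{0:x4}' -f $_ }
            }
        } finally { $fs.Dispose() }
    } catch { "unreadable: $($_.Exception.Message)" }
}

$results = foreach ($name in $Names) {
    # Recurse through WinSxS, System32, SysWOW64 and any servicing leftovers.
    Get-ChildItem -Path $Root -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name      = $name
                Arch      = Get-PeMachine $_.FullName
                Version   = $_.VersionInfo.FileVersion
                Size      = $_.Length
                Signature = $sig.Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Path      = $_.FullName
            }
        }
}

# Copies that agree on Arch, Version and SHA256 corroborate each other; a lone
# copy with a different hash and no signature is the one to distrust.
$results | Sort-Object Name, Arch, Version, SHA256 | Format-Table -AutoSize
```

On Windows 7 most system DLLs are signed through catalog files rather than an embedded signature, so a NotSigned status on its own does not condemn a copy, but HashMismatch does. Choose a copy whose Arch matches the directory you are restoring into (System32 is x64 and SysWOW64 is x86 on a 64-bit install) and whose version matches its neighbours; pass $Root 'C:\' to search the whole drive as FRST does, and once Windows boots again, sfc /scannow verifies the protected files against the component store.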
     
  3. Goregrinder

    Goregrinder Private E-2

    Thank you a lot for your answer !

    So I tried to do what you have written about System Recovery options, but no recovery image was found :(, so I tried the System Restore tool, it failed...

    Here is the error message I get for each restore point :

    I have a DVD set for restoring my system. I did it with a software supplied with the computer when I bought it (ASUS computer. The creation of this set was proposed when I turned on the computer the first time.)
    I tried to find a restore image on those DVDs but without success :-D.
    Is this useful ?

    So I've just done the searches.
    I have to note that for each search, I got more than 150 error windows saying that files in c:\windows\assembly\NativeImage\.... are unreadable or corrupt... (very sorry for my approximate English)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now see if you can boot into normal Windows.
     
  5. Goregrinder

    Goregrinder Private E-2

    Hi Chaslang !

    Thank you for your support.
    So I've done all what you said.
    I did the "fix" step. I've tried to reboot Windows properly.
    A "checkdisk" process was completed. After this, the usual Windows loading black screen (with the shining/moving Microsoft logo) appeared.
    After this, a blue screen of death appeared for less than a second. I had no time to read the messages. Then the computer rebooted and did the same, again and again.
    So I've decided to retry all the steps you told me.
    I tried to restore the system from an old restoring point, but it failed at "finishing the restore...".
    I got this error message :

    Then I made a reboot, and BIG surprise : Windows is loaded properly !!!
    A little window told me after loading that the system restore had been made successfully!

    I attach my fixlog.txt file.
    What should I do now ?
    (Thank you so much!)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if you can boot into Windows then I suggest that you run the below now.

    READ & RUN ME FIRST. Malware Removal Guide
     
  7. Goregrinder

    Goregrinder Private E-2

    Thank you for answer ! :)

    I followed all the steps of "READ & RUN ME FIRST. Malware Removal Guide".
    All logs are attached.
    There is no log for tdsskiller. It found 1 threat :
    What shall I do now? Wait a couple of days, checking that all is normal?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes there is. It is always created and it is right where the procedure said it would be. MGtools automatically put it into MGlogs.zip so we have them already. There were actually 3 files because you ran it more than once.

    Do you know what the below is?
    [TASK][SUSP PATH] {31E7A0A7-B1E7-49A6-8C00-75B0E00AD09D} : C:\Users\Gore\Desktop\Worms World Party(XP OK!)\WWP\wwp.exe -> TROUVÉ

    Also what is the below supposed to be for?
    O2 - BHO: Gacela2 - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - C:\Program Files (x86)\Digital Connections\Gacela2.dll
    O9 - Extra button: (no name) - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - C:\Program Files (x86)\Digital Connections\Gacela2.dll
    O9 - Extra 'Tools' menuitem: À propos de Digital Connections - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - C:\Program Files (x86)\Digital Connections\Gacela2.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ipsoslspservice.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ipsoslspservice.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ipsoslspservice.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ipsoslspservice.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\ipsoslspservice.dll
    O23 - Service: Ipsos-Reporting-Service - Unknown owner - C:\Program Files (x86)\Digital Connections\Ipsos-Reporting.exe
    O23 - Service: Ipsos-Update-Service - Unknown owner - C:\Program Files (x86)\Digital Connections\Ipsos-Updater.exe
    O23 - Service: IpsosLSPService - Ipsos - C:\Program Files (x86)\IpsosLSPService\IpsosLSPService.exe

    Is this some kind of internet monitoring program?


    Uninstall the below old version of software:
    Java(TM) 6 Update 29
    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files\Babylon\Babylon-Pro\BabylonHelper64.exe
    C:\Program Files\Babylon\Babylon-Pro\captlib64.dll
    C:\Program Files\Babylon\Babylon-Pro
    C:\Program Files\Babylon
    C:\Program Files (x86)\Babylon
    C:\Users\Gore\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Babylon]
    [-HKEY_USERS\S-1-5-21-2394617011-1892912865-372073190-1000\Software\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
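
chaslang's question about the Gacela2 BHO, the ipsoslspservice.dll Winsock LSP entries and the Ipsos services is the usual triage: where does each persistence entry point, is that file present, and who signed it? The PowerShell script below is an added example, not from this thread and not HijackThis code, that enumerates the same three classes (O2 Browser Helper Objects, O10 Winsock LSPs, O23 services) on the booted machine and reports every entry whose file is missing or not validly signed. It assumes an elevated PowerShell 3 or later on the cleaned system; the function names and the regex used to pull an executable path out of a service command line are my own.

```powershell
# Added example, not from the thread: list the persistence points HijackThis
# reported (O2 Browser Helper Objects, O10 Winsock LSPs, O23 services), resolve
# each to its file, and flag files that are missing or not validly signed.
# Assumes an elevated PowerShell 3+ on the booted system. It changes nothing.

function Get-FileVerdict {
    param([string]$Path)
    if (-not $Path) { return 'NO PATH' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { ($sig.SignerCertificate.Subject -split ',')[0] } else { '' }
    '{0} {1}' -f $sig.Status, $signer
}

# Pull the executable out of a service command line, quoted or not, e.g.
#   "C:\Program Files (x86)\Digital Connections\Ipsos-Reporting.exe" -svc
#   C:\Windows\system32\svchost.exe -k netsvcs
# (assumed helper; the regex is mine, not a HijackThis rule)
function Get-ExePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value } else { ($cl -split '\s+')[0] }
}

# O2: BHOs register under both the native and the Wow6432Node view on x64;
# the CLSID's InprocServer32 default value names the DLL.
$bhoRoots = @(
    @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Key   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID' }
)
$bhos = foreach ($r in $bhoRoots) {
    Get-ChildItem -Path $r.Key -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = Get-ItemProperty -Path (Join-Path $r.Clsid "$clsid\InprocServer32") -ErrorAction SilentlyContinue
        $dll   = if ($srv) { [Environment]::ExpandEnvironmentVariables($srv.'(default)') } else { $null }
        [pscustomobject]@{ Type = 'O2 BHO'; Name = $clsid; Path = $dll; Verdict = (Get-FileVerdict $dll) }
    }
}

# O10: the Winsock catalog is what HijackThis reads; netsh prints one
# "Description:" and one "Provider Path:" line per entry (both bitnesses on x64).
$lsps = @()
$desc = ''
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Description:\s*(.+)$')   { $desc = $Matches[1].Trim() }
    if ($line -match '^\s*Provider Path:\s*(.+)$') {
        $p = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
        $lsps += [pscustomobject]@{ Type = 'O10 LSP'; Name = $desc; Path = $p; Verdict = (Get-FileVerdict $p) }
    }
}

# O23: every installed service and the binary its ImagePath launches.
$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ExePath $_.PathName
    [pscustomobject]@{ Type = 'O23 Service'; Name = $_.Name; Path = $exe; Verdict = (Get-FileVerdict $exe) }
}

# Report what is not a present, validly signed file; drop the filter to see all.
@($bhos) + @($lsps) + @($services) |
    Where-Object { $_.Verdict -notmatch '^Valid ' } |
    Sort-Object Type, Name |
    Format-Table Type, Name, Verdict, Path -AutoSize -Wrap
```

A valid signature only identifies the publisher: monitoring software that is signed but that the owner never asked for still has to go, and a NotSigned status can also be a catalog-signed Microsoft file, so read the path before judging. Removing an LSP DLL without repairing the catalog breaks networking; after the product is uninstalled, netsh winsock reset rebuilds the catalog and a reboot finishes the job.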
     
  9. Goregrinder

    Goregrinder Private E-2

    Thank you for your patience and your useful answers !:)

    This is a crack for a game (Worms World Party: great game by the way:-D).
    It's a trusted crack taken from a trusted site (all files are verified before being uploaded to this site). So I think there's nothing to worry about here.

    Yes it is. But I wasn't able to remove it properly. Do you have any advice about it?

    I ran OTM and MGtools/getlogs.bat.
    Logs are attached to this reply.

    For now, all seems to work well. I hope there are no more virus traces!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but there is no such thing.

    Uninstall it. It is still showing in your installed programs list. Otherwise reinstall and uninstall. Or run a tool like Revo Uninstaller Non malware issues like this can be discussed in the Software Forum.

    Your logs are clean.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  11. Goregrinder

    Goregrinder Private E-2

    Thank you a lot for your help, Chaslang!
    I'll tell my friends about this forum !

    So I'll follow the steps you told me and try to be more careful !
    Thank you again :).
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!​
     
