Avast WEBforum
Other => Viruses and worms => Topic started by: Lynn210 on October 31, 2009, 12:41:30 AM
-
My main computer was hit today by a really nasty virus/trojan
The first thing it did was uninstall - or destroy Malwarebytes
It won't let me run Bitdefender.. won't let me reinstall..
I can't boot to Safe Mode..
Avast finds it.. but does not seem to be able to get rid of it.
When I let Avast run a boot scan.. it detects a file and I get that list
of what I want to do.. then it just locks up.. no matter what number
I press .. nothing happens after that point.
Can I get some help...
This is one of those Fake AV malware thingies.. with all the added nasties above
plus it downloads ads and porno stuff.. keeps popping up what looks like Windows warnings about infected files.. at one point it would not let me use task manager to end it..
I tried uninstalling it with Add/Remove it just keeps reinstalling itself.
Never came across one like this before..
-
Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) from Bleeping Computer onto desktop in a different filename.
* Double-click on ComboFix
* Click Run
* Click Yes to agree
* Click Yes to install the Windows Recovery Console
* Click Yes to continue scanning malware
* ComboFix will create a log after it finished scanning. Post or attach ComboFix log.
-
Also, please post the name of the Avast detection, and the location (full path and name) where it was detected.
-
Avast detects about a dozen files.. I managed to get to where
I could open the CHEST and it has about 12 files in it.
Do you want all of those files and paths.
I have to constantly battle popups to see anything
I have rebooted and run Avast over and over and each time it seems
to get a little easier to function.
I am running avast right now.. and it keeps finding more files
mostly temp files
other files off the top of my head are
calc.dll
notepad.dll
ie
I managed to copy combofix with a new name via my network.
As soon as avast finishes running its scan I will post that log
Is there a way to copy and paste the Avast Chest?
-
This sounds like it might be beatable. Probably best to go with one thing at a time, though. Being methodical is important, so just do the combofix as suggested by Jtaylor for now.
You can't copy/paste the chest. You could post a screenshot. (Example below.)
You'd probably need to maximize it, then move the column header as indicated in the pic to view the entire path. And, as indicated, it is only the "infected" section of the chest that is of interest.
-
I have tried several times to get combofix to work..
I can't get it to run.. when it starts I get a popup that says
runonce is infected..
I don't know if these popups are real or not.. any time I try to run
anything .. including avast virus scan .. I get one.
I will try a screen print of the virus chest.. there are so many trojans
in there it looks like a virus dictionary!
I did a screen print but cannot get paint to run to copy it to..
so I tried excel.. it copied but did not save the file.. now I can't
run excel anymore.. says infected
Seems I get to use a file/program once then from then on it is blocked
and I get a pop up saying cannot run .... file is infected.
There are 25 items in the Chest.. mostly trojans..
I am going to try rebooting .. maybe I will get somewhere that way.
-
Delete Combofix. Run a disk cleanup. (Let me know if you need directions)
Download it again, but this time, change the name of it at the "save as" point when downloading:
Download Combofix from any of the links below. You must rename it to Gotcha.exe before saving it to your desktop.
Try running it again with the new name.
-
I'm sorry to say, this is sounding fairly bad. Shows symptoms of the Win32 Vitro, an infector that basically infects everything on the drive when it's used/opened.
Does the name "Vitro" appear in the virus chest at all?
I'd start to look at backing up important files.
If you have anything real important, it may even be better to remove the HD and take it to a shop to extract the important files without the OS running, as files could be infected during the backup process otherwise.
The above is just a precaution; we don't know what is at play, yet.
-
I don't remember seeing Vitro
I saw something that said Mabolb-tm or something like that
and others.. I have shut down the computer cause it was driving me
nuts..
As for files.. there is very little on the internal hard drive.. I store
everything except the OS on external drives.
I will reboot and list some of the viruses from the chest..
I did try downloading Combofix with a different name.. but will try again
with the name you suggest.
-
What is a disk cleanup?
How do I do that?
I normally use CCleaner on a regular basis but that is not working
anymore either.
So how would I do a cleanup
-
Um, forget about the cleanup. If Ccleaner isn't working, we probably don't want to go messing up system tools, either.
(Normally it's "Start>all programs>accessories>system tools>disk cleanup.") You can try it if you want, then after doing it, see if it is disabled as a result of having run.
Try Combofix as "gotcha.exe". Do that first.
Try renaming the main exe of the MBAM program, located in C:\Program files\malwarebytes anti malware (It's called MBAM.exe) to something like Lynn.exe, and see if it will run then. (Probably won't. Worth a crack.)
Whatever you do, don't place any of those storage disks back in the infected computer. I'm very glad you have backed up stuff. It makes the prospect of a format and reinstall much less painful. (For you, of course. Won't hurt me, much.)
You can mess around with trying to fix this if you want, and as long as people here have ideas/help available, or you can just save time if you prefer, do a full format, and reinstall Windows.
Do you have another working computer with a net connection available?
-
Yes I have 2 other computers on the same network.. both connected to the internet..
I have been transferring from computer 2 to the malfunctioning one via the network.. I managed to open excel and got a screenshot thru the network
It's a risk I know but I will attach it for you and run avast to make sure I
didn't bring anything over.
I have no idea how to format and reinstall..
My computers are Dell computers and they have one small partition and one large..
I format my external drives all the time .. but never did a computer and
OS install..
I will try combofix now that I got the screen shot..
-
Had to transfer to paint so it is in 2 parts..
Every time I reboot and run avast.. I get more files added to the chest.
The files are still too large.. how can I make them smaller or get them to you?
-
Crikey. Disconnect the infected machine from the network. Now.
-
Thing is, until we know for sure what you're dealing with, it remains unknown (but a possibility) that it could affect the other computers on the home network.
So, at a minimum, at least make sure the other computers are well and truly firewalled inbound from the sick computer.
The sick computer appears to not be able to run any application more than once, if at all. That points to a fairly virulent infection, that Avast is unable to clean. I strongly suspect the infection agent is polymorphic (as Vitro is), that is, it re-codes/renames itself each time it infects something, to (a) make it more difficult to fix, and (b) to evade detection.
You do not want any part of that code getting into another computer.
Any idea how you got this?
-
I was doing my weekly TV guide.. so I had zaptoit open IMDB TV.com
and a few others..
How can I get that excel spreadsheet to you..
It is 204kb and this system only takes 200kb at a time
It has a complete list of the Avast Chest but I have copied the list
best I can.. These are the Virus/Trojans .. do you want me to match them to their respective files?
Win32:Malware-gen
Win32:MalOb-T[Cryp]
JS:FakeAV-AI[Trj]
Win32:Spyware-gen[Spy]
Win32:Rootkit-gen[Rtk]
Win32:Walivun[Trj]
Win32:Trojan-gen
Most of the files affected are temp files
uacdf4f.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uace20e.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uace53b.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uadeeae.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
uacf0e1.tmp C:\Documents and Settings\Lynn\LocalSettings\temp
Uninstal.exe C:\ProgramFiles\ActiveSecurity
uqxq44.dll c:\windows\system32
winamp.exe C:\Documents and Settings\Lynn\LocalSettings\temp
trz11.tmp C:\WINDOWS\system32
trz10.tmp C:\WINDOWS\system32
syssvc.eve C:\WINDOWS (this one appears 15 times)
scandsk.dll C:\documents and settings\lynn\startmenu\programs\startup
rundll32.dll C:\Documents and Settings\Lynn\LocalSettings\temp
ntuser.dll in c:\DOCUME~1\Lynn (appears 3 times)
litoqbe_cr[1].htm C:\Documents and Settings\Lynn\LocalSettings\ ~~~(another temp internet file)
islv.exe C:
Installer.exe in c:\DOCUME~1Lynn\LOCALS~1\Temp (appears 3 times)
iehelper.dll in c:\windows\system32 (this one appears 4 times)
flst[1]js c:\Documents ...blah blah .. TempInternetFiles\IE5\LDJALNF3
coreext.dll c:\programfiles\active security
calc.dll in c:\windows\system32
6to4v32.dll in c:\windows\system32
asecurity.exe (this one is one of the popups phony security things that caused the problem I believe) c:\programfiles\active security
-
What about the Microsoft Recovery Console?
I can boot up into that (or I could anyway) but I don't know how
to use it ...
or boot up from a disk into safe mode
I think if I could get into safe mode maybe that would help get rid of this.
-
Sorry... as a last resort .. I would not mind reformatting if someone could guide me.
I have all my software discs..
I don't have a full scale OS disc.. I have a Dell OEM OS disc.. would that work?
I have a bunch of useless software on the sick computer.. don't use it so would not
reinstall it.. just my CD ROM drive and DVD drive.. Nero .. Office.. that is about all
I use on that computer.. Don't use email there..
-
How to reformat
WinXP
http://video.google.com/videosearch?hl=no&source=hp&q=how+to+reformat+xp&um=1&ie=UTF-8&ei=eTXsSoCjGYLY-Qbl_KHwCw&sa=X&oi=video_result_group&ct=title&resnum=4&ved=0CBsQqwQwAw#
vista
http://video.google.com/videosearch?hl=no&source=hp&q=how+to+reformat+xp&um=1&ie=UTF-8&ei=eTXsSoCjGYLY-Qbl_KHwCw&sa=X&oi=video_result_group&ct=title&resnum=4&ved=0CBsQqwQwAw#q=how+to+reformat+vista&hl=no&view=2&emb=0
XP http://www.google.no/search?hl=no&source=hp&q=how+to+reformat+xp&meta=&aq=f&oq=
vista http://www.google.no/search?hl=no&q=how+to+reformat+vista&meta=&aq=f&oq=
how to reinstall a dell computer
http://www.ehow.com/how_2172122_dell-computer-microsoft-windows-xp.html
-
I read about reformatting.. WOW!!
I have all drivers .. but I would sure like to avoid reformatting
Do you suppose I could reboot to CD and try a system repair?
or are the viruses/trojans too bad for that?
-
I read about reformatting.. WOW!!
I have all drivers .. but I would sure like to avoid reformatting
Do you suppose I could reboot to CD and try a system repair?
or are the viruses/trojans too bad for that?
I really hate how quick people are to encourage you to throw in the towel and reformat, even on an antivirus supplier's website. I think it's shameful.
If you've not yet done so, (I read only the second page of the forum) perform all updates, then schedule a boot-time scan. Avast's boot-time scan can eliminate most serious problems by nuking them before Windows actually starts. Make a note of any filenames which it states it is unable to remove for one reason or another. There are ways to remove these later, once we know where they are.
If you find things that won't move to the chest for whatever reason, download the latest Puppy Linux LiveCD (it's very small) burn it to a CD (burn image, not burn the file as a file......) and use the simple explorer interface to find and remove the files that you noted earlier.
One other thing you can try is a program called ComboFix. I use ComboFix as a sort of digital Drano to blast loose really severely clogged computers. That one's also worth a try. Once you use ComboFix to knock it free, the Avast boot scan will certainly fix the rest. There is some risk with ComboFix, but I've never had it make a problem for me yet. It fixes the computers that are so clogged they won't even allow Avast to run, because some viruses do that.
I am an Avast Reseller, and I believe wholeheartedly in Avast. Give it a chance to work before you exercise the nuclear option................
-
(I read only the second page of the forum)
Welcome to the forum, and how about reading the first page, and then come back and suggest a fix, please?
I'm not very keen on reformatting, either. But if programs won't run, it starts to look like an easier option, sometimes.
Depends on the user.
Lynn210,
I fully understand your preferring not to format. I can offer some limited advice. I'm not a formally trained anti malware jedi. (Yes, there are online schools for these. And a qualification. Not called "Jedi", though.)
Does this (http://www.bleepingcomputer.com/virus-removal/remove-active-security) look like what you have?
Unfortunately the removal instructions rely on being able to use MBAM, which has been disabled.
I suspect this is a new variant of the "active security" malware, with a crypto/polymorphic component.
Have you had any success getting the re-named combofix to run? Someone else (hopefully) is waiting for that log, if available.
I'd try these steps in the order I've written them. You should only connect this computer to the net, and have the other computers firewalled from it, for as long as it needs to update security programs.
Did you try renaming the main exe of MBAM? That is a quick and easy step that may possibly work, and thus worth trying. If you are able to get MBAM to run, update it and perform a quick scan immediately, and at the end, select everything, then select "remove selected".
You could also try downloading Superantispyware (http://www.superantispyware.com/download.html), install and update it, and have it scan. Quarantine everything it finds. The installer can be downloaded on one of the good computers, to a flash drive, and then copied to the (disconnected) sick computer for installation. If it installs, connect that computer long enough for it to update.
This post, (http://forum.avast.com/index.php?topic=48011.msg405223#msg405223) by one of the more experienced forum users, contains links to BART disk vendors. (They're free. Avast has a BART disk, too, but it's designed for system admins in a corporate environment, and pricey.)
Read the instructions on each site (I'd try Dr Web or Avira, first) on what to do, download and burn the disk on a good computer, and see how you go.
-
Hi Tarq57,
We have qualified malware eliminators aboard here, just a PM to essexboy and I know he would love to kill this one with the help of ComboFix or some other hogwart tools. Remember this is an ever evolving battle because the malware changes almost overnight, today's ComboFix is not tomorrow's and sometimes have to be renamed to Gotcha or another random name, same goes for MBAM.
I would sure give this a try, because there is not a trace of a dangerous file-infector like virut that makes a "total recall" solution inevitable...
polonus
-
Thanks, D, I might just do that.
Lynn210, a link (http://uk.answers.yahoo.com/question/index?qid=20091017120525AACnXze) to a manual removal that worked (apparently) for one user.
-
Hi lets have a quick look to see what you have
To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll
%systemroot%\system32\drivers\iaStor.sys
%systemroot%\System32\drivers\nvstor.sys
%systemroot%\system32\drivers\atapi.sys
%systemroot%\system32\drivers\IdeChnDr.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /s
%systemroot%\*. /s /r
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
-
essexboy
This sounds great if I could get that far..
Once I execute a program it will not work anymore.
notepad is one of them
excel and so on
I did try changing the combofix name.. did not work..
reports it as an infected file as soon as it is clicked on.
I looked at the link for manual removal of active security
Sometimes I can get into task manager .. other times I can't; I get a popup
saying it is infected too and cannot run..
I have found that if I move really fast after a reboot I can outrun
this program.. but only for seconds.
Avast is putting everything into the vault.. so I am wondering if this is
also messing up my system files
I am trying a Repair for the original CD .. but get stuck at
iaStor.sys driver.. I researched it and all but haven't gotten anywhere
If I go to the one stored on my computer.. windows says it is "incompatible"
I can't find the file on my Dell resource file either... and windows repair will not bypass it
repair stalls..
-
OK, that tells me that that is probably the infected file. Can you run OTS?
-
If you cannot run OTS
Please save this (http://ad13.geekstogo.com/Win32kDiag.exe) file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
-
What is OTS?
-
Do I include the quotes in the command?
-
Yes include the quotes, I posted the OTS instructions in my first post. Here it is again
To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll
%systemroot%\system32\drivers\iaStor.sys
%systemroot%\System32\drivers\nvstor.sys
%systemroot%\system32\drivers\atapi.sys
%systemroot%\system32\drivers\IdeChnDr.sys
%systemroot%\*. /s /r
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /s
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
-
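The custom scan above asks OTL to dump the Image File Execution Options (IFEO) key. That key matters for the "program is infected and cannot run" symptom in this thread: a Debugger value under a program's subkey makes Windows launch that value instead of (and with the path of) the program, which is how some rogue-AV families block security tools. Below is an added example, not from the thread and not part of OTL, that parses a `reg export` of that key offline and flags every subkey carrying a Debugger value; the sample export, the subkey names and the `C:\placeholder\rogue.exe` path are constructed placeholders.

```python
"""Flag Image File Execution Options (IFEO) Debugger hijacks in a .reg export.

Added example for the thread above; it is not OTL's or Avast's code.
Obtain the input on a machine with, e.g.:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and read the file with encoding="utf-16" (reg export writes UTF-16 with a BOM).
"""
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Constructed sample export (placeholder values, not taken from the thread).
# iexplore.exe carries only a harmless tuning value; the other two subkeys
# redirect every launch of mbam.exe and notepad.exe to a placeholder binary.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\placeholder\\rogue.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\placeholder\\rogue.exe"
'''

_KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
# Value lines look like "Name"=data or @=data (default value).
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _decode_data(data: str):
    """Decode the two .reg encodings that matter here: quoted strings and dword."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg escapes backslash as \\ and quote as \" inside string data.
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data  # hex(...) blobs and other types are returned verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each key path in the export to its {value name: decoded data}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("path")
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name = "@" if value_match.group("default") else value_match.group("name")
            keys[current][name] = _decode_data(value_match.group("data"))
    return keys


def find_ifeo_debuggers(text: str) -> List[Tuple[str, str]]:
    """Return (image name, debugger path) for every IFEO subkey with a Debugger value.

    Every hit needs a human look: developer machines legitimately point
    Debugger at a real debugger, but on a user's PC a Debugger value under a
    security tool or a stock Windows program (notepad.exe, taskmgr.exe) is a
    strong indicator that launches are being intercepted.
    """
    hits: List[Tuple[str, str]] = []
    prefix = IFEO_KEY.lower() + "\\"
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(prefix):
            continue
        image = path[len(prefix):]
        debugger = values.get("Debugger")
        if isinstance(debugger, str) and debugger.strip():
            hits.append((image, debugger))
    return hits


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f"IFEO hijack: launches of {image} are redirected to {debugger}")
```

The same function can be run on a real export by reading the file with `open(path, encoding="utf-16").read()`; an IFEO entry is only one of several blocking mechanisms, so an empty result does not clear the machine.
-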
While I am doing all this.. should I disable Avast?
-
No, no need for that
-
As I mentioned earlier.. I tried a repair with the windows CD
and it stalled at ... iaStor.sys driver needed.
There was one on the computer.. tried it.. Windows says it is incompatible
Could not find one on my Driver CD that came with the computer
Now I can't get out of setup .. can't get the computer to boot
in safe mode or any other mode including "last configuration that worked"
Now what??
-
Is this a Dell system ?
-
Yes ... I just spent half hour there trying to find the driver
-
I can't find the correct driver either as there are about 6 varieties for Dell - do you have a Dell driver disc? It will be in the sata/scsi folder (hopefully)
What is the model of your system ?
-
Yes I have the Dell Driver Disc
It is an installation disk.. I tried to look at it on this computer
but was afraid it might try to install and mess this computer up.
The sick computer is a Dell XPS 410
Dell lists it as a XPS 410/9200
-
http://support.dell.com/support/downloads/driverslist.aspx?c=us&l=en&s=gen&ServiceTag=&SystemID=DIM_PNT_9200_XPS_410&os=WW1&osl=en&catid=&impid
There are drivers here for the Dell version you have
I believe this is the one you require
http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R158601&SystemID=DIM_PNT_9200_XPS_410&servicetag=&os=WW1&osl=en&deviceid=8615&devlib=0&typecnt=0&vercnt=2&catid=-1&impid=-1&formatcnt=1&libid=41&typeid=-1&dateid=-1&formatid=-1&fileid=211963
Let me know if it works and we will progress from there
-
I've yet to find an infection so bad that I had to go nuclear. I did deal with an infection that sounded very much like this one, and it was indeed tough to get around, as the virus prevented you from running anything it didn't want to have running.......such as anything that might get rid of it. It was a renamed ComboFix that broke its stranglehold and let me get at it. Have you tried renaming it something totally stupid, like, ert-y76p.exe? Does it even attempt to run when clicked, or does it just sit there?
Another option that I have used on a number of severely virused-up machines is F-prot for Linux running off a LiveCD. Try downloading Puppy Linux 4.1.2, burn the image to a CD (must be done with the "burn image" function, not just burning the file,) and boot from it. If you can get it to connect to the internet, (90-95% odds you can, if only wired) then the XFProt item on the menu will download the very latest version of F-Prot, and give you a skin through which to look at the output. I don't recall if there's any way to tell it to automatically delete the junk it finds, but it gives you a nice detailed log of what it finds, so you can address the problems it finds any of a number of ways. Puppy Linux is great for stuff like this as it's a quick download and it's very easy to get it live.
If it comes down to it, is there another computer you could simply add your hard drive to as a second and simply scan it with Avast that way?
-
http://support.dell.com/support/downloads/driverslist.aspx?c=us&l=en&s=gen&ServiceTag=&SystemID=DIM_PNT_9200_XPS_410&os=WW1&osl=en&catid=&impid
There are drivers here for the Dell version you have
I believe this is the one you require
http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R158601&SystemID=DIM_PNT_9200_XPS_410&servicetag=&os=WW1&osl=en&deviceid=8615&devlib=0&typecnt=0&vercnt=2&catid=-1&impid=-1&formatcnt=1&libid=41&typeid=-1&dateid=-1&formatid=-1&fileid=211963
Let me know if it works and we will progress from there
iaStor.sys is the Intel SATA driver for MS Windows. You can't delete it or do much of anything to it because Windows depends upon it for access to the boot device. A virus that gets into that would indeed be very clever, and also difficult to remove, but I have my personal doubts as to whether it did. Still, using the update driver function to replace that file can't hurt, but the problem is that it can't do it live, so it gets the files ready, then reboots using the new ones. This behavior should theoretically lose a virus stored in the old version, but I can conceive several possible ways that it could jump into the new one as well. However, I'm not optimistic about that being your problem. Have you tried uploading a copy of it to www.virustotal.com? That'll give you a pretty good idea of whether or not it's part of your problem. Dollars to doughnuts it isn't. It'd be a very clever virus indeed that could tamper with that file and not give you a blue-screen-of-death before you even got the computer booted up.
-
essexboy
The file you found is an executable.. it needs to be executed to get to the
driver.. and I suppose this needs to be done on the computer it is going to
be installed on.. which I cannot get to.
Windows XP repair is asking for a file.. I don't think it can read an executable.
Also.. It has been a very long time since I burned a CD .. and I have never
burned an image..
I have Roxio on this computer.. will that do it?
-
essexboy
I have another disk that is for my hard drive .. it says it is a combo
drive and the disk is supposed to have the drivers.. but here again
it does not list the driver as a file.. you have to activate setup
and so on
The disk name is WD Dual-option Media Center and Combo Drive
Installation and drivers..
My service tag number is F57KQB1
I think you can use it to see a list of all that is on this computer
It did not ask for a password or anything..
-
essexboy
The file you found is an executable.. it needs to be executed to get to the
driver.. and I suppose this needs to be done on the computer it is going to
be installed on.. which I cannot get to.
Windows XP repair is asking for a file.. I don't think it can read an executable.
Also.. It has been a very long time since I burned a CD .. and I have never
burned an image..
I have Roxio on this computer.. will that do it?
I understand what he's trying to get you to do, and no, Windows repair won't use that executable, but you can use another computer to extract the files and then give them to Windows with a (write-protected, if possible!) thumb drive.
Roxio will burn the image very nicely, though I can't give you exact steps. Here's a link to the image I'd recommend: http://distro.ibiblio.org/pub/linux/distributions/puppylinux/puppy-4.1.2-k2.6.25.16-seamonkey.iso (http://distro.ibiblio.org/pub/linux/distributions/puppylinux/puppy-4.1.2-k2.6.25.16-seamonkey.iso) My recommendation would be to download this and make the CD on a different computer. Here's a link to a free CD image burning program that will assure that you correctly burn the image to CD: http://www.burnatonce.net/files/bao0995.exe (http://www.burnatonce.net/files/bao0995.exe) Open the image in burnatonce, and tell it to burn. You can't get it wrong.
Once you get the Puppy CD burned, just put it in and boot the problem puter from it. (You might have to hit F12 during boot to get the one-time boot device menu.) Then use the "connect" icon on the desktop to establish an internet connection, and run the XFProt shortcut (Puppy menu>Utilities?>XFProt------going by memory here) to download the AV.
-
OK .. I do use F12 to get to the boot menu
I don't have a "Connect" icon on my desktop
Will this mess up my connection for Windows?
If I could get this to run.. will that give you what you need to know what
to do to get rid of the viruses and trojans?
Then there remains getting the computer to boot up WIndowsXP
-
To All
You have bombarded me with all these instructions..
How about putting some order to things for me..
What should I do first and so on.
Remember.. I cannot get out of repair to boot the computer.
and I do want to get WindowsXP running again.
-
I understand your bewilderment.
Essexboy is the trained malware eliminator; I'd be inclined to follow his instructions, if you can.
(You may have noticed I stopped posting to the thread once he started to. He knows about these things. ;))
-
OK .. I do use F12 to get to the boot menu
I don't have a "Connect" icon on my desktop
Will this mess up my connection for Windows?
If I could get this to run.. will that give you what you need to know what
to do to get rid of the viruses and trojans?
Then there remains getting the computer to boot up WIndowsXP
Naturally. You don't have a "connect" icon on your desktop because you haven't booted from the Puppy CD yet. ;D
This will not harm Windows XP in any way unless the viruses already have. Here's how the LiveCD works: it boots up into a working, virus-free Linux operating system entirely from the CD, making no changes to the hard drive in the process. You are ABLE to change the hard drive as needed, so you can scan it for viruses and fix problems found.
Once you boot from the CD, you'll actually be able to access the web still with the "browse" button on the desktop to give us updates and such as to your status on the repair process. I'd like it if you booted from the CD, got connected to the internet ("connect") then used "Browse" to let me know you did, and what icons you see at the bottom of your screen (sda1, sda2, sda3, etc.) I'll help you with the specifics of XFProt, too.
-
To All
You have bombarded me with all these instructions..
How about putting some order to things for me..
What should I do first and so on.
Remember.. I cannot get out of repair to boot the computer.
and I do want to get WindowsXP running again.
What's-his-face may be trained, but I do this for a living. I'm taking some time on a Saturday night to help you out of the goodness of my heart. If you want me to go away, that's fine, but I'm not going to be told off by a third party.
The difference between my approach and that of Essexboy is that Essexboy is attempting to repair this from within the Windows framework. Because of the way Windows works, and the way tough viruses work, this is not always possible, and in this case it's clearly very difficult. My approach takes a fix-it-offline approach, which allows all files to be inspected with none of them in use, and repairs can be made much more easily that way.
If you want my help, I'll be happy to walk you through the whole thing step-by-step. I'll fire up a dummy computer with the same stuff you've got and help you specifically through. It's not really difficult, just different.........but this virus has opened your eyes to a whole new world of "different" already, hasn't it? :o
-
To All
You have bombarded me with all these instructions..
How about putting some order to things for me..
What should I do first and so on.
Remember.. I cannot get out of repair to boot the computer.
and I do want to get WindowsXP running again.
When you say you cannot get out of repair to boot the computer, I presume you mean that you booted into a repair from the recovery CD? If not, which repair are you in?
It sounds as though my approach will likely be the only one that will work, as it can eliminate the viruses without the need to boot into Windows.
If possible, here's what I'd like to see you do:
1. Download the .ISO file that I linked, as well as BurnatOnce, on a different, clean computer. Install BurnatOnce and use it to burn the .iso file to a (must be completely blank) CD.
2. Put the newly-burned CD in the CD drive on the problem computer and then turn it off. Don't worry about the repair in progress.
3. Turn the problem computer back on, and use F12 to get the boot menu. Instruct it to boot from CD. Puppy will ask a few basic questions (what kind of mouse, keyboard layout, video) and the defaults should get you to happy glacier background with a "connect" button!
4. Use the connect button to establish a connection to the internet ("Internet by Network....." option, then "eth0" button, then "auto DHCP" should get you on). You don't need to save the configuration.
5. Close the network wizard, click the "browse" button, come back here and let me know you've gotten that far.
Fair enough? That will have you in an internet-connected Linux environment that I can use to get this virus off your computer.
-
Well, it appears that everyone else has gone to bed or something. I need to soon as well.
Lynn, if you really want to get this fixed without a reformat, I'm quite certain that I can help you do that. Just let me know if you want my help. As you can see from my last post, I can be very specific and detailed, and guide you the whole way through. Just let me know how I can serve you. I know it's tough to be at the mercy of malicious software and the sometimes overly-technical instructions of strangers.
-
I have been trying to get the sick computer to boot from the CD..
so far no luck
I must be doing something wrong...
I got the ISO file from the link..
I did not use the burnatonce because my computer seemed to do it ok
but if I have to use that burner then I will..
I don't know if I can find another empty CD .. I don't use CDs
I use DVDs
I am going to try turning off the sick computer as you said and just turn it on and see what happens. When I go into the boot menu it asks
1. Onboard or USB Floppy Drive
2. Sata Drive (not present)
3. Onboard or USB CD-ROM Drive
and so on
I tried 1 and 3 with no luck.. will give it another try.
Appreciate the help... I am just very very tired.. I have been at it for
nearly 36 hours now..
-
No luck
When I try to boot to the CD ROM drive it says boot device not available.
Does that mean there is something wrong with my CD drives now?
When Dell starts up it does show the 2 CD DVD drives as being there..
-
36 hours???!!! :o Wow, you're very dedicated! Wow........!
Option 3 is what you need. The problem is likely that you simply burned the file to the CD as a file, not as an image. The file you downloaded is a CD image which contains many files and a boot image in one image file.
If you burned it properly, it should show about 7 files present on the CD, not one. If it only shows one, you burned it as a file, not an image, and I suspect that this is in fact what happened.
You can't simply drag the file onto the CD layout in Roxio (familiar enough with it to know that); there should be a menu item which says something to the effect of "burn CD from image" or "burn .iso to CD" or something like that.
Otherwise, there's always BurnatOnce.......all it does is burn image files, so you can't get it wrong, which is why I suggested it.
My example box is ready to help you with the next steps once you get it booted from CD!
-
If you need a blank CD, let's see how far I can frisbee.....better still, I'll burn it first. ;D
Where are you, and what time is it? I hope you at least have taken a brief time-out from your 36-hour marathon to sleep.....?
EDIT: I'm going to take a shower. I'll be back in 15-20 minutes or so. Hopefully by then you'll be booted into Puppy.
-
Ok ... redid the CD and it seems to be booting up ok
so far
And to answer your question about the repair setup
I was attempting to repair Windows XP with the original disk
The repair function .. not the recovery console
Anyway.. Puppy is up and running
OK I am up and running and connected to the internet
Icons at the bottom are:
fd0 sda1 sda2 sdb1 sdc1 sdd1 sde1 sr0 sr1
I have thought about switching to a linux OS many times.. just have not had
the time to re-learn ... so I have stuck with windows even though it is a real pain
in the butt
If you are still there I am waiting next instruction..
If you are gone .. to bed or whatever.. I could sure use some sleep too!!
I will check back on and off
-
I am in Florida .. still hot and sticky in November!!!
and it is now 10PM
I did get some sleep around 5am till 7:30
I am going to take a break and sit down for a while
and relax..
-
Ah, yay! Phase 1 complete! A non-crippled Operating System running on the computer and connected to the Internet.
OK, then, Phase 2.
From the Puppy Menu, (can't be the Start Menu, because that's a M$ trademark) under utilities, select XF-Prot virus scanner. It will give you a red warning about it not being installed, connect to the internet and hit ok or enter or whatever. Tell it to go, and it will download the installer for f-prot antivirus. Then press enter for default installation, and it will download the latest updates.
While it's doing that, click on the "sda2" hard drive icon at the bottom, and verify that it appears to contain folders named "windows," "Documents and Settings," etc., indicating that this is (as I suspect) the partition on which Windows is installed.
EDIT: Please log back into the forum with the "Browse" button in Puppy, as this will allow us to continue this discussion on the computer being repaired. This is not critical, but it'd be a good idea.
-
It looks like you've either gone to bed (probably a good idea! 36 hours.......ouch) or logged off. Anyway, I'm on a Puppy computer and have XF-prot up and have reminded myself about its functionality (haven't had to use it in a bit)
Once you get it downloaded, find out which drive icon contains the infected Windows installation. I believe it will be sda2 in your case. In the process of verifying where Windows lives, you'll mount the drive so that Linux can access it. If it proves to be sda2 where Windows lives, type "/mnt/sda2" without the quotes in the box that says "Path to scan" on XFPROT 1.23. Leave the box below it unchecked or it won't scan most of it. I'd suggest you change the "Report file" location from "/root/.xfprot/xfprot.log" to "/mnt/sda2/xfprot.log" as this location will be easier to find later and will be permanent (on the hard drive.) Don't use quotes in any dialog box, I'm just using them to help clarify my instructions.
I suggest (for now) checking the box that says "report only" so that it doesn't actually change any files, then select the button that says "F1 scan" at the bottom. After that......give it time. It will sit there and "scanning" for awhile, possibly hours. I suggest you let it scan and go to bed. Once it's done, it'll show the beginning of the report in the scan window, and we'll go from there. Once it gets to that point, you should attach the report file to a post here so we can go over the results. I'll help you with that if you have difficulty once we get to that point.
-
I have a warning from XFPROT
it says you are running xfprot as root Continue?
Yes or No?
-
Oh, yes, of course. ;D
All it's saying is that you are running with full privilege. Puppy always runs that way. In Windows-ese, you're running as administrator.
-
Ready to hit f1Scan
So I will see you later??
-
I'll be around! I'm going to go to bed soon, as I think you should. Once you do hit the "F1 scan" button, it should start rifling through your hard drive, looking for creepy-crawlies! If it doesn't run for very long, we'll have to check the settings.
Once I go to bed, I likely won't be available until tomorrow afternoon (after Church) but I think you have the info to get a good solid scan done by then, and then we can fix the findings then. Will that work for you?
Let me know if it looks like the first part of the scan is going properly.
-
Scan is finished.. doesn't look like it found much..
But I am not sure I am looking at the right file.
Let me know what to do next..
-
(F5 F5 F5.)... am watching this thread with bated breath!
Love to you all!
Omega40
-
A linux cd is a good option although malware now infects the following system drivers (this is the latest list)
%SYSTEMDRIVE%\iaStor.sys
%SYSTEMDRIVE%\nvstor.sys
%SYSTEMDRIVE%\atapi.sys
%SYSTEMDRIVE%\IdeChnDr.sys
%SYSTEMDRIVE%\viasraid.sys
%SYSTEMDRIVE%\AGP440.sys
%SYSTEMDRIVE%\vaxscsi.sys
And as they get better at circumventing system protection they will add more to the list. At the moment the main priority is to get you up and running again - so replacing the iastor.sys file will achieve that
If I have read rightly you are booting to a live cd and copying a fresh copy of this file to system 32 - is that correct ?
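As an added example (not code from the thread or from essexboy), here is a small POSIX shell script that does the comparison the post implies: with the Windows partition mounted from a live Linux CD, it checks each driver in the list above against a known-clean copy and reports which ones differ. It assumes the partition is mounted at the directory given as the first argument (the thread uses /mnt/sda2), that the drivers live under WINDOWS/system32/drivers (an assumption; the thread only says "system 32"), and that clean copies with the same file names, for example extracted from the vendor's driver package, are in the directory given as the second argument.

```shell
#!/bin/sh
# Added example (not code from the thread): compare the boot-critical drivers
# listed in the thread against known-clean copies, on a Windows partition that
# is mounted offline from a live Linux CD.
#
# Assumptions (not stated in the thread): the partition is mounted at the
# directory given as the first argument (the thread uses /mnt/sda2), the
# drivers live under WINDOWS/system32/drivers, and clean copies with the same
# file names (for example extracted from the vendor's driver package) are in
# the directory given as the second argument.

DRIVER_LIST="iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys"

# NTFS names are case-insensitive, so look the file up without regard to case.
find_driver() {
    find "$1" -maxdepth 1 -iname "$2" 2>/dev/null | head -n 1
}

# check_drivers MOUNT REFDIR
# Prints one status line per driver:
#   MATCH     byte-for-byte identical to the clean copy
#   MISMATCH  differs (followed by its SHA-256, for looking it up or reporting)
#   MISSING   not present on the partition
#   NOREF     present, but no clean copy to compare against
# Returns 1 if any driver mismatched, 0 otherwise.
check_drivers() {
    cd_mnt="$1"; cd_ref="$2"; cd_rc=0
    cd_dir="$cd_mnt/WINDOWS/system32/drivers"
    for d in $DRIVER_LIST; do
        target=$(find_driver "$cd_dir" "$d")
        if [ -z "$target" ]; then
            echo "MISSING  $d"
        elif [ ! -f "$cd_ref/$d" ]; then
            echo "NOREF    $d"
        elif cmp -s "$target" "$cd_ref/$d"; then
            echo "MATCH    $d"
        else
            echo "MISMATCH $d $(sha256sum "$target" | cut -d' ' -f1)"
            cd_rc=1
        fi
    done
    return $cd_rc
}

# Usage from a Puppy console, after mounting the partition:
#   sh check_drivers.sh /mnt/sda2 /root/clean-drivers
if [ "$#" -eq 2 ]; then
    check_drivers "$1" "$2"
fi
```

A MISMATCH is only a lead, not proof of infection: the vendor copy may simply be a different version than the one Windows installed, so compare version numbers before replacing anything, and keep the replaced file for later analysis rather than deleting it.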
-
essexboy
I booted using the Puppy Linux CD and have access through linux to the computer
Did an XFPROT scan only .. found 1 infected file.. did it again .. found 2 infected files.
That is pretty much where we left off.. he went to bed .. I took a much needed break
It is now 9AM where I live..
I believe my mentor "edifyguy" intends to get rid of the viruses and then repair windows.
Is that what you would do?
It has been a very long time since I burned to CDs so it took me awhile to get it
right.. I have not done the iaStor.sys as yet.
I kinda thought getting rid of the viruses first was a good idea..
Where did this list come from:
"A linux cd is a good option although malware now infects the following system drivers (this is the latest list)
%SYSTEMDRIVE%\iaStor.sys
%SYSTEMDRIVE%\nvstor.sys
%SYSTEMDRIVE%\atapi.sys
%SYSTEMDRIVE%\IdeChnDr.sys
%SYSTEMDRIVE%\viasraid.sys
%SYSTEMDRIVE%\AGP440.sys
%SYSTEMDRIVE%\vaxscsi.sys
"
-
Omega40
Welcome!
Looks like we have quite a following.. I guess I am not the only one
who has ONE NASTY VIRUS/TROJAN
-
If I may...Is this not all really working 'blind'?
Unless I have completely missed it, I note this forum does not have a section for members to post their HJT Logs for analysis by Trained Helpers..
Lynn210 has been asked to run the ComboFix tool but which Trained Helper on here will be analysing its report? Surely, until her HJT log is analysed and the infections noted how can we know that the ComboFix tool is the right one to run; attempting to run that tool on an inappropriate infection can cause unwanted effects which include rendering the computer completely useless :'(
Has anyone Trained in HJT analysis yet seen an HJT log from this computer to see what may be going on ?
-
I believe my mentor "edifyguy" intends to get rid of the viruses and then repair windows.
Is that what you would do?
This is the only way to do it as far as I can see, although I would probably work on the repair first. At the moment there is no AV that I am aware of that can detect or repair this particular infection
What we need to do is replace the bad iastor file with a clean copy. Were you able to extract it from the Dell site? One other option is to do a parallel install. That would leave your documents and settings intact but replace windows entirely
Where did this list come from:
"A linux cd is a good option although malware now infects the following system drivers (this is the latest list)
%SYSTEMDRIVE%\iaStor.sys
%SYSTEMDRIVE%\nvstor.sys
%SYSTEMDRIVE%\atapi.sys
%SYSTEMDRIVE%\IdeChnDr.sys
%SYSTEMDRIVE%\viasraid.sys
%SYSTEMDRIVE%\AGP440.sys
%SYSTEMDRIVE%\vaxscsi.sys
"
These are files that have been compromised that we have so far located - with control of these files you can control what programmes run with the system. The list is growing though
If I may...Is this not all really working 'blind'?
Unless I have completely missed it, I note this forum does not have a section for members to post their HJT Logs for analysis by Trained Helpers..
Lynn210 has been asked to run the ComboFix tool but which Trained Helper on here will be analysing its report? Surely, until her HJT log is analysed and the infections noted how can we know that the ComboFix tool is the right one to run; attempting to run that tool on an inappropriate infection can cause unwanted effects which include rendering the computer completely useless :'(
Has anyone Trained in HJT analysis yet seen an HJT log from this computer to see what may be going on ?
At the moment no analysis logs have been generated. HJT would not find this infection as it is no longer man enough for the job. The analysis tools I use are OTL and OTS which give a much clearer picture of the system, and no, combofix should not have been attempted until the nature of the infection is known (I do not think Combofix will run on this bit of malware until the way is prepared for it). But, until this system is up again no analysis tools can be run
-
essexboy
Isn't the use of Puppy Linux a "parallel install" more or less only temporary?
And if I upload a new clean file to the Windows system -- if this is an infected file --
wouldn't the virus just infect it again?
Also.. I have a feeling that a lot of other system files are going to be needed
by Repair..
Can your OTS OTL program be run using Puppy Linux? or does it have
to sit right on the OS it maps out?
-
Snowflake
If you go back through all of the info here .. this virus I have will not allow me to
execute anything .. it immediately kills the program .. or infects it... so we are
doing a workaround.. getting access to the drive and OS without being in the OS
is pretty much a beginning.. till we can get control of the Virus and not vice versa.
Then we hopefully can run tools that will identify all the problem areas and thus
make repairs.
-
Unfortunately it only runs in a windows or PE environment. The Author hasn't thought about a Linux version, I may put that to him
And if I upload a new clean file to the Windows system -- if this is an infected file --
wouldn't the virus just infect it again?
The indications we have so far are that the file that does the infecting is deleted once it has done its job. So a new file should be safe
-
Aha, here we go then. You state that it seems to have found only one or two files each time you've run it, but that would be only what it's showing in the short bit of the log you can see when it finishes. You need to grab the log from the hard drive and look at it; better still, share it with us.
From that computer, please reply to this forum and attach the logfile so that we may look at it. Note that the linux file structure is different than Windows, and you'll need to "Browse" then double-click "File System" then "mnt" then "sda2" then "xfprot.log" if you changed its location as suggested.
Did you leave it in report only or did you change its behavior to automatic? If you changed it to automatic at some point, it may have deleted some or all of the problem files the first time, which would remove them from the log the second time. This is OK, but it would be better to know what we're dealing with here.
As for the iaStor.sys, I have a way to get that right for you without a Dell executable. Like I said, I do this for a living, and have many tricks up my sleeve.
-
As for the iaStor.sys, I have a way to get that right for you without a Dell executable. Like I said, I do this for a living, and have many tricks up my sleeve.
Now this is a trick I would like to have access to and use (full credit given) ;D
-
Ok.. here goes .. :-[
The file is too large.. it is 240K
the limit here is 192K
It is just text so I suppose I could split it in two and post it with
2 messages.. will that work?
-
As for the iaStor.sys, I have a way to get that right for you without a Dell executable. Like I said, I do this for a living, and have many tricks up my sleeve.
Now this is a trick I would like to have access to and use (full credit given) ;D
ME TOO!
-
Yep split the post
-
As for the iaStor.sys, I have a way to get that right for you without a Dell executable. Like I said, I do this for a living, and have many tricks up my sleeve.
Now this is a trick I would like to have access to and use (full credit given) ;D
ME TOO!
Here you go then: the actual files, ready to unzip to a floppy for use during Windows install, or whatever the present purpose may be.
http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=2101&DwnldID=17883&lang=eng
Just gotta know what you're looking for! ;D
-
Yep split the post
You could actually use Pupzip to compress it small enough to attach, then rename the .tar.gz or .zip to .txt so that the forum attachment engine will take it.............just let us know what it SHOULD be! ;)
-
I've got to get ready for Church.....should be back about 12:30........
Hope all goes smoothly until then. I had hoped to see your log first, but if it's not to be, I'll have to be patient. :'(
-
Thanks for that - would a flash drive be as good if there is no floppy drive fitted ?
-
Having a problem
I split the file ok .. but when I saved it it saved it to
"root" folder
When I try to upload it .. forum won't take it .. says it has to be
an " ---" file.. checked file properties.. says it is a txt file..
tried to save as .. could not find save as text .. tried a rename
with a .txt extension.. would not let me do that.. tried to zip original file
couldn't figure out how to do that.. clicked on the zip icon but says
program not available or something to that effect.
-
Think I got it... hopefully ;D
-
Thanks for that - would a flash drive be as good if there is no floppy drive fitted ?
Not exactly........Windoze setup isn't looking for a thumb drive. You can put them on the hard drive first with Linux and then point it there for the files under some circumstances.
Otherwise, you'll need either a USB floppy or a thumb drive that emulates USB floppy to use the F6 functionality.
If you can avoid the BSOD long enough without the F6 functionality, just having them on the hard drive to add later can be sufficient.
-
Think I got it... hopefully ;D
I can't read that apparently....what format is it actually in? Did you try using Geany to delete the second half, save as one thing, then delete the first half and save as something else?
I'm gone to Church now......
-
It's a zip file
tar.gz I think .. I just renamed the extension like you said
so that the forum would allow the upload.
-
If it was .tar.gz, something went wrong in the process, because it contains no files. Did you add the logfile to the .tar.gz?
You can simply launch the "zip" icon, then select "new" from the menu, give it a name, then add the logfile from "file system" "mnt" "sda2" "xfprot.log" but don't forget to "add to list" then "ok" and it will make a .tar.gz file with your logfile. Then rename and post.
I can't see that there's anything inside the file you posted. Please try again; I'm dying to see what it found! ;D
-
This is exactly what I did..
I will try again..
-
Something is wrong...
I open a new zip.. it has a name tar.gz
I click file system the Add button becomes avail
click mnt still got the add button
click sda2 button is still there till I click on a file
then the add button disappears and instead of
the zip file name in the Name area of PUPZIP the file
I clicked on is there and no add button.
This did not happen the first time.. I had no problem
adding the file to the add section
-
I am trying to upload to a share host MediaFire
but it does not seem to want to take the file..
It is stuck on initializing..
There is another file share host debuggers use but I can't
remember the name of it.
Do you know of a file share place that will take a file from
Linux OS
-
Tried something else ..
-
Let me know if they made it ok
:-[
-
Is it possible to access the Avast vault from Puppy Linux
-
Ah, yes! I see said the blind man as he picked up a hammer and saw! ::)
Click the "Console" icon and type this in:
"rm -f /mnt/sda2/WINDOWS/syssvc.exe" without the quotes. It IS case sensitive.
Then:
"rm -r -f /mnt/sda2/Program\ Files/MyWebSearchWB"
If you get no complaints, that means that those two are goners.
Now, let's let XF-prot off its leash a bit more. Set heuristics to "Maximum", and check the boxes next to "Scan inside archives" and "scan for other various malware"
Before you do that, though, just for grins, hit the update button one more time and see if there's any newer updates from our friends at f-prot.
Allowing it to check inside archives should actually make the logfile shorter, as it won't skip them all and note that it did.
I look forward to the results of the next scan. I feel like we're actually making progress now.
-
Is it possible to access the Avast vault from Puppy Linux
Yes, it is, sort of. The files can be accessed from the sda2 icon or from /mnt/sda2. They live in Program Files/Alwil Software/Avast4/DATA/chest but the files are not named anything but random names. What was found and which is which is tracked in index.xml which lives there with them.
I'm curious as to what your index.xml contains......could you upload that for us while your next scan is progressing? Rename it to .txt and it should upload. It should be small.
By the way, anything will take files from Linux, if the browser in use supports the usual protocols. You're using Seamonkey, which is sorta a mongrelized FireFox.....pretty standard stuff.......I'm surprised that you're having trouble with things like uploads, as I'm using the exact same software as you are to type this. I've not had trouble with things like that from Puppy.
-
Ah, yes! I see said the blind man as he picked up a hammer and saw! ::)
Click the "Console" icon and type this in:
"rm -f /mnt/sda2/WINDOWS/syssvc.exe" without the quotes. It IS case sensitive.
Then:
"rm -r -f /mnt/sda2/Program\ Files/MyWebSearchWB"
OK .. they both came back cannot remove read only file system
When you type these commands.. you need to indicate where there is a space.. it is very hard to tell for some reason..
-
Here's a script to do it, hopefully. It should give you an idea of what it did, but might not. It should wait for 10 seconds after it's done so you can read what it did, if anything didn't work. Rename it to remove the .txt and it's a script.
-
I tried to run a new scan but it is acting strange
I updated ok
Then when I click f1 to scan it says file name already exists overwrite
I say ok .. then it opens the old file.. the program flickers but it does not look
like it is doing anything..
So I tried using a different file name xfprot2.log
Same thing.. it opens the old file.. flickers and does not appear to be
doing anything.
Should I try deleting the old file? or what
-
Sorry to seem so dumb ::)
but how do I run the script?
You're the pro, not me; this is all new to me ;D
-
Ummmm.......flickers? I confess I don't know what you mean by "flickers." If you reuse the log filename, it will ask about that, but it should start cooking.
With these options it will run much slower, but as long as the thingy by "Scanning: /" keeps moving once in awhile, it's OK. Does it appear to be scanning?
-
Sorry to seem so dumb ::)
but how do I run the script?
You're the pro, not me; this is all new to me ;D
Just save it on down to the my-documents folder, right-click it, select "File remove1.sh.txt > Rename" and then remove the .txt from the end of it. It will then be able to be run just by clicking on it. (The icon will change to a green program window thing.)
-
It doesn't say scanning anywhere.. it opens the old report
window .. the window has a title that says;
xterm_simulate_hold.sh
but nothing is changing
the old file info is there and it looks exactly the same.
You have a copy of the old log so why don't I try getting
rid of the old log.
Check this info too:
Path to scan
/mnt/sda2
Report file
/mnt/sda2/xfprot.log
Report Only
Maximum
Scan Inside Archives
Scan for various other malware
-
Looks like you're doing everything correctly. Try closing XFPROT and starting it again from the menu. Be sure to check your settings after doing that.
Did you get the remove script to go?
-
One other thought: is there still a green ball by the sda2 icon? There should be. If not, just click it once and it should come back.
-
Is it possible to access the Avast vault from Puppy Linux
Yes, it is, sort of. The files can be accessed from the sda2 icon or from /mnt/sda2. They live in Program Files/Alwil Software/Avast4/DATA/chest but the files are not named anything but random names. What was found and which is which is tracked in index.xml which lives there with them.
<snip>
You're right in the 'sort of' comment. Even if it is possible to access the files in the chest folder, assuming you are able to work out what the random file names are (if that data is in the index.xml, and I would doubt that, seems too easy), those files are also encrypted.
So if you did manage to find what files are what, you would have to decrypt them and that isn't going to be easy.
-
When I click on the renamed file I get this window
No run action specified for files of this type (application/x-shellscript) - you can set a run action by choosing `Set Run Action' from the File menu, or you can just drag the file to an application.
Note: If this is a computer program which you want to run, you need to set the execute bit by choosing Permissions from the File menu.
-
Is it possible to access the Avast vault from Puppy Linux
Yes, it is, sort of. The files can be accessed from the sda2 icon or from /mnt/sda2. They live in Program Files/Alwil Software/Avast4/DATA/chest but the files are not named anything but random names. What was found and which is which is tracked in index.xml which lives there with them.
<snip>
You're right in the 'sort of' comment. Even if it is possible to access the files in the chest folder, assuming you are able to work out what the random file names are (if that data is in the index.xml, and I would doubt that, seems too easy), those files are also encrypted.
So if you did manage to find what files are what, you would have to decrypt them and that isn't going to be easy.
That data does seem to be present in the index.xml file, but not in an easily-human-perceivable format. I think the greater information to be gained is the names of the threats found, which are in human-perceivable format. I'd like to see Lynn's, if she has a chance to upload it, but it's more a matter of curiosity.
-
When I click on the renamed file I get this window
No run action specified for files of this type (application/x-shellscript) - you can set a run action by choosing `Set Run Action' from the File menu, or you can just drag the file to an application.
Note: If this is a computer program which you want to run, you need to set the execute bit by choosing Permissions from the File menu.
Ugh, yes, that can happen. Do this: right-click it, select "Window > Terminal Here" then type in "sh remove1.sh" in the resulting window. That'll run it and it should remove the previously discovered evilware.
How are we coming with the second-phase scan? Still not going? It should just go..........did you close the "xterm simulate hold.sh" window from before? You should have.
-
Every time I try to type what it says at the top of the scanning window I get knocked out of the forum .. so lets try one more time
I got it to run by letting it put the report in its default location
the first few lines say "Error: Can not open devicefile /dev/ram10 no such file or directory"
there are 6 lines all the same except ram10 thru ram15
Nothing else is showing but one of the lines next to scanning spins around
every now and then...
-
OK, fine, fine. That'll do........
I wonder why it's complaining now about putting the report right on the hard drive.....it shouldn't mind.
The main reason that I wanted to put the report file somewhere else was simply that it goes, by default, in a hidden folder that doesn't get saved to the hard drive (isn't permanent) but we'll work around it. Not a big problem.
Let us know when it gets done with the second scan.
EDIT: If I wasn't clear, it's working now. It's actually scanning.
-
Ugh, yes, that can happen. Do this: right-click it, select "Window > Terminal Here" then type in "sh remove1.sh" in the resulting window. That'll run it and it should remove the previously discovered evilware.
How are we coming with the second-phase scan? Still not going? It should just go..........did you close the "xterm simulate hold.sh" window from before? You should have.
Still says the same thing .. cannot remove
that the files are read only
-
I suppose the file can be copied to the hard drive.
tell me something.. what do I have to do so that I don't end up
on the home page of the forum every time I reply..
Isn't there some way to stay in the thread?
-
Do you think it is ok to mess around with the hard drive
to find that file you wanted while it is scanning?
-
OK, then here's what's going on:
Your hard drive apparently got mounted read-only because of an improper shutdown in Windows last time. The read-write NTFS driver will not go by default if the drive is flagged dirty by Windows, and then the default mounter takes over and mounts it read-only.
Once the scan is done and ONLY once the scan is done, type this in a console box:
"umount * /dev/sda2" (no quotes, * indicates a space)
"ntfs-3g * /dev/sda2 * /mnt/sda2 * -o * force"
This will force it to give us read-write access to the hard drive, which will be essential to fixing this. But if you do that while it's scanning, it flat out won't work, or it'll interrupt the scan.
-
There is a copy of the chest contents (not screenshot - transposed/typed) here. (http://forum.avast.com/index.php?topic=50422.msg427028#msg427028)
-
OK /
I thought I had closed the old scan window but it was still open..
I closed it now.. the scan seems to be going ok.. slow but sure..
Should I let it go or restart it?
Since it is set to a diff location wouldn't it be ok.. or is it
running in a temp area .. ???
-
I suppose the file can be copied to the hard drive.
tell me something.. what do I have to do so that I don't end up
on the home page of the forum every time I reply..
Isn't there some way to stay in the thread?
Yes. Click "Additional Options..." and check the box that says "Return to this topic" and it'll do that.
As for rifling around on the hard drive while it's scanning, yes it's possible, yes it's safe, but there's a bug in the explorer that will crash the desktop if you dig too deep into the Windows folder with it, just due to the sheer droves of files present. I'd suggest you wait to dig too much.
One thing you could do while you're waiting is to go into the Avast! chest and upload the index.xml file so we can see what Avast! had found. Copy it to my-documents first, though, otherwise it won't rename since the hard drive is read-only right now. That file lives in sda2 > Program Files > Alwil Software > Avast4 > DATA > chest. You can get to my-documents in 2 clicks by clicking the "File" icon in the upper-left corner, then my-documents in there. Then just drag the file over, rename it, and upload it.
-
I meant to mention that to you edifyguy
I thought it would be of interest then forgot with all else going on
I had to type it all because I could not get anything to work.. not even
notepad..
:o
-
OK /
I thought I had closed the old scan window but it was still open..
I closed it now.. the scan seems to be going ok.. slow but sure..
Should I let it go or restart it?
Since it is set to a diff location wouldn't it be ok.. or is it
running in a temp area .. ???
It's scanning the real thing, it's just putting the report in a temporary area that will go away once the puter is turned off. Once it's done, we'll copy it back to the hard drive, once we get it out of read-only mode. Not a big deal. I'd let it go. Otherwise it will redo the part it has scanned already. Not necessary.
-
Here goes nothing
-
Going to take a break while it is scanning.. unless there is
something else you want done..
Meet you back here in an hour?
That last scan took 30 minutes so if this one is
doing archives I suppose it would take at least an hour.. no?
-
Could take longer, actually. This time around, it's very carefully analyzing every file for things that look like they would do bad things, which will likely result in a few false positives, but we'll root through that once it's done. The net effect though, is that instead of mostly just looking for code signatures it knows already are evil, it's actually analyzing code, and it'll take longer to do that way.
Also, that looks like the correct file. You're actually pretty good at this. Not everyone could do what you've done here. Give yourself a pat on the back. ;)
-
Wow.......thanks for uploading the chest log.........that was..........revealing. :-\
There were a number of files that were captured repeatedly, including the syssvc.exe that we were attempting to remove from the first scan around. It's part of a rootkit, a virus that installs as a driver, and those are very difficult to get rid of while Windows is running, because they're very difficult to unload while Windows is running, as they are highly self-protecting. Using Linux to work on Windows while it's offline is going to be our best shot.
I'm going to distill your chest log into a second removal script to make sure that none of these previously-known evil files are still hanging around. I think they likely have been removed with the exception of the syssvc.exe file, but better safe than sorry........
-
OK, here's a remover script for any stragglers that Avast found but F-prot didn't.
I get the impression that the syssvc.exe was the key foot-in-the-door that had your computer strangled. Just removing that will likely be sufficient to unlock Windows, but we're going to be thorough about this.
One thing I did out of curiosity is that this second script (run like the first: rename, right-click, window > terminal here, sh remove2.sh ) doesn't delete things, except for the contents of 2 temporary file repositories that should definitely be emptied under the circumstances. The rest it moves to a safe location so we can see if it did, in fact, find anything.
I look forward to the second scan logfile.
-
Curious.......it seems a few other people are following this, because the files get downloaded many more times than just by Lynn. Is this helping anyone else, too?
-
Yep never used Linux in this manner before ;D
-
Yes .. we have quite a following it seems.
I saw someone using this Puppy Linux system on a different
forum when I was looking around for help..
OK.. the scan is running reaaaaallly slow... but it is still going.
Do you want me to run the second script now or wait till the scan is done.
-
Curious.......it seems a few other people are following this, because the files get downloaded many more times than just by Lynn. Is this helping anyone else, too?
Yep. Curious, want to see what is done. Learning.
-
Question...
I run several external hard drives on this computer.
I have disconnected all of them for now.. but will I have
to scan those before reattaching them once this computer
is back up and running..
What are the chances that this virus infected those files.
They are data files .. not program files or anything like that.
I keep all program and OS files on the main computer.. and then
all other files are stored external... I do that on all 3 of my computers.
I have had viruses before and they never infected the external drives
but this one is a devil... so was just wondering.
-
It is unlikely that your external drives have been affected, but possible, so once we get your computer running properly again, you will want to scan them carefully and not use them on any other computers for awhile. The likelihood is low of a problem, as what usually happens with these virii is that they seek out what looks like a Windows installation and implant themselves into that. Most viruses don't just stick copies of themselves in random stuff.....the goal is to have the code executed, not just to have lots of copies of it. So most viruses are choosy, and put their payload into files that will affect things, like Windows installations and sometimes programs. There's not much point in infecting data files, as they are opened, but not executed.
I'm glad that this is proving to be so educational for everyone. Like I said, I've got some tricks! ;D
I wouldn't bother with that script until the scan is done, as the hard drive is still read-only right now, remember?
-
I think I just messed up the scan
I was typing something to you and used a dash
seems using a dash is a no no.
anytime I do.... something weird happens and this forum
crashes
This time the forum crashed and I ended up finishing what I was typing
in the scanning window.. it still seems to be wiggling but there is now a few letters after the wiggle lines.
What should I do?
-
I'm glad that this is proving to be so educational for everyone. Like I said, I've got some tricks!
I don't understand half of what you are doing but it is very interesting to follow...... :o..... ;D
-
seems using a dash is a no no.
anytime I do something weird happens and this forum
crashes
I wonder if there is something not quite right with the computer you are using to view the forum? Apart from one server overload message here, about two hours ago, it's working fine, here. Perhaps you should use another browser or computer?
Check that cookies are allowed.
Dashes and all other regular punctuation markings are allowed.!@#$%^&*()_+/"etc
-
So .. to leave off.. once the scan is done
need to copy the log file to a permanent location..
send you a copy of the log file..
I follow the instructions to change the hard drive to read-write
then run script one ... then script two
Since this scan is going to take quite a while.. I will take a break
and check back here every half hour or so to see if the scan is
finished..
-
I think I just messed up the scan
I was typing something to you and used a dash
seems using a dash is a no no.
anytime I do.... something weird happens and this forum
crashes
This time the forum crashed and I ended up finishing what I was typing
in the scanning window.. it still seems to be wiggling but there is now a few letters after the wiggle lines.
What should I do?
----don't worry about it------it's fine--------it'll keep going anyway----------those extra letters are just that----extra letters.
Well, I just spit out 40-11 dashes, and it's not crashed out.....I don't know how you are getting that behavior......
But the scan should be fine. It'll ignore extra input unless it sees something it recognizes, like ctrl-c (stop) or something else like that.
-
seems using a dash is a no no.
anytime I do something weird happens and this forum
crashes
I wonder if there is something not quite right with the computer you are using to view the forum? Apart from one server overload message here, about two hours ago, it's working fine, here. Perhaps you should use another browser or computer?
Check that cookies are allowed.
Dashes and all other regular punctuation markings are allowed.!@#$%^&*()_+/"etc
She's using the exact same browser that I am, and the exact same OS. I don't know why hers is so fussy. Mine isn't. But she needs to stick with that for now, at least on that computer, because it's all tied to what we're doing.
-
Are you running Puppy Linux from a floppy with limited resources,
or full-scale Linux in a stable system?
-
I do both, but at the moment I'm running in RAM from a LiveCD just like you are. That way everything (theoretically) should look and act exactly the same. Sometimes I customize things in a real installation. ;)
-
Let me know when that scan finishes.....I did warn you that it'd take awhile.....I'll pop in and check for your notification that it's done when it is.
If you can without too much grief, post the log once it's finished. If you have trouble, I'll help you later.
-
Scan is still running.
-
I'm glad that this is proving to be so educational for everyone. Like I said, I've got some tricks!
I don't understand half of what you are doing but it is very interesting to follow...... :o..... ;D
Ditto ;)
-
I'm glad that this is proving to be so educational for everyone. Like I said, I've got some tricks! ;D
I don't understand each detailed step but, at a glimpse of it, you seem to be working at diagnosing/repairing Windows system against the persistent malware through one of the most user-friendly Linux distributions. It's pretty interesting to read and I "hope" it will teach me something. It's nice to have another expert in this forum. O.K. I'll leave you to do the job, edifyguy.
-
Scan is done...
You are going to love this one!
:o
-
I did the thingy for making the hard drive read write
I will check it out now..
Do you want me to run the 2 scripts or should I wait till
you look over the scan...
The green dot has disappeared from the sda2 icon.
I can still access the drive but don't know if I can write to it or not.
-
Will check back at 10PM
-
Waiting for your next instructions..
Will keep checking back every half hour or so.
-
Sorry about that......had to go tend to some spouse-things, and by the time I got done with that it was bedtime.
What happened once you did the instructions to make the hard drive read-write? Did the remove scripts work as expected at that time?
I'm going to distill another remove script from your latest log. There are some false positives, but I think I recognize them. There are a few things that we'll just relocate to be safe. I feel pretty confident that we're getting this licked.
-
The green dot next to the hard drive icon is gone..
I can still access the drive and what is on it..
I have not done the scripts as I wanted to make sure
you still wanted me to do them .. or to wait for a combined
script.
Let me know for sure.. then I will do them
-
I'm not surprised that the green dot is gone.....we just mounted it manually, and the green dot was just not notified. No big deal.
See if the first 2 remove scripts will run properly now, and I'll have a 3rd in a few minutes.
By the way, to whoever said that we're using the easiest Linux edition known, they're right. Puppy is awesome! ;D
-
The first one sat for a few seconds
then returned back to the prompt with no other action
indicated
The second one came back with a bunch of no such files
mv cannot stat `/mnt/sda2/etc etc etc
There were 8 lines like this.. I suppose they match your script
-
Good, that means the first one worked, and the second one didn't find much. That means that Avast! was doing a pretty good job at what it was made to do. ;D
If you would, type this in a console for me, just for grins, and tell me what it spits out:
ls * /mnt/sda2/quarants
* means a space here.
-
bsh: /mnt/sda2/quarants: is a directory
-
I like Avast very much so far..
I have tried many AV programs
Avast is the first one that was super fast and did not
cause my browser to run like it was plodding through mud.
I would like to set it on automatic.
While these programs are waiting for a reply as to what
to do with a suspected file.. doesn't the virus have a chance
to do its damage? or is it in a sort of limbo till I reply.
-
Avast freezes the system when it finds something, so that the only thing able to do anything is itself. The others generally don't, and I've seen a few viruses that really took advantage of that.....
Try this command:
ls /mnt/sda2/quarants/*
The asterisk is real in this one. The space is a space (there's only one.)
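The scripts discussed in this thread (the remove2.sh that moves suspect files into a safe spot instead of deleting them, and the ls over /mnt/sda2/quarants that checks what was actually caught) are not attached here, so the following is an added example of how such an offline quarantine helper can be written. It is not edifyguy's script and not Avast's or Puppy's code. The mount point, the quarantine directory, the sample file list, and the function names (file_sha256, quarantine_move, empty_dir, quarantine_count, make_sandbox) are all assumptions; the sandbox it builds under mktemp is a constructed stand-in for the mounted Windows partition. It keeps each file's relative path so it can be put back if it turns out to be a false positive, records a SHA-256 per moved file, refuses to run while the partition is still mounted read-only, skips lines that have been commented out with #, and reports missing files the way the thread's "cannot stat" lines do without aborting:

```shell
#!/bin/sh
# Added example (not the thread's remove2.sh): an offline quarantine helper for a
# Windows partition mounted under Puppy Linux. Paths, directory names and the
# sample file list below are constructed for illustration.
#
# Usage: quarantine_move <mount point> <quarantine dir> <list file> [dry]
#   e.g. quarantine_move /mnt/sda2 /mnt/sda2/quarants /root/flagged.txt
#   With a fourth argument "dry" it only reports what it would move.

# SHA-256 of a file, with a fallback for systems that lack GNU sha256sum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Move every path listed in $3 (relative to the mount point $1) into the
# quarantine directory $2, keeping its relative path so it can be restored.
# Lines starting with # are skipped, so a doubtful entry can be commented out
# instead of deleted. Missing files are reported on stderr but do not abort.
# Prints "found=N missing=M" on stdout when done.
quarantine_move() {
    mnt=$1; qdir=$2; list=$3; dry=${4:-}
    if [ ! -w "$mnt" ]; then
        echo "error: $mnt is not writable (still mounted read-only?)" >&2
        return 1
    fi
    mkdir -p "$qdir"
    found=0; missing=0
    while IFS= read -r rel || [ -n "$rel" ]; do
        rel=${rel#/}                          # tolerate a leading slash
        case $rel in ''|'#'*) continue ;; esac
        src="$mnt/$rel"
        if [ ! -e "$src" ]; then
            echo "missing: $src" >&2
            missing=$((missing + 1))
            continue
        fi
        found=$((found + 1))
        if [ "$dry" = dry ]; then
            echo "would move: $src" >&2
            continue
        fi
        dest="$qdir/$rel"
        mkdir -p "$(dirname "$dest")"
        # record the hash before the move so the manifest can be checked later
        printf '%s  %s\n' "$(file_sha256 "$src")" "$rel" >> "$qdir/MANIFEST"
        mv "$src" "$dest"
    done < "$list"
    echo "found=$found missing=$missing"
}

# Empty a temporary-files directory without removing the directory itself.
empty_dir() {
    if [ -d "$1" ]; then
        find "$1" -mindepth 1 -delete
    fi
}

# Number of files held in quarantine (manifest excluded): the quick
# "did it actually catch anything" check.
quarantine_count() {
    find "$1" -type f ! -name MANIFEST | wc -l | tr -d ' '
}

# Constructed stand-in for a mounted Windows partition, so the helper can be
# exercised offline. File names follow the ones mentioned in the thread.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/WINDOWS/system32" "$sb/WINDOWS/Temp" "$sb/Documents and Settings/Lynn"
    echo "bad"  > "$sb/WINDOWS/syssvc.exe"
    echo "bad2" > "$sb/WINDOWS/system32/calc.dll"
    echo "keep" > "$sb/WINDOWS/system32/legit.dll"
    echo "junk" > "$sb/WINDOWS/Temp/tmp1.tmp"
    cat > "$sb/flagged.txt" <<'EOF'
# one path per line, relative to the mount point
WINDOWS/syssvc.exe
WINDOWS/system32/calc.dll
Documents and Settings/Lynn/ntuser.dll
#WINDOWS/system32/legit.dll
EOF
    echo "$sb"
}

# Stand-alone demonstration on the constructed sandbox: dry run, real run,
# then empty the temp directory and list what was quarantined.
sandbox=$(make_sandbox)
quarantine_move "$sandbox" "$sandbox/quarants" "$sandbox/flagged.txt" dry
quarantine_move "$sandbox" "$sandbox/quarants" "$sandbox/flagged.txt"
empty_dir "$sandbox/WINDOWS/Temp"
echo "quarantined files: $(quarantine_count "$sandbox/quarants")"
cat "$sandbox/quarants/MANIFEST"
```

Against the constructed sandbox the summary line is "found=2 missing=1": syssvc.exe and calc.dll are moved under the quarantine directory with their paths intact, the ntuser.dll entry is reported missing, and the commented-out legit.dll line is left alone. The dry-run pass is the place to spot an entry like the Scheduler.exe mentioned later in the thread before anything is moved.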
-
It returned a bunch of file names in green type
Are these items in quarantine?
here are the file names
calc.dll
hernel132.dll
ntuser.dll
winsock.dll
wsock32.dll
-
OK, here's the last remover script.
I commented out a few lines that we can actually allow it to perform later if need be. They are files that I think are likely false positives, but which it might be good to remove anyway if we continue to have problems.
-
It returned a bunch of file names in green type
Are these items in quarantine?
here are the file names
calc.dll
hernel132.dll
ntuser.dll
winsock.dll
wsock32.dll
Yes, this is a personal quarantine we made to remove things that Avast! had detected, but might not have been able to remove.
You know, I think we should uncomment a few things in the 3rd remover...........use this one, please.
-
mv: cannot stat `/mnt/sda2/WINDOWS/syssvc.exe' : No such file or directory
-
Good, that means that the first script got rid of the horrid thing.
Now, I'm going to make a package with a few known clean files in it to replace a couple that will be needed to even get Windows to log on once we're done. I'll put it here:
http://www.silverdollarsolutions.com/files (http://www.silverdollarsolutions.com/files)
And I'll call it lynn.tar.gz
-
including that driver that repair needed?
-
Oh, well, I gave you the link to that on Intel's website. You should have been able to download that already.
If you're planning to do a repair anyway (it might not be necessary) go ahead and download it, then extract it to /mnt/sda2/intel so that it's on the hard drive where you can simply point to it.
The file is there, but if you're going to do a repair, you won't need it.
-
If I don't need to do a repair that would be great .. but don't forget
the system is hung up in repair at the point where it needed the
driver.. I could not get it to boot up at all
But you are the pro so I will wait and see..
If needed I can go back and get that link.. no problem
-
Got the files.. they are saved to hard drive in my docs
-
Am I understanding that you extracted the files within the archive into my-documents?
If not, please do, EDIT: and here's the script to move the pieces into place.
-
No.. I downloaded the archive into my docs.. but I can extract them if need be
-
Done
ran script.. paused a second then returned to the prompt
-
Ah, good..........did the extracted files in my-documents disappear? They should have gone away as they went where they belonged.
If they did, then it worked........and it's time to reboot and see what kind of progress we've made. Internet Explorer may be broken, but we should at least be able to get into Windows, unless the virus has severely broken something.
Do this, though......please download that driver anyway and extract it to /mnt/sda2/intel anyhow. That way if we need it, it's waiting for us.
-
OK Took awhile but found the download link
tried to extract it to intel directory but it says
intel directory does not exist and do I want to create it?
-
Of course! I thought you understood that. We're creating a new place with fresh files in it.
-
Done! Reboot now?
Let it go naturally and see what happens?
-
Just one more thing..
I extracted the file windows was looking for..
It occurred to me that since you made a "new
place" for the files.. then maybe you wanted all the files
extracted since there is a license and so on.
-
Yes, I did mean to extract all the files, as I think it will want to replace more than just that one; I think that was just the first in the list.
Once you get those files extracted, I'd like you to reboot normally and see what happens.
-
It does not complete the boot.. it is in a loop
-
It gets to a window and that window says setup is being restarted
so I guess it is looking for the Repair Disk????? >:(
-
Not exactly......
What it's saying is that it realizes that it was dumped in the middle of a repair for some reason. Will setup actually restart and allow you to finish the repair without starting it over again?
-
I will insert the disk in the drive and see what happens
It did start where it left off before.. so maybe it still will.
-
Looks like it is starting from the beginning again
-
It loaded a bunch of files now it says Setup is Starting Windows
Now I have the Window asking if I want to install or repair
OH There is a 3rd option that says press f3 to exit setup without
installing XP
-
Repair, but not with the recovery console. Select install first, then accept the EULA, then select to repair the existing installation.
When (if) it asks about the iaStor.sys and/or similar, direct it to the C:\intel folder we created earlier with the files in it.
-
Is it a TRUE window, or are you in a blue text-mode setup? My instructions are for the text-mode setup. If it's a window, you've got something different, and repair may be the correct first click.
-
The bugger knows it tried to repair this version once before .. it is checking to see where it left off and if it can pick up there or start over I guess.. it is copying files.. so my guess is it is going to start over..
-
That's OK. Nothing wrong with that.
I believe we've removed at least most of the malicious stuff from where it can hinder the repair process. I expect that the repair should be able to complete now, especially since we now have the full driver for the SATA controller available. (You did unzip the rest of those files......didn't you?)
Keep me posted!
-
It has picked up where it left off.. says 37 minutes to complete
so far it is not asking for the driver... so I guess I will see you in
30 minutes
-
OK it asked for the file again.
I went to C: intel and now it is saying that the software I am trying to install for this hardware did not pass the Windows logo testing to verify it is compatible with XP
Then there is a warning you probably know what that says
Should I keep going?
-
At the beginning of this thread I gave essexboy my Dell service tag number
which gives a list of the EXACT hardware that is on the sick computer.
If that will help get the right driver here is the tag again: F57KQB1
At the Dell Site it does not ask for a password.. you just plug the
tag number in and up comes the computer specifics.
If it doesn't matter.. or can be fixed later.. then let me know..
I will wait to hear.
-
Yes, that's fine. All that is is a Windows self-protection that says it doesn't know about this. Go ahead and use it.
It's not signed because it's not really meant for use like we're using it......but it'll be fine. ;)
EDIT: It's NOT saying that it's not the right driver, only that it can't prove that it has been certified with XP.
-
One thing curious about this install..
Before this whenever I boot up the version of Windows in the boot sequence always said Windows XP Media Center or something to that effect.. now it says
Microsoft Windows XP Professional
-
This is curious.. it is asking for the disk that says
"HP Scanning Software"
That did not come with this computer
The HP scanner is part of an ALL IN ONE I bought later
The disk is totally unrelated to Dell or to Windows
I will put the disk in and see what happens
-
That's because the Media Center Edition is an extension of XP Professional. There's a few little pieces added in that make Pro into MCE. Not a great deal of difference, and even if you did end up with Pro instead of MCE I doubt that you'd notice the difference.
On an interesting side note, I have Avast! for Linux working on my Puppy test box! I made a self-installing .PET file of it, and if it proves beneficial, I could easily have it running on yours too. I think F-prot has done the job, but if we need something Avastier to finish the job, now we can.
I frankly wish I had tried this sooner, as it was so easy to get it working that we could have used Avast! for Linux to scan instead. Next time.......
-
Dumb computer!!
The window asking for HP Scanning disk said insert in D drive or click ok to pick a different location.. then froze up.. I put the disk in E drive .. did not like it there so I had to remove the XP disk and put it in the D drive then it unfroze and moved on.. It will prob ask for the installation disk again soon but it has not yet.
It was smart enough to know about the scanner but it didn't even know about the second drive
-
This is curious.. it is asking for the disk that says
"HP Scanning Software"
That did not come with this computer
The HP scanner is part of an ALL IN ONE I bought later
The disk is totally unrelated to Dell or to Windows
I will put the disk in and see what happens
Yes, that's because it wants to replace any and all drivers that didn't come from Micro$oft, and it recognizes that as a 3rd-party driver (which it is) .......so it should be OK.
If it comes to it, you can likely skip it, as it should already be in place.
-
Dumb computer!!
The window asking for HP Scanning disk said insert in D drive or click ok to pick a different location.. then froze up.. I put the disk in E drive .. did not like it there so I had to remove the XP disk and put it in the D drive then it unfroze and moved on.. It will prob ask for the installation disk again soon but it has not yet.
It was smart enough to know about the scanner but it didn't even know about the second drive
Haha, well, it's not that it doesn't KNOW about the second drive, but rather that the way it's performing addressing right now it may not be able to access it. Setup uses a rather strange way of accessing CD drives to avoid the hassle of following changing drive letters around.
It does sound like you're getting somewhere, though!
-
Got another not so friendly warning
says
Software Installation
(red circle with white x in middle) has not passed Windows Logo
testing to verify its compatibility with Windows XP.
This software will not be installed. Contact your system administrator
------------
So it looks like some unnamed or unknown software is not going to be installed.
It's finalizing the install now.. almost finished I think
-
So it looks like some unnamed or unknown software is not going to be installed.
.....Probably a good thing, considering. ;D
If need be, we can add most anything we need to back in later.
-
It's booting up slowly but surely (I hope)
The name of that first line went back to Windows Media Center by the way..
The resolution of the Windows logo is much smaller than usual and it is just sitting there .. says please wait............................................
Got an hour glass but it does not seem to be doing anything..
no noise...
I removed the Install CD because the boot sequence is to disk drive first.. so
I thought I should.. was I wrong?
-
It's smaller than usual because it's doing its pre-first-run checklist. Always happens that way.
I'd give it a few minutes, but if it still doesn't start, just kill the power and try again. It's not supposed to stop there, but it's not unusual for repair installations to get stuck there.
EDIT: It no longer needs the CD.
-
This forum seems to be the most-viewed forum on here in half of forever! I guess people think this is mighty interesting! :o
I'm going to be on my SmartPhone shortly, but I'll check in on you as I can.
-
It's like waiting for your local regional sports team to win the series. ;D
-
It's like waiting for your local regional sports team to win the series. ;D
Absolutely on that. ;-)
-
I'm glad everyone is having a good time!! ;D
It's booting up .. looks like it always did... so far
OOOOPS there's all my icons.. wowwy!
and they are all in the same place they are supposed to be..
Still loading... anyone want to place some bets???
-
Go, Cowboys, Go !
-
I'm glad everyone is having a good time!! ;D
It's booting up .. looks like it always did... so far
OOOOPS there's all my icons.. wowwy!
and they are all in the same place they are supposed to be..
Still loading... anyone want to place some bets???
As they should be. It shouldn't look different.
Once it gets reasonably booted up, see if ComboFix will run now. It should. We definitely want its behavior-based analysis.
-
warning... that darn microsoft NET .. never co-operates
error messages
1.
.NET Framework Initialization Error
Red Circle with white x C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll could not be located
2.
Red Circle with white x wscsvc32
3.
RUNDLL
Error loading C:\WINDOWS\system32\calc.dll
The specified module could not be found
4.
RUNDLL
Error loading C:\DOCUMENTS~~1\Lynn\ntuser.dll
The specified module could not be found
5.
Red Circle with white x The requested lookup key was not found in any active activation context.
6.
services.exe - Application Error
Red Circle with white x The instruction at "0x7792fdf1" referenced memory at "0x00000000". The memory could not be "written".
Click on OK to terminate the program
Click on CANCEL to debug the program
7.
Security Warning
Red Circle with white x
Application cannot be executed. The file wmiadap.exe is infected.
Do you want to activate your antivirus software now?
Woops.. could not get the rest of them .. Windows shut down the computer
due to extreme hazard
Avast found a Root Kit virus
a lot of these warnings were happening all the while the computer was infected before I tried the repair... so I guess we still have work to do...
It is rebooting now..
-
Try rebooting it in safe mode (F8 during initial startup)
Some of those errors were due to things we knew were malicious and removed.
Once it comes back up, update Avast and schedule a boot-time scan, if it will.
If it won't, since Avast is detecting the stuff, we'll use Avast for Linux! :D
How much RAM do you have in that box?
-
Had to shut down Avast but it looks like combofix may run.. it is updating.
win32 error keeps popping up
combofix is backing up registry (whats left of it)
Combofix is scanning.....
Now if the computer doesn't shut itself down we may get somewhere.
----------------
2 Gigs of Ram Dual Core
-
Combo fix completed stage 1
and now stage 2 is done
and now stage 3 is done
and we are heading for the finish line... ;D
I hope
-
Maybe this topic could go down with another epic tale:
War and Peace
http://en.wikipedia.org/wiki/War_and_Peace
-
Good good good. Sounds like we've broken its back......now it's just a matter of putting it down completely.
I wondered about RAM because I was curious if you'd have to make a savefile for Puppy to run Avast for Linux. Doesn't sound that way. ;)
With a bit of luck, ComboFix will finish what we've started, and then Avast can do final cleanup with a boot-time scan.
-
Edifyguy, could you give us a link of your linux w/ avast!. I'd love to have a copy for the future after following this thread.
-
Here comes stage 4 (didn't know it had a stage 4)
still going..
by the way as soon as Windows was almost up.. Avast updated itself.
but will do another as soon as combofix is done.
here we go....
stage 5 done
stage 6 done
stage 6A ??? done
stage 7 done
stage 8 done
-
War and Peace, ROFL! :D
This has been a rather epic journey, hasn't it? But it's a journey that is leading homeward.
I'm surprised that ComboFix made no mention of rootkit activity.....that's good! Really good. That means that we've definitely broken its back.
-
Here comes stage 4 (didn't know it had a stage 4)
still going..
by the way as soon as Windows was almost up.. Avast updated itself.
but will do another as soon as combofix is done.
here we go....
stage 5 done
stage 6 done
stage 6A ??? done
stage 7 done
stage 8 done
There's 50 of them. :o
-
Woops .. turned by back and we are all the way down to stage 33
The system seems to be stable for now.. so combofix should finish
then I will upload the results to you...
With a repair I will have to do a Windows update too won't I?
Combofix deleted a bunch of files and folders and is now rebooting the computer...
I have never seen it do this before.. must have been a bad one.
-
For those with rudimentary knowledge of Linux:
Download and burn the Puppy Linux 4.1.2 iso file. (I don't trust the newer ones.....stick with 4.1.2 for now)
Download Avast! for Linux Workstation. Download the .tar.gz version.
From a console, run tgz2pet on the downloaded file.
From the explorer, click on the resulting file. It will self-install.
From the explorer, navigate to /bin, where you'll find a shortcut to Avast GUI. Click it.
Insert a valid key, download updates, and scan for bugs!
Lynn, ComboFix sounds like it is doing exactly what it was made to do now. You will have to apply many updates, but they can be done through the "yellow shield" updater. There's no great hurry, as MCE should have at least service pack 2 already with it.
-
Combofix is preparing its log report
all the same errors are popping up
plus some new ones
-
Errors are good at this point. It means that we've removed pieces of evilware that it has been instructed to execute.
Can you schedule an Avast boot-time scan now? If it just updated, you're good to go there.
EDIT: I also am eager to see your ComboFix log. Please upload it. It'll be at C:\combofix.log IIRC
-
Can't do anything till combofix finishes ... it says not to run any programs.
I can hear it running so I know it is still going .. must be a very long log
report?? ???
-
I dunno what takes it so long to prepare its report......but it does......but it's a great read when it's done! War and Peace-type epic stuff. ;D
I personally have disregarded its warning to not start anything until it's done.....I'm impatient like that......but in this case, better to not.
Getting any really fishy warnings still, or just "XXX doesn't exist" type warnings?
-
Just a few warnings not as bad as before
The log is finished.. very interesting however it is 548kb
This site will only take 192 at a time.. so where should I upload it
to ...
FYI Avast won't load.. seems to be a problem with the skin.. so I guess
I have to download it again or do a repair or something
I will wait till you are back online so you can tell me the best way to fix
this..
-
No new post in 26 min...the anticipation is killing me!
-
No new post in 26 min...the anticipation is killing me!
Suspense is grueling as I'm sure it is more so to both Lynn and edifyguy.
I'm set on "Notify". Better than doing F5 F5 F5. lol
-
Hi Lynn you could upload the log to Mediafire (http://www.mediafire.com/) and post the sharing link.
I am looking at the Linux set up now, it is a lot smaller than the PE I use at 290Mb
-
Link to combofix log
http://www.mediafire.com/file/zmymy2ogz5j/ComboFix.txt
-
Be back later.. edifyguy must be taking a break ..
-
There appear to be a few miscreants remaining but I will wait for edifyguy to return ;D
-
Be back later.. edifyguy must be taking a break ..
Edifyguy had to go to work for a bit ;)
I'm going to look at your log.
I'd rather you didn't uninstall Avast! at the moment if it can be prevented. There's a way to circumvent the skins if that's actually what's holding it up from starting, but I'd rather not stop the on-access scanner at the moment. Can you blame me? ;D
-
Ok .. no problem..
When should I check back
-
Well, ComboFix did a great job, as usual. :D
If you right-click the Avast! a-ball, you can go into "Program Settings" and uncheck the box next to "Enable skins for simple user interface." If skins are preventing you from starting Avast! that should let it start.
From the Tools menu, select "Schedule boot-time scan" and let it scan everything. I personally suggest telling it that it's OK to move everything to the chest including stuff in the Windows folder (advanced options.)
From the looks of your ComboFix log, ComboFix did most of the work already, and Avast! just needs to finish the leftovers.
One warning: your computer is a bit of a mess. You'll probably need to reinstall Internet Explorer 8, as we may have broken it by moving a suspicious file out of its reach. You'll also want to make a fresh System Restore point and then run Eusing Free Registry Cleaner to clean up the mess of stuff in the registry that used to point to Malware but now points nowhere and makes error messages. You might also need to uninstall and reinstall the .NET framework.
But your computer should otherwise behave pretty normally now, from the looks of the ComboFix log. The running processes look good.
Anybody notice anything I didn't? I'm not quite at leisure to study it just yet......
-
I'm going through the ComboFix log, and I'm making a list of additional suspicious/malicious files to remove. I think I'll send it to you as a DOS script that will just move them to our previously designated safe spot.
One thing I see.....it reports that both Avast and BitDefender on-demand scanning were disabled. Did you do that at ComboFix's request (I usually don't) or did something else do it?
-
Here's a Windows removal script. Rename it to remove the .txt and it'll run. Let me know if you get any strange messages out of it. It'll pause and keep the window open so you can read the messages.
-
OK let me catch up
To run the boot scan .. of course I have to reboot right?
Does the script you made run the same way as in Linux
just click on it or type it into the command window
I disabled Avast at combo fixes request but combo fix reactivated it once it was finished.
Bitdefender .. I only use the online scanner now...
I tried the program and did not like it.. one of many that made my browser
so slow I grew a few gray hairs waiting for it to load.
.NET framework.. is a bummer.. it took me a long time to get that right last time
I had to uninstall and re-install
So...
Where should I start.. with the script or the boot scan?
-
I notice that you have Scheduler.exe in your script
That is a small little program I have used for many years
to set alarm notices for my daily reminders.
I have it on all my computers..
Makes a nice loud alarm at times I set each day.
and a window pops up with a message to me that I type
into the interface when I set the alarm.
Took me a long time to find one easy to use and very loud!
Oh.. extensions don't show in windows so I will try to retype
the name of the file as it should be and hopefully that will do it
otherwise I guess I need to manually open the command window and copy the
text into it???
-
Avast boot scan finished
Found a few more files
They are now in the chest.
I cannot get the bat file to run
Windows extensions are not turned on
I know there is a way to turn them on but don't remember
how to do it... so I cannot change the "dummy" txt extension
I reinstalled Malwarebytes.. thought I would run it too...
It has found 14 objects .. so far.. may just be the files already
in the chest.. but it can't hurt to see what it finds.
-
Are we there yet? :D
-
Still working at it.. edifyguy is taking a break..
-------------
I ran Malwarebytes just to see what it would find... it found a bunch more stuff
First ran Quick Scan... then Full Scan.. will attach those logs for you.
--------
Whenever computer reboots the only error popups are .NET framework
and RUNDLL
-----------------
-
I think MBAM checks the registry, so it'll find more interesting stuff. MBAM also looks for more privacy intrusions than Avast! does, whereas Avast! is primarily concerned with keeping viruses at bay.
SpyBot S&D would be another worthwhile check for privacy problems.
I think you've about got it, sounds like. Going to review your logs.
About getting that script to run: From any explorer select Tools then Folder Options, then on the View tab uncheck the box that says to hide extensions on known file types. That will allow you to truly change it into a .bat from the dummy .txt file. If scheduler is something you hold dear, just delete that line before you run it. It just looked as hokey as sin sitting there right in the root of the program files folder like that........
-
Ran CCleaner to do some registry cleaning
attaching results
Cannot update IE -
actually cannot download anything
keep getting an error message..
Is that because of .NET framework?
suppose that should be next
What is the best way to go about fixing .NET framework
-
Was going to run Bitdefender online Scanner too but
can't seem to get IE to let me do anything not even install IE8
Turned updates on but could not access the page that checks for updates
needed...
-
Hehe....no......your issue with IE8 is due to a file we removed because it was suspicious. Apparently it was safe. You can actually put it back manually if you like. It's in C:\quarants, it's called extexport.exe and it belongs in Program Files\Internet Explorer
If putting that back doesn't fix it (it should) I'll provide you with a link you can type into the "Run..." dialog box to download the reinstaller for it.
Looking at the MBAM logs, the full scan only found the stuff that ComboFix had quarantined already. But that's OK. I'm sure you feel better now that they've been quarantined twice. :D
-
Yes .. I love to execute those viruses!!
-
Does that IE file go in a subfolder or the main folder
I moved it back to the main folder and can now get GOOGLE
but when I try to access other pages I get
red circle with white X The requested lookup key was not found
in any active activation content
-
I used Firefox to download IE8 but the installation will not complete
because an update is missing ..
Kind of a catch 10 .. can't use the update site unless I use IE
and IE will not work..
Firefox is my usual browser .. it is running but very slow and "jerky"
-
Waiting to hear what to do next to get this thing running right.
Also.. I have been battling this lsdelete screen on start up
I read how to remove the file at a forum.. and it worked on my other computers
but not on this one... it keeps coming back..
If you are not familiar with it .. it is a leftover file from uninstalling
AdAware ..
Have you heard of this problem.. it usually hangs your startup at least 20-30 seconds
-
The lsdelete is being triggered by the BootExecute key in the registry....I saw it there in the ComboFix log. You can remove it with Start > Run... > "regedit" [enter] then search for it and delete it. It should be under a heading called BootExecute IIRC.
I think FF is probably running goofy due to odd settings from the virus. I think there's a way to clear them out, but I usually use Opera, so I'm not sure right off the top of my head.
If you go to the Control Panel, then System, then the Automatic Updates tab, if you set it to "notify me but don't automatically download or install" you should almost immediately get the yellow shield in the system tray ready to serve updates.
Out of curiosity, which update was it looking for? I don't think IE8 requires much more than XP SP2......
I think the red circle/white x is leftovers from malware. Go to "Internet Options" (hopefully from the Control Panel, can also be accessed from within IE) and go to the tab most to the right. There should be a button to set everything back to defaults. Ya might wanta do that.....:D
According to MBAM, we're dealing with Vundo here. Realize that Vundo is a highly destructive virus, and getting everything "exactly right" again may take some doing. That is, of course, one of the reasons why a lot of people just go straight for the "nuclear option" whenever something like this happens. I think that's a bit of a wimpy approach, myself.......it's much more interesting to break its back with Linux, kill it outright with ComboFix, and then clean up after it with half-a-dozen other tools. ;D
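The BootExecute value edifyguy mentions can be inspected and reset from a command prompt as well as from regedit. The script below is an added example for this thread, not something from the original posts; it assumes C:\quarants as the place for the registry backup and that the machine is a stock XP install, where BootExecute normally holds the single entry "autocheck autochk *".

```batch
@echo off
REM Added example (not from this thread): back up the Session Manager key,
REM show the current BootExecute value, and rewrite it to the stock XP entry
REM if an lsdelete line is present.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
set "BACKUP=C:\quarants\SessionManager-backup.reg"

if not exist "C:\quarants" mkdir "C:\quarants"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, stopping before touching anything.
    exit /b 1
)

echo Current BootExecute value:
reg query "%KEY%" /v BootExecute

REM Every line in this REG_MULTI_SZ runs before the shell loads. On a stock XP
REM box there is exactly one: "autocheck autochk *".
reg query "%KEY%" /v BootExecute | findstr /i "lsdelete" >nul
if errorlevel 1 (
    echo No lsdelete entry present, nothing to do.
    exit /b 0
)

REM Writing the value back with only the stock entry drops the lsdelete line.
reg add "%KEY%" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
echo Rewritten. Backup of the old key is in %BACKUP%.
echo If the entry is back after a reboot, something still installed is
echo re-creating it, and deleting the value alone will not hold.
pause
```

Re-run the first reg query after a reboot to confirm the change stuck; if it did not, the backup .reg file can be double-clicked to restore the previous value.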
-
The registry is where I have deleted this file 2-3 times before and it keeps coming back somehow.. I will try again..
I already turned on updates .. no yellow shield
IE install did not specify which update .. just said an update was missing.
I think before all this happened I was running SP3
I set IE to defaults still get that warning.
-
I know that .NET framework messes up a lot of things..
Maybe I should fix that next..
If I remember right.. I go into add remove and remove all the versions
that are in there.. there are usually 5-6 of them
Then download the latest cumulative update which is 3.5 something
Correct?
-
Should I still run that bat file?
-
Theoretically, yes, but they aren't always all installed, and sometimes a program wants a specific version, so you really need all 3-4 of them to be there for everything possible to work correctly. I'd consider just removing them all and then replacing only the ones that your programs ask for.
Also, there's a program that might help--it's designed to clean up after Vundo. http://vundofix.atribune.org/
As for the updates, be sure that wuauclt.exe is running by checking the Task Manager under Processes. (Ctrl+Alt+Del) If it's not, check that the services are running, as well as their dependencies. Start > Run... > "services.msc" [enter] Check Automatic Updates, and Background Intelligent Transfer Service. If they aren't running and won't start, that's another issue. Be sure you DIDN'T set it to "Automatic" in the control panel, as that makes it time-triggered. "Notify me......." will act immediately.
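The same checks can be done from a command prompt in one go. This is an added example for readers of the thread, not part of edifyguy's post; the only assumption is the XP service names, which are wuauserv for Automatic Updates and BITS for Background Intelligent Transfer Service.

```batch
@echo off
REM Added example (not from this thread): check the update client process,
REM the two services it needs, and their dependencies, then ask for a
REM detection pass right away instead of waiting for the schedule.
setlocal

echo --- Update client process
tasklist /fi "imagename eq wuauclt.exe" | findstr /i "wuauclt.exe" >nul
if errorlevel 1 (echo wuauclt.exe is NOT running) else (echo wuauclt.exe is running)

echo --- Services
for %%S in (wuauserv BITS) do call :check %%S

echo --- Dependencies (each service named here must also be RUNNING)
sc qc wuauserv | findstr /i "DEPENDENCIES START_TYPE"
sc qc BITS | findstr /i "DEPENDENCIES START_TYPE"

echo --- Asking the update client to check now
wuauclt /detectnow
pause
exit /b 0

:check
sc query %1 | findstr /i "STATE" >nul
if errorlevel 1 (
    echo %1: service not found on this machine
    goto :eof
)
sc query %1 | findstr /i "RUNNING" >nul
if errorlevel 1 (
    echo %1: not running, trying to start it
    net start %1
) else (
    echo %1: RUNNING
)
goto :eof
```

A service that reports RUNNING but whose dependency line names something not running is the case edifyguy calls "another issue"; that is where to look next.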
-
Should I still run that bat file?
Be a good idea. MBAM nuked most of what I had in there already, but it can't hurt to be sure. Just remove the line about scheduler so you keep it.
-
You know, running SpyBot Search and Destroy and maybe Ad-Aware would be a really good idea. It would likely help with some of the stupidity with the registry that Mr. Vundo created for us.
I need to go to bed, as I do work for a living, but look forward to an update in the morning.
I think we've beat the virus, and now it's just a matter of fixing all the stuff it broke. >:(
-
And all this trouble from looking for a tv guide? Yikes...
-
wuauclt.exe not found
the two services are listed as "started"
-
The .NET framework update carries the earlier versions within it I believe
" Microsoft .NET Framework 3.5
Brief Description
Microsoft .NET Framework 3.5 contains many new features building incrementally upon .NET Framework 2.0 and 3.0, and includes .NET Framework 2.0 service pack 1 and .NET Framework 3.0 service pack 1. "
-
Spybot is running... found lots of stuff.. is now doing a boot scan
Adaware is next
-
Spybot found tons of stuff and got rid of it.. ran it again and it came back clean.
Running Adaware now..
Still cannot do any downloads of any kind on the sick machine..
have to download on this computer and move it over to the other.
Ran Vundo.. came back clean
-
Adaware was pretty clean.. usual cookies from those constant ads
Bitdefender has an online quick scan for Firefox.. don't know how good
it is but it came back with nothing..
Still cannot download anything on that computer.. which is basically what
the virus did.. blocked all downloads.. so as you say.. something must be
broken somewhere..
Could not uninstall .NET frame.. it is looking for an original installation disk
and would not accept the OS disk I have.. or at least I have no idea where
the file must be.. the window shows a file name of letters and numbers that
are about 20 or so characters long.
-
Letters and numbers 20 characters long.....that's the temporary folder it used to install it through Windows Update. Try downloading the redistributable (sometimes called "for network administrators") version and going with that. It might do a repair install, or at least an uninstall and reinstall.
-
Here is the link to the Microsoft site for .net framework
http://www.microsoft.com/downloads/details.aspx?familyid=333325FD-AE52-4E35-B531-508D977D32A6&displaylang=en#Instructions
According to instructions.. I am supposed to uninstall all previous versions through
add/remove (my system will not uninstall)
I just read some more and it says I must have all updates to use this version...
so I am thinking that maybe that is what is wrong with it and that is why I am
getting the .NET framework error message.
The version that was on my computer when it got "sick" was this version ..
3.5 .. and I no longer have all the updates so....
We are back where we started from.. I cannot get Windows to update
There are an awful lot of files that are needed to update.. to do them manually
will take forever... plus I think you have to do them in the correct order.
I was missing that one file you mentioned earlier.. maybe that has something to do
with Microsoft not updating.??
************************
I have been re-attaching my external drives .. scanning them as I go..
I tried to use avast to do the scanning but these drives are 1TB and it
took avast nearly an hour to do 1% .. it was moving very slow..
I am wondering if it is damaged.. avast on this computer (not the sick one) updates
3-4 times a day and announces it with a nice sexy guy voice.. I haven't heard a word on the "sick" computer.
Even though it is set to automatic .. I had to manually update it.
-
I was thinking I might try installing SP3
and then .NET Framework without uninstalling..
See what happens..
-
You may need to uninstall and reinstall a number of programs to fix the damage that the virus did to the registry and system files.
About the .NET stuff......try this:
1. Reboot into Puppy and delete all the .NET folders. There will be .NET folders in Windows, Program Files, and Documents and Settings. In most cases these will be under folders like Microsoft, and look in Common Files, Application Data, and Local Settings > Application Data. And "they" say Linux is messy about where it puts stuff.....
2. Restart Windows and run Eusing Free Registry Cleaner. CCleaner is not a very good registry cleaner, and sometimes flat out causes problems. Eusing will clean out the registry settings that pointed to files you've now deleted.
3. Use the registry editor (regedit) to find and remove all remaining references to .NET in the registry.
4. Reinstall the .NET stuff. You've now done a manual uninstall on the old stuff.
-----------------------------------
As for updates, here's an update for you:
http://www.silverdollarsolutions.com/files/xpsp3.EXE
It's the redistributable XP SP3 for x86. That should solve most of your update issues.
-
What is your input on Avast .. reinstalling or repairing.
-
Personally, I'd suggest uninstalling, running Eusing, then reinstalling, but be aware that you will have to re-enter the key when you do that. It will forget it. I'd also suggest disconnecting it from the Internet while you do. Download both the installer and the offline update, run them both with no internet connection, then reboot. We don't need to take any chances with chinks in armor right now.........
-
I'll give Eusing a shot..
How safe is it for non-gurus
I have been using CCleaner regularly .. I thought it was pretty good..
and it is probably safer because it doesn't get into areas that may be
dangerous for amateurs 8)
-
I will work on the suggestions you made tomorrow..
Here is something else you can help me fix
Anytime I try to run a program I get the following error message
Entry Point Not Found
The procedure entry point GetRequestedRuntimeInfo could not be located in the
dynamic link library mscoree.dll
Then after I click ok .. up pops the net framework error message
with the version of net framework and mscorwks.dll could not be loaded
Hopefully fixing .net framework will get rid of that.
*-------------------------
8AM .. JUST CHECKING IN...
-
Here we are on top of the 3rd, the game is tied and tight - the teams are back on the field! 8)
Kick off is about to happen any second now...
-
I was wondering why I needed to boot up in puppy to remove the files then it
occurred to me that I would not be able to do this in Windows cause windows would be using the files.. correct??
I suppose Windows will boot up without the files or you would not tell me to delete them would you ???
-
You're correct. I'm not going to encourage you to do anything that will make it not boot. You've had enough trouble with that already. :o
You are correct as to why I say to use Puppy to delete the .NET files; they will be in use otherwise. Not all of them, but enough of them that it could cause problems. The file error you keep getting is part of a .NET package, so removing the .NET stuff should resolve that. I wouldn't be surprised if the virus attempted to hook that file, causing Avast to remove it. Avast works on the philosophy that a missing file is less dangerous than a virused file. I concur. :D A missing file can keep a program from running, and sometimes even keep Windows from loading. A virused one can steal passwords, banking info, identities, and generally make your whole life miserable, not just your computer.
Eusing is very safe, and actually causes far less collateral damage than CCleaner's registry cleaner. I've had far more trouble with CCleaner's registry cleaner, which doesn't even work as well.
You will get some warnings after deleting the .NET files, but should be alleviated by Eusing and the subsequent manual removal of .NET registry keys. You could try this tool first, and see if it nukes it for you: http://blogs.msdn.com/astebner/pages/8904493.aspx I can't promise you that it will work at all, as I'm NOT going to test it right now! :o It looks like it automates the process we described earlier. I'd recommend trying it first.
I do think that fixing the .NET framework will resolve a lot of the weirdness you're experiencing, as right now anything that hooks it is getting bad vibes. Keep us posted!
Did you get SP3 on yet?
-
Should I run that tool in Windows or in Puppy?
Sounds like it is designed to work in Windows
No to SP3 .. I will do that in a little while.. working right
now..
-
From within Windows. Puppy wouldn't know what to do with most of it.
I hope that tonight will be the night of your victory dance 'cuz it's all fixed up. ;D
-
XP SP3 won't install.. I get an error that just says
There was an error installing SP3 click ok to undo
changes etc.
Now what? What could be keeping that update from installing?
-++++-----
By the way.. Avast updated itself today and announced it ok
and the ball is finally spinning around again every now and then.
So maybe I won't have to reinstall it.. what do you think?
-----------------------
Well apparently Windows can't clean up too good after itself.
As soon as SP3 supposedly ..returned the system to the state it was in before
it tried to upgrade.. I got another error saying that XP was partially upgraded and may not work right anymore.. or something like that.
Well it's trying to reboot and is hung up .. I will give it some time then
turn it off and back on.. so much for updating.
:(
Had to turn it off and back on.. took a while but finally boot up
Ran Eusing.. it found 977 items.. looked through them.. most of them looked
legit as far as I could tell.. old uninstalls.. pieces of net frame that went with the missing pieces.. pieces of rar files.. and so on...
Is it safe to just select them all and let the program clean up.. I have never
seen so many errors from a registry cleaner before.
-
There are actually several things that could be keeping SP3 off, but do bear in mind that SP3 is a low-importance update.
Here's a more important thing you should do: Start > Run... > "sfc /scannow" [enter] which will verify the integrity of all the system files. It's a bit like a repair install without doing a repair install. I think you may yet be missing a few vital pieces of the puzzle. After it finishes, reboot. It will almost certainly want the CD back, too.
If all else fails, and sfc /scannow doesn't resolve your issues with things, you might have to do another repair install now that the virus is gone to fix the damage the virus did afterwards, but not too likely to be necessary.
I usually let Eusing fix everything it offers to fix. I have seen Eusing toss over 3000 dead keys, and the system was better for it, not worse. In your case, you really haven't got much to lose anyway, but it should be fine.
How did the .NET remover work for you? Did it kill it? Doth it yet torment thee, fair maiden? Or hast the dragon been slain? ;D
Avast either works or it doesn't. If it's working, I'd leave it to its work. As the system completeness and stability increases, it should work better. One thing you might check is the level of security. It may be turned down low by the virus to try to go unnoticed. Avast is usually pretty clever about its self-protection, though.
When SP3 quits its installation, it should throw at least one error code (ex: 0x3076a203) if not several. Those codes can be used to determine what is preventing it from working. Can you get those codes down next time if it bombs again? I think once you run sfc /scannow and reboot it will probably go, but if not, those codes will be a lifeline.
-
What is the purpose of Windows 3.1 Installer?
---------------
I have not done the .NET framework .. so which should I do first..
Eusing.. SP3 again.. or .NET tool..
-------------
System still wont let me re-install programs that were on it when infected.
I was able to install NEW programs .. so something is blocking install.
Curious that new stuff will install and not the old..
-------------------
Running sfc /scannow
It did ask for the repair disc.. said some dll files were missing.. looks
like it is installing those.. very slowly...
It is 3AM here.. so I think I will call it a night and work on the other stuff
between working for a living tomorrow.
By the way... what area of the US do you live in.. it would help to know which
time zone you are in.. I am EST .. FLorida
-
I'm also in EST and awake at an unreasonable hour for various reasons. :-\
I suggest doing the .NET removal tool once sfc /scannow is done, then Eusing, then reboot.
If Windows is trying to get you to install Windows Installer 3.1, DO THAT NEXT. Nothing that used the Windows Installer service (including likely Windows Update) will work right if Windows Installer is messed up. Reinstalling that may make a world of difference in how things go in this fight.
Then try the .NET installation package, it should go fine, then see about the old programs you're trying to reinstall. It may be issues with the Windows Installer, or it could just be that it has some but not all pieces installed and it wants to uninstall before reinstall, and hence is stuck. Many popular commercial applications also have removal tools available; search the manufacturer's website for them. You can always manually uninstall......but that's not any fun........
One thing that might help you out now is to look in C:\quarants and move the folders in there back into C:\Program Files to repair some of the missing stuff that we created semi-on-purpose. Don't put the "Active Security" one back in there, if it's in C:\quarants...just delete it. You also don't want the loose files back....most of them were contaminated. However, moving the other folders back to Program Files should help in your quest for restored functionality.
One last thing.......I suggest you DON'T put SP3 on that box. I talked to someone recently who has done this longer than I have and he said that SP3 doesn't work well on XP Media Center Edition. I guess it makes it very strange and unstable or something......SP3 is not important anyhow, as I mentioned before. Just don't let it install it through Automatic Updates. Use the "Notify me...." setting and uncheck its box.
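Putting the quarantined folders back can be scripted so that only the folders move and the loose files stay put. The script below is an added example for this thread, not edifyguy's own; it assumes C:\quarants as the quarantine folder and %ProgramFiles% as the destination, and it deletes only the "Active Security" folder, as his post describes.

```batch
@echo off
REM Added example (not from this thread): move quarantined program FOLDERS
REM back under Program Files, delete only "Active Security", and leave every
REM loose file in the quarantine folder untouched. Nothing is overwritten: a
REM folder is skipped if a same-named one already exists in Program Files.
setlocal EnableExtensions
set "QDIR=C:\quarants"
set "PF=%ProgramFiles%"

if not exist "%QDIR%\" (
    echo %QDIR% does not exist, nothing to restore.
    exit /b 1
)

for /d %%D in ("%QDIR%\*") do (
    if /i "%%~nxD"=="Active Security" (
        echo Deleting %%D
        rmdir /s /q "%%D"
    ) else if exist "%PF%\%%~nxD" (
        echo Skipping %%~nxD: already present in "%PF%"
    ) else (
        echo Restoring %%~nxD
        move "%%D" "%PF%\"
    )
)

echo.
echo Loose files still in %QDIR% ^(left alone on purpose^):
dir /b /a-d "%QDIR%"
pause
```

The final listing is there so you can see at a glance which individual files remain quarantined; the system files in that list (winlogon.exe, kernel32.dll and so on) are exactly the ones sfc /scannow is meant to replace from the CD rather than have copied back.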
-
I did some research on SP3 before I installed it on that machine and did not
like what I read.. however the darn thing kept asking so I let it do the install.
I believe there was something that would not run without it.. maybe IE8
Anyway.. once installed .. SP3 cannot be uninstalled I think..
sfc finished.. I rebooted before I saw your message.
------------------------------
Where do I find Windows Installer..
----------------------------------
There isn't much in quarants
folder DivX
folder NetConceal
folder ShowAnalyzer
avuriqur.dll
blackbox.dll
ftp.exe
fxsclnt.exe
ieapfltr.dll
ISSetup.dll
kernel32.dll
LegitLibM.dll
PEV.exe
sessmgr.exe
StatusClient.exe
tscupgrd.exe
Win32kDiag.exe
winlogon.exe
winsock.dll
wsock32.dll
---------------------------
I'm like you.. up and down at all hours..
Haven't gone to sleep yet today though.
One of the nice things about working at home is you can make all
these odd hours ..
-------------------------------------
Found Windows Installer and downloaded it without a problem..
Looks like it installed ok too..
Now to try installing something..
----------------------------------
Still can't get the old programs to reinstall.. must have something to do with
the virus.. cause I noticed .. what I was running when it hit is ok.. and new
installations seem to be ok .. but not the programs that were on the computer
during the attack.
-------------------------------
Going to do the .NET program .. Eusing ... .NET reinstall
-----------------------------
Reboot then try Windows update again ..
-----------------------------
Then try to install again.. if that doesn't work.. I will try uninstalling the
programs .. run Eusing for cleanup.. reinstall.
------------------------------
-
Well.. this does not look good.. Ran .NET cleanup tool
Ran Eusing.. it found 1274 items.. told it to repair.. all the issues disappeared
and the program locked up???? ???
Let it sit there for half an hour just in case it was doing something I could
not see... used task manager to end the program.. ran it again .. this time it
only found a few items... 12 .. files all made sense.. ran repair.. this time it finished ok.. ran it again... REBOOTED
cli.exe application error
The application failed to initialize properly (0xc0000135). Click on OK to terminate the application.
---------------------------------------
Running .NET reinstall now.. got past first hurdle.. seems to be going along
ok...
Spoke too soon.. did not get very far.. about 1/3 of the way and got an error
message..
.NET Framework has encountered a problem and needs to close. We
are sorry... blah blah blah
data within the error that they want me to waste my time sending to MicroS
EventType : clr20r3 P1 : servicemodelreg.exe P2 : 3.0.4506.648
P3 : 470e4746 P4 : servicemodelreg P5 : 3.0.0.0 P6 : 470e4746
P7 : 2b P8 : 1e P9 : system.typeloadexception
Then when you look at the actual report they want to send to microsoft
it is EXTREMELY long and they don't let you make a copy for yourself..
If that means anything to you let me know.
Clicked on the ok it ran some more then got another error message
setup.exe
EventType L visualstudio8setup P1 : 14001 P2 : 3.5.21022.08_orcas_x85_net
P3 : mc P4 : inst P5 : f P6 : dd_ca_installxwsregexe_x86.3643236f_fc70_11d3
P7 : 0 P8 : 1603 P9 : - P10 : gencomp780_{12cd
-------------------------------------
I also got an error log .. attached
---------------------------------
Right now I am going to reboot and try Windows update
then try .NET again
---------------------------------
I could try a repair again... ???
-
Well .. I was able to access updates online.
I am doing all the updates now..
I did SP3 only because it was already on the machine .. and is needed
for some of the software on here.. mainly IE8
So far so good..
There are 57 other "high priority" updates that MS says I need.. they are next.
Install was successful it seems.. it is now rebooting.. Much faster than before
but still a lot slower than this computer..
Once it finishes rebooting.. I will do the other updates.. then try installing .NET again... although the updates should do that no????
---------------------
Got that mini boot screen again and an error message
Update Windows: msoobe.exe application error
The instruction at 0x604a29b6 referenced memory at 0x00000000 The memory
could not be read.
I clicked cancel for debug.. which does not usually work.. now it is hanging there trying to log on.. .. welcome has appeared... but not starting up yet.. seems to be looking for something ... hourglass pops up now and then.. waiting... waiting.... here comes ... my desktop... now the yellow shield is finally showing in the task bar!! That is some success I guess..
Will do the rest of the updates at microsoft then see what happens.
-
Downloading all the updates in the yellow shield.. .NET framework was in the list.. maybe this time it will install.. we shall see..
-
Have made several trips to microsoft updates online..
Think I almost have all of them installed..
JAVA updated itself ..
took several tries before .NET installed.. but I think it finally has via
Micro online updates.
Guess I should run Eusing again..
Then try using my programs.. see if they need reinstalling or if they were missing something from windows to make them run.
------------------------------
Do you think I should run the virus/malware programs to make sure all
is well?
------------------------------------------
I could not get Disk Defragmenter to run
------------------------------------------
-
OK Got all the updates installed.. microS says there are no updates that I need.
Tried one of my programs.. it worked.. however not perfectly..
It locked on one of my external hard drives.. so I had to shut down.. disconnect
the drive to get it released.. now I am waiting to see what happens.
--------------------------
A lot of my desktop icons disappeared..
I keep getting a notice when I reboot
Could not reconnect all network drives..
----------------
As part of my routine I run Malwarebytes .. and CCleaner at least every
couple of days on this computer.. is Eusing safe enough to run that often.
I find the if I run a registry cleaner often.. I can decipher what it says much
easier.. most of the time it is something I have uninstalled.
-----------------------------
Avast is my anti-virus..this computer needs fairly high amount of protection.. it does all my downloads .. what settings do you recommend?
I dont usually keep Spybot and Adaware active.. I usually
uninstall them and only use them once in awhile.. they seem to slow things down.
Speaking of which.. IE8 is working great.. Firefox is still sluggish.. I am going to try uninstalling it and reinstalling it.
-----------------------
Need some suggestions here..
That drive that got hung up... still cannot access it.. something is keeping it
running.. the light is flickering.. when I connected it Windows recognized new hardware and all .. and added it to my list of hard drives but without any data next to it .. size.. avail space etc.. I don't want to lose the stuff that is on that drive..
HELP!!!!
This is what happened.. it connected fine.. I accessed it with one of the programs that would not work before.. a program that checks for "empty folders" .. it scanned the drive and found and listed all the empty folders... then I clicked on one of the empty folders and then went to the desktop link that usually took me to the directory containing the empty folder .. that is when it locked up.. desktop link would not work and would not release.. now I cannot get access to this drive.
The drive is active.. something is accessing it.. When I try to stop it with "SafeRemove" it says the device cannot be stopped because a program is still accessing it..
While I wait for your reply I am going to shut down the computer.. disconnect the drive again and see if it will work on another computer..
------------------------------------------
Does not work on this computer either.. Windows sees the drive.. adds it as hardware.. but cannot access the drive.. "Error performing inpage operation"
On this computer at least the drive stops running.. I see it in Device Manager
says it is healthy .. shows the total size.. same with Disk Manager..
My computer shows the drive without any data about size or available..
--------------------------------------------
-
It looks like you might be getting close to the end of your journey (I hope) and one I'm sure you don't want to embark on again. So when there, you should consider a robust backup and recovery strategy to recover from computer problems no matter what they might be.
-- SYSTEM BACK-UP & RECOVERY
If you fail to plan, then you plan to fail.
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.
1. back-up all the things that you don't want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don't want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.
2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn't have to be a virus attack.
I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.
So if the worst comes to the worst at most I lose:
A. 6 days worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one days data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don't have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.
Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feedback, etc. Good luck.
- Free EASEUS Partition Master http://www.partition-tool.com/personal.htm (http://www.partition-tool.com/personal.htm) this also allows for disk copying.
-
DavidR
That's all very interesting; if I knew how to do it I would..
First.. the only thing I keep on the computer itself is the OS and program files.
None of my data files are resident.. they are all on external hard drives...
I would love a nice easy system like you mentioned.. care to share how yours
is set up and what you are using? Is your system a Windows XP system?
-
Well this really isn't the place (as it would be off-topic), but really there isn't that much to it, the main thing is selecting the tools and there are more backup tools out there (which will backup data files, etc) along with hard drive imaging tools than you can shake a stick at (google).
So I can only say what I use (in my signature), but my backup, although simple once I have it set up, is a little complex to set up, as you have to know where the files you want to backup are. I use a little tool called Mirror.exe and it requires you to create a batch file for the run commands which copy folder contents (so you have to have some structure to where your data is stored) to a folder on another HDD. This creates an exact mirror, as any file deleted in a source folder would result in the file in the destination folder also being deleted. Only modified/new files in the source folder/s are copied to the destination folders.
-
DavidR
I used to have backup set up like that.. Iomega has a program that comes with their external drives that do what you say.. I did daily backups.. and like you said there is tons of software out there.
I use WD hard drives now.. 1 TB each
My thing is that I don't quite understand how a software program can take a picture of your entire system accurate enough to be able to save a computer from what I just went through..
I suppose System Restore is basically doing exactly that.. but System Restore is extremely unreliable and very rarely works.
-
It captures a bit by bit image (I don't know the technicalities of it and don't really need to) of the drive and restores an 'exact' image of what your system was at that point in time when you ran the imaging software.
System Restore is less than perfect and only protects certain things, it isn't a patch on drive imaging software. I have had system restore disabled on my systems for years, trusting in my drive imaging software, which has hauled my butt out of the fire on a number of occasions (none virus related).
-
This is what I use. It is completely free and it works (trust me, I have two adolescent boys who click on everything and thus have completely destroyed the system several times... ;D )
http://www.paragon-software.com/home/db-express/index.html (http://www.paragon-software.com/home/db-express/index.html)
In short: takes a complete copy of a partition/disk and saves it as an image where you want it. (Remember to check the MBR, if you backup only a system-partition).
Creates a boot-CD.
If then something bad happens:
Boot from the CD, click restore, specify path to the image, specify target drive, click go.
Done.
-
Sorry to be gone so much now....I work for myself, and sometimes have more time, sometimes have none. But I always turn up again sooner or later. :-\
Anyhow, you did NOT need to install SP3 for IE8. I just got done installing IE8 on a computer that we didn't want SP3 on. It can be done. There's an update I had to install manually, the KB# of which escapes me right now, but I unchecked the box that says to install updates and it sent me right to the download page for it. It can be done, and it wasn't hard. Sorry you got SP3 over that.....oops......
Backups are interesting....image backups have their place, but everyday use is not it, in my opinion. Image backups are good for system-state storage, but incremental file backups are much more efficient for protecting your "stuff." I use Cobian Backup 9 for that. It's tops, and it's free.
If you're having trouble with your external hard drive, try it in Puppy to see if there's a problem with the hard drive or with Windows. The fact that it said that something was accessing it when you attempted safe removal proves very little indeed. It was stuck and probably just assumed that was the reason. Don't give Windows credit for being too bright...... ;)
Cannot reconnect all network drives could be due to network settings changing. Try disconnecting them and reconnecting them and see if they stick. If you didn't think you had any......the virus tried to map a drive in Nairobi >:( ........... You should see any mapped drives at the very bottom of the list in My Computer. Delete them and re-map them.
When you uninstall and reinstall FireFox, you may need to tell it to clear all settings on the way out so that the new installation doesn't inherit problems from the old. FF3 is glitchy, and always has been, but 3.5 seems fine. I used FF2 and Opera until FF3.5 came out.
Glad things are working better. Oh, and Eusing is safe enough to run regularly, but I'd recommend creating System Restore points before you do, just in case it nukes a key you find you need back. It's only happened once or twice in my entire time of doing business. In spite of the amount of stuff it finds, it's actually fairly conservative in its approach. It's just more thorough than many.
-
Glad to see you back..
I ran Bitdefender Online Scanner just for the heck of it and it found one Trojan.
I sent a copy of the text.. the file that is infected was not in the report unfortunately.. but it was a system32 dll file something like paoly
I will try the drive in Puppy.. see what happens.
Took me 4-5 trips to MicroS Updates online and as many reboots to get all the updates.. but I finally got em!
What about Disk Defragmenter .. any suggestions there?
With all the deleting and what not wanted to see what the drive looked like.
-----------------------
Firefox is running much better now..
----------------------
What do you think of the virus notice.. maybe a false notice..
anyway Bitdefender says it cant fix it..
-----------------------
Loading Puppy now
-
Puppy had no problem reading it..
Curious.. what now.. could try renaming the drive
and maybe fool Windows..
What do you think?
--------------------
HMMM... I have another drive that something similar happened to
maybe I'll give that one a try in Linux too
------------------
Does Puppy have the ability to reformat a drive.. in NTFS
so Windows can read it..
-
You may find dribs and drabs of virus floating around here and there for awhile, but that's not serious. Any time you excavate a serious infestation like you did you will have pieces that are left laying around. These are usually not harmful, as they are dependent on others to work properly.
I generally discourage defragmenting, as all that moving things around leaves too much opportunity for bad things to happen and also wears out the drive. The performance improvement from defragmentation is generally negligible to imperceptible. Today's drives seek very quickly.
Puppy can create NTFS filesystems, but it's a little fudgy sometimes, so I'd discourage it. What I'd suggest instead is that you plug it in, boot Windows, launch cmd, and run "chkdsk x: /f /v" subbing the actual letter Windows gave it for x: but you do need the colon.
-
No luck on the "other drive".. too bad.. I could use the storage space..
The drive runs.. I can feel it.. Puppy tried to read it.. the light flickered some
but it could not "mount" it
Windows did the same at the time.. I could not even get Windows to reformat
it so I would at least not lose the use of the drive. But it would not reformat.
--------------------------
I am rebooting into Windows with the drive connected as you suggested.. it went directly into that constant read mode... Windows still cant read the drive..
Trying chkdsk
Cmd is reading it .. It identified it as NTFS
Now I am getting a bunch of unreadables .. it deleted a lot of stuff
but the drive is now readable.. just have to figure out which files I lost
in the process..
Well Gee! that worked great...
I had no idea chkdsk was that strong!
---------------------------
Going to plug that long lost drive in and see what chkdsk
says.. I have already replaced the files on that one.. would
just like to have the storage back at this point.
---------------------------
chkdsk started out good on the long lost drive but then
got to a point where I get a pop up saying I/O operation was not completed
before time-out period expired.
and the drive info disappeared from "My Computer"
I know you can do a reformat in cmd .. from the old days..
maybe I could try that.. I can look up the command
Right now the drive is a FAT32 .. I would want to convert it to NTFS too.
-
If you have a drive that's really gone stiff, pull up Puppy without the drive plugged in, then plug it in and observe the name of the icon that pops up. For example, sdc1. My examples will assume that the bad external showed the icon sdc1 when you plugged it in. That means that the DRIVE ITSELF is named sdc in Unix terms.
This command from a console (terminal) will physically erase the entire drive:
dd if=/dev/zero of=/dev/sdc   # of= is the whole drive identified above (sdc in this example), never a partition such as sdc1
It will also take awhile, especially if we're talking terabytes here. Expect it to take 4-8 hours, so do it on a computer you don't need for awhile, or do it overnight. This will usually reallocate any failing sectors, and will erase all filesystems.
Once that's done, run Gparted. You can find it on the Puppy menu. Select sdc as the working drive in the startup wizard. When Gparted pulls up, it should show no partitions (all space shows as unallocated.) Click the "new" button. You will get a warning about losing everything. Tell it to do it anyway. (There's nothing on here to lose, as we wiped it clean.) It will do something, then it'll look pretty much the same as it always did. Select "New" again. This time, it'll give you the new partition menu, and by default it will make 1 partition the full size of the drive. Simply change the type or format to NTFS, tell it OK, then click Apply. You may get warnings along the way, just say OK.
Be warned, if you do this to the wrong drive, you'll lose everything on a drive you didn't mean to nuke. Be very alert when you're doing this, and check your commands for typos and your drive name for accuracy. Be sure, or you could be very sorry!
-
Well that long lost drive made it through chkdsk..
I was able to read it in My Computer for a few minutes
then it disappeared..
Now I get a popup that says the drive is not formatted do I want to
format but it shows only 127 GIGS out of 465GIGS
ran chkdsk again and it now says it cannot read the drive because
it is a RAM drive.
---------------------------
OK Here's one for the books
Long lost drive would not format using chkdsk or disk manager..
Tried Puppy.. Puppy would not recognize it
Went back to windows.. drive shows in My Computer
so I started manually erasing files.. till there aren't any left
It's a 465gig drive .. My Computer says there is only 121Gigs free
Did a right click on the drive letter and I see that format is in the list
Click on format.. since regular formatting did not work I tried Quick Format
and voila! instant hard drive all 465gigs in NTFS format..
Drive Seems fine now
Go figure......
--------------------------
:'( Spoke too soon
Drive worked for a little while then went back to being
inoperable .. I give up!
---------------------------
-
Wow, what a posting this has been to follow.
Epic anti-virus win!
Sorry, just had to throw that in there as I've been following this from the beginning. :)
-
Things seem to be working ok now.. haven't checked everything
I sure have learned a lot here!! especially from Edifyguy
So have a lot of other people following this journey I am sure.
Thanks Edifyguy!!
Thanks to all others who assisted.
What I would like to know now is the best setting for my Avast
software to help prevent this kind of thing.
.. I need two computers on a medium range security
and the other on a high range of security..
At the same time I do not want my browsers to slow down to a
crawl..
I have tried many many antivirus software programs and so far Avast
is the fastest.. least invasive.. and most user friendly I have found.
-
Try "long lost" again in Puppy now that you've reformatted it in Windows. Also, plug it in and wait a bit. The hardware engine doesn't scan constantly, only every 6 secs or so, to save CPU usage. If you can't get an icon, there's another way to see what letter it is.
I suspect that the thing is physically going bad, so you should go radical on it. Do this in a console after Puppy boots, before you plug in "long lost":
ls /dev/sd*
It will give you a list of drives and partitions in Linux naming convention.
Plug in "long lost" and wait 30 seconds. Run the command again. You SHOULD have a new drive, e.g. sdc, even if you don't have a new partition, e.g. sdc1, as there may be a problem with the partition structure on it. That would prevent Puppy from showing it as an icon, since it doesn't list icons for hard drives, just hard drive partitions.
Now that you've determined the drive's Linux name manually, you can proceed with my previous recovery method, i.e. dd then Gparted.
You may have a dead drive still after all's said and done, but it won't take much of your time to do. And, of course, you can at least still access the Internet in Puppy, so all's not lost for usability while you do it.
Glad to have been of assistance. You owe me lunch next time I'm in Florida. ;D
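The "find the new drive, then dd and Gparted" procedure from this post and the earlier one, as an added example that is not part of the thread and not Puppy's or Gparted's own tooling: the helper names (new_device, safe_wipe_target, wipe_plan) are hypothetical, and the "ls /dev/sd*" listings and mount table are constructed samples. It only prints the wipe commands rather than running them, and it refuses when no single new disk appeared, when the candidate is the system disk, or when any partition on it is still mounted, which is exactly the wrong-drive mistake the earlier post warns about.

```shell
#!/bin/sh
# Added example (not from the thread): pick out the disk that appeared after
# plugging in an external drive, then refuse to name it as a wipe target unless
# it is clearly not the system disk and nothing on it is mounted.
# new_device, safe_wipe_target and wipe_plan are hypothetical helper names.

# new_device BEFORE AFTER
#   BEFORE and AFTER are whitespace-separated "ls /dev/sd*" listings captured
#   before and after plug-in. Prints the one whole-disk name (e.g. /dev/sdc)
#   present only in AFTER; partition entries such as /dev/sdc1 are ignored.
#   Exit status 1: no new disk; 2: more than one new disk (ambiguous).
new_device() {
    before=$1
    after=$2
    found=""
    for entry in $after; do
        case "$entry" in *[0-9]) continue ;; esac            # skip partitions
        case " $before " in *" $entry "*) continue ;; esac  # already present
        found="$found $entry"
    done
    found=${found# }
    case "$found" in
        "")    return 1 ;;
        *" "*) return 2 ;;
    esac
    printf '%s\n' "$found"
}

# safe_wipe_target DEV MOUNTS ROOTDISK
#   MOUNTS is the text of /proc/mounts (here a constructed sample) and ROOTDISK
#   the disk the running system lives on. Returns 0 only when DEV is not the
#   system disk and no partition of DEV appears in MOUNTS.
safe_wipe_target() {
    dev=$1
    mounts=$2
    rootdisk=$3
    [ "$dev" = "$rootdisk" ] && return 1
    if printf '%s\n' "$mounts" | awk -v d="$dev" '$1 ~ ("^" d) { hit = 1 } END { exit !hit }'; then
        return 2   # something on the drive is mounted
    fi
    return 0
}

# wipe_plan DEV: the commands the thread describes, printed rather than run.
wipe_plan() {
    printf 'dd if=/dev/zero of=%s bs=4M\n' "$1"
    printf 'gparted %s   # then: new partition table, one NTFS partition, Apply\n' "$1"
}

# Constructed sample listings and mount table; on a real system these come from
#   before=$(ls /dev/sd*); sleep 30; after=$(ls /dev/sd*); mounts=$(cat /proc/mounts)
BEFORE="/dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1"
AFTER="$BEFORE /dev/sdc /dev/sdc1"
MOUNTS="/dev/sda1 / ext4 rw 0 0
/dev/sda2 /home ext4 rw 0 0"

if dev=$(new_device "$BEFORE" "$AFTER") && safe_wipe_target "$dev" "$MOUNTS" /dev/sda; then
    echo "new disk $dev is not the system disk and has nothing mounted; planned commands:"
    wipe_plan "$dev"
else
    echo "refusing: no single new disk, or it is the system disk / has mounted partitions" >&2
fi
```

Run it in a Puppy console after booting without the drive attached; the only part that touches real devices is the capture of the two listings and /proc/mounts, and the dd line is deliberately left for you to copy by hand once the printed plan names the drive you expect.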
-
It was spell-binding to watch the goings on over this and I want to offer a big congrats to Lynn210 and edifyguy for diligence in pursuing and eradicating this horrific virus!
<3 to all..
-
It was spell-binding to watch the goings on over this and I want to offer a big congrats to Lynn210 and edifyguy for diligence in pursuing and eradicating this horrific virus!
<3 to all..
Yeah, it was a thriller and some awesome performances! Congrats, even though I am not sure if it hadn't been wiser to just reinstall Win. Can you trust a system that had been compromised that deep? Somehow I doubt that. I wouldn't trust it and hesitate to do banking and things like that on the system.
But, nevertheless, Edifyguy did some great work on this, and Lynn210 was just wonderful to hang in there. Again:
Hats off! Great Job!
8)
-
It was spell-binding to watch the goings on over this and I want to offer a big congrats to Lynn210 and edifyguy for diligence in pursuing and eradicating this horrific virus!
<3 to all..
Yeah, it was a thriller and some awesome performances! Congrats, even though I am not sure if it hadn't been wiser to just reinstall Win. Can you trust a system that had been compromised that deep? Somehow I doubt that. I wouldn't trust it and hesitate to do banking and things like that on the system.
But, nevertheless, Edifyguy did some great work on this, and Lynn210 was just wonderful to hang in there. Again:
Hats off! Great Job!
8)
Thank you, all. I like putting out fires....at least, I do it an awful lot. :o
As for trust, yes, I think you can, after awhile. As time goes on, anti-crap utilities will get more up-to-date as regards older viruses, and the remaining pieces will be scoured off. I think she's already got it to a level of cleanliness where I would trust it. However, waiting for a few more weeks and scanning every few days in the meantime would be the cautious approach.
Glad to have been of assistance.
-
Well done all round!
That was darned interesting.
-
I have three computers.. they all have different jobs to do..
this sick one does mainly downloading..
No email.. no banking.. no bill pay.. no online shopping so
I am not too worried.. all I can lose is my time :o
What surprises me is that the computer that does do all my
important stuff .. knock on wood.. has never had a problem
It is just slow.. which can be annoying.. but I don't use it
constantly ...
The one I am on now.. I do some ordering.. my web site
and other things that require speed.. this computer
is 3gigs so it runs pretty well.
-----------------------------------------
I will try again with the drive..
It was only a couple of months old when this happened
and it stopped being accessible.. it was unplugged before
it was "safe" .. so it is lost in limbo..
------------------------------------
P.S. This sure was an intense week .. I think I am going to miss
you all!! :'( :-[
-
Please stay in touch, Lynn, ok? :)
-
I will try again with the drive..
It was only a couple of months old when this happened
and it stopped being accessible.. it was unplugged before
it was "safe" .. so it is lost in limbo..
------------------------------------
P.S. This sure was an intense week .. I think I am going to miss
you all!! :'( :-[
Awww!! You're going to miss us? [snif] I'm touched.....I'll miss you too! I'll have to send you a PM in a few weeks and see how it's going. Or you could just post here sometimes and update us, since we're all set to get notifications.
If your drive went nuts because you unplugged it before it was "safe," my nuclear fix should revive it. No guarantees, of course, but it should. I'd like to know if it does.
-
P.S. This sure was an intense week .. I think I am going to miss
you all!! :'( :-[
Hey, stop crying! We'll always be here, waiting for you. And besides that, you're invited to send PMs or emails. 8)
*HUG* ;D
Thomas