Avast WEBforum
Other => Viruses and worms => Topic started by: monkeybones on February 17, 2012, 07:10:40 AM
-
hello, all.
i would appreciate some help getting rid of a particularly nasty bug. i'm trying to avoid a wipe. please let me know what you would like me to install and which reports you'd like to get the ball rolling.
thank you in advance
-
Follow this guide>>http://forum.avast.com/index.php?topic=53253.msg451454#msg451454 , then post the resulting logs in this topic as attachments.
-
malwarebytes logs attached
-
the captcha is no longer showing up when i try to reply from the infected computer which means i cannot post a reply. when it's resolved i will post the otl logs.
-
trying to post from another computer. please let me know if it works for you.
-
the little bugger that sent me in search of help is MBR:\\.\PHYSICALDRIVE0
i'm hoping i can find a work around that won't require a wipe.
the problem is on my sister's computer.
she is using vista.
we do not have boot discs
-
last log
-
Here you go, this should fix it
Re-Run aswMBR
Click Scan
On completion of the scan click the Fix button
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRFix.gif)
Save the log as before and post in your next reply
-
this crashed the computer. it will not stay on now, even in safemode. windows starts the repair process but it shuts off in the middle and the whole thing starts over again.
-
OK, let's retrace our steps and try again
From the safe mode menu select a restore point. When you reboot, run aswMBR please for a scan
-
i can't. the computer won't start, even in safemode.
it tried running the system disc check but failed.
session details
______________________
system disk = \device\harddisk0
windows directory = C:\windows
autochk run = 0
number of root causes = 1
every test completed successfully error code 0x0
root cause found:
____________
unspecified changes to system configuration might have caused the problem.
that is the last thing i got from the computer. when it tries to restart, it blue screens. if it makes it past the blue screen, it will turn off a few seconds after booting, even in safe mode. most times it will not make it to the safe mode screen at all.
-
test
-
Are you back in now?
Do you have the Windows CD so that we can access the deeper repairs?
If you are in could you run a fresh OTL scan for me please
-
she doesn't have a cd, no.
i can get in for a moment at a time. i set things up bit by bit so i could scan, then save, then email the scan to myself on successive tries. i may be able to keep it open longer- it's being finicky. i am responding from my personal computer atm.
i will attempt the otl scan as soon as i get home from work this evening.
thanks for responding.
-
As soon as i can get to my computer I will post a link for you to burn a recovery console disc
-
OK here we go
Download the Win Vista x86 ISO from here: http://www.forum.probz.net/index.php?/files/file/21-windows-vista-recovery-environment-iso/
Burn to a CD as bootable - You can use ImgBurn (http://download.imgburn.com/SetupImgBurn_2.5.6.0.exe) to do this.
Now reboot from the Windows Vista Recovery Environment CD and execute the following commands:
When you reboot you will see this, although yours will say Windows 7. Click Repair my computer
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg)
Select your operating system
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg)
Select Command prompt
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg)
At the command prompt type the following
Bootrec.exe /FixMbr
If that does not work then :
For x32 (x86) bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select English as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
is that going to delete any files from her computer? should i try to save her photos/docs etc before i run the repair?
-
OTL LOGS
-
No, none of the tools I use will delete files until they are told to do so - What is the current state of play? I see you are running from safe mode. Can you achieve normal mode?
Did the FixMbr allow you to get this far?
-
can't get in at all right now. it keeps prompting start up repair then shutting down while it's loading files.
-
OK, could you follow the destructions to download the Farbar recovery tool and the Windows recovery console ISO and I will get you up and running again
-
sorry. flu. been out of commission. still not up to snuff.
tried the disc, but no dice. i will try the farbar tool again and report back. there will likely be some lag between posts still while i'm recovering.
-
FRS will not do any repairs until I tell it to. The initial run will be to determine the problem
-
it keeps saying "the device is not ready" when i try to open the flash drive from cp
-
OK, this is not the ideal way, but could you run FRS from safe mode
-
log
-
I can see nothing evident from that
Download the latest version of TDSSKiller from
here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg)
- Click the Start Scan button.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg)
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
-
is there a way to get this on the infected machine without downloading? it's difficult to keep the computer on long enough to get online, let alone download. right now it's just cycling through the blue screen over and over and i can't get it to stay on at all.
-
I thought you had managed to achieve safe mode (Use safe mode with networking)
-
it works SOMETIMES. and in spurts. the computer is still cycling over and over and over, restarting itself. sometimes it won't turn on at all.
-
Do you have a USB drive that you can use ?
We will use a mobile operating system called xPUD, and a script called rst.sh to restore your computer.
Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
- Insert your USB drive
- Press Start > My Computer > right click your USB drive > choose Format > Quick format
- Double click the unetbootin-xpud-windows-387.exe that you just downloaded
- Select the ISO file link and browse to xpud.iso
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/XPud.jpg)
- Press Run then OK
- It will install a little bootable OS on your USB
- After it has completed do not choose to reboot the clean computer simply close the installer
- Download the following tool and save it inside the bootableUSB
- rst.sh (http://noahdfear.net/downloads/rst.sh)
- Remove the USB and insert it in the sick computer
- Boot the Sick computer
- Press F12 and choose to boot from the USB
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
- sda1,2...usually corresponds to your HDD
- sdb1 is likely your USB
- Press Tool at the top
- Choose Open Terminal
- In the open terminal window, type in the following:
bash rst.sh
- Press "Enter" and let it run uninterrupted.
(The program lists available Restore Points and will save a report enum.log located in the USB drive.)
- The program is finished when it says "Done".
- Type "Exit" to close the terminal window.
- Please attach the enum.log file in your reply. (You may remove your USB drive when transferring the log to a clean computer).
-
the first steps worked and i got everything on the usb.
f12 did nothing, but i was able to find the key i needed to boot from the usb
when it loaded xpud nothing happened
it says "no job control on this shell"
-
Could you confirm that you copied the Xpud ISO when you ran unetbootin
As per my screenshot
-
yes, i did
-
Could you get a fresh copy of Xpud - reformat the USB and try again please
-
now it says
"could not find kernel image: linux
boot: _"
-
I can say from experience that many of the newer AMD based motherboards have problems with the newer Linux kernels. I can't use the latest Kaspersky recovery CD since it uses a later Linux kernel and my Gigabyte BIOS chokes on it.
-
i feel like each successive step is making it worse and worse...
-
i was given safemode option. still in sm w/ networking.
anything else i can do while i'm in here?
-
Did TDSSKiller find anything? As the report is not complete.
Now reboot from the Windows Vista Recovery Environment CD and execute the following commands:
- bootrec /FixMbr
- bootrec /FixBoot
- exit
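As an added example, not code from this thread or from aswMBR, bootrec or any other tool it mentions: what a check of the MBR on \\.\PHYSICALDRIVE0 (the item aswMBR flagged earlier, and the sector bootrec /FixMbr rewrites) amounts to. It parses the 512-byte sector, validates the 0x55AA signature and the partition table, and compares the boot code against a known-good hash, which is how a bootkit that leaves the partition table intact but replaces the code is caught. The sample sector and the baseline are constructed here and are not real Windows boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xaa"   # bytes 510..511

# Constructed stand-in for a known-good boot code image (not real Windows code).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 8)
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

def parse_partitions(mbr):
    """Return the four partition-table entries as dicts (empty slots included)."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts

def check_mbr(mbr, known_good_sha256):
    """Return a list of findings; an empty list means every check passed."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is not %d bytes" % SECTOR_SIZE]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid status byte 0x%02x" % p["status"])
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append("partition type 0x%02x has zero length" % p["type"])
    # A bootkit leaves the partition table intact and swaps the code, so hash it.
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    return findings

def sample_mbr(boot_code=CLEAN_BOOT_CODE, signature=BOOT_SIG):
    """Build a constructed 512-byte MBR: one active NTFS partition, three empty."""
    disk_sig = b"\x12\x34\x56\x78\x00\x00"               # bytes 440..445
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                       b"\xfe\xff\xff", 2048, 204800)
    return boot_code + disk_sig + ntfs + b"\x00" * 48 + signature
```

On a real disk the sector would be read from the physical drive with administrator rights and the baseline hash taken from a known-clean copy of the same Windows version, since legitimate boot code differs between releases.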
-
what do i select to get to that point?
-
with tss i mean. what i posted is everything it saved. the scan ran to completion.
what do i do after the boot commands? each said "completed successfully"
-
the object found by kaspersky is:
TDSS File System
Physical drive: \Device\Harddisk0\DR0
Suspicious object, medium risk
my options are:
skip
copy to quarantine
delete
there is never a "cure" screen
-
You have to select Delete for TDSS File System and continue... reboot if asked and attach the TDSSKiller log.
-
can't upload log. get error "Your file is too large. The maximum attachment size allowed is 200 KB."
-
log attempt
-
Just post the bottom section of the log please
The last 20 lines or so
-
i was able to post the whole thing. it's in the post preceding yours.
-
Can you now access normal windows ?
-
no. it doesn't stay on.
-
what does it look like to you? can you tell me more about what it is i'm trying to do?
is there anything i can be doing in between communication that would be helpful?
-
From safe mode we will use SFC to check out the system file structure
Go to Start > All Programs > Accessories
Right click command prompt and select run as administrator
In the black box type :
sfc /scannow
Then press enter
Let me know if it repairs any files
Also are there any dump files in c:\Windows\minidumps
-
the scan is running.
there are no files in minidump
-
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Alexandra>sfc/scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log
C:\Users\Alexandra>
-
Could you zip the CBS log and upload to mediafire and post the sharing link
-
i'm sorry, i don't know how to do that on her computer.
can i post it here in parts for you, or would that be prohibitive? save it in separate text files perhaps, in successive posts?
-
Could you scan the log and look for files that it was unable to repair. Then let me know what they were
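As an added example, not from this thread or from SFC itself: a small Python script that does the check asked for above, pulling out of CBS.log the files SFC reported it could not repair. The log lines below are constructed to match the shape of the "[SR]" entries sfc /scannow writes (SFC logs "Cannot repair member file" for every corrupt file, then "Repairing corrupted file" for those it can restore from the store, so a file with the first entry and no second one is the unrepaired one).

```python
import re

# Shape of the SFC entries in CBS.log: timestamp, CSI id, "[SR] <action> [l:N{M}]"name" of <component>, ...".
SR_ENTRY = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), Info\s+CSI\s+[0-9a-f]+ \[SR\] '
    r'(?P<action>Cannot repair member file|Repairing corrupted file) '
    r'\[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of (?P<component>[^,]+)(?P<rest>.*)$')

def parse_sr_entries(log_text):
    """Return one dict per [SR] repair line; other CBS noise is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SR_ENTRY.match(line.rstrip())
        if m:
            d = m.groupdict()
            # The tail of a "Cannot repair" line ends with the reason, e.g. "..., hash mismatch".
            d["reason"] = d.pop("rest").rsplit(", ", 1)[-1].strip()
            entries.append(d)
    return entries

def unrepaired_files(log_text):
    """Files SFC flagged for which no later 'Repairing corrupted file' entry exists."""
    flagged, repaired = {}, set()
    for e in parse_sr_entries(log_text):
        key = (e["file"], e["component"])
        if e["action"] == "Cannot repair member file":
            flagged[key] = e["reason"]
        else:
            repaired.add(key)
    return {k: v for k, v in flagged.items() if k not in repaired}

# Constructed sample in the shape of CBS.log; component names and values are made up.
SAMPLE_CBS_LOG = """\
2012-03-01 19:02:10, Info                  CBS    Starting TrustedInstaller initialization.
2012-03-01 19:02:11, Info                  CSI    00000145 [SR] Cannot repair member file [l:22{11}]"example.ini" of Example-Settings, Version = 6.0.6002.18005, Culture neutral in the store, hash mismatch
2012-03-01 19:02:12, Info                  CSI    00000146 [SR] Cannot repair member file [l:18{9}]"shell.dll" of Example-Shell, Version = 6.0.6002.18005, Culture neutral in the store, file is missing
2012-03-01 19:02:13, Info                  CSI    00000147 [SR] Repairing corrupted file [l:18{9}]"shell.dll" of Example-Shell, Version = 6.0.6002.18005, Culture neutral in the store
2012-03-01 19:02:14, Info                  CSI    00000148 [SR] Verify complete
"""

if __name__ == "__main__":
    for (name, component), reason in unrepaired_files(SAMPLE_CBS_LOG).items():
        print("%s (%s): %s" % (name, component, reason))
```

Run against a real log with `unrepaired_files(open(r"C:\Windows\Logs\CBS\CBS.log", errors="replace").read())`.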
-
got it... just had to restart a few times until networking would connect :)
http://www.mediafire.com/?n231yub28nsxja5
-
OK got it - it will take a while to interpret though
-
thank you for your time and help.
-
The only file it had problems with is an ini file which is of no consequence
Could you try a startup repair from the Vista CD to see if that can progress any further than the one on the hard drive?
-
yes, i will... and then what? will it also create a log?
-
If that does not complete a repair could you set the computer not to auto restart on failure.
This will give a blue screen with data on the driver/file that is failing
Details here
http://pcsupport.about.com/od/windowsvista/ht/arestartvista.htm
Then try normal mode and let me know what is written on the blue screen
-
no repair was made from disc
i have followed the directions to prevent automatic restart, but the selection is not holding between shut down and restart. i have already made multiple attempts.
i will keep trying until i hear back from you
-
I feel it may be time to consider resetting the system
-
what would cause it to do this?
-
Hi monkeybones,
This should be essexboy's decision, but at the end of the day, when no more options are open to you without being able to boot, then you could consider backing up all your data and then reinstalling, see:
http://www.howtogeek.com/howto/windows-vista/use-ubuntu-live-cd-to-backup-files-from-your-dead-windows-computer/
polonus
-
It could be one of any number of problems: a corruption of a system file, missing data from a service registry key. This is the sort of problem that you could spend months chasing. But at some stage you must cut your losses and bite the bullet
-
how do we do that?