HELP!! Spyware / Malware Hell
junkie_ball « on: September 11, 2010, 09:19:30 AM »

I've been asked to look at a laptop running Vista Home Premium that is infected with a malware security suite, for sure. I would normally run Malwarebytes to start the cleanup process. My issue is that it will not allow me to run any install programs, or in fact any programs already installed on the system, such as Notepad.

My next point of attack was safe mode; unfortunately I am unable to access this, as it gives the error "Windows failed to start". This could simply be down to the fact that someone tried to part-install Windows 7 on the laptop and never completed the install, although when starting the laptop it does give a dual-boot menu if you allow it to start up normally.

Regedit, Task Manager and cmd are all disabled; what is the next course of action? Is there a malware program I can run directly from a USB drive? Although I would not be confident the laptop would allow this to run. I've never been stumped by virus removals before, but this one is getting me there.
BJseal91 « Reply #1 on: September 11, 2010, 10:13:27 AM »

junkie_ball,
What error messages does it give you when you try to load Notepad, regedit, cmd or taskmgr?
I have had a very similar virus and have 3 tools for you; once I know your problem, let me know ASAP.
Britec « Reply #2 on: September 11, 2010, 12:20:54 PM »

junkie_ball

Burn the Kaspersky 2010 Rescue Disk to CD and run that.

Download Kaspersky 2010 Rescue Disk ISO file

--------------------------------------------

Then please run this app and post the log in http://www.briteccomputers.co.uk/forum/virustrojanspywaremalware/

OTL by OldTimer – A Modern Replacement for HijackThis

•   Download OTL to your desktop.
•   Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
•   When the window appears, underneath Output at the top change it to Minimal Output.
•   Check the boxes beside LOP Check and Purity Check.
•   Under Custom Scan paste this in

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5
%PROGRAMFILES%\Internet Explorer\iexplore.exe /md5
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


•   Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
o   When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
o   Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
o   You may need two posts to fit them both in.


« Last Edit: September 11, 2010, 12:23:35 PM by Britec »

BJseal91 « Reply #3 on: September 11, 2010, 01:49:16 PM »

junkie_ball,
Here are the tools to download to get you back on track:

http://www.softpedia.com/get/PORTABLE-SOFTWARE/System/Re-Enable-Portable.shtml

And download this:

http://www.briteccomputers.co.uk/forum/virustrojanspywaremalware/fix-exe-files-that-have-been-disabled-by-mailwear-and-viruses/

This will get the .exe files back up and running; then also do what Brian said. These are just some tools to fix the disabled items after the fix.

Any help, let us know. Kind regards,

Bradley
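The symptoms in the first post (regedit, Task Manager and cmd refused, nothing with an .exe extension starting) come from a handful of registry changes, and the two tools linked above reverse them. The script below is an added example, not from the thread and not the Re-Enable tool or the forum's .exe fix: it audits the policy values and the .exe file-association hijack, and clears them only when run with `-Fix`. The function names (`Get-LockoutPolicies`, `Get-ExeHijack`, `Repair-ExeHijack`, `Clear-LockoutPolicies`) are mine. It assumes Windows PowerShell 2.0 is installed (an optional update on Vista) and that you can already start an elevated shell, for example from Safe Mode or after a restore.

```powershell
# Added example (not from the thread and not the Re-Enable tool linked above).
# Audits, and with -Fix clears, the registry changes a rogue "security suite"
# uses to block regedit, Task Manager, cmd and every .exe launch.
# Assumes Windows PowerShell 2.0 and an elevated shell that already runs.

$lockoutPolicies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)

# The open command Windows ships for exefile; anything else runs the malware first.
$cleanOpenCommand = '"%1" %*'

function Get-LockoutPolicies {
    # Return every lockout value that exists and is non-zero.
    foreach ($p in $lockoutPolicies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.($p.Name) -ne 0) {
            New-Object PSObject -Property @{ Path = $p.Path; Name = $p.Name; Value = $item.($p.Name) }
        }
    }
}

function Get-DefaultValue([string]$KeyPath) {
    # Default (unnamed) value of a registry key, or $null if the key is absent.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($key -eq $null) { return $null }
    return $key.GetValue('')
}

function Get-ExeHijack {
    # Two common hijacks: a per-user override of the .exe extension (HKCU\Software\Classes
    # wins over HKLM when HKEY_CLASSES_ROOT is assembled), or a rewritten exefile open command.
    $userExt     = Get-DefaultValue 'HKCU:\Software\Classes\.exe'
    $userOpen    = Get-DefaultValue 'HKCU:\Software\Classes\exefile\shell\open\command'
    $machineOpen = Get-DefaultValue 'HKLM:\Software\Classes\exefile\shell\open\command'
    New-Object PSObject -Property @{
        UserExtensionOverride = $userExt
        UserOpenCommand       = $userOpen
        MachineOpenCommand    = $machineOpen
        Hijacked              = ($userExt -ne $null) -or ($userOpen -ne $null) -or ($machineOpen -ne $cleanOpenCommand)
    }
}

function Repair-ExeHijack {
    # Drop the per-user overrides (the class they point at becomes an unused orphan)
    # and restore the stock machine-wide command.
    foreach ($k in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force; Write-Host "Removed $k" }
    }
    $machineKey = 'HKLM:\Software\Classes\exefile\shell\open\command'
    if ((Get-DefaultValue $machineKey) -ne $cleanOpenCommand) {
        Set-ItemProperty -Path $machineKey -Name '(default)' -Value $cleanOpenCommand
        Write-Host "Reset $machineKey"
    }
}

function Clear-LockoutPolicies {
    foreach ($hit in @(Get-LockoutPolicies)) {
        Remove-ItemProperty -Path $hit.Path -Name $hit.Name
        Write-Host "Removed $($hit.Name) from $($hit.Path)"
    }
}

# Audit first; repair only after you have seen what was set.
Get-LockoutPolicies | Format-Table Path, Name, Value -AutoSize
Get-ExeHijack | Format-List
if ($args -contains '-Fix') { Clear-LockoutPolicies; Repair-ExeHijack }
```

Run it once without arguments to see what the rogue changed, then with `-Fix`. If nothing with an .exe extension will launch at all, the shell itself cannot start, so the association has to be put back first from a .reg file (such as the forum fix linked above) before this script is of any use.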
junkie_ball « Reply #4 on: September 11, 2010, 03:19:17 PM »

Thanks for the replies everyone.

No worries, cracked it. I used a Vista install disk to restore to an earlier point; from there I was able to use a user account software I have to activate the admin account on boot-up. The next step was to correct the boot record by deleting the partial Windows 7 boot instruction which was set as default. This then allowed me to start Vista in safe mode, from where I was able to run the usual malware and virus tools to remove any remaining traces of malware and viruses on the system.

Again appreciate your comments.
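The two manual steps in the post above (activate the built-in Administrator, then remove the half-installed Windows 7 entry that had become the default) can be done with the tools Vista already has, net.exe and bcdedit.exe. The script below is an added example, not the poster's own tool or commands; the function names (`Enable-BuiltinAdministrator`, `Get-BootEntries`, `Remove-StaleBootEntry`) and the default description patterns are mine, and the parser assumes English bcdedit output. It must run from an elevated PowerShell inside the restored Vista installation: from the install disk's recovery prompt, `net user` would act on the recovery environment's own account database, and bcdedit would need `/store <drive>:\Boot\BCD` to reach the installed system's store.

```powershell
# Added example, not the poster's steps: activate the built-in Administrator and
# delete the stray boot entry, keeping exactly one entry that matches the install
# you want to boot. Run elevated inside the installed Vista; English bcdedit output assumed.

function Enable-BuiltinAdministrator {
    net user Administrator /active:yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-BootEntries {
    # Parse the 'Windows Boot Loader' blocks of bcdedit /enum osloader into objects.
    $entries = @()
    $entry = $null
    foreach ($line in @(bcdedit /enum osloader)) {
        if ($line -match '^identifier\s+(\{[^}]+\})') {
            $entry = New-Object PSObject -Property @{ Identifier = $matches[1]; Description = ''; Device = '' }
            $entries += $entry
        } elseif ($entry -ne $null -and $line -match '^description\s+(.+?)\s*$') {
            $entry.Description = $matches[1]
        } elseif ($entry -ne $null -and $line -match '^device\s+(.+?)\s*$') {
            $entry.Device = $matches[1]
        }
    }
    return ,$entries
}

function Remove-StaleBootEntry {
    param(
        [string]$StalePattern = 'Windows 7',     # description of the entry to delete
        [string]$KeepPattern  = 'Windows Vista'  # description of the installation to boot
    )
    $entries = Get-BootEntries
    $keep  = @($entries | Where-Object { $_.Description -match $KeepPattern })
    $stale = @($entries | Where-Object { $_.Description -match $StalePattern })
    if ($keep.Count -ne 1) {
        throw "Expected exactly one entry matching '$KeepPattern', found $($keep.Count); refusing to delete anything."
    }
    foreach ($e in $stale) {
        # /cleanup also drops the entry from the boot menu's display order.
        bcdedit /delete $e.Identifier /cleanup | Out-Null
        Write-Host "Deleted $($e.Identifier) ($($e.Description))"
    }
    $target = $keep[0].Identifier
    bcdedit /default $target | Out-Null
    bcdedit /timeout 5 | Out-Null
    return $target
}

# Show the store first; only change it when asked.
Get-BootEntries | Format-Table Identifier, Description, Device -AutoSize
if ($args -contains '-Fix') {
    Enable-BuiltinAdministrator | Out-Null
    Remove-StaleBootEntry
}
```

The refusal to act unless exactly one entry matches the keep pattern is deliberate: deleting the wrong loader entry leaves the machine unbootable, and the only way back is then Startup Repair from the install disk.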
MrTicker « Reply #5 on: September 11, 2010, 03:47:20 PM »

Hi There junkie_ball,

Have you checked your system for rootkits?

This rogue often comes along with the TDSS, TDL3 or Alureon rootkit, and you will need to use TDSSKiller to remove it. You can get it here:

http://www.softpedia.com/get/Antivirus/TDSSKiller.shtml

...and here is another link for you to check out.

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller


Old System Restore Points may contain the infection you have just cleaned up, so as a final step after the removal of any malware etc., I always remove all System Restore Points and then create a new one.

This is easily accomplished by doing: right-click My Computer > Properties > System Restore > put a tick in the box > click Yes > wait while the SRPs are deleted, and then take the tick out of the box and the system will create a new SRP for you. Doing this will ensure that the machine will not be reinfected by an old SRP.

ONLY DO THE ABOVE WHEN YOU ARE ABSOLUTELY CERTAIN THAT YOU HAVE A CLEAN MACHINE.

Cheers, HTH,

ticker
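The purge-then-recreate sequence above (on Vista the switch lives under Control Panel > System > System Protection) can be scripted so it is done the same way every time and the result is visible. The script below is an added example, not the poster's instructions; the function names (`Get-RestorePointCount`, `Remove-AllRestorePoints`, `New-CleanRestorePoint`) and the `C:\` default are mine. It assumes Windows PowerShell 2.0 (an optional update on Vista), which is where `Get-ComputerRestorePoint`, `Disable-ComputerRestore`, `Enable-ComputerRestore` and `Checkpoint-Computer` come from, and it is only to be run elevated on a machine you are certain is clean.

```powershell
# Added example, not the poster's steps: discard every restore point on the system
# drive, then create one fresh point. Elevated PowerShell 2.0 on a cleaned machine.

function Get-RestorePointCount {
    return @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

function Remove-AllRestorePoints([string]$Drive = 'C:\') {
    # Turning System Restore off for a drive discards its existing restore points,
    # which is what ticking the box in the dialog above does; turning it back on
    # starts a clean history. The old shadow copies can also be dropped directly
    # with: vssadmin delete shadows /all
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
}

function New-CleanRestorePoint([string]$Description = 'Clean after malware removal') {
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
}

$before = Get-RestorePointCount
Remove-AllRestorePoints
New-CleanRestorePoint
$after = Get-RestorePointCount
"Restore points before purge: $before; after creating the clean point: $after"
```

Check the last line: the count after should be 1. Anything higher means an old point survived (another protected drive, or System Restore was not actually disabled) and the infected state it holds is still available to a later restore.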
