I have a Dell laptop (I know, I know, last one we own I promise) that appears to have at least one virus going on, and I'm a bit afraid to shut it down.

I noticed that some of my searches were getting redirected in IE, so I switched to Firefox, but to no avail. Then my volume button was gone. Checked in Control Panel and no audio devices available. Then I tried to run the Microsoft Malicious Software Removal Tool. No go. Then I went to plug in my external hard drive to transfer all those precious pictures and videos I have over, but it doesn't recognize that a device was plugged in. My Windows flag button is not working, so I can't hit Flag+D for desktop or Flag+E for Explorer, but I can get there through Task Manager.

So I ended up here on the Google Chrome browser, and went through the readme first to go through the steps, taking notes in Notepad as I went along.
I downloaded ATF Cleaner and was able to scrub the Explorer files, but no files were deleted from Firefox. First I hit Select All, then I tried one at a time.
Went to my Control Panel at this point and tried to uninstall Firefox, but it's not in the Add/Remove Programs list anymore. A program called "I want this" was listed there, which I uninstalled (probably dumb). When I did this, Firefox then popped up with the blekko search engine homepage. I closed this and went back to Add/Remove Programs and blekko is there. Did a search on blekko and found it's a redirect virus, concurrent with what was happening, and went to a site (had to type in the address, as I'm getting redirected here in Chrome as well) and I noticed you have to restart your computer in Safe Mode to get rid of it, and I'm nervous about doing that right now.
I ran GMER, and noticed it began its search, but then I changed windows and I can't get back to it. It's on my taskbar at the bottom of the page, but not in my Task Manager, so I can't switch to it or end the process.
I downloaded Malwarebytes successfully and went to run it, but it doesn't run. It says it's running in Task Manager but nothing happens.
Firefox opened up unprompted again a few minutes ago saying "Thanks for downloading" with the logo (I think) for iPod 3? I closed it. Argh.

So unfortunately, I don't have much fruitful information to give you, but was wondering, before I shut down or restart my computer, if there is anything else I can try or what the best next step may be.

ETA - I can open Windows Explorer and see the file tree populate on the left, but it freezes when I click on My Computer, so I can't go in and manually remove any files.

Thank you kindly for your time.

Edited by JennC

I also went to download ComboFix as I saw it referenced on another page and somehow the download was redirected to a wisedownloads download manager. I noted immediately it wasn't the file I was trying to download, so I went to exit out of the installer, but it acted up, wouldn't let me close or exit, and froze, but I was able to close the tab. Oh look, here is Firefox again... telling me thank you for downloading the wisedownloads and asking me to click a big green download button, so I clicked it. JUST KIDDING - I didn't click it. I closed Firefox.

So - help!?

eta - never mind my idiotness above. Apparently that was a Google ad and I should have noticed the URL at the bottom when I ran my mouse over the top. Issue above still holds.

Edited by JennC


Hi Jenn,

-- What is your OS? 7/XP/Vista? 64 or 32 bit?

**Give Malwarebytes another try and see if it runs.**
-- If not, we'll have to go ahead and reboot your machine and then try MBAM again.
-- If that fails, reboot to Safe Mode by tapping F8 on reboot and try to run MBAM in safe mode.

Let me know how you fare with the above. If MBAM does run, please post the scanlog for me. If no, then we'll take another tack.

Also, do you have another computer you can use to burn a CD?
Let me know.

Best Luck :)

Edited by PhilliePhan


My OS is XP 32-bit (I'm sure, it's a $400 laptop). I went to reboot earlier and took an SD card out of the reader and all of a sudden I was able to run MBAM and the other malicious software tools, so I ran like 4 of them (I think Lavasoft is still working on it, but it's only found two). Attached the MBAM log to this post.
Yes, I can burn a CD elsewhere, and tomorrow I'll work on rebooting in Safe Mode. Thank you very much PP!

Edited by JennC

Malwarebytes Anti-Malware


Database version: v2012.05.04.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Jennifer :: JENN [administrator]

5/4/2012 5:17:30 PM

mbam-log-2012-05-04 (17-17-30).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 252914

Time elapsed: 5 hour(s), 35 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 3

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Trojan.Agent) -> Data: C:\Documents and Settings\Jennifer\Application Data\hotfix.exe -> Quarantined and deleted successfully.

HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: f9a64b0d83ae21b2750ebc953b4c5d6e -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Documents and Settings\Jennifer\Local Settings\Temp\air79D.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jennifer\Local Settings\Temp\~nsu.tmp\Au_.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jennifer\My Documents\Downloads\DownloadManager_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
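Reading the log above by hand works for eight entries, but the one that explains the broken desktop is the Winlogon|Shell value pointing at hotfix.exe in the user's Application Data. As an added example (not from the thread, from Malwarebytes, or from anyone posting here), this Python script parses that log format, counts detections, and flags registry values that hijack a logon-time autostart location; the log text is a constructed excerpt of the entries posted above.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes log posted above (detection lines only).
MBAM_LOG = r"""
Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Trojan.Agent) -> Data: C:\Documents and Settings\Jennifer\Application Data\hotfix.exe -> Quarantined and deleted successfully.
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: f9a64b0d83ae21b2750ebc953b4c5d6e -> Quarantined and deleted successfully.
Files Detected: 3
C:\Documents and Settings\Jennifer\Local Settings\Temp\air79D.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jennifer\Local Settings\Temp\~nsu.tmp\Au_.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jennifer\My Documents\Downloads\DownloadManager_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECT_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\)"
                       r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """One dict per detection line, tagged with the section it falls under."""
    detections, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group("section")
            continue
        m = DETECT_RE.match(line.strip())
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return detections

# Logon-time registry locations; a non-default value here is persistence, which is
# why the desktop (Explorer, Windows key) broke and not just the browser.
AUTOSTART_MARKERS = (r"\winlogon|shell", r"\winlogon|userinit", r"\currentversion\run")

def find_autostart_hijacks(detections):
    """Registry values that point an autostart location at an attacker-controlled file."""
    return [d for d in detections if d["section"] == "Registry Values"
            and any(mk in d["location"].lower() for mk in AUTOSTART_MARKERS)]

def summarize(detections):
    """Detection counts per section and per threat family."""
    return {"by_section": dict(Counter(d["section"] for d in detections)),
            "by_threat": dict(Counter(d["threat"] for d in detections))}
```

Run it against a full saved mbam-log file and the autostart list is the first thing to read: those entries say what ran at logon, so they tell you why a clean reboot matters more than the adware count.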


Well, I can't boot up my computer in any mode, including safe. When I try to boot up in safe mode as it scrolls through the files it is opening it freezes at mup.sys. Any hope outside of reformatting my hard drive?


Hi Jenn,

There's still plenty we can do - depends which way you want to go. Lately, I prefer reformat with rootkitted malware. It's faster and a complete fix.
But, that's not always feasible these days.

Let's try a few things first. At the very least, we can get all of your important data transferred to external hard drive before we try any sort of destructive recovery.

---- Do you have a Windows OS disk?

---- On a working compy, please go here and download Ubuntu Desktop -->

Download the 32-bit .iso file and burn it to CD as per the steps here (if you don't already have a preferred method for burning .iso) -->

We can go from there. Let me know how the above goes.

I'll be around off and on over the weekend. I am not as active these days in the forum, but I'll keep an eye on this thread.

Cheers :)


System Restore is not a viable option at this point given that the machine hangs on boot - That's why I wanted to use the Ubuntu boot CD to gain access.
But, you are on the right track as it is likely a corrupted registry causing the problem.

Frankly, in cases such as this, utilizing the recovery partition or OS disk to reinstall the OS is the fastest/easiest way to proceed. Jenn can use the Ubuntu CD to transfer all the data she wants to save to her external HD before reinstalling Windows.
If she comes back, I'll be happy to talk her through it :)


Edited by PhilliePhan


Hi, I'm back. Ended up with a household full of real viruses, am finally getting motivated to tackle this.

Sorry, I'm confused here; can I do this all with a USB, or do I need to burn the CD? Are there USB drivers that are inaccessible for doing this in the state my computer is in?
The instructions seemed a bit convoluted; once I have the .iso desktop file, that's the one I want to burn to CD? Do I need to use Ubuntu to retrieve my data? I recall doing this before (actually twice, I really, really don't like this computer; the bootup freezes at the same spot, though symptoms leading up to the freeze seem to vary) and I think I just partitioned it from the OS disk without a loss of data. But of course I don't remember exactly what I did and I'm paranoid about losing precious files.


Hi Jenn,

Burning the ISO to CD is best rather than going the USB route.
Once you have the Ubuntu CD burned, pop it into the ill compy and fire it up. You ought to be able to boot the CD without having to adjust the BIOS.
Your compy should give you the choice to boot from optical drive (or it may go ahead and boot Ubuntu automatically).
Anyhoo, select the option to Try Ubuntu without any change to your computer - We do not want to install Ubuntu.

Then, click the Places tab and navigate to the files you want to copy and you should be able to Copy&Paste or Drag&Drop them to your external hard drive.

Let me know if you have any problems. Once you get your files copied, we can have a whack at cleaning the machine.

Cheers :)


Hi Jen, another option is to run a rescue CD using BitDefender. To do so, go to a different computer and go here: http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html Follow the steps below. After that, shut down your computer and repeatedly tap F12; it will prompt you with a list of options such as CD ROM, Hard drive or HDD, and if you have chosen to put the rescue CD on a USB flash drive, then move your arrow keys down to your flash drive. For example, mine is a SanDisk Cruzer... Once you have booted outside of the operating system, you will want to click sda1 or sda2. Note that what you want to look for is Program Files or Program Files (x86) in sda1 or sda2. When you see the one that has Program Files or Program Files (x86), click that specific tab and click Open. BitDefender will scan for any viruses; from there it will prompt you to remove any viruses you have. Go ahead and do so, and let me and Phillie know the results.

Edited by powerade661

