loringdesign Posted April 7, 2014 Author ID:814765

Delete the first copy, as here is the completed version.

Hello, I would like to set a block of time today, or when you are able to work on this, so that I can give it my full attention and make use of the valuable help you are offering. By coming and going so sporadically I don't mean to be unappreciative or difficult. I was being pulled in many directions but now it's more manageable. So I will address your four points as best I can, and then if you would be kind enough to let me know when you can work on this again, I will try to shift my schedule accordingly. If we could hit it first thing Monday morning, that would probably be best. So if you are 3 hrs ahead and are able to help me around 8 or 9 (east coast time), I plan to be up early and prepared. If the morning doesn't work, my next opening would be late afternoon my time. Lastly, would it be helpful to start with a phone call, if you even work that way? If so, I'm at 3107708114 anytime.

Ok, I will address the 4 points below in orange font:

1: Can you get to a command prompt with the infected computer??
If I understand, the quick answer is "no", but I have to ask 2 questions back:
A) Is a command prompt very particular, as in "safe mode with command prompt", or is it anywhere I'm able to type words, like start menu "run" or "search"?
B) Does "infected computer" refer to the infected drive only, or literally the unit with desktop and multiple drives?
I tried to run the infected drive set as master in all 3 safe modes and from the CD using all your suggestions and tricks, only to end up on the ICE page.

2: Not getting the malware out of the registry is going to be a problem.
What should I try?

3: If you have Malwarebytes 2.0 on the good drive, we can run a Custom scan on the infected hard drive. This would be the first thing to do.
I have the free version but have a day or so left on the trial of the full version. How do I run a custom scan?

4: Then access the infected drive and look for the malware files. (below are samples from past infections) They can be anywhere but usually in these locations. Of course the user names will be different:
Ok, but you say "look at", will we be able to delete the malware files?

end

MrCharlie Posted April 7, 2014 ID:814822

1: Can you get to a command prompt with the infected computer??
If I understand, the quick answer is "no", but I have to ask 2 questions back:
A) Is a command prompt very particular, as in "safe mode with command prompt", or is it anywhere I'm able to type words, like start menu "run" or "search"?
Yes, safe mode with command prompt.
B) Does "infected computer" refer to the infected drive only, or literally the unit with desktop and multiple drives?
Just the drive.
I tried to run the infected drive set as master in all 3 safe modes and from the CD using all your suggestions and tricks, only to end up on the ICE page.

2: Not getting the malware out of the registry is going to be a problem.
What should I try?
Will get to that later.

3: If you have Malwarebytes 2.0 on the good drive, we can run a Custom scan on the infected hard drive. This would be the first thing to do.
I have the free version but have a day or so left on the trial of the full version. How do I run a custom scan?
This is the first thing I want to do:
With the infected drive set as slave and the good drive as master
Computer up and running off the good drive
Start Malwarebytes > choose Scan > Custom Scan > Scan Now > Put a check in the box next to the infected drive (may be E, F, etc) > Now click Start Scan
That should start a scan on the infected drive.

4: Then access the infected drive and look for the malware files. (below are samples from past infections) They can be anywhere but usually in these locations. Of course the user names will be different:
Ok, but you say "look at", will we be able to delete the malware files?
We'll address this after running Malwarebytes.

No need for me to call you and I'm here all day.
MrC

loringdesign Posted April 7, 2014 Author ID:814850

Ok, going to try this now.

MrCharlie Posted April 7, 2014 ID:814860

OK...
MrC

loringdesign Posted April 7, 2014 Author ID:814877

It's still scanning but found 1 object. Scanning second to last area on the list. Also I didn't tell you that I have Norton 360 on this computer. Does that matter?
Just found 2nd object.

MrCharlie Posted April 7, 2014 ID:814881

No it doesn't,
MrC

loringdesign Posted April 7, 2014 Author ID:814954

I need to be at appointments from 1230 on. Didn't think the scan would take so long. Is it normal? I'm at 61000 objects scanned, duration 4 hrs, 6 bad guys detected. Are you able to tell me any of the next steps for when I come back? What time do you clock out? I do have tech support through remote access with Norton, although they did not seem current with ICE. At some point I am able to get in Windows and online; should I have them clean it up? I was thinking it might be better to stick with you to the end, but I wanted you to know I had that source, especially with your registry concerns, right. Anyways, thanks again. I'm just going to let the scan run.

MrCharlie Posted April 7, 2014 ID:814965

Yes, it can take that long; it's doing a Full scan, which is good.
After it's done, make sure you select all items and quarantine or delete them.
Post the log for me. I'm here all day long.
See if it boots up and we'll take it from there.
MrC

loringdesign Posted April 8, 2014 Author ID:815354

The log of my malware scan is attached.
mbam-log-2014-04-07 (06-25-26).xml

MrCharlie Posted April 8, 2014 ID:815365

Did it boot up??? If so.......
(please use notepad to save the logs or just post them)

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.
(use correct version for your system.....Which system am I using?)
FRST <----for 32 bit systems
FRST64 <----for 64 bit systems
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button. (make sure the Addition box is checked)
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:
To attach a log: Bottom right corner of this page. New window that comes up.
MrC

loringdesign Posted April 8, 2014 Author ID:815391

Attached is the log.
FRST.txt

MrCharlie Posted April 8, 2014 ID:815395

Can you post the Addition.txt log from FRST,
MrC

loringdesign Posted April 8, 2014 Author ID:815402

See attachment.
Addition.txt

loringdesign Posted April 8, 2014 Author ID:815403

So where do we stand with it all, would you think, and any chance of data recovery? No urgency, just planning stuff out.

MrCharlie Posted April 8, 2014 ID:815408

There were 2 logs from Malwarebytes, one showed the malware and one was clean. Can you post or attach the one showing the malware? Please use notepad so I can read it.
---------------------
Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait.
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.
-------------------------------
Please download and run RogueKiller 32 bit to your desktop.
RogueKiller <---use this one for 64 bit systems
Which system am I using?
Quit all running programs.
For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report which should be located on your desktop.
MrC

MrCharlie Posted April 8, 2014 ID:815411

and any chance of data recovery?
What did you lose? System restore wasn't running.
MrC

loringdesign Posted April 8, 2014 Author ID:815415

See attached. It opened for me so you should be able to read it.
mbam-log-2014-04-07 (08-38-12).xml

loringdesign Posted April 8, 2014 Author ID:815417

ON RECOVERY: Lastly, you might recall I compounded my problems last week by erasing data (backup wasn't recording this drive) on the "F" drive when installing Windows, because I reformatted. I'm prepared to accept a loss there but wanted to try to get some of it back if possible: my work files, dwgs, CAD files, SketchUp, jpegs, Word docs etc. Are you able to assist me there at all?

MrCharlie Posted April 8, 2014 ID:815421

.XML <------- I don't know what program creates these files with .XML extensions. If I open them up with notepad they come out all distorted.
Anyway, this was the only file deleted that was related to the virus. Kaspersky may have gotten some also.
F:\Documents and Settings\All Users\Application Data\wjlqfvg.gsa
----------------------------------
Please complete these steps:
https://forums.malwarebytes.org/index.php?showtopic=145516&p=815408
--------------------------------------------------------------
The lost data is gone and probably overwritten by now.
MrC

loringdesign Posted April 8, 2014 Author ID:815428

RogueKiller crashed before completing. Should I run it again?

MrCharlie Posted April 8, 2014 ID:815433

Download a fresh copy and try it in safe mode,
MrC

MrCharlie Posted April 8, 2014 ID:815443

Let's see if we can get system restore repaired:
Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked: (Check them all)
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
MrC

loringdesign Posted April 8, 2014 Author ID:815451

I've got a few of your instructions backed up (not completed) since the crash. Does it matter which I do first?
download and run RogueKiller in safe mode
rescan with Farbar?
complete the Kaspersky steps above
find different log format and resend
Also, I will need to break from this soon for other obligations. Does it matter when?

MrCharlie Posted April 8, 2014 ID:815459

Do the FRST fix first. (run FRST with the downloaded fixlist.txt)
Then.....try RogueKiller in safe mode (download a fresh copy)
Last, do the Farbar Scanner Service scan.
There's no Kaspersky to do.
MrC

loringdesign Posted April 8, 2014 Author ID:815468

If I double-click the XML malware log files, they open right up via Explorer or Chrome. Is that no good for you, and if so, how shall I resave them?
The only times there was an overwrite on the F drive was when Norton virus software and XP were installed. I did run a free recovery a while ago and it seemed like recognizable files were present, just couldn't retrieve them.
These 3 files copied to my desktop before the crash. Don't know if they help or not:
roguekiller file exe dmp (wasn't permitted to be uploaded)
2 more attached:
debug.log
drwtsn32.log
