
Need help removing Trojan.Dropper.BCMiner [Solved]



#16 steven.weintraub (Member, Topic Starter, 27 posts)
And yes, on Hiren's XP, I do have access to a Command Prompt window along with all the tools it provides. Unfortunately, FRST64 is not included on it. I need to figure out how to get it there as the USB stick isn't available. I'm also thinking that at this point, it's not a virus, but just a Vista issue that's keeping the OS from coming up all the way to desktop at this point. I don't have a recovery disc (never ordered from HP), so the ISO you provided should do the trick.
  • 0

#17 steven.weintraub (Member, Topic Starter, 27 posts)
OK. I was able to load drivers on Hiren's WinXP image and "see" the USB drive. I copied the Avira log and attached it. I've copied and transferred FRST64 and Vista ISO files. I mounted the Vista ISO file as V: drive, but not sure what to do with it. I don't see how to use it for recovery as a mounted ISO image drive.

  • 0

#18 steven.weintraub (Member, Topic Starter, 27 posts)
I went ahead and used WiNToBootic.exe and dropped the Vista ISO image to it. Going to boot up the laptop with this USB image. I know it's not 4GB, but the image fit on the 1GB drive and I'll see if it will boot up off of it and report back.

OK. It booted up from the USB Vista image. I'm at the System Recovery Options page where Startup Repair is the top option. Is that something that I can try to "automatically fix problems that are preventing Windows from starting" as it says?

BTW, I also copied FRST64.exe to c:\temp earlier on the laptop, so I can boot up WinXP and run that first if you think it necessary. Personally, I'd like to get Vista working and verify that the laptop is cleared now. Just let me know how you'd like me to proceed. Also, I'll be away at work until @ 7:30 PM tonight. I'll look for your instructions then.

Edited by steven.weintraub, 13 July 2012 - 05:12 AM.

  • 0

#19 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I will delete all of the quarantine files once you are happy. At the moment they are not a threat.
  • 0

#20 steven.weintraub (Member, Topic Starter, 27 posts)
Well, I went ahead and ran Startup Repair from the ISO image on the USB thumb-drive. It didn't indicate that it found anything to correct, but I went ahead and restarted, hoping for the best. Same problem..... Laptop comes up quickly with a low-def @ Microsoft Corporation image and status bar, then the display goes black with just a moveable cursor. I tried booting up without my external USB mouse, but that didn't help. I plugged it in and it started to work again, so something is recognizing the USB and ext. mouse but not getting to Windows startup.

BTW, SAFE mode loads drivers until crcdisk.sys then throws up the black screen w/mouse.

NOT SURE WHAT TO DO AT THIS POINT!!!!

Edited by steven.weintraub, 13 July 2012 - 06:33 PM.

  • 0

#21 steven.weintraub (Member, Topic Starter, 27 posts)
Found the following and am going to try to repair.
http://securitywatch...ath-is-it-vista

I booted off the Hiren CD and was able to run regedit and load a Hive of system as instructed. Unfortunately, it's a dead end since the correct KEY value was there all along. All the other suggestions I've seen so far searching on KSOD aren't promising. Could not get to task mgr or anything else, no ctrl-alt-del, nothing but a mouse cursor. Time to think of something else....

Edited by steven.weintraub, 13 July 2012 - 09:29 PM.

  • 0

#22 steven.weintraub (Member, Topic Starter, 27 posts)
OK. I was able to boot up off the thumb drive with the Vista ISO image that you provided earlier. From there, I loaded the only previous restore point it found. It was from 7/11 and was taken before I removed Symantec AV Win64. Success, the laptop booted up to a workable desktop. Symantec Win64 is running/enabled, but it is trying to install something off a previously attached F-drive that's no longer plugged in. I'm going to cancel it and look around. Not sure where the system is now with regards to infections, so I could use some help at this point. Symantec is not enabled, so there's no AV running right now. It looks like the infected files are still located in the quarantined directories.

Let me know what you want me to look at/run next to see where it stands.
  • 0

#23 steven.weintraub (Member, Topic Starter, 27 posts)
I exported a copy of the registry and created another restore point. I made sure DEP was turned on for all programs. I was able to turn off Symantec from loading via the System Configuration panel. MBAM protection is on and I downloaded the latest DB updates. A quick scan showed 0 issues found.

I do see some things that are questionable. Windows Security Center is OFF and can't be started. Windows Defender fails "to initialize: 0x8007006 the handle is invalid". It also says that Windows FW is NOT using the recommended settings to protect your computer.

So, what's next?
  • 0

#24 steven.weintraub (Member, Topic Starter, 27 posts)
One other thing that I forgot to mention when looking around Users, is that there's an unknown account which I traced to c:\Users\iTunes\My Documents. I discovered it via Control Panel -> System -> Advanced systems settings (System Properties Advanced Tab) -> User Profiles -> Settings. It shows up as Account Unknown - 536 MB - local. That size matches \users\iTunes. [There is a Delete option, but I didn't do that. Don't want to mess up my iTunes library, etc.]

What has me concerned though is that I cannot access this folder. I tried to give myself Full Control via the ALLOW check box, but was denied. The account is S-1-5-21-<xxxxx-xxxxx-xxxxxx>-1002. My understanding is that this is a SID, but I'm not sure what it's for, how it got created, and why I can't view/touch/see anything in that directory when I'm the only Administrator account on the box.

Can you explain why and shed some light on this SID? I'd like to know if it's safe and if there's a way to see what's in that folder. I do see some references to S-1-5-21 and viruses.

Edited by steven.weintraub, 13 July 2012 - 11:50 PM.

  • 0

#25 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, it appears that I somehow missed a few posts and got out of sync with you.

Let's confirm the current status:

  • Windows boots to normal mode
  • The iTunes Folder is meant to be hidden on a Vista system as it is part of a symbolic link to allow backwards compatibility with XP
  • You cannot control access with that as it is system reserved
  • Windows Security centre is not active


I will need to have a quick look to see where we are now

Could you first run an OTL quick scan selecting All Users

Then run the following programme to check security centre

run farbar service scanner


Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
  • 0

#26 steven.weintraub (Member, Topic Starter, 27 posts)
Thanks for the reply and info concerning iTunes. Good to know that I can ignore the S-1-5-21 unknown account and not being able to access that directory. I'm a wee bit paranoid after this infection, so can't be too careful. And yes, I can boot/reboot normally again. MBAM is up and active.

I'm at work now, but will run another OTL quick scan and FSS as instructed when I get home at 8:00 PM EST. Hopefully they'll come back all-clear and we can delete the quarantined files and final cleanup steps/removing tools/Windows Security Center. I'd also like your opinion on best approach going forward/best freeware.

I'm working another long day tomorrow and only have Monday to wrap things up before going out of town on "holiday" as you chaps call it. Hope to be declared clean and ready to reconnect to the internet to answer email, pay some bills, etc. before leaving.

Talk to you later tonight.
  • 0

#27 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK end of the day for me here but I will be back first thing in the morning
  • 0

#28 steven.weintraub (Member, Topic Starter, 27 posts)
OK. I ran OTL and FSS. The output text files have been attached.

Farbar Service Scanner Version: 08-07-2012
Ran by Steve (administrator) on 14-07-2012 at 20:13:03
Running from "C:\Users\Steve\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2009-06-13 22:45] - [2009-04-11 03:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-02-14 17:13] - [2012-01-03 10:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-07-05 12:54] - [2012-03-30 08:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E

C:\Windows\System32\dnsrslvr.dll
[2011-05-21 00:31] - [2011-03-02 12:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2009-06-13 22:46] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2009-06-13 22:45] - [2009-04-11 03:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2009-06-13 22:47] - [2009-04-11 03:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2009-06-13 22:45] - [2009-04-11 03:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2009-06-13 22:46] - [2009-04-11 03:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2009-06-13 22:47] - [2009-04-11 03:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2009-06-13 22:46] - [2009-04-11 03:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-07-05 13:00] - [2012-04-23 12:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-06-13 22:47] - [2009-04-11 03:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****

Attached Files

  • Attached File  OTL.Txt   151.65KB   22 downloads
  • Attached File  FSS.txt   4.85KB   20 downloads

  • 0
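The FSS log posted above is line-oriented, so a small parser can turn it into an action list: which services are merely stopped, which have lost their registry key entirely (and so cannot be started until the key is rebuilt), and which binaries FSS could not match to a known MD5. This is an added example, not part of Farbar Service Scanner or anything posted in this thread; the sample input is a constructed excerpt of the FSS.txt above.

```python
import re
# Constructed excerpt modelled on the FSS.txt attached above; paths and MD5 are the ones posted.
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-06-13 22:46] - [2009-04-11 03:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C
"""

STOPPED_RE = re.compile(r"^(\S+) Service is not running\.")
MISSING_RE = re.compile(r"ATTENTION!=+> Unable to open (\S+) registry key\. The service key does not exist")
FILE_RE = re.compile(r"^([A-Za-z]:\\.+?)(?: => (.*))?$")  # path, optional FSS verdict
DETAIL_RE = re.compile(r"\((.*?)\) ([0-9A-Fa-f]{32})$")  # (vendor) MD5 on the detail line

def parse_fss(text):
    """Return (stopped services, services whose registry key is gone, files FSS gave no verdict on)."""
    stopped, missing, unverified = [], [], {}
    pending = None  # path whose version/MD5 detail line should come next
    for line in map(str.rstrip, text.splitlines()):
        if m := STOPPED_RE.match(line):
            stopped.append(m.group(1))
        elif m := MISSING_RE.search(line):
            if m.group(1) not in missing:  # FSS repeats this for Start type, ImagePath and ServiceDll
                missing.append(m.group(1))
        elif m := FILE_RE.match(line):
            pending = m.group(1) if m.group(2) is None else None  # no "=> MD5 is legit": detail follows
        elif pending and (d := DETAIL_RE.search(line)):
            unverified[pending] = (d.group(1), d.group(2))
            pending = None
    return stopped, missing, unverified

def triage(text):
    """Action list: keys to rebuild before the service can start, then stopped services, then hashes to check."""
    stopped, missing, unverified = parse_fss(text)
    todo = [f"rebuild registry key, then start: {s}" for s in missing]
    todo += [f"start service (key intact): {s}" for s in stopped if s not in missing]
    todo += [f"verify MD5 against a known-good copy: {p} {md5}" for p, (_, md5) in unverified.items()]
    return todo
```

Re-running it on a later FSS.txt shows which service keys are still missing after a repair attempt.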

#29 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's now replace the missing registry keys.

Download the attached Zip file



Extract all Seven .reg files to the desktop
Right click each in turn and select Merge
Accept the warnings
Reboot the system and re-run Farbar

Let me know what problems are outstanding
  • 0

#30 steven.weintraub (Member, Topic Starter, 27 posts)
I backed up the Registry, then tried to load the seven .reg files provided. It worked for four of them, but would not Merge legacy_bfe, legacy_mpssvc, and legacy_wscsv.

I rebooted and ran FSS again.

Attached Files

  • Attached File  FSS.txt   3.55KB   27 downloads

Edited by steven.weintraub, 15 July 2012 - 05:18 AM.

  • 0





