Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan - Windows 7

Started by J_Mac , Oct 29 2010 06:15 PM

Please log in to reply

#16
azarl

Posted 11 November 2010 - 10:18 AM

GeekU Admin

Community Leader
25,310 posts

Try this please. You will need a USB drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
After it has completed do not choose to reboot the clean computer simply close the installer
Next download http://noahdfear.net...loads/driver.sh to your USB
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Press Tool at the top
Choose Open Terminal
Type dd if=/dev/sda of=mbr.bin bs=512 count=1 and press Enter - Please note - all text entries are case sensitive
A file named mbr.bin will be created in the USB drive. Zip that file and attach it to a reply.

#17
J_Mac

Posted 11 November 2010 - 10:44 AM

Member

Topic Starter
Member
82 posts

It seems lik I've finally got you at a time where we are active at the same time

here is the attached zip file.

Attached Files

mbr.zip 567bytes 272 downloads

#18
azarl

Posted 11 November 2010 - 11:22 AM

GeekU Admin

Community Leader
25,310 posts

Some good news anyway, the MBR doesn't appear to be infected anymore, I'm hoping TDSSKiller just upset it a bit when it it cleared out the infection. Fingers crossed

Insert your USB drive - the one you previously installed xPUD on - into a clean computer
Download xPUDtestdisk.exe and save it to the USB device
Double click xPUDtestdisk.exe to extract the contents to your USB device
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Press Tool at the top
Choose Open Terminal
Type testdisk/testdisk_static
Press Enter
The TestDisk command window will open
Choose Create and press Enter
TestDisk will now detect all local hard drives
Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
If you're not sure then note everything you see and post it for my review
Select Intel (even if you have an AMD processor) and press Enter
Select [Analyse] and press Enter, then press Enter again to run a [Quick Search]
When complete, press Enter to continue, then select [Deeper Scan] and press Enter.
When the deeper search completes, press Q repeatedly until TestDisk closes.
Close the Terminal Window
Remove the flash drive and put it back in the working computer, then post the contents of (or attach) the testdisk.log file on the flash drive.

Please note - all text entries are case sensitive

#19
J_Mac

Posted 15 November 2010 - 09:17 PM

Member

Topic Starter
Member
82 posts

Tue Nov 16 12:37:48 2010
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, April 2010
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Jul 27 2010 17:00:22
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 488397168 sectors
/dev/sda: user_max 488397168 sectors
/dev/sda: native_max 488397168 sectors
/dev/sda: dco 488397168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
Hard disk list
Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63, sector size=512 - ATA WDC WD2500BEVT-2
Disk /dev/sdb - 1998 MB / 1905 MiB - CHS 1015 62 62, sector size=512 - TOSHIBA TransMemory

Partition table type (auto): Intel
Disk /dev/sda - 250 GB / 232 GiB - ATA WDC WD2500BEVT-2
Partition table type: Intel

Analyse Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 1 type 27: no test
NTFS at 1567/0/1
NTFS at 1580/0/1
get_geometry_from_list_part_aux head=255 nbr=5
get_geometry_from_list_part_aux head=8 nbr=2
get_geometry_from_list_part_aux head=16 nbr=2
get_geometry_from_list_part_aux head=32 nbr=2
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=5
Current partition structure:
1 P Windows RE(store) 0 1 1 1566 254 63 25173792
2 * HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
3 P HPFS - NTFS 1580 0 1 30401 48 31 463012420 [Acer]
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
NTFS at 0/1/1
filesystem size 25173792
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 1573361
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
NTFS, 12 GB / 12 GiB
NTFS at 1567/0/1
filesystem size 208845
sectors_per_cluster 1
mft_lcn 69615
mftmirr_lcn 104422
clusters_per_mft_record 2
clusters_per_index_record 8
HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
NTFS, 106 MB / 101 MiB
NTFS at 1580/0/1
filesystem size 463012420
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 28938085
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1580 0 1 30401 48 31 463012420 [Acer]
NTFS, 237 GB / 220 GiB
get_geometry_from_list_part_aux head=255 nbr=5
get_geometry_from_list_part_aux head=8 nbr=2
get_geometry_from_list_part_aux head=16 nbr=2
get_geometry_from_list_part_aux head=32 nbr=2
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=5

Results
* HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
NTFS, 12 GB / 12 GiB
P HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
NTFS, 106 MB / 101 MiB
P HPFS - NTFS 1580 0 1 30401 254 63 463025430 [Acer]
NTFS, 237 GB / 220 GiB

interface_write()
1 * HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
2 P HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
3 P HPFS - NTFS 1580 0 1 30401 254 63 463025430 [Acer]

search_part()
Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
NTFS at 0/1/1
filesystem size 25173792
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 1573361
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
NTFS, 12 GB / 12 GiB
NTFS at 1566/254/63
filesystem size 25173792
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 1573361
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
NTFS found using backup sector!, 12 GB / 12 GiB
NTFS at 1567/0/1
filesystem size 208845
sectors_per_cluster 1
mft_lcn 69615
mftmirr_lcn 104422
clusters_per_mft_record 2
clusters_per_index_record 8
HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
NTFS, 106 MB / 101 MiB
NTFS at 1579/254/63
filesystem size 208845
sectors_per_cluster 1
mft_lcn 69615
mftmirr_lcn 104422
clusters_per_mft_record 2
clusters_per_index_record 8
HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
NTFS found using backup sector!, 106 MB / 101 MiB
NTFS at 1580/0/1
filesystem size 463012420
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 28938085
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1580 0 1 30401 48 31 463012420 [Acer]
NTFS, 237 GB / 220 GiB
NTFS at 4844/254/63
filesystem size 61448625
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 16
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1020 0 1 4844 254 63 61448625 [50main]
NTFS found using backup sector!, 31 GB / 29 GiB
NTFS at 30400/254/63
filesystem size 463009365
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 28938085
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1580 0 1 30400 254 63 463009365 [Acer]
NTFS found using backup sector!, 237 GB / 220 GiB
NTFS at 1579/254/63
filesystem size 208845
sectors_per_cluster 1
mft_lcn 69615
mftmirr_lcn 104422
clusters_per_mft_record 2
clusters_per_index_record 8
get_geometry_from_list_part_aux head=255 nbr=9
get_geometry_from_list_part_aux head=8 nbr=2
get_geometry_from_list_part_aux head=16 nbr=2
get_geometry_from_list_part_aux head=32 nbr=2
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=9

Results
HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
NTFS, 12 GB / 12 GiB
HPFS - NTFS 1020 0 1 4844 254 63 61448625 [50main]
NTFS found using backup sector!, 31 GB / 29 GiB
HPFS - NTFS 1567 0 1 1579 254 63 208845 [SYSTEM RESERVED]
NTFS, 106 MB / 101 MiB
HPFS - NTFS 1579 254 63 1592 254 63 208846
NTFS, 106 MB / 101 MiB
HPFS - NTFS 1580 0 1 30400 254 63 463009365 [Acer]
NTFS found using backup sector!, 237 GB / 220 GiB
HPFS - NTFS 1580 0 1 30401 254 63 463025430 [Acer]
NTFS, 237 GB / 220 GiB

interface_write()
1 * HPFS - NTFS 0 1 1 1566 254 63 25173792 [PQSERVICE]
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

TestDisk exited normally.

#20
azarl

Posted 16 November 2010 - 02:53 AM

GeekU Admin

Community Leader
25,310 posts

Thanks for that

Try this please. It's similar to a command we ran earlier

Restart your PC, press and hold the F8 key as it restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
On the Advanced Boot Options screen, use the arrow keys to highlight Repair your computer, and then press Enter.
Select a keyboard layout, and then click Next.
On the System Recovery Options menu, click on Command Prompt
In the command window type bootrec.exe /fixboot and press enter
Reboot

#21
J_Mac

Posted 17 November 2010 - 09:47 AM

Member

Topic Starter
Member
82 posts

Computer still will not boot

#22
azarl

Posted 17 November 2010 - 11:55 AM

GeekU Admin

Community Leader
25,310 posts

A GeeksToGo expert is going to take a look

Download NTBRHive.exe on your working computer and save it to the xPud flash drive we created earlier, in the root directory (e.g. F:\ or whatever drive letter Windows assigned that USB drive.)
Next, double-click NTBRHive.exe on your USB drive and let it run. You should see USB drive ready to collect hives. If you get an error message, STOP here and let me know.
boot the infected computer from the updated xPud flash drive.
Select File on the left side.
You need to find which are Windows partitions on the infected computer and which is the flash drive. Typically, sda* are the hard drive partitions and sdb* is the USB. Select the various \mnt\sdb1 etc. until you see the flash drive based on the files. You should see hives.sh on the right window when you have selected the correct partition.
With hives.sh visible in the main window and only the correct sdb* selected that represents the USB drive, click Tool on the menu across the top and select Open Terminal.
In the terminal window type bash hives.sh (it's case sensitive) and press Enter to start the tool. The current directory will be shown, which should match the USB device, eg; /mnt/sdb1
When prompted to type the name of the hive, type the following bold text in lowercase and press Enter.

both
when complete, press enter to exit the script
Type exit and press Enter to close the terminal window.
power off the computer from the menu options on the left.

When you've done that , plug the USB in your working PC. Open the usb, there should be two hive files, ntbsoft and ntbsyst. Please zip these files up to maxsubmit.zip and go to http://noahdfear.net/max/upload.php

Fullow the instructions for uploading this file. Please enter the link to this topic too, where requested - http://www.geekstogo...-7/page__st__15

#23
J_Mac

Posted 22 November 2010 - 10:14 PM

Member

Topic Starter
Member
82 posts

Hi Azarl, was able to follow all steps successfully.

#24
azarl

Posted 23 November 2010 - 02:23 AM

GeekU Admin

Community Leader
25,310 posts

OK, I'll be back shortly when I get a response

#25
azarl

Posted 25 November 2010 - 02:47 AM

GeekU Admin

Community Leader
25,310 posts

Ensure your USB drive is inserted for this please

Restart your PC, press and hold the F8 key as it restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
On the Advanced Boot Options screen, use the arrow keys to highlight Repair your computer, and then press Enter.
Select a keyboard layout, and then click Next.
On the System Recovery Options menu, click on Command Prompt
- In the command window type diskpart and press enter to run the Diskpart command
- Type "list volume" to obtain the drive letter assigned to the flash drive
- Type "Exit" to quit the diskpart utility
Type the following command, replacing the red x with the appropriate letter for the flash drive.

bcdedit /v >x:\bcd.txt

In your next reply please include bcd.txt

#26
azarl

Posted 04 December 2010 - 05:04 AM

GeekU Admin

Community Leader
25,310 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#27
J_Mac

Posted 19 January 2011 - 02:25 AM

Member

Topic Starter
Member
82 posts

Sorry for the LONG delay of my reply. Here is the last requested attachment from the latest instruction.

Attached Files

bcd.txt 1.14KB 269 downloads

#28
azarl

Posted 19 January 2011 - 05:12 PM

GeekU Admin

Community Leader
25,310 posts

Press F10 after powering up the machine, which should bring up an 'Edit Boot Options' screen.
If it shows either of the following:

[ /NOEXECUTE=OPTIN /MININT
[ /NOEXECUTE=OPTIN IN/MINT

hit backspace to remove them, leaving only the /noexecute=optin, then press Enter to continue and see if it starts normally.

#29
J_Mac

Posted 20 January 2011 - 08:16 AM

Member

Topic Starter
Member
82 posts

AZARL!!!! I have seen my beautiful home screen again my laptop has come back to life

!!!! I am so happy lol. The one that came up was the MININT one but after following your instruction it was able to boot.

After shutting down and turning it back on it goes to the sane black windows recovery screen but after going to the boot options menu it is able to to boot up.

I have not done anything yet except turn on and boot the computer then shut it down again. The only change I have made is restore the default boot order.

Thank you