Windows 7 Forums



Windows 7: Post Malware


29 Jun 2011   #21

win 7 ult. x64
 
 
ubuntu to access

I went to CNET and ended up with a fake CNET page, and now I am on a malware-ridden laptop running Ubuntu from CD just to return to this website. I have tried everything and now am in the process of doing a system restore from an image I did after I completed the updates and installed Service Pack 1 on the desktop. I downloaded the link for the current HijackThis program and will run it on the desktop as soon as the restore is complete. I will post it via the laptop, as I don't know how long it will last; I have only used it for 3 hrs trying various scans from several top recommendations.
I am almost to the point of giving up, cancelling my internet and selling all my systems as scrap!


After 1.5 months, several new hard drives, 30 installs of Win 7 etc., I have one other possibility that might be the problem. I understand now that I need the correct drivers for the Intel chipset and to configure it for a file that Win 7 would look for while installing the OS. I have several listings for AMD, and now I wonder: if the drivers or the config file for the chipset is not used when installing Windows 7, does it default to using several AMD references, thus allowing an exploit, when I have an Intel i5 processor?

I have read the install instructions for the chipset and don't quite understand what I need to do to make the "batch file" or whatever it is called, so the install uses this to correctly configure my system when it installs.

Does anyone know what I am talking about?

Could this be why I keep getting violated and can't figure out how to stop it?

I will be back (malware permitting) as soon as I get the log from the restored image, or maybe just re-install using the batch file for the correct processor/chipset.

I just don't know anymore.



30 Jun 2011   #23

win 7 ult. x64
 
 

Can someone help me with this (see below)?

************************************************************
* 8F. INSTALLING THE WINDOWS 7* INF FILES PRIOR
* TO OS INSTALLATION
************************************************************
The simplest method for installing Windows onto new hardware is to
start directly from the Windows product DVD with an answer file called
Autounattend.xml. Boot the computer with the Windows Setup media in the
DVD drive and the configuration set available on an external drive.
By default, Windows Setup searches all removable media for an answer
file called Autounattend.xml. Autounattend.xml must be located at the
root of the removable media.

The answer file enables you to automate all or parts of Windows Setup,
including adding INF files. You can create an answer file by using Windows
System Image Manager (Windows SIM).

Microsoft* published a Windows Automated Installation Kit (WAIK)
(must be the Windows 7 version) which facilitates creation of answer files
and image creation for unattended installs of Windows 7 with tools such as Windows SIM.

To create a configuration set you will need:
Windows System Image Manager (Windows SIM) installed on a technician computer.
An authorized copy of a Windows Vista product DVD.
Chipset device driver .inf files.
Access to a network share or removable media with sufficient storage space.

1. Create a New Answer File
(In this step, you define basic disk configuration and other settings that are required
for an unattended installation.)
A. On your technician computer, insert the Windows 7 product DVD into the local
DVD-ROM drive.
B. On the desktop of the technician computer, navigate to the \Sources directory
on your DVD-ROM drive. Copy the Install.wim file from the Windows product DVD
to a location on the computer.
C. Open Windows SIM. On the desktop of the computer, click Start, point to
Programs, point to Microsoft Windows OPK (or Windows AIK), and then click
Windows System Image Manager.
D. On the File menu, click Select Windows Image.
E. In the Select a Windows Image dialog box, navigate to the location where
you saved the Install.wim file, and then click Open.
Note:
A warning will appear that a .clg file does not exist.
Click OK to create a .clg file.
If there is more than one Windows image in the .wim file, you are prompted
to select the Windows image to open.
F. On the File menu, click New Answer File.
2. Create a Distribution Share
(In this step, you create a distribution-share folder on your technician computer.
The distribution share will store out-of-box drivers, applications, and any resource
files needed for your custom installation.)
A. In Windows SIM, in the Distribution Share pane, click Select a Distribution
Share.
B. Right-click to select Create Distribution Share.
C. The Create a Distribution Share dialog box appears.
D. Click New Folder, and then type a name for the folder. For example
"C:\MyDistributionShare". Click
E. In the Distribution Share pane, the distribution share folder opens.
Windows SIM automatically creates the following folder structure.
C:\MyDistributionShare\$OEM$ Folders
C:\MyDistributionShare\Packages
C:\MyDistributionShare\Out-of-Box
3. Add Drivers and Applications to Distribution Share
A. In Windows SIM, on the Tools menu, select Explore Distribution Share.
B. The Distribution Share window opens.
C. Copy your device driver files (.inf) to the Out-of-Box Drivers folder.
1. Create subdirectories for each driver. For example,
create directories "Chipset" and "Video" in the Out-of-Box Drivers
folder.
D. Close the distribution share folder.
4. Add a Device Driver to the Answer File
(In this step, you add an out-of-box drivers (.inf) path to your answer file.)
A. In Windows SIM, on the Insert menu, click Driver Path, and then click Pass 1
windowsPE.
B. The Browse for Folder dialog box appears.
C. Select the driver path to add to the answer file, and then click OK.
For example, "C:\MyDistributionShare\Out-of-Box Drivers\Chipset"
5. Validate the Answer File
(In this step, you validate the settings in your answer file and then save them to a file.)
A. In Windows SIM, click Tools, and then click Validate Answer File.
B. If the answer file validates successfully, a "success" message appears in the
Messages pane; otherwise, error messages appear in the same location.
C. If an error occurs, in the Messages pane, double-click the error to navigate
to the incorrect setting. Change the setting to fix the error, and then
revalidate the answer file.
D. On the File menu, click Save Answer File. Save the file as Unattend.xml.

6. Create a Configuration Set
(In this step, you create a configuration set that will gather all of the resource files
that you specified in your answer file into one location.)
A. In Windows SIM, on the Tools menu, select Create Configuration Set.
B. The Create Configuration Set window opens.
C. Specify a destination location where you intend to publish the configuration set
D. Select a removable drive such as a USB flash drive (UFD), and then click OK.
7. Deploying a Configuration Set Without a Network
A. Turn on the new computer.
B. Insert both the removable media containing your configuration set and the
Windows 7 product DVD into the new computer.
Note: When using a USB flash drive, insert the drive directly into the
primary set of USB ports for the computer. For a desktop computer,
this is typically in the back of the computer.
C. Restart the computer by pressing CTRL+ALT+DEL.
Note: This example assumes that the hard drive is blank.
E. Windows Setup (Setup.exe) begins automatically.
F. By default, Windows Setup searches all removable media for an answer file
called Autounattend.xml. Autounattend.xml must be located at the root of the
removable media.
G. After Setup completes, validate that all customizations were applied, and then
reseal the computer by using the generalize option

For more information about Windows Server 2008 answer
files and unattended installations, please refer to the
Windows Automated Installation Kit (WAIK) User's Guide

I wonder if this is why I keep having problems with my installs (several references to AMD when I have an Intel i5).
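The Windows SIM click-through quoted in the post above ends up producing one file: an Autounattend.xml whose windowsPE pass carries a DriverPaths entry under the Microsoft-Windows-PnpCustomizationsWinPE component. The Python below is an added example (not Intel's readme, not Windows SIM output, and not code anyone posted in this thread) that writes such a file and then reads it back to check the driver path is where Setup will look for it. Assumptions to be aware of: the component, attribute and element names follow the Windows 7 unattend schema; the `%configsetroot%` prefix is the form Windows SIM substitutes for the distribution share when it builds a configuration set for removable media; and the rules in `check_answer_file` (only `%configsetroot%` or UNC driver paths, only `amd64`/`x86` architectures) are this example's own policy, not Microsoft's. Two caveats a practitioner would add: `processorArchitecture="amd64"` is the Windows name for every 64-bit x86 CPU, an Intel Core i5 included, and has nothing to do with AMD drivers; and since Setup reads Autounattend.xml from the root of any removable media it finds, only the media you built yourself should be plugged in while installing.

```python
"""Build and sanity-check a minimal Autounattend.xml that adds an
out-of-box chipset driver path in the windowsPE pass.

Added example; element/attribute names follow the Windows 7 unattend
schema, the acceptance rules in check_answer_file() are this example's own.
"""
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
WCM_NS = "http://schemas.microsoft.com/WMIConfig/2002/State"
ET.register_namespace("", UNATTEND_NS)
ET.register_namespace("wcm", WCM_NS)

PNP_COMPONENT = "Microsoft-Windows-PnpCustomizationsWinPE"
# 'amd64' is the architecture label for all 64-bit x86 CPUs, Intel included.
KNOWN_ARCHS = ("amd64", "x86")


def _q(tag, ns=UNATTEND_NS):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def build_autounattend(driver_paths, arch="amd64"):
    """Return the XML text of an answer file whose windowsPE pass lists
    driver_paths for the PnP customisation component."""
    root = ET.Element(_q("unattend"))
    settings = ET.SubElement(root, _q("settings"), {"pass": "windowsPE"})
    comp = ET.SubElement(settings, _q("component"), {
        "name": PNP_COMPONENT,
        "processorArchitecture": arch,
        "publicKeyToken": "31bf3856ad364e35",
        "language": "neutral",
        "versionScope": "nonSxS",
    })
    paths_el = ET.SubElement(comp, _q("DriverPaths"))
    for key, path in enumerate(driver_paths, start=1):
        pc = ET.SubElement(paths_el, _q("PathAndCredentials"), {
            _q("action", WCM_NS): "add",
            _q("keyValue", WCM_NS): str(key),
        })
        ET.SubElement(pc, _q("Path")).text = path
    return ET.tostring(root, encoding="unicode")


def driver_paths_in(xml_text, pass_name="windowsPE"):
    """Driver paths Setup would see in the given configuration pass."""
    root = ET.fromstring(xml_text)
    found = []
    for settings in root.findall(_q("settings")):
        if settings.get("pass") != pass_name:
            continue
        for comp in settings.findall(_q("component")):
            if comp.get("name") != PNP_COMPONENT:
                continue
            for p in comp.iter(_q("Path")):
                found.append(p.text or "")
    return found


def check_answer_file(xml_text):
    """Return a list of problems (empty list means the file passes)."""
    problems = []
    root = ET.fromstring(xml_text)
    for comp in root.iter(_q("component")):
        arch = comp.get("processorArchitecture")
        if arch not in KNOWN_ARCHS:
            problems.append("unknown processorArchitecture %r (use amd64 for "
                            "64-bit Intel or AMD CPUs, x86 for 32-bit)" % arch)
    paths = driver_paths_in(xml_text)
    if not paths:
        problems.append("no driver path in the windowsPE pass")
    for p in paths:
        # The technician PC's C: drive does not exist on the target during
        # Setup; the path must be relative to the configuration set or a share.
        if not (p.lower().startswith("%configsetroot%") or p.startswith("\\\\")):
            problems.append("driver path %r is neither under %%configsetroot%% "
                            "nor a UNC share" % p)
    return problems


if __name__ == "__main__":
    xml = build_autounattend([r"%configsetroot%\Out-of-Box Drivers\Chipset"])
    print(xml)
    print("problems:", check_answer_file(xml))
```

Save the output as Autounattend.xml at the root of the USB stick that also carries the configuration set, and keep the Windows SIM "Validate Answer File" step in the readme; this check only covers the driver-path part of the file.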


30 Jun 2011   #24

win 7 ult. x64
 
 

Here is the log, just after the image restore completed:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:44:38 PM, on 6/29/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5582 bytes
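Two things in the log above are worth knowing before reading it as evidence of compromise. HijackThis 2.0.4 is a 32-bit program; on 64-bit Windows the WoW64 file-system redirector hands a 32-bit process C:\Windows\SysWOW64 whenever it asks for C:\Windows\System32, so every 64-bit-only service binary (lsass.exe, spoolsv.exe, vssvc.exe and the rest) comes back as "(file missing)" with "Unknown owner". Those O23 lines are an artifact of the tool on x64, not a finding. Separately, atiesrxx.exe is the AMD External Events service installed with the ATI/AMD display driver; it is unrelated to the CPU. The Python below is an added example (not HijackThis code and not something posted in this thread) that parses O4 and O23 lines, suppresses the WoW64 artifact, and flags entries whose binary lives outside the Windows and Program Files trees. The first block of input lines is copied from the posted log; the two lines in `CONSTRUCTED_LINES` are made up here to show what a real hit looks like. The trusted-directory list and the verdict names are this example's own policy.

```python
"""Triage HijackThis O4 (autorun) and O23 (service) lines.

Added example. Input lines in LOG_EXCERPT are copied from the posted log;
CONSTRUCTED_LINES are invented for illustration. The trusted-directory
policy and verdict names are this example's own.
"""
import re
from collections import Counter

LOG_EXCERPT = r"""O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"""

# Constructed, not from the log: an autorun and a service in user-writable places.
CONSTRUCTED_LINES = r"""O4 - HKCU\..\Run: [Updater] C:\Users\Public\AppData\svchost.exe -silent
O23 - Service: Windows Helper (WinHelp) - Unknown owner - C:\ProgramData\winhlp\wh.exe"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

# Environment variables HijackThis leaves unexpanded in O4 lines.
ENV = {"%programfiles%": "c:\\program files", "%systemroot%": "c:\\windows"}
SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _exe_path(cmd):
    """Pull the executable out of a command line, quoted or not."""
    m = re.search(r'"?([^"]*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def _norm(path):
    p = path.lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def classify(path, missing, x64=True):
    """'wow64-artifact': 32-bit HijackThis on x64 cannot see 64-bit-only
    System32 binaries, so 'file missing' there is expected noise.
    'review': binary outside the Windows/Program Files trees, or a
    trusted-tree binary that really is missing. 'expected': otherwise."""
    p = _norm(path)
    if x64 and missing and p.startswith(SYSTEM32):
        return "wow64-artifact"
    if not p.startswith(TRUSTED_PREFIXES) or missing:
        return "review"
    return "expected"


def triage(log_text, x64=True):
    """Parse O4/O23 lines into dicts with a verdict each."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = _exe_path(m.group("cmd"))
            entries.append({"type": "O4", "name": m.group("name"), "path": path,
                            "verdict": classify(path, False, x64)})
            continue
        m = O23_RE.match(line)
        if m:
            missing = m.group("missing") is not None
            entries.append({"type": "O23", "name": m.group("display"),
                            "path": m.group("path"),
                            "verdict": classify(m.group("path"), missing, x64)})
    return entries


def summary(entries):
    """Verdict counts as a plain dict."""
    return dict(Counter(e["verdict"] for e in entries))


if __name__ == "__main__":
    for e in triage(LOG_EXCERPT + "\n" + CONSTRUCTED_LINES):
        print("%-14s %-4s %-40s %s" % (e["verdict"], e["type"], e["name"], e["path"]))
    print(summary(triage(LOG_EXCERPT + "\n" + CONSTRUCTED_LINES)))
```

Run against the full posted log, every O23 "(file missing)" line under System32 lands in the artifact bucket and nothing is left to review; to actually verify those services on an x64 box, use a 64-bit tool (Autoruns, or `sc qc` from a 64-bit command prompt) rather than HijackThis 2.0.4.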
30 Jun 2011   #25

win 7 ult. x64
 
 

I don't know what kind of remote code is used against me, but apparently Ubuntu from CD lasts longer than a clean install of Windows 7 on a hard drive!!!!
30 Jun 2011   #26
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Have you tried resetting your router and changing the password, then re-installing Windows?
30 Jun 2011   #27

win 7 ult. x64
 
 

yes

I am now using Ubuntu from CD to respond.

I am using a program now to wipe the HPA area of the hard drive. I am going to take a CD and download the latest BIOS to the CD, plus driver files for the chipset, and wait for the hard drive to complete the wiping process (20 hrs) and see if I just killed the drive or if it will still work. I am not getting any support for the HPA area from the manufacturer of the drive, so either it kills whatever is in that location of the drive or .......

I don't have too much more to do other than give up!

Wish me luck; I will post the outcome (20 hrs + re-install #31).

Does anyone know how to set up the "unattended" install file that can be used while installing the OS? I posted the directions, but I am not an engineer and don't understand what I need to do to make the file.

Someone please help, as I would like to try this install with the "wiped" drive and the "unattended" install file for the Windows installer. I always end up now with defaults listed in the install log referencing AMD and am not sure if that is normal or a default due to not having that file available during the install.
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 04:18 AM.