Solved Ran Windows Defender Offline, can't boot up computer. Help please!

Excellent!! Glad you are able to boot.

We are not done yet...Alureon is not a good thing to have.

Have to go out for a doctor's appointment in a short while (bad cold caused by the frigid weather in Illinois, maybe you've had it also in Missouri).

Will get back to you this evening.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
:info: In the meantime, go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.
When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue

If malicious objects are found, they show in the Scan results.
Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip. :warn: Do not select: Delete :warn:)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\
Logs have a name like:
C:\TDSSKiller.X.X.X_15.10.2013_15.31.43_log.txt

:ar: Also provide the TDSSKiller report in your reply.
 

Cotton - The weather here in St. Louis has been miserable, so I know what you mean.

The scan found one suspicious item. I have attached the scan log as requested.
 


My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 64 bit
Antivirus
Symantec
We are almost neighbors!! I live in O'Fallon, Illinois. :)

:info: On TDSSKiller...

Please run it once again, and this time, when presented with the TDSS File System entry in Threats Detected, select: Delete

Please attach the new TDSSKiller log in your reply.


To make sure there is nothing else 'lurking', let's do the following:

:info: Please go to the Malwarebytes Anti-Malware Download
Save to the Desktop
Double-click the downloaded MBAM file to run it.

When the installation begins, follow the prompts in the setup process.
Do not make any changes to default settings and when the program has finished installing, make sure only the following options are checked:
>Update Malwarebytes’ Anti-Malware
>Launch Malwarebytes’ Anti-Malware
Uncheck:
>Enable free trial of Malwarebytes Anti-Malware PRO
Click on the Finish button.

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, select: Perform Quick Scan

Next, click on the Scan button.

When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

:ar: Please copy/paste the entire contents of the MBAM report in your reply.

Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.


.
 


My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Own build (new) Desk1 / Asus ROG Win 7 / Desk2 1st build
OS
Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
CPU
Desk1 i5 3750K / Laptop i7 GTX 860M / Desk2 i5 2500
Motherboard
Desk1 Asus P877-V / Desk2 Gigabyte H67 UD3H / Laptop ?
Memory
Desk1 8GB (1866) / Desk2 16GB (1333) / Laptop 8Gb DDR3
Graphics Card(s)
Desk 1& 2NVidia GTX 650 & Laptops on board Intel
Sound Card
Desk 1 & 2 -XONAR DG Realtek High Def audio Laptop
Monitor(s) Displays
Desk 1 Benq HD 2450 / Desk2 Philips 24" / Laptop 17.5"
Screen Resolution
1920x1080 D1 & D2 & Laptop 1
Hard Drives
Desk1 Samsung 120GB 830 SSD
Asus ROG 256GB 850 Pro SSD
Desk2 Samsung 840 256 SSD
Toshiba 120GB EVO
PSU
Desk 1 Corsair HX 1050/ Laptop ? / Desk 2 Corsair HX 650
Case
Desk 1 Cooler HAF XM ? Toshiba laptop / Desk2 Coolermaster
Cooling
Fans on all Desk1 -2 Desk2 - all Coolermasters 5 Laptop ?
Keyboard
Desk 1 MS Sidewinder X6 Desk 2 MS Sidewinder X 4
Mouse
Desk 1&2 - Gigabyte MS 900 gamer - laptop - Logitec wireless
Internet Speed
ADSL2+
Other Info
One other Desktop (tester) and spare Toshba laptop both with SSD's
Running Kaspersky 2016 ISS on all machines config'd identically
Logitec audio stereo systems on each machine (x3)
Canon MG5250MFC
Router/modem TP-Link running WPA2SK
Now granted, I'm not a solid 100% expert per se; I do, however, know a little about tackling viruses, and yes, some of them can be a royal pain in the a$$. At this point I am gonna have to agree about reinstalling the O.S. if the rescue disk doesn't work.

I had a virus on my prior computer just after I first got it, and I had no way to do a rescue as the whole system was messed up beyond all recognition, and the only thing left that I could do was a complete clean install.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom built
OS
Windows 7 ultimate 64-bit
CPU
Intel I7 2600K 3.4ghz
Motherboard
Asus Evo P8P67
Memory
Corsair 16gb ddr3 1600mhz
Graphics Card(s)
Nvidia Geforce gt 430
Sound Card
Sound Blaster Titanium x-fi pci express
Monitor(s) Displays
Dell E198WFP
Hard Drives
1 western digital 2TB drive.
PSU
Antec 1200 watt
Case
Inwin Dragon Rider
Cooling
6 case supplied cooling fans
Keyboard
logitech mk700
Mouse
logitech m705
Internet Speed
25-50mbps download; 10mbps upload(i think)
Antivirus
avg free 2014
Browser
mozilla firefox
Other Info
Also have a pretty bad speaker setup which is a klipsch promedia 5.1 surround speaker setup with huge subwoofer and lg blu ray player/writer. Also a hp officejet pro 8600 plus wireless all in one and a logitech s7500 webcam.
@ICit2lol,

Yep. Running ADWCleaner is part of the plan. :)

Trying to get rid of the big stuff first...
 

Neighbor! It sure is cold out there today...wishing I had heat in my truck this morning and waiting for a warmer weekend.

I attach the latest TDSSKiller log and the MBAM report is cut & pasted below:

Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free Anti-Malware

Database version: v2014.01.23.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
POSTAL :: POSTAL-PC [administrator]

1/23/2014 10:56:44 AM
mbam-log-2014-01-23 (10-56-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221653
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\System32\config\systemprofile\0.3407809187208656.exe (Exploit.Drop.UR.2) -> Quarantined and deleted successfully.

(end)
 

Also, MBAM popped up an urgent message to restart the computer to finish cleaning and so I did. Just FYI in case it's relevant.
 

Relevant!

CB's last sentence in post# 24 reads:
Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

You took the correct action.
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Pavilion dv6-6c10us
OS
x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
CPU
AMD A6-3420M APU with Radeon(tm) HD Graphics
Motherboard
Hewlett-Packard 1805
Memory
6.00 GB
Graphics Card(s)
AMD Radeon(TM) HD 6520G
Sound Card
(1) AMD High Definition Audio Device (2) IDT High Definiti
Monitor(s) Displays
HP W2072a 20" LCD (1600 x 900) @ 60 Hz
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
ST640LM0 00 HM641JI SATA Disk Device
Keyboard
Logitech k520 wireless KB
Mouse
Logitech m320 wireless mouse (bundled with KB)
Internet Speed
15/5 | 54 MB Wireless 'n'
Antivirus
Realtime: Defender or Avast | On-demand: Malwarebytes, ESET
Browser
IE 11 on Win8, IE 10 on win 7
Other Info
Media: [Gimp, Audacity, VLC] || Comm: [WEmail 2012, Skype] || Productivity: [OpenOffice,| Textpad] || Utils: [Sysinternals, cCleaner, Speccy, Defraggler]
Thanks, Slartybart!

bsever,

Please run the ESET Online Scanner...

Since it is implemented as an ActiveX control, it is best run on Internet Explorer.
Right click the IE shortcut and select: Run as Administrator

Next, in IE, download >ESET Free Online Scanner :: Complete Malware Detection :: ESET

On the ESET website, click on: Run ESET Online Scanner
Click: Start

When asked, allow the add-on to be installed.
Again, click: Start

On the next prompt, Computer Scan Settings, do not check: Remove found threats

Next, click on: Advanced Settings
Make sure the following options are checked:
>Scan for potentially unwanted applications
>Scan for potentially unsafe applications
>Enable Anti-Stealth Technology

By Current Scan Targets, Operating memory, Local drives, press: Change
In Selection of scan targets, Local drives, select the drives in question.
Click: OK

Click: Start
Follow the prompts.

When the scan completes, if threats are found, in the Scan Results prompt, click on: List of threats found
Click on: Export to text file
Save to the Desktop and name it: ESET Scan Results
Click on: Back
Click on: Finish, and close the program.

If anything is found, please provide the ESET Scan Results in your reply to determine what further action is necessary.


.
 

Thanks for the further direction, cottonball. I only just saw this post and have to run out, but I'll run the scan this weekend and provide the scan results. Thank you again.
 

Yikes! Six threats found. Persistent little so-and-so's.

I have attached the scan report as requested.
 

Ah, it's not that bad!
(1) in FRST quarantine - Ask toolbar
(2) in Dell Datasafe - both HiddenStart.A
(2) in TDSSKiller Quarantine - trojans
(1) in Downloads - another Ask toolbar

I don't know what Dell DataSafe is or what HiddenStart.A is.
The last one, Ask toolbar, gets packaged with too many freeware apps.
>> if you run disk cleanup, it will be removed.
I'll wait for someone who knows about Dell DataSafe to add something.

I'd say your system looks fairly clean, but Cottonball has the final say.

That didn't hurt much, did it.
 
Thanks for the breakdown, Slartybart. Nah, didn't hurt too much. I just couldn't believe it that on the fourth or fifth pass it came up with 6 threats, so it's good to have a little perspective about what ESET actually came up with.
 

Glad it didn't hurt

Actually, I should clarify false positives. While still a true statement, ESET did find real threats in other scanner quarantines. I guess that's fair, ESET can't know if it's a real quarantine or a nice place to hide. Knowing that you ran FRST and TDSSKiller makes it clear that the other scanners took care of the threats.

Bill
 

1. C:\FRST\Quarantine\APNStub.exe a variant of Win32/Bundled.Toolbar.Ask application
2. C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
3. C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
4. C:\TDSSKiller_Quarantine\23.01.2014_10.51.18\tdlfs0000\tsk0002.dta Win64/Olmarik.AL trojan
5. C:\TDSSKiller_Quarantine\23.01.2014_10.51.18\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.NH trojan

6. C:\Users\POSTAL\Downloads\PFPortChecker.exe a variant of Win32/Bundled.Toolbar.Ask application

Entries 1, 4, and 5 are already contained. If 4 and 5 were still around, we would have something to worry about.

Entries 2 and 3, as you guys have found out, are Dell's.

Entry #6, Bundled.Toolbar.Ask application, unless you specifically installed it, you can use ADWCleaner to clean it up:

AdwCleaner (by Xplode) Download > AdwCleaner Download
Save to the Desktop.

Before running the program, please read the AdwCleaner Usage Instructions.
It alerts users of Antivir Webguard to the consequences of using this program.
Also, be aware the program resets search settings to the default Microsoft search, if changed by adware.

To proceed, right-click on AdwCleaner.exe and select: Run as Administrator

At the main window, press the [Scan] button.
The Scan function does not delete anything. It just lists elements.

Once AdwCleaner completes its scan, it shows a list of elements.
You can uncheck any item(s) you do not want to remove.

Next, click the [Clean] button.

A small window appears to inform that all programs will close.

AdwCleaner proceeds to delete all checked elements.

If a reboot is needed, a small window appears notifying of such. Please click: OK

When the AdwCleaner logfile appears, please provide it in your reply.

(The logfile is also saved in C:\AdwCleaner\AdwCleaner[R0].txt)



.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
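
The triage applied to the ESET results above (hits inside another scanner's quarantine folder are already contained, "application" hits are bundled or vendor tools to review, anything else needs action) can be scripted. This is an added example, not part of the original thread: the line format is inferred from the six entries quoted in the thread, and the verdict labels and the seventh sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Quarantine folders named in this thread; extend for other tools (assumption).
QUARANTINE_ROOTS = [r"C:\FRST\Quarantine", r"C:\TDSSKiller_Quarantine"]

# Line shape assumed from the entries quoted in the thread:
#   [N.] <path> [a variant of] <Platform/Name> <type>
LINE_RE = re.compile(
    r"^(?:\d+\.\s*)?(?P<path>.+?)\s+(?:a variant of\s+)?"
    r"(?P<name>\w+/\S+)\s+(?P<kind>\w+)$"
)

def _norm(path):
    # Windows paths are case-insensitive; the trailing separator stops
    # "C:\FRST\QuarantineX" from matching "C:\FRST\Quarantine".
    return path.lower().rstrip("\\") + "\\"

def in_quarantine(path):
    p = _norm(path)
    return any(p.startswith(_norm(root)) for root in QUARANTINE_ROOTS)

def triage(line):
    """Return a dict for one report line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, name, kind = m.group("path", "name", "kind")
    if in_quarantine(path):
        verdict = "contained"   # inert copy held by another scanner
    elif kind.lower() == "application":
        verdict = "review"      # unwanted/unsafe app: keep or clean up
    else:
        verdict = "active"      # trojan etc. outside quarantine
    return {"path": path, "name": name, "kind": kind, "verdict": verdict}

def summarize(lines):
    buckets = defaultdict(list)
    for line in lines:
        hit = triage(line)
        if hit:
            buckets[hit["verdict"]].append(hit)
    return dict(buckets)

SAMPLE = [  # entries 1-6 are quoted from the thread; entry 7 is constructed
    r"1. C:\FRST\Quarantine\APNStub.exe a variant of Win32/Bundled.Toolbar.Ask application",
    r"2. C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application",
    r"3. C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application",
    r"4. C:\TDSSKiller_Quarantine\23.01.2014_10.51.18\tdlfs0000\tsk0002.dta Win64/Olmarik.AL trojan",
    r"5. C:\TDSSKiller_Quarantine\23.01.2014_10.51.18\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.NH trojan",
    r"6. C:\Users\POSTAL\Downloads\PFPortChecker.exe a variant of Win32/Bundled.Toolbar.Ask application",
    r"7. C:\Users\Example\AppData\Local\Temp\sample.dll Win64/Olmarik.AL trojan",
]

if __name__ == "__main__":
    for verdict, hits in summarize(SAMPLE).items():
        print(verdict.upper())
        for h in hits:
            print(f"  {h['name']:<32} {h['path']}")
```
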

ICit2lol,

Thanks for the suggestion.

Quoting Kaspersky:

A Rescue Disk should be used in case of an infection that cannot be cured by means of antivirus software or disinfection utilities...running under operating system control.

bsever regained Operating System control, and there are several utilities that can get rid of the Bundled.Toolbar.Ask application...

...Not to worry. :)


.
 