Author Topic: I wish it had worked  (Read 17149 times)

Offline zionstrat

  • Newbie
  • *
  • Join Date: Sep 2013
  • Posts: 7
  • Karma: 0
    • View Profile
I wish it had worked
« on: September 26, 2013, 04:02:44 pm »
Spent a week trying to recover a PC and will have to take it in- I notice that you asked for feedback, your app is one of the few that could run, but like most of them, it hung up after 5 minutes or so-

Only Kaspersky is able to keep the PC running, but it can't 'see' the virus, so it doesn't do any good (maybe you guys could team up)-

Here's the thread with logs in case it gives you any ideas-

http://forums.malwarebytes.org/index.php?showtopic=133799&page=6
Cheers

ZS

Offline Willy2

  • Hero Member
  • *****
  • Join Date: Oct 2011
  • Posts: 1165
  • Karma: 18
    • View Profile
Re: I wish it had worked
« Reply #1 on: September 27, 2013, 12:33:47 am »
You say that WR "hung up" after ~5 minutes. Some repairs in WR v1.9.18 (especially "04 - Repair WMI") simply take a long time (think minutes) to complete. And then it looks like the program has "hung up" when the program is still busy.

I have a good hunch where WR could "hang up" but without more info from you it remains a guess. So, can you tell me where WR "hangs up"?

Offline zionstrat

Re: I wish it had worked
« Reply #2 on: September 27, 2013, 06:10:02 am »
Oh no, it's far more evil than that:)

The computer only runs for about 5 minutes- Then it does a dvd read- Then the app hangs up- about a minute later it goes bsod-

Your app made it through stage 1 of the fix-

It's interesting, most other apps (that are really fast) are caused to hang up when they are looking at a specific file (I assume it is a malicious file)- They will make it to a specific file, they will sit there for 2-3 minutes, the disk will do a read and then the app is freed up and starts flying through the files again-

The problem is that the system is already shutting down and they will hit bsod before they can write the report.

Read the threads if you want more- The avast people said that it looks simply too messed up to fix- (interesting because this infection occurred while avast was in command:)

On the other thread, we got Kaspersky to keep the computer from crashing, however, it can't find the problem, so I think this was a particularly evil one-

Thanks for the feedback!
ZS

Offline zionstrat

Re: I wish it had worked
« Reply #3 on: September 27, 2013, 06:52:13 am »
Also, I have a question about next steps-

I am pretty sure that this virus is a hang on from a crash I had last year- The symptoms are exactly alike-
1. I was running AVG on the first crash- It behaved just like this, I saved off the files, and built an entirely new computer after we gave up.
2. I switched to Avast and checked everything before I moved files- I also searched with Malwarebytes and CCleaner and all was well-
3. This is a dedicated audio production computer so I have to download lots of drivers from music software vendors, but otherwise, this computer is kept as safe as possible.

So it seems most likely that this monster lives somewhere in those files and I'm afraid it will come back- So here are 2 questions-
1. How can I scan those files and find this thing?
2. How can I back up in such a way that recovery is possible (I do restore points constantly and they all were deleted)-

Thanks for any and all ideas!
ZS

Offline Willy2

Re: I wish it had worked
« Reply #4 on: September 27, 2013, 07:02:10 am »
- Yes, that's a REAL nasty one.
- It's not my app but I have a good knowledge of what's going on "inside" WR.

Although I am not the author of the app, I can offer some advice:
- Tell the vendors their drivers/software are infected.
- Install Tweaking's Registry Backup. That's ALWAYS a good idea, no matter what. And especially because the malware deletes the restore points.
- Switch on Kaspersky and try to run a number of other WR repairs. (I know, some repairs will fail, but this is the best way to try to run WR). Or try WR in "Safe Mode".

Perhaps Shane has some better advice.
« Last Edit: September 27, 2013, 07:50:34 am by Willy2 »

Offline zionstrat

Re: I wish it had worked
« Reply #5 on: September 27, 2013, 08:42:45 am »
WR still crashes in safe mode after 5

But are you saying that I can run WR from Kaspersky rescue disk environment? If so, how? I can't figure out how to launch WR-

This seems like the best of both worlds to me... ie Kaspersky seems to be keeping the virus at bay, but unable to see it-

If WR could come in on top of it and get a chance to run, it sounds like a great opportunity!

Open to ideas!
ZS

Offline Willy2

Re: I wish it had worked
« Reply #6 on: September 27, 2013, 09:20:05 am »
Don't know how to proceed from here. Wait for Shane.

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: I wish it had worked
« Reply #7 on: September 27, 2013, 06:31:47 pm »
If the system is infected you don't want to run my Windows Repair till after it is cleaned.

Have you run combofix.exe yet on the system? That is pretty good at cleaning up things that others can't. :wink:
http://www.bleepingcomputer.com/download/combofix/

Shane

Offline jraju

  • Hero Member
  • *****
  • Join Date: Feb 2013
  • Posts: 2323
  • Location: india
  • Karma: 17
    • View Profile
Re: I wish it had worked
« Reply #8 on: September 27, 2013, 10:09:23 pm »
Hi, have you tried mbar.exe antirootkit or aswmbr.exe, which contains the cure for infection in the MBR? Have you attempted the boot scanning option in Avast? Naturally, the Avast boot scan will kill all the trojans, rootkits, etc. before Windows boots.
I have a doubt that your virus, if it is a virus, gets to your system from the infected restore points.
The MBR fix by reputed Avast will do no harm to your computer. It will prompt if you need cleaning of rootkits or fix MBR.
Once the problem is over, kindly delete all system restore points, which are the main source of infection.
Shane, I think, will approve my idea to you. I have quite a number of incurable diseases in my computer, which were set correct by the Avast boot scan, which is a boon to society by Avast.
The Bottom line is "Check your hardware first if it supports the task you try".

Offline zionstrat

Re: I wish it had worked
« Reply #9 on: September 28, 2013, 03:46:30 pm »
Started with mbar.exe antirootkit and aswmbr.exe- combo was one of the last we tried- Take a look at the thread I included- We literally tried 20 or more solutions.

Not sure anyone (including avast) suggested the boot scan with avast, but frankly we tried a week's worth of stuff and it was the Avast people who were the first to tell me it was time to give up-

I took it to the shop yesterday and they will either fix it or rebuild it-

Unfortunately, either way, I still appear to be exposed in the future-

Thanks for the feedback and best regards,
ZS

Offline Shane

Re: I wish it had worked
« Reply #10 on: September 30, 2013, 11:46:21 am »
That had to have been one hell of an infection if none of those scanners could clean it. Or the infection simply killed the system before it was removed.

A repair install might fix it up, do you still have the system? It is something you can do yourself without losing anything and before you pay a shop :wink:

Shane

Offline zionstrat

Re: I wish it had worked
« Reply #11 on: September 30, 2013, 12:59:19 pm »
Shane thanks for the input-
Yeah it's going to be expensive, but I have lost a whole week of work and have to get going one way or the other, so I took it in-

But thanks for the input and best regards!
ZS

Offline Willy2

Re: I wish it had worked
« Reply #12 on: October 03, 2013, 07:19:44 am »
If you got more trouble with your system again then I would fire up Kaspersky, grab the portable version of WR and run it. Just see if "something sticks".

Offline worcom

  • Newbie
  • *
  • Join Date: Oct 2013
  • Posts: 7
  • Karma: 0
    • View Profile
Re: I wish it had worked
« Reply #13 on: October 09, 2013, 01:03:59 am »
My own experience is that once a virus has infected a computer you can assume the antivirus software will not be working correctly.
The best way out (if you can) is to connect the infected drive to a second computer (I use a USB3 docking station)
and run the antivirus software from there; "do not click on the infected drive", just note the drive letter and run the software.
Once the antivirus has cleaned or OK'd the drive, put it back and reinstall the corrupted antivirus.
I have done this many times with complete success.

Offline zionstrat

Re: I wish it had worked
« Reply #14 on: October 09, 2013, 10:12:25 am »
Good suggestion- I wish someone had given me this idea at the time- I'm not really a techy-
Thanks for the future!