
My HJT Log I have a Trojan ?


darkeyes


Hello darkeyes

 

Setting the machine to boot from an external device can be a little tricky.

 

My original instructions are somewhat generic as different machines have different procedures to accomplish the same thing.

 

Is this a HP machine?

 

Let's try this:

 

 

First, plug the USB stick into the infected machine, then restart the machine.

 

As soon as the machine has restarted, look for a message that will say something such as "Press the Escape key for startup menu".

 

As soon as you see this press the required key (You'll have to be quick).

 

You will be taken to the Startup Menu page.

 

In the menu there will be a number of options (F1, F9 etc). One of the options will be "Boot Options" - it may be F9.

 

Press the key that corresponds to Boot Options.

 

Look for the name of your USB drive in the Boot Options Menu.

 

If you see it, select it by using the up/down arrow keys and press Enter.

 

The machine should now boot from the USB drive.

 

At this point please continue with the instructions provided earlier.

 

 

If the above does not work for you, please let me know the exact make and model of your machine and we'll take it from there :)


Thank you, will give this a try. I shut the computer down last evening and after rebooting I opened the Google browser and saw the Mydomainadvisor again and was directed to a search page.

 

 

Adding...After doing the above, screen is showing this

 

0.024001 ... MP-BIOS bug: 8254 timer not connected to IO-APIC

0.041000 Kernel panic - not syncing: IO-APIC + timer doesn't work!

Boot with apic=debug and send a report. Then try booting with the "noapic" option.

0.41002 ... Loading /opt/media ... ready

 

 

 

 

this screen is staring at me...the light on the usb stick is slowly flashing so maybe it is doing something? How long should I wait and watch before maybe it's doing nothing? Thank you!

Edited by darkeyes

Hello darkeyes

 

Please do not edit your posts as I do not receive a notification when you have done so :)

 

After doing the above

Can you clarify a little for me here please.

 

At what point exactly does the error screen appear?

 

Do you see the error message after you have booted from the USB drive (but before the Welcome to xPUD screen appears), or does the error appear after you have run dumpit?


Hello darkeyes

 

Thank you for your patience.

 

The problem appears to be a bug with the bios.

 

I would like to check something before we continue.

 

Please restart the machine and press the escape key as you did before to access the boot menu.

 

Press the key that corresponds to Boot Options.

 

Once into the Boot Options Menu, please let me know if you see an option called "noapic".

 

DO NOT do anything with the noapic option just yet - we only need to confirm its presence or absence at this time.


Hi again JonTom.

I restarted the computer, used the ESC key, then I was asked to choose a language (English), then a blue box appeared and on it showed 4 choices, 2 of them being the USB stick, which I chose. I am getting the black page again with the same message as earlier.

 

0.024001 ... MP-BIOS bug: 8254 timer not connected to IO-APIC blah blah blah.......

 

I just tried it (rebooting) again and a very quick window appeared with xPUD ... please tell me what to do next. Thank you!


Hello darkeyes

 

Thank you for the extra information.

 

I just tried it (rebooting) again and a very quick window appeared with xPUD

Are you able to continue with the dumpit instructions after the xPUD screen appears? If you are able to carry on please do so.

 

 

If not, let's try this:

 

I restarted the computer, used the ESC key, then I was asked to choose a language (English), then a blue box appeared and on it showed 4 choices, 2 of them being the USB stick, which I chose. I am getting the black page again with the same message as earlier.

At the xPUD language selection screen (the first screen displayed) press the Tab button. A line will appear below showing the current boot options. Type noapic (it will be appended to the current options) then press Enter.

 

Once the above has been done attempt the steps required to run dumpit.

 

Let me know how you get on in your next reply and if you run into any problems just come back and let me know.

 

It's getting pretty late where I am, so I'm going to sign off for tonight. We will continue after I get some sleep :)


JonTom,

 

Thank you for sticking with me on my computer issues. I am going to give this another shot this evening and if I don't luck out I am going to call it a night too.

 

 

Ok I tried it a couple of times.......I think I missed doing something and I ended up with the error screen again. It is late here on the east coast so I too will call it a night. I may not be able to check back here until sometime Tuesday afternoon, but I will be back. Thank you again.


Hello darkeyes

 

Thank you again

No problem at all :)

 

I think I missed doing something and I ended up with the error screen again

Okay. Give it one more try when you have the time and if the same thing happens let me know (there are other ways to accomplish the same thing).

Jon Tom,

 

Just tried again and I ended up the same....not getting past that page....0.024001 ... MP-BIOS bug: 8254 timer not connected to IO-APIC blah blah blah.......

 

I have to be somewhere for awhile and will check back here later. Thank you!


Hello darkeyes

 

We have other options available to try. At the moment I am waiting to hear back from our xPUD expert.

 

I will get back to you as soon as we have a way forward.

 

Thank you for your patience.


Hello darkeyes

 

Let's see if we can get the MBR dump using another method.

 

The following procedure works best if you use a disk in conjunction with a USB drive. If you do not have the capacity to burn a disk (or if the infected machine does not have a disk reader) let me know.

 

 

 

 

We'll use a CD that we will make bootable. We also need a USB flashdrive that has some space on it. We will not be changing any of the data on the usb device just using it for a file.

 

  • Save these files to your Desktop

  • Open BurnCDCC and Extract All files to its own folder
  • Double Click BurnCDCC
  • Click Browse and navigate to the Puppy Linux ISO file you just downloaded
  • click on it and click Open
  • IMPORTANT: Adjust the speed bar to CD: 4x DVD: 1x
  • Click Start
  • Your CD Burner Tray will open automatically
  • Insert a blank CD and close the tray
  • Click OK
The CD should eject when finished.

 

You can save these instructions to a notepad file on your USB device. Once you have mounted the drives you should be able to view them by clicking on them.

 

Please note commands used with this tool are case sensitive and must be typed exactly as shown.

 

 

To use the CD

 

  • Insert the CD and restart the computer
  • When the computer first starts please press the key indicated on the screen to enter the bios or setup.
  • Make the necessary changes to make the CD first in the boot order
  • Save the changes and exit the bios/setup
  • Your computer will restart and boot from the Puppy Linux Live CD

  • Set your language, time, etc. preferences and continue
  • Click the Mount Icon located at the top left of your desktop (should be 3rd from the left top row)
  • A Window will open, click mount for each drive listed
  • if you have a USB Flash Drive connected it's usually automatically mounted upon boot, but click the "usbdrv" tab and make sure it is mounted.

In the lower left you will see some icons with a green light on them. Click on the one that represents your usb device.

  • right click on a blank space in the window that opens
  • highlight Window
  • Click Terminal here
  • in the window that opens type the following line and hit enter

     

    dd if=/dev/sda of=mbr.bin bs=512 count=1

     

    (note there is a space after dd and a space after sda and a space after bin and a space after 512)

  • After it has finished a file will be located on your USB drive named mbr.bin
  • click menu
  • highlight shutdown
  • click reboot
  • use the arrow key to select Do not save
  • hit enter
  • remove the CD before the computer restarts and allow the computer to boot

Please zip mbr.bin and attach it to your next reply.

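As an added example (not part of this thread, and not code from xPUD, Puppy Linux or any of the tools named above): a small Python checker for the mbr.bin file that the dd command above produces. It assumes a 512-byte dump of a classic MBR-partitioned disk (not GPT); the sample image it builds for the self-test is constructed, not a real disk. It validates the 0x55AA boot signature, decodes the four partition entries, flags obvious inconsistencies, and hashes the 446-byte bootstrap area so the dump can be compared against one taken from a known-clean machine with the same operating system.

```python
"""Sanity-check a 512-byte MBR dump (mbr.bin from: dd if=/dev/sda of=mbr.bin bs=512 count=1)."""
import hashlib
import struct
import sys

MBR_SIZE = 512
TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16             # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry; LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data: bytes) -> dict:
    """Return signature status, bootstrap hash, partitions and a list of warnings."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")

    bootstrap = data[:TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        entry = data[off:off + ENTRY_SIZE]
        if entry[4] == 0:   # partition type 0x00 marks an unused slot
            continue
        partitions.append(parse_entry(entry))

    signature_ok = data[510:512] == BOOT_SIGNATURE
    warnings = []
    if not signature_ok:
        warnings.append("missing 0x55AA boot signature")
    if not any(bootstrap):
        warnings.append("bootstrap area is all zero")
    active = [p for p in partitions if p["bootable"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} partitions flagged active (expected 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            warnings.append(f"partitions overlap at LBA {s2}")

    return {
        "signature_ok": signature_ok,
        # Compare this against a dump from a known-clean install of the same OS;
        # the hash alone does not say whether the code is malicious.
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": partitions,
        "warnings": warnings,
    }


def build_sample_mbr(signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed sample (not a real disk image): a stub bootstrap and one
    active NTFS-type (0x07) partition starting at LBA 63."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (TABLE_OFFSET - 8)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff",
                        63, 0x01000000)
    empty = b"\x00" * ENTRY_SIZE
    return bootstrap + entry + empty * 3 + signature


if __name__ == "__main__":
    # Usage: python3 mbr_check.py mbr.bin   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(blob)
    print("signature ok:", info["signature_ok"])
    print("bootstrap sha256:", info["bootstrap_sha256"])
    for p in info["partitions"]:
        print(f"  type=0x{p['type']:02x} active={p['bootable']} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    for w in info["warnings"]:
        print("WARNING:", w)
```

Run it on the dump before zipping it: a wrong file size means dd did not read a full sector, and a missing signature or an empty bootstrap area usually means the wrong device was dumped (a USB stick instead of the internal disk), which is worth knowing before sending the file off for analysis.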

Hi Jon Tom,

 

Thank you for this next set of instructions. Without going into personal details here, I am going to have to wait until Friday evening or Saturday to be able to give this a try. I am going to be having a medical test that requires a couple of days prep work so will be unable to continue with these test for now. I thank you for being here to help me and I will be back by this weekend in hopes that we can figure this out. Thank you again......and see you soon.

 

Carline


Hello darkeyes

 

Absolutely no problem at all.

 

I will leave your thread open and I'll be here when you get back. If you need any extra time just let me know (please feel free to send me a PM) :)

 

I hope everything goes well.

 

Best wishes

JonTom


Hello again Jon Tom.....I am back again to see if we can get my computer to behave itself again. I have asked my friend to come over and help me to carry out your latest instructions, I don't want to do them wrong :nono: Will hopefully get something posted here soon, so thank you again JonTom!

 

Carline


I made the CD and when it loads I am getting this error message...

 

Kernel panic - not syncing: IO-APIC + timer doesn't work! Boot with apic=debug and send a report. Then try booting with the 'noapic' option.

 

I am not sure how to boot with noapic ??

 

That's where it is at right now. Thank you.


Hello darkeyes

 

Well this is certainly causing us more than our fair share of problems :(

 

Without an MBR dump to analyse we are stuck.

 

Replacing an MBR without definite evidence of infection is not advisable.

 

Combofix and TDSSK are not removing the source of the redirects and there appears to be a number of potential issues with your system BIOS.

 

To be honest, the best course of action at this point (for a quick fix) would be to back up all of your important data and perform a reformat and reinstallation of your operating system.

 

If you do not have an installation disk you can contact the manufacturer of your machine and ask for one for a nominal fee.

 

I realise that recommending a reformat and reinstallation may not be what you wanted to hear, but it would be the best way to ensure that all infecting malware is completely removed from the machine.

 

If you require any assistance performing the procedure let me know and I can provide some additional information.

 

Best wishes

JonTom :)


Hi JonTom

 

I had a feeling this is how it was going to turn out, seeing as we couldn't get the programs to work correctly. What a bummer !!

 

I guess I have no choice now but to reinstall my system, I have the disk and will give it a try. If I run into any problems I will come back for some help. Thank you so much JonTom for all of your help. Wishing you and yours a Happy Holiday and a very Happy New Year!! :xmas_laugh:


Hello darkeyes

 

I have the disk and will give it a try

Please do make sure that you back up all of your data before the reinstallation (very important).

 

Thank you so much JonTom for all of your help

No problem at all darkeyes. I only wished that we could have resolved your problems without having to take this course of action, but given the circumstances, I do believe that it is the best course of action to take.

 

You may find the following information useful:

 

 

If you have a set of recovery disks or a recovery partition installed, the following links contain information about how to return your machine back to factory settings:

 

Lenovo Machines: http://www.pc.ibm.co...uerecovery.html

 

 

HP Machines: http://h10010.www1.h...c=us&dlc=en#N81

 

 

Information about performing a reformat and reinstallation can be found here.

 

 

Wishing you and yours a Happy Holiday and a very Happy New Year!!

And the same to you :)

 

Best wishes

JonTom


JonTom

 

Thank you!

 

I think I just made a bad mistake......I did not see your last reply to me and I went ahead and (with a friend) we did a complete reinstall of WIN XP using what looked like a brand new installation disk along with the product numbers that were on the back of the wrapper that my friend said they had found on Craigslist. Well, after reinstalling the XP, I felt I should do whatever Windows updates are needed when up pops a box from Microsoft with a message that "this copy" of Windows cannot be validated and the product key is not correct. So I think this disk is a possible fake?? Something felt a bit off from the very beginning and now I know why. So I am back to square one. I did search through all of my computer stuff and I did find a set of disks that I had ordered from HP directly a few years ago when I had a problem back then.

 

So JonTom, can I reinstall again over this "fake" copy with the one from HP? Thank you again!

 

Carline


Hello darkeyes

 

It sounds as though you have a set of HP recovery disks. Those disks should allow you to return the machine back to factory settings (exactly as it was when you first bought the machine).

 

As I mentioned before, make sure you have backed up all of your important data, then give those disks a try (instructions about how to use them to restore your machine can be found here: http://h10010.www1.h...=us&dlc=en#N415 scroll to the bottom of the page for the section on recovering using the recovery disks). You will also (most likely) have a recovery partition installed on your machine that can be invoked to perform the recovery if the disks should fail.

 

I am not sure if the "fake" disk issue will cause problems with the factory reset, but give it a try.

 

If you encounter any problems let me know and I can put you in touch with one of our trustworthy Tech Crews who will be able to provide you with some excellent support :)
