Rootkit Corrupted OS. Can't Restore System/Repair/Backup.

by jinugy » October 27th, 2011, 10:48 pm

Here's my problem:

When I turned on my laptop yesterday morning, the screen was all black, like the system was hanging. So I decided to take out the batteries, put them back in, and turn the laptop on again (I do this every time it hangs--no problem whatsoever). Upon turning back on, a black screen with "Windows is loading files..." appeared. When it was done, a blue background picture appeared (which was not my wallpaper, but looked Microsoft-ish), and Startup Repair started. This must've been because of a suspicious EXE file I accidentally ran the night before =(

Startup Repair started checking my system for problems. After it was done, it said that Startup Repair cannot repair this computer automatically. Sending more information can help Microsoft create solutions: 1) Send; 2) Don't send. I didn't send it, 'cause I can't bloody well connect to the Internet. The problem event name was StartupRepairOffline.

HP's Recovery Manager then popped up. From there, I had three choices: 1) Microsoft system restore, 2) Run computer checkup (I could also run Command Prompt from here), and 3) File backup program. I tried restoring to just before the problems appeared, but it failed. Then I tried backing up, but it wouldn't allow me to click "Next" and proceed for certain file types like pictures & videos. I can only back up HTML files and file settings.

So I decided to run HijackThis from an external hard drive by opening Task Manager using Command Prompt. It ran and I saved the log (see below). But when I run DDS, the window suddenly closes. When I run GMER, a window popped up, saying that "GMER has found system modification, which might have been caused by rootkit activity. Do you want to fully scan your system?" I clicked no. Then after unchecking "IAT/EAT" and checking "C:\" & "Show all," the app ran for around a minute, then an error message popped up:

"The instruction at 0x0040c676 referenced memory at 0x88e83d2e, The memory could not be read. Click on OK to terminate the program."

When I ran GMER again, a BSOD appeared. PAGE_FAULT_IN_NONPAGED_AREA. Technical information:

*** STOP: 0x00000050 (0x996A4000, 0x00000000, 0x90c69114, 0x00000000)
jinugy
Active Member
 
Posts: 6
Joined: October 27th, 2011, 10:41 pm

HijackThis Log

by jinugy » October 27th, 2011, 10:50 pm

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:09:42 PM, on 10/27/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
X:\windows\System32\smss.exe
X:\windows\system32\csrss.exe
X:\windows\system32\wininit.exe
X:\windows\system32\csrss.exe
X:\windows\system32\services.exe
X:\windows\system32\lsass.exe
X:\windows\system32\lsm.exe
X:\windows\system32\winlogon.exe
X:\windows\system32\svchost.exe
X:\windows\system32\svchost.exe
X:\windows\System32\svchost.exe
X:\windows\system32\winpeshl.exe
X:\Windows\RM\Launcher.exe
X:\windows\system32\svchost.exe
X:\sources\recovery\recenv.exe
X:\sources\recovery\StartRep.exe
X:\windows\system32\svchost.exe
X:\windows\System32\svchost.exe
X:\windows\system32\svchost.exe
X:\Windows\RM\RecoveryMgr.exe
X:\Windows\System32\Cmd.exe
X:\windows\system32\conhost.exe
X:\windows\system32\taskmgr.exe
D:\Program Files\7-Zip\7zFM.exe
X:\Program Files\Smadav\SM?RTP.exe
D:\Program Files\IObit\Advanced SystemCare 4\ASC.exe
D:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
G:\Apps\Security\Anti-rootkit\HijackThis 2.0.5 (Beta)\HijackThis.exe
X:\windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O10 - Broken Internet access because of LSP provider 'x:\windows\system32\winrnr.dll' missing
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:

--
End of file - 2005 bytes

Please help T_T
jinugy

Re: Rootkit Corrupted OS. Can't Restore System/Repair/Backup

by NonSuch » October 28th, 2011, 2:36 am

You have replied to your own topic, and as a result we must close this topic.

May I draw your attention to THIS topic, which you should have read before posting for help.

THIS is the section that tells you why you should not reply to your own topic.

This topic will now be closed.

If you still require help, please open a new thread in the Malware Removal forum, post the DDS logs asked for in the first link I posted and wait for assistance.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

