Topic: WIN32:Carberp-FN found in pagefile.sys by BART CD 3

killerkilgore
WIN32:Carberp-FN found in pagefile.sys by BART CD 3
« on: December 06, 2011, 12:04:17 AM »
Hi all and need help,

System - ACER netbook. It has 2 partitions: one is the recovery and one is the OS, which is Windows XP SP3 with all the updates. The recovery partition has a partition type of 12 and the OS has a type of 07. To activate the recovery you hit ALT-F10 at startup.

OK, I ran the BART CD 3 beta on said system and found that the pagefile.sys was infected with the WIN32:Carberp-FN Trojan. So I did the following with the help of BART CD 3:

1. Used the file shredder to overwrite the pagefile.sys.
2. Cleaned all the junk files. Also deleted the contents of the restore directory.
3. Cleaned the registry.
4. Ran the check disk.
5. Ran the clean-the-disk-space part of the file shredder.
6. Shut down.
7. Removed the boot disk and rebooted.
8. Updated avast v6 free edition.
9. Updated and ran ccleaner and malwarebytes; removed the items they found.
10. Rebooted.
11. Used the disk cleanup in Windows.
12. Shut down and booted the BART CD again.
13. Still found the pagefile was infected. Just deleted it.
14. Rebooted with the CD; also had a thumbnail drive attached which contained PTEDIT32.
15. Used PTEDIT32 to change the partition type of the recovery partition to type 0B.
16. Rebooted with BART CD.
17. Now BART CD can see both partitions (drives).
18. Removed junk files on C: and deleted the restore directory again.
19. Ran disk checker on both D: and C: (D = recovery, C = Windows).
20. Ran the shredder free space cleaner on both D: and C: (D = recovery, C = Windows).
21. Rebooted, and Windows converted the recovery partition back to a type 12 (can't get to it from Windows).
22. Updated and ran a complete scan with avast 6 free.
23. Rebooted with BART CD 3.
24. The SOB pagefile was infected again with WIN32:Carberp-FN.
25. Give up and ask forum members for some help.

thanks in advance

KillerKilgore
« Last Edit: December 06, 2011, 12:38:45 AM by killerkilgore »

killerkilgore
Re: WIN32:Carberp-FN found in pagefile.sys by BART CD 3
« Reply #1 on: December 06, 2011, 12:44:10 AM »
Should this be in the "viruses and worms" section?
If so, could an admin move it there?

thanks
killerkilgore

killerkilgore
RESOLVED!! WIN32:Carberp-FN found in pagefile.sys by BART CD 3
« Reply #2 on: December 07, 2011, 03:55:28 PM »
Well, I seem to have resolved the problem. Steps below:

1. Moved pagefile to C:\temp directory and rescanned with BART CD.
2. Still infected.
3. Removed junk files.
4. Manually removed temp files, cookies, and history from C:\Documents and Settings\[user]\Local Settings\[dir]
   where [user] = all users on the machine, for example admin, all users, owner, etc.
   where [dir] = temp file, cookies, history, temp internet files, etc.
5. Deleted system restore directory.
6. Deleted recycle bin.
7. Cleaned registry.
8. Shredded C:\temp and C:\Windows\Temp with DOD pass.
9. Cleaned free space.
10. Removed junk files.
11. Cleaned registry.
12. Cleaned free space.
13. Rebooted into Windows and updated the AV program.
14. Copied pagefile to C:\temp directory and rescanned with BART CD.
15. It was CLEAN.
16. In the process of shredding C:\temp and C:\Windows\Temp with DOD pass just to be safe.
17. Drink a little drink, smoke a little smoke.

KillerKilgore