Avast WEBforum
Other => Viruses and worms => Topic started by: stained on December 29, 2011, 12:21:14 AM
-
Avast just detected 41 root kits on full system scan, but was unable to remove them as Avast indicated they are password protected. How do I get rid of them? Help :)
-
ehhh.....password protected rootkits ::)
could you attach a screenshot of the scan result
-
Sorry, I misspoke; Avast unable to remove root kits indicating that they are in password protected archives. Will attempt to run another scan for screen shots. PC is now blocking Windows Updates access.
-
2nd Avast full system scan netted nothing detected. Windows Updates is no longer functional; have included log.
-
http://forum.avast.com/index.php?topic=53253.0
follow the above to link to the guide and attch the logs here i will notify a malware removal expert.
oldman notified.
-
Here are the requested logs.
-
Here is final log requested.
-
Sorry, I misspoke; Avast unable to remove root kits indicating that they are in password protected archives. Will attempt to run another scan for screen shots. PC is now blocking Windows Updates access.
When avast find files that are password protected, you usually get a message saying: could not scan (password protected archive)
and files that can not be scanned are just that....does not mean they are infected
that is why this was a bit strange to me if avast say that the password protected archives contain rootkit
so if you could attach a screen shot of the scan result ?
OBS: your Malwarebytes log is not readable....looks like chinese. you probaly saved it in wrong format
-
All logs were saved in ANSI format. My computer is out of control. I can't run any scans any more as it either kills the program or reboots itself. I have a back door trojan allowing someone complete control over my PC. I have had to reinstall AVAST and it is not detecting anything now. CPU usage is crazy whenever I try to run scans, use internet, or attempt to download programs. Even programs uploaded via flash drive fail to run. I was almost finished with Symantec Power Eraser (which is designed to deal with back door trojans), selecting from a checklist that it provided, those files that according to it were in need of deletion as well as safe to delete when it locked up and rebooted itself.
I am at my wits end with this. I need serious help. Is it possible to block the "other user's" access to my PC in some manner? HELP!!!!!
-
Can you get into safe mode and try another scan?
May need dr web cure it bootable cd
-
If it helps...
Read the instructions, download and burn (maybe from another computer), finally use one of this rescue CD's:
1. G Data BootCD (https://www.gdatasoftware.com/support/main-subjects/upgrade-service/download.html)
2. Dr. Web (http://www.freedrweb.com/livecd/?lng=en)
3. Avira (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html)
4. BitDefender (http://download.bitdefender.com/rescue_cd/)
5. Kaspersky (http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/)
6. F-Secure (http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/)
7. Vba32 Rescue (http://www.anti-virus.by/en/vba32rescue.shtml)
You can check also this comparison article (http://www.raymond.cc/blog/archives/2008/12/11/13-antivirus-rescue-cds-software-compared-in-search-for-the-best-rescue-disk/).
-
Thank you for the help!!! I will try all and let you know how it turns out :)
-
Thank you for the help!!! I will try all and let you know how it turns out :)
You're welcome. We'll be here to try to help ;)
-
could you attach a screenshot of the scan result
Can you do this as requested? A screen capture of the Avast log file that stated it found 41 rootkits.
-
since you now have attached the files requested in Essxboys guide, i recomend you now wait for Essexboys advice instead of testing every tool thrown in here
Essexboy likes to know whats in there before selecting the tool to use.....and not the other way around ;)
-
I can see nothing apparent in the logs that would cause the problems you are describing
Please download the following programmes to your desktop:
Dr Web Live CD (http://www.freedrweb.com/livecd/)
ImgBurn (http://www.filehippo.com/download_imgburn/)
Install IMGBurn
- Double click Dr Web
- IMGBurn will open
- Burn the ISO to a cd
- Reboot the infected computer with the CD in the drive
- Ensure that the first boot device is CD - If you are not sure about that then see this page (http://www.hiren.info/pages/bios-boot-cdrom) for instructions
- As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif)
- Use arrow keys to select DrWeb-LiveCD (Default)
- When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif)
- The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
- Once completed reboot to normal windows
- No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist
-
I found out what has infect my 2 pcs. It is a boot sector virus (Botnet type). Not sure which one though; hoping you can help me figure that part out, as well as how to remove it? I have included some logs and screen shots for analysis. Help please!!!!
P.S. The Trojan corrupted and disabled AVAST!!!!!
-
Here are MBRCheck log and Combo log as well. Also; I forgot that I loaded windows on my XPS 200 as well. It is quiet now, as before it was going crazy, so I am guessing that the Trojan perfers Windows 7 over Vista. :)
-
please use dr.web as specified by essexboy and post log please...
-
I am working on it right now. :)
-
Attached is the OTL log. Dr Web indicates there were 13 files with errors. No threats detected. No infected, malicious, or suspicious items. No threats neutralized. Scan duration=2hrs & 32 mins. And yes; the problem still persists. Windows 7 MBR unreachable, so system has no option but to Boot from sector that root kit resides in. :(
1. /lib/modules/2.6.30-drweb-6.0.0/build *Cannot get file attributes with error. No such file or directory. Contains error*
2. /lib/modules/2.6.30-drweb-6.0.0/source *Cannot get file attributes with error. No such file or directory. Contains error*
3. /win/D:/hiberfil.sys * File too large, skipped. Contains error*
4. /win/D:/pagefile.sys * File too large, skipped. Contains error*
5. /mnt/disk/sda2/ hiberfil.sys * File too large, skipped. Contains error*
6. /mnt/disk/sda2/ pagefile.sys * File too large, skipped. Contains error*
7. /mnt/module/.pivot/mn1/ module /.rootfs/opt/drweb/doc/livecd/default * File too large, skipped. Contains error*
8. /mnt/module/.pivot/mn1/ module /.rootfs/root/config/fpanel/default * File too large, skipped. Contains error*
9. /mnt/module/_white/dev/core * File too large, skipped. Contains error*
10. /mnt/module/_white/lib/modules/2.6.30-drweb-6.0.0/build * File too large, skipped. Contains error*
11. /mnt/module/_white/lib/modules/2.6.30-drweb-6.0.0/source * File too large, skipped. Contains error*
12. /lib64/modules/2.6.30-drweb-6.0.0/build * File too large, skipped. Contains error*
13. /lib64/modules/2.6.30-drweb-6.0.0/source * File too large, skipped. Contains error*
-
Bootmgr appears to be missing so we will see if we can find a spare
- Run OTL.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
bootmgr.*
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
THEN
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
-
Here you are sir. (I used an alias Windows 7 admin account) :)
Perhaps I should have used "Stained"?
-
OK I have found a spare- lets try that shall we
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
C:\bootmgr|C:\Windows\Boot\PCAT\bootmgr /replace
:Commands
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here is the requested log. ???
Am I incorrect; does not OTL produce 2 results logs? Shouldn't there be another called "Extras"??? If so, it failed to produce it. My apologies if I am incorrect here.
(P.S. I ran the scan 2 times.)
-
Well, the same old problems have returned in earnest (I was able to reinstall AVAST, but it cannot detect malware if it is hidden on an inaccessible section of the hard drive)(I ran a full system scan & boot scan & AVAST detected nothing.). At this point I am fairly certain that a root kit has created its own version of the MBR, is hidden, protected, and tricking the OS into loading from it, instead of the real MBR. I am contemplating the installation of Ubuntu OS to overwrite the hard drive, and then re-installing windows OS in the hope that this will overwrite the root kit code (In which ever boot sector it is residing.), and be rid of this problem (providing that it has not infected the BIOS as well). Or, somehow isolating the sector that the root kit is hiding in (Provided it can be located.) by creating a new boot partion with a real MBR, and positioning it so that the OS will boot from it instead(If this is feasible?). From what I have read online about the type of root kit/s I suspect to have infected my PCs, (TDL4, also known as TDSS, Alureon (Microsoft), Olmarik (ESET), or TidServ (Symantec), is a multi-component malware family used by botnet owners to steal information and generate revenue through ad clicks. Also see this link: http://www2.gmer.net/mbr/). they are extremely difficult to eradicate. These ideas may be unorthodox, impractical, or nonsensical, and yes I may be getting ahead of the process here, but sometimes it takes a bit of trickery to vanquish those nasty Trojans. What are your thoughts? ???
-
Try running all these 3 tools in safe mode[make sure u dont have a internet connection while running them] links below:
1.FixTDSS.
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe
2.Kaspersky virus removal tool.
http://www.kaspersky.com/antivirus-removal-tool?form=1
3.Bitdefender bootkit remover.
http://www.malwarecity.com/community/index.php?s=a40eb250f5d2a2b8894f2fde83cde93b&app=downloads&module=display§ion=download&do=confirm_download&hash=a0cdd22e04717c2dca571515d28aab8a
Hope this will fix it. ;) just try it.
-
Greetins,
true indian :)
I will run the tools as instructed and provide results. I am currently re-installing Vista OS. Be back soon.
Thank you!
-
Hello again,
Here are the results:
Kapersky tool result: no threats detected.
FixTDSS tool result: no threats detected.
Bitdefender tool error message: "Failed to intialize". (Tried to run it in safe mode with networking)
Any suggestions on how to get Bitdefender tool to run? I tried sneaking it in via flash drive, and naming it family pics. Perhaps the root kit identified it and stop it from running.
-
try in safe mode without networking.
rename it randomly and then try it...if this doesnt work see page 3
-
Read the instructions, download and burn (maybe from another computer), finally use one of this rescue CD's:
http://download.bitdefender.com/rescue_cd/
-
Here is a link for Bitdefender root kit removal tool for both 32bit & 64bit systems: http://www.malwarecity.com/blog/free-removal-tool-for-tdl4-available-now-1106.html
I was able to run Bitfender root kit removal tool on my 32bit system running vista, as well as my 64bit system; result "no threats detected" on either PC.
I was able to run FixTDSS result: Backdoor Tidserv has not been found on your computer.
I ran Kaspersky on 32bit system running Vista and attached the report. Odd items found.
-
did bitdefender tool run on the infected pc?
Reboot the computer and press F8 to get to the safe mode menu
Once there select recovery console
At the command prompt type :
FIXMBR
Accept the warning and then type Exit
tell me after this if same symtoms persist?
-
Recovery console is not one of the options on the "Advanced Boot Options" screen that appears after hitting F8.
The options are:
Safe Mode
Safe Mode with networking
Safe Mode with command prompt (Would this work?)
Enable Boot Logging
Last Known Good Configuration
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement
Start Windows Normally
I thought the only way to access the Recovery Counsel was by Booting up OS installation disk, and selecting "Repair your Computer". I am not trying to be flippant. I am just a little confused?
-
Boot from your windows installation CD,
When you reboot you will be presentes with a welcome screen . Click repair my computer
Select your operating system
Select Command prompt
At the command prompt type the following :
Bootrec.exe /FixMbr
-
Check out this link:
http://www.besttechie.net/forums/topic/12840-vistas-system-recovery-console/
-
try the above as i mentioned...
-
I did as instructed and this is the resulting error message: "FIXMBR" is not recognized as an internal or external command, operable program or batch file.
In Vista System Recovery Options I executed the command "Bcdedit" and I copied (By typing exactly what appears on the screen into notepad) and attached the result. Would please look at it?
I wondering if you were to look at yours and compare mine, if one could see an error, corruption, or root kit? Please be so kind as to check this out.
One item after "resumeobject" looks suspicious. I am going to compare my 2 PCs Windows Boot Manager settings. It would be most helpful to have other eyes on this. From this command window one can make major changes to the MBR. If you check the link in my last post, it lists commands.
You might find them intriguing.
Thank you so very much for your patience with me and all you are doing to help me with this!!!!!
-
At the command prompt type the following :
Bootrec.exe /FixMbr
did u notice the space between .exe and /
-
At the command prompt type the following :
Bootrec.exe /FixMbr
I have tried as instructed via the command prompt but still get the same error message. Are you perhaps running an earlier version of Vista? See below:
The Recovery Console in earlier versions of Windows has been removed in this version of Windows and replaced by several tools located in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If your computer manufacturer has preinstalled recovery options, the menu might also be installed on your hard disk. If your computer does not include the System Recovery Options menu, your computer manufacturer might have customized or replaced the tool. Check the information that came with your computer or go to the manufacturer's website.
If Windows doesn't start correctly, you can use these tools to repair startup problems, restore your system files to an earlier point in time, run tests on your computer's random access memory, and in some editions of Windows Vista, restore your entire computer and system files from backups. For more information, see What are the system recovery options in Windows Vista?
I am currently in Windows Vista Boot Configuration Data Store Editor via the command bcdedit /?. I checked a Microsoft technical support site for more information on commands in this particular environment. I found this command "bcdedit /?" is the "Help" command that lists a multitude of options for MBR configuration. I am going to see what I can find out by using the Commands that control the boot manager.
-
That command worked just fine. Only one problem; it is displaying a humongous amount of data! Is there anyway I can copy or screen print this for you??? Otherwise it will be a lot of typing; not saying I am not willing to do this for you, just hoping for a more efficient means of providing you this data.
-
lets see if i can first fix the windows updates problem..go to normal mode
1.Open Command Prompt by Start -> Run and type “cmd“
2.On the Command Prompt, type “net stop wuauserv“. This is done so that you will terminate the windows automatic update service to allow us to delete the cache files.
3.Still on the Command Prompt, type “cd /d %windir%” or “cd\windows“
4.Type “rd /s SoftwareDistribution“.
5.Thats it, the cache has been purged. Now we need to restart the windows automatic update service again. To do that, type “net start wuauserv“
-
If the command worked this time..how is the pc running now?
-
The command worked just fine. As for how the PC is running; let me see if it gives me any problems while I install AVAST.
-
did u try the fix i gave for windows updates in my previous post?
-
Yes; indeed I did. It corrected the problem with Windows Update. Thank you very much!
-
glad i could help! ;D
tell me if u are perfectly a subject to further problems and then i will give u tips on keeping u clean..
-
Well; here are some other problems:
I am still curious as to how my PC, on its own, managed to create a user account named "Other User" which appeared on the log on screen that was password protected, and at the same time changed my log on password and locked me out forcing me to do another re-install of Vista. Also, how is it possible that it blocked access to this site? I received an error message saying the server is too busy try again later. I kept trying but received that same message. Any other site was available. So out of curiosity I checked my IP configuration and found that it was altered, so I used Microsoft's Mr Fix It and was immediately able to access this site. This did not happen on only one occasion; it has happened 3 times on this site (Also happened 4 times with Bleeping Computer; which by the way I would not recommend, as the malware specialist wasn't, shall we say very special; so that experience was frustrating to say the least.) It was only by a very lucky accident that I found this site; I didn't know it existed. I was trying to trouble shoot AVAST and happened upon you.
Why do I keep getting a popup window error message when trying to download malware related software; stating that IE cannot complete the download and Explorer must close? (Both PCs) Why are my settings and administrator privileges being changed on their own; why do I find "Windows" folder, or other folders and files that are normally accessible locking me out stating "access denied"? (Both PCs) Even attempting to change permissions, or take ownership, I get "access denied",? (Both PCs)
Sorry; I don't mean to ramble on, but what ever this is that is affecting both of my PCs has never happened to me before. I have overcome other virus/malware infections many times, but this is the weirdest thing I have ever encountered. Right now the XPS 200 running Vista is whining, running very hard and loud. I have a Dell XPS 720 w/ Intel Quad core processor, 8GBs of high speed Ballistix ram running Windows 7, and a Dell XPS 200 w/ Intel Dual core processor, 3GBs of high speed Ballistix ram running Vista and for the life of me do not understand the CPU usage being so high on both of them along with all the other odd occurrences. So I do believe I will need your continued assistance with this until it is resolved.
Again; thank you very much for your help, and your patience! :)
-
Do the following:
- Click on the Start button and then choose Control Panel.
- Click on the System and Security link.
Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
- In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
- In the Administrative Tools window, double-click on the Computer Management icon.
- When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.
After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.
Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.
-
Here you go!
I ran Eset Online Scanner on both my PCs and this was found on both; Variant of Win32/Toolbar.Widgi found by Eset Online scanner.
It was quarantined and deleted on both PCs.
-
As we have what appears to be a download stop on two different PC's we may be looking at a router instead of a system problem here
Could you reset your router to default settings
There should be a hole at the back/side/bottom of the router marked reset
Inseide there is a button
Press that for 10 seconds and then release
-
I have a cable modem, but no router. I know, hard to believe, right? I think its time to buy one.
-
What are the current problems on the main computer ?
-
Why do I keep getting a popup window error message when trying to download malware related software; stating that IE cannot complete the download and Explorer must close? (Both PCs) Why are my settings and administrator privileges being changed on their own; why do I find "Windows" folder, or other folders and files that are normally accessible locking me out stating "access denied"? (Both PCs) Even attempting to change permissions, or take ownership, I get "access denied",? (Both PCs)
Sounds to me like your Win 7 permissions are screwed up. Normally running the MS "FixIT" utility should have corrected this.
Here is a link on how to reset permissions to default using secedit:http://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-to-restore-default-security-permissions/ab58f918-da72-42c0-ba71-161d52b73d46 (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-to-restore-default-security-permissions/ab58f918-da72-42c0-ba71-161d52b73d46). I assume you will have to open command prompt window as admin although the article doesn't state that. I have not run this fix so I cannot vouch for it. Don't do this until you get an OK from Essexboy.
-
I just ran ESET online scanner on my Dell XPS 720 and it has detected 11 threats.
Here is the Scan Results log:
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Windows\Temp\nsx575D.tmp Win32/PrcView application cleaned by deleting - quarantined
C:\Windows\Temp\37E7AD6E-BAB0-7891-812F-B16BC8CA4620\MyBabylonTB.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Windows\Temp\A0600933-BAB0-7891-A047-11BBDDFA753A\MyBabylonTB.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Windows\Temp\A294E332-BAB0-7891-B763-2F315D91A888\MyBabylonTB.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Windows\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe Win32/Toolbar.Babylon application deleted - quarantined
C:\Windows\Temp\ICReinstall\cnet2_mhotspot_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
Curious, I had run ESET previously, and at time it indicated 1 threat: "Variant of Win32/Toolbar.Widgi" (This was detected on both PCs) which it removed.
Also ran ESET online scanner on Dell XPS 200 and it found no threats. Currently attempting to install 69 updates on this machine; Wow, it succeeded! :)
I will be doing follow up scans.
As far as how the Main Computer is running; I would have to say it seems to be running a bit better. It is not quite up to snuff yet. Still sluggish, abnormally high CPU usage,
and AVAST logs showing unknowns (I will attach an AVAST Boot log (shows unknown processes) ran on Dell XPS 720, as well as Dell XPS 200 "BOOTSECT 1/1/2012" shows MBR missing? (You had just helped me create one.).
I wonder if this odd behavior could be caused by residual affects of a trojan/root kit, or if there is still a (Hidden) infection present
that is yet to be discovered? ??? Perhaps it will behave normally once all Vista updates, and service packs are installed. :)
-
the infection is complex to deal and it may be MBR infection so we have to wait until esseboy sees the logs angives further instructions....
-
Understood.
Here are screen shots of most recent AVAST Full System Scan on XPS 720.
It indicates that some files could not be scanned? I wonder if any of these could be malware???
-
click on start
click on documents'
top left click on downloads
empty it
the reason is why cozz many detected items are in your download folder...
NEXT
download ATF cleaner from here:
www.majorgeeks.com/ATF_Cleaner_d4949.html
open the ATF.cleaner.exe select all the given categories
click on empty/delete
thats it now those locked temp files should be killed and removed ;D scan again with avast and see if anymore files are locked in the scan.
attach the screenshots of the results.
-
I have emptied my "Download Folder" as instructed. :)
I downloaded ATF cleaner and ran it. Now running AVAST Full System Scan.
Will attach screen shots.
Thank you true indian :)
When I ran ATF cleaner on my Dell XPS 200 it indicated "Prefetch" (Disabled)??? Also, ATF indicates that "No files were removed"?????
How do I re enable Prefetch???
(I am currently downloading Vista SP2 on Dell XPS 200; will run AVAST when done and post screen shots for it as well)
-
ok download and run ATF Cleaner as i said in the previous post and then do a scan again with avast and attach screenshots...
-
thats not a problem if it is disabled....
i am happy that my windows update fix worked... :)
-
I have Advanced System Care Free on my PCs for cleaning registry, temp files.. etc.. It indicates that my Vista system condition is "Poor", so am running Deep Care.
Vista SP2 successfully installed thanks to you true indian!!!! :)
-
I have Advanced System Care Free on my PCs for cleaning registry, temp files.. etc.. It indicates that my Vista system condition is "Poor", so am running Deep Care.
Vista SP2 successfully installed thanks to you true indian!!!! :)
No problem! ;D i am glad i could help u!
-
so how is the system running now?
-
I was running harder still, and now I know why. I am currently on my Dell XPS 720 in safe mode with networking. I shut down my Dell XPS 200 Vista OS PC and am installing Linux OS "Ubuntu" so that it cannot be used by the Bot Net anymore. I have to find out how to remove the Bot Net Back Door Trojan Root Kit that it is infected with. I took screen shots of my Web Browser (Mozilla) advanced settings, as well as Task Manager processes. The web browser shot shows International Settings that do not belong there. Processes shows International Settings and Restricted Settings that do not belong there. I am having one slight problem; I cannot upload the screen shots as they are too large. You see I had to download them from the Dell XPS 200 PC onto a flash drive and save them to my Dell XPS 720 PC. Those who have remote access are messing with me when I am in normal mode and preventing me from shrinking the screen shots to a size that is up-loadable. Sounds crazy I know, but it's true, and when you see the shots you will be a believer too. Any suggestions on how to upload the screen shots, or is it possible to post them directly into the post? Help!!!
I just had an idea, as soon as Ubuntu is loaded and I familiarize myself with it, I should be able to post those shots for you. :)
-
download the following programmes to your desktop:
Dr Web Live CD
http://www.freedrweb.com/livecd/
ImgBurn
http://www.filehippo.com/download_imgburn/
Install IMGBurn
Double click Dr Web
IMGBurn will open
Burn the ISO to a cd
Reboot the infected computer with the CD in the drive
Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
Use arrow keys to select DrWeb-LiveCD (Default)
When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
Once completed reboot to normal windows
-
Okay, I'm back. I am currently out of CD-Rs so cannot do anything involving CDs until I pick some up. So will have to wait on that for now.
I am on the XPS 200 using Linux OS and it is quiet as a mouse. It's wonderful!!!!!!!!!! :)
-
then just scan in safe mode with dr.web:
download for free from here:
http://www.freedrweb.com/cureit/?lng=en
-
Problem confirmed by certified computer technican. Verified Bot Net Stealth MBR back door root kit; allows remote user/s full access to PC/s. Probable TDL4 or variant. Non removable. Hard Disks cannot be disinfected by any current known means. Possible new antivirus software currently in development to be deployed in 6 months to 1 year will be able to remove. I have pulled both infected hard drives and replaced them. Both PCs running completely normally now. Google Bot Nets, TDL4, or stealth MBR root kits for more information, and pray you do not become infected by one. Thank you india and essexboy for your assistance!
-
Probable TDL4 or variant. Non removable. Hard Disks cannot be disinfected by any current known means.
I dont agree...i have disinfected at least 12 PCs having this botnet using DR.web cureit!,kaspersky rescue disk,norton bootable tool.
-
I dont agree...i have disinfected at least 12 PCs having this botnet using DR.web cureit!,kaspersky rescue disk,norton bootable tool.
[/quote]
Well, I suppose there is no harm in trying DR.web cureit.
I will try it and let you know what happens. :)
-
I am sure essexboy would want to assist u with this...
anyway There should be a way out with this...i dont give it that deep its indestructable...I PMes essex and informed on this hope he joins this topic soon..
-
Okay,
I tried all of these: DR.web cureit!,kaspersky rescue disk,norton bootable tool.
All negative; no threats detected.
The last time I was online with you (couple days ago), "they" cut me off from this website completely. I kept resetting IP configurations (which requires a reboot) and they kept blocking, so I had no way of communicating with you until now.
-
The stealth TDL is removable..
We need to run the latest copy of this programme
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
-
thanks for joining essexboy! ;D
@stained please do this too..
1.Download the latest version of GMER from here:
http://www.gmer.net/
2.Open GMER.It will begin to do its scan allow the scan to complete and then click on save log button.Attach the log here on next reply it will be helpful to essexboy to have a look on it.
(http://www2.gmer.net/gmer.jpg)
-
The avast anti-rootkit scan and the aswMBR tool are based on the GMER anti-rootkit tool and aswMBR.exe is made by the same person who works for avast!
So I rather doubt that essexboy will require GMER to be run, as a general observation he hasn't in the past other than an exceptional case not routine measure.
-
Sorry David actually we and essex had a chat over PM for this TDL4 infection and essex mentioned that GMER has realeased a newer version for it so since i saw that essex has ran it before i was sure it would be good idea to give a idea of the hidden infection...sorry again! :-[
-
You can give this a try: http://www.malwarecity.com/community/index.php?app=downloads&showfile=48 (http://www.malwarecity.com/community/index.php?app=downloads&showfile=48)
It's a new botkit scanner from BitDefender. It ran less than a minute on my PC.
-
Thank you Don,
I will give it a try! :)
-
that tool has alerdy been tried see the previous pages :P...
can u attach the latest aswmbr and gmer logs...see previous page we have their latest version which is fully effective in removing them..
can u download and run the latest version...
attach the logs.
-
I have pulled both infected hard drives and replaced them. Both PCs running completely normally now. Google Bot Nets, TDL4, or stealth MBR root kits for more information, and pray you do not become infected by one. Thank you india and essexboy for your assistance!
It appears to me "we are beating a dead horse" here trying to clean up your old drives.
You can still use those old drives as additional storage once they have been wiped with at least a DoD level disk wipe utility. You don't want to do that with those infected drives installed along side your new drives. I do this by creating a bootable CD with USB access and a disk wipe utility. I then connect the infected drive externally using a IDE/SATA to USB adapter and run the wipe utility from the CD.