Author Topic: Root kit or virus?  (Read 35349 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Root kit or virus?
« Reply #45 on: May 19, 2013, 03:41:08 PM »
Quote
I still cannot read USB jumpdrives when plugged into the USB ports plugged into the MB. When USB drives are plugged in they do not register in Win Explorer. I have a PCI card to provide 2 USB 3.0 ports and I can read USB sticks plugged into those ports.
Weird, I had some USB ports go on me yesterday, similar problem.

From device manager right click the USB ports and select uninstall.  Once they are all uninstalled then reboot and try again


Brian Bunney

  • Guest
Re: Root kit or virus?
« Reply #46 on: May 19, 2013, 03:55:51 PM »
Re the printer: sorry, I should have noted that the printer is a network printer and the status of device manager was taken with the affected computer removed from my network. That probably explains the alerts in device manager. Like I said, I wasn't too worried about that until I get the other more serious problems sorted out. Since the "event" I have not had other devices connected to the network at the same time that the affected computer is on the network. It is quite cumbersome.

I did try to uninstall some of the USB ports, but each time I select one my mouse and keyboard quit working. I then have to reboot and the USB port gets reinstalled. I have tried 2 different ports with the same result. The keyboard and mouse are wireless connected thru a USB KVM switch. My monitors connected thru the same switch continue to work??

I am stumped.

Offline essexboy

Re: Root kit or virus?
« Reply #47 on: May 19, 2013, 05:02:46 PM »
As the PCI usb ports are recognised I would hazard a guess that the motherboard ones are broken

And again as the CD drive is recognised then the CD reader may also be broken... How old is the computer?

Brian Bunney

  • Guest
Re: Root kit or virus?
« Reply #48 on: May 19, 2013, 06:39:43 PM »
The computer in its current state is about 1 year old. The MB is 2-3 years old; an ASUS P7P55D MB which isn't outdated. Computer is home built and most recent reconfig was about a year ago with addition of SSD system drive. The cd drive is an LG BDDVDRW which is not outdated or old. I don't believe the usb ports and cd drive failed at same time as the event that Avast logged and the same time that Avast was disabled. They quit working properly but it is not a hardware failed issue.

I have done some more investigation. I have tried some other USB media and the system can see the media in all ports but does not see any security or OS related tools such as AV software. For example it identifies a usb stick with Portable Apps OS as a stick with a single audio track on it but does not see the Portable App or folders under the app.

I tried removing/uninstalling a different usb port and again the kb and mouse quit working.

I dl'd and installed Kaspersky AV. After the install both IE 9 and Google Chrome could no longer access the internet. When I ran the AV it hung at 2% because it could not get an update I guess. When I uninstalled KAV, IE9 and Chrome both worked fine.

I am quite prepared to reformat C and install Windows 7 but don't know how I can do this if I can't read the CD. I need to know what has caused the cd drive to function the way it is and how to correct it.

I read part of a thread (on another forum) yesterday where a user had a similar problem and when he replaced the cd drive with 2 other known good cd drives he experienced the same issue. Unfortunately the thread quit before it reached a solution.

Offline essexboy

Re: Root kit or virus?
« Reply #49 on: May 19, 2013, 06:44:49 PM »
Hmm this is intriguing then as it would suggest that something is monitoring the output from the drives

Batch File

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own. 

  • Click on the Start button and in the search box, type Notepad and click on it
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad
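Code:

CD \
REM List every reparse point (junctions, symlinks) on the drive, recursively
DIR /S /A:L > "%USERPROFILE%\Desktop\JunctionPoints.txt"
REM Open the report from the Desktop, where it was written
START "" "%USERPROFILE%\Desktop\JunctionPoints.txt"
EXIT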

  • Go to File > Save As... and save it to your Desktop named fix.bat. Make sure you change the Save as type to All Files (*.*)
  • Locate fix.bat on your Desktop and right click then select Run as administrator
When this finishes scanning, it should open a file, JunctionPoints.txt, copy and paste this into your next post please. If it doesn't open, it can be found on your Desktop.
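One way to triage the resulting JunctionPoints.txt, as an added example that is not part of the original post: parse the `DIR /S /A:L` listing and report only the links that are absent from a listing taken on a known-clean machine. Comparing against a baseline goes beyond what the thread does; the two listings, the `Example` profile and the `D:\Staging\Cache` target are constructed, and the parser assumes English-locale output.

```python
import re

# Constructed samples of `DIR /S /A:L` output (English-locale Windows 7);
# neither is the JunctionPoints.txt attached in the thread.
BASELINE = r"""
 Directory of C:\

07/14/2009  01:08 AM    <JUNCTION>     Documents and Settings [C:\Users]

 Directory of C:\Users

07/14/2009  01:08 AM    <SYMLINKD>     All Users [C:\ProgramData]
07/14/2009  01:08 AM    <JUNCTION>     Default User [C:\Users\Default]
"""

# Listing from the machine under review; the last entry is a made-up anomaly.
REPORT = BASELINE + r"""
 Directory of C:\Users\Example\AppData\Local

05/18/2013  02:11 PM    <JUNCTION>     Cache [D:\Staging\Cache]
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
LINK_RE = re.compile(r"<(JUNCTION|SYMLINKD?)>\s+(.+?) \[(.*)\]\s*$")

def parse_links(text):
    """Return [(kind, full link path, target)] for every reparse point listed."""
    links, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).rstrip("\\")   # "C:\" -> "C:"
            continue
        m = LINK_RE.search(line)
        if m and current is not None:
            kind, name, target = m.groups()
            links.append((kind, current + "\\" + name, target))
    return links

def unexpected(report, baseline):
    """Links in report whose (path, target) pair is absent from the baseline."""
    known = {(p.lower(), t.lower()) for _, p, t in parse_links(baseline)}
    return [l for l in parse_links(report)
            if (l[1].lower(), l[2].lower()) not in known]

if __name__ == "__main__":
    for kind, path, target in unexpected(REPORT, BASELINE):
        print(f"{kind:9} {path} -> {target}")
```
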

Brian Bunney

  • Guest
Re: Root kit or virus?
« Reply #50 on: May 19, 2013, 09:49:12 PM »
Junctionpoints.txt is attached.

Additional info. I have VMware Player installed and it runs Windows XP as a VM. I can see additional information (U3 and Portableapps.com) on the usb sticks although both U3 and Portableapps.com do not appear to run. I am not sure if that is an XP thing or a symptom of my problem. I can see the cd/dvd drive however it will not read a Win 7 factory cd.

Offline essexboy

Re: Root kit or virus?
« Reply #51 on: May 19, 2013, 10:03:03 PM »
As it stands I can see no malware so I will do some more research

Brian Bunney

  • Guest
Re: Root kit or virus?
« Reply #52 on: May 22, 2013, 12:16:46 AM »
I have moved a CD/DVD-Rom from another system to the affected system. It allowed me to boot to a Windows 7 CD and I was able to reformat and re-install Windows 7.

After the re-install I was able to read media in the affected BDDVDRW drive and I was able to read USB sticks. I will now go about rebuilding the system with my programs.

I am very disappointed that although Avast IS recognized the scripts as potential threats, it did not block them and my system became infected with something unknown.

My concerns now are what code has been written to 2 hard drives other than the system drive and what code may have been written to other systems on my network (laptop, Win Server, wife's mac). So far numerous scans of the 2 hard drives have revealed no threats. Is there any way to be sure?

Also, the 3 usb sticks that I tried on the affected system may have become corrupt. When I tried one on my laptop Avast indicated the U3 and PortableApps.com programs would run in the sandbox. I immediately removed the usb stick and have set all 3 aside. Is there a process to sanitize these?


Offline essexboy

Re: Root kit or virus?
« Reply #53 on: May 22, 2013, 03:50:47 PM »
It is exceedingly rare where malware will jump drives; all I can think of is that the registry was changed in some obscure place to disable the CD/USB

Sanitise the USBs with this

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here:

Start > all programs > MCShield > logs > all scans

And post that

Brian Bunney

  • Guest
Re: Root kit or virus?
« Reply #54 on: May 23, 2013, 01:29:24 AM »
Yes, but a registry change does not explain why the cd-rom wasn't recognized at boot-up nor how it just seemed to block AV software and disk tools. That has me stumped.

I am away from home for a week but will post the mcshield logs once I return.

Offline essexboy

Re: Root kit or virus?
« Reply #55 on: May 23, 2013, 01:39:30 PM »
I must admit I can see no way the boot cd was changed as that data is held in BIOS and although I have heard of malware infecting the BIOS it is mostly proof of concept stuff rather than actual infections