Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Possible Rootkit Infection?


  • This topic is locked This topic is locked

#46
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I must admit I am now considering a hardware/driver error

Are you still getting the alerts ?
  • 0

Advertisements


#47
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
No actually. In fact, all it took was to uninstall uTorrent and the attacks stopped. But I'm still getting BSOD's when I try to run any type of scan in normal mode (especially on the affected account) and not even chkdsk is working correctly...
  • 0

#48
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
No actually. In fact, all it took was to uninstall uTorrent and the attacks stopped. But I'm still getting BSOD's when I try to run any type of scan in normal mode (especially on the affected account) and not even chkdsk is working correctly...

However, I ran all those scans (ComboFix, SAS, ESET, etc.) when c: was dirty. After running chkdsk c: /f /x do you think the scans would work now?

Edited by rvold7871, 26 June 2011 - 11:13 AM.

  • 0

#49
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you try SAS first please
  • 0

#50
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
I tried running SAS but again, after a whole hour actually and after scanning most of the PC, it ended in a BSOD. Here is the message:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

KERNEL_DATA_INPAGE_ERROR

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000007A (0xE248B938, 0xC000000E, 0xBF91E66F, 0x144EE860)

*** win32k.sys - Address BF91E66F base at BF800000, DateStamp 4d6f95bd

Beginning dump of physical memory
__________________________________________________________________________________________________________________________________________________________

Now, before it BSOD'd, I managed to get the file names of some malware that SAS picked up:
Adware.Tracking Cookie x 4
Trojan.Agent/Gen-Bancos x 1

I know it's no log, but it's something finally. What do you think we should do now?
  • 0

#51
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
If there was any infection I believe Dr Web would have caught it, cookies are of no import.

I have a feeling we are looking at either RAM or overheating as being the root cause

If you have more than one RAM module installed, try starting computer with one RAM stick at a time.

NOTE Keep in mind, the manual check listed above is always superior to the software check, listed below. DO NOT proceed with memtest, if you can go with option A

B. If you have only one RAM stick installed...
...run memtest...

1. Download - Pre-Compiled Bootable ISO (.zip)
2. Unzip downloaded memtest86+-2.11.iso.zip file.
3. Inside, you'll find memtest86+-2.11.iso file.
4. Download, and install ImgBurn: http://www.imgburn.com/
5. Insert blank CD into your CD drive.
6. Open ImgBurn, and click on Write image file to disc
7. Click on Browse for a file... icon:

Posted Image

8. Locate memtest86+-2.11.iso file, and click Open button.
9. Click on ImgBurn green arrow to start burning bootable memtest86 CD:

Posted Image

10. Once the CD is created, boot from it, and memtest will automatically start to run. You may have to change the boot sequence in your BIOS to make it work right.

To change Boot Sequence in your BIOS

Reboot the system and at the first post screen (where it is counting up memory) start tapping the DEL button
This will enter you into the Bios\Cmos area.
Find the Advanced area and click Enter
Look for Boot Sequence or Boot Options and highlight that click Enter
Now highlight the first drive and follow the directions on the bottom of the screen on how to modify it and change it to CDrom.
Change the second drive to the C or Main Drive
Once that is done then click F10 to Save and Exit
You will prompted to enter Y to verify Save and Exit. Click Y and the system will now reboot with the new settings.


The running program will look something like this depending on the size and number of ram modules installed:


Posted Image

It's recommended to run 5-6 passes. Each pass contains very same 8 tests.

This will show the progress of the test. It can take a while. Be patient, or leave it running overnight.

Posted Image

The following image is the test results area:

Posted Image

The most important item here is the “errors” line. If you see ANY errors, even one, most likely, you have bad RAM.
  • 0

#52
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
It won't let me use the file you gave me. It comes up as an ActiveIso Burner type of file which apparently doesn't work with Imgburn. And I think you might be right about the overheating, the computer itself is a laptop and the fan is definitely not working.

Edited by rvold7871, 26 June 2011 - 04:05 PM.

  • 0

#53
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Just kidding. I got it to work :) and now we wait...
  • 0

#54
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
No errors were found. I let it run 5 passes and nothing came up. Finally, a bit of good news, right? :)
  • 0

#55
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
But more bad news on the way. I tried running Dr. Web again (full scan this time) and it crashed.
  • 0

Advertisements


#56
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
BREAKTHROUGH!!! So I decided to get a little creative...

I ran SAS but I only did a check on C:\System Volume Information (that's where the trojan was found), I found the trojan, and paused the scan before it could crash. I immediately quarantined it, rebooted, and ran a SAS full system scan. And guess what, it ran to completion and produced a log! Here is that log.

Attached Files


  • 0

#57
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
All SAS got was tracking cookies, and data in the system volume is generally inactive until you use system restore

Download Speedfan (The download link is to the right), and install it. Once it's installed, run the program and post here the information it shows.
The information I want you to post is the stuff that is circled in the example picture I have attached.
To make sure we are getting all the correct information it would help us if you were to attach a screenshot like the one below of your Speedfan results.

To do a screenshot please have click on your Print Screen on your keyboard.
  • It is normally the key above your number pad between the F12 key and the Scroll Lock key
  • Now go to Start and then to All Programs
  • Scroll to Accessories and then click on Paint
  • In the Empty White Area click and hold the CTRL key and then click the V
  • Go to the File option at the top and click on Save as
  • Save as file type JPEG and save it to your Desktop
  • Attach it to your next reply

Posted Image

Speedfan instructions posted with acknowledgment to rshaffer61
  • 0

#58
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
I'm hardly getting any data from that for some reason. It's just giving me two values as seen in the picture...?

HDQ 49 degrees C
Temp1 55 degrees C

Attached Thumbnails

  • untitled.JPG

  • 0

#59
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
And both are very red - you need to check all your vents for dust and it may be worth adding some form of additional ventilation for the laptop

Something like this to ensure a good airflow
  • 0

#60
rvold7871

rvold7871

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 153 posts
Ya. At my job there is a vent thing that it goes on; right now it's just sitting here on my desk in my room. The only problems we have now are that chkdsk won't run properly, and it doesn't boot the first time after restart; it gets stuck on the DELL welcome screen where you push F8 in order to get the advanced boot options. Would you like to see any other scans? Or is it time to clean-up?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP