Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

win32.patched hn Trojan/rootkit + possibly others [Solved]

Started by kilkennycat , Jan 05 2012 07:02 AM

  • This topic is locked This topic is locked

#16
kilkennycat
Posted 11 January 2012 - 07:02 AM

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ok,

I am
just double checking that everything is backed up before proceeding.

The laptop belongs to my grandfather ( hence there being no AV and it getting infected somehow ! )

I will check to see if vista recovery was pre installed, but I don't recall seeing it on previous attempts to use safe mode.

It is a packard bell laptop which I believe came with one of those stupid recovery discs but no repair on either the recovery disc or the system ( what on earth were Microsoft thinking ? )

I will try to find his recovery disk as Im assuming if we cant repair we are looking at this stage at just reinstaling. But I have a horrible feeling he wont have a clue when I ask for the disks !

Thank you for all your help thus far.
  • 0

Advertisements

#17
Dakeyras
Posted 11 January 2012 - 07:30 AM

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

You're welcome and thanks for the update also...

In the event you cannot run a Startup repair merely proceed to the install a Anti-Virus instructions and we will go from there, thank you.
  • 0

#18
kilkennycat
Posted 11 January 2012 - 04:23 PM

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
success !

I discovered the repair option and ran as requested, it found no issues, so I went ahead and downloaded microsoft security essentials.

It installed without issue, but failed to turn on firewall returning and error.

Next I tried to update MSE but this also failed so I was unable to scan.

I rebooted into safe mode and tried twice more and finally managed to update and run scan which found and removed the following :

ame: TrojanDropper:Win32/Sirefef.B
ID: 2147628107
Severity: Severe
Category: Trojan Dropper
Path: file:_C:\Qoobox\Quarantine\C\Windows\System32\drivers\dfsc.sys.vir;file:_C:\Windows\system32\drivers\afd.sys.vir;file:_C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys


Name: Trojan:Win32/Sirefef.P
ID: 2147651154
Severity: Severe
Category: Trojan
Path: file:_C:\Qoobox\Quarantine\C\Windows\System32\c_51343.nl_.vir

Name: Virus:Win32/Patchload.O
ID: 2147646272
Severity: Severe
Category: Virus
Path: file:_C:\Qoobox\Quarantine\C\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe.vir

Name: Virus:Win32/Patchload.O
ID: 2147646272
Severity: Severe
Category: Virus
Path: file:_C:\Qoobox\Quarantine\C\Program Files\SUPERAntiSpyware\SASCORE.EXE.vir

Name: Virus:Win32/Patchload.O
ID: 2147646272
Severity: Severe
Category: Virus
Path: file:_C:\Qoobox\Quarantine\C\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe.vir

I rebooted into normal mode and MSE is running with live protection, I performed another scan which returned no errors or problems.

trying to access Windows defender now says " The specified service does not exist as an installed service "

and trying to turn on windows firewall = Due to an unidentified problem, windows cannot display windows firewall settings.

also there are still affected icons ( old exes ) the virus took over sitting on desktop that still will not allow me to delete or access ( rkill and OTL )
  • 0

#19
Dakeyras
Posted 12 January 2012 - 05:22 AM

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi,

I have bad news I'm afraid. :(

One or more of the identified infections is the extremely severe Zero Access Rootkit plus other comprising malware!

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine(anything I try may not be successful) but I can't guarantee that it will be at all secure afterwords and or stable.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.
  • 0

#20
kilkennycat
Posted 12 January 2012 - 05:59 AM

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi,

I completely agree !

Luckily the laptop wasn't used for any banking, and I have had it disconnected from the net ever since it came to me except to update MSE .

My grandfather has still had no luck in finding any disks, recovery or otherwise.

However there is a recovery option on pressing F8 and I have gone ahead and started that.

here are my next queries : given that the recovery discs must have been on a partition somewhere on the laptop is it really going to be safe now or could that recovery section have become infected ?

and ... how safe will the files I backed up be ?

as I was moving them over to the HDD I found it very strange that I was getting messages " These files contain properties that cannot be copied to the new location "

.
  • 0

#21
Dakeyras
Posted 12 January 2012 - 06:42 AM

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

here are my next queries : given that the recovery discs must have been on a partition somewhere on the laptop is it really going to be safe now or could that recovery section have become infected ?

Given that you have revoked the recovery via F8, that is actually a defacto reformat and reinstallation of the Windows Operating System and basically the machine will be as when first purchased/switched on etc. So the machine can be considered both safe and clean.

Though all Service Packs and Critical Updates will need re-installing via Windows Update afterwards etc. Then install a Anti-Virus application.

and ... how safe will the files I backed up be ?

as I was moving them over to the HDD I found it very strange that I was getting messages " These files contain properties that cannot be copied to the new location "

It may just be that they are both picture and music related, though to err on the side of caution connect the HDD but do not allow autorun and then scan it with both a Anti-Virus and say Malwarebytes' Anti-Malware

Though probably be a good idea to download and install Panda USB Vaccine on the machine you intend to scan the external HDD with before actually connecting it.

Next:

The below two topics are worth reading for future reference:-

What to do if your Computer is running slowly

And...

COMPUTER SECURITY - a short guide to staying safer online

Next:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

Any questions? Feel free to ask, if not stay safe(your Grandfather too)!
  • 0

#22
kilkennycat
Posted 12 January 2012 - 06:51 AM

kilkennycat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
You have been a great help.



I probably should have gone down the reformat route to start with, but at least I can say we tried , and I learnt a few more things along the way .

Just hope he learnt a lesson and will listen to my advice in future !

thank you again !
  • 0

#23
Dakeyras
Posted 12 January 2012 - 07:03 AM

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
You're most welcome! :)
  • 0

#24
Dakeyras
Posted 13 January 2012 - 07:20 AM

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP