TRO/ROOT KIT?



#121
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
If a boot CD runs on one PC and not on another identical PC and the BIOS settings are the same then it certainly sounds like hardware. Perhaps you got a bad batch of motherboards?



Got another CD for you to burn.

Ultimate boot cd.

http://www.ultimatebootcd.com/

It has lots of tests on it for memory, cpu, hard drive etc. Perhaps you can find what is wrong with it using that. Would like to see if it works on both PCs. Do burn it to a CD. Don't try to use a USB drive.
  • 0


#122
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, thanks again. Neither Ult... nor Hir... will boot. Since it passes all tests and boots all other bootable disks, I think it is just that Hir... and Ult... are possibly outdated and do not work with the latest Sata 3 disks. I also realize that these ???viruses??? are sneaky. I scanned with Com... and it quarantined "FLASH" on an attached data disk, however, I realized it had already installed on the boot drive and this was before attaching to the net.
Wondering what is the best way to stop this install behavior and to stop Trojans and viruses that are confirmed by databases that are over 6 mo apart and virus total from lodging inside of pagefile.sys, so they are only found on a boot disk scan?
Good news is after all kill disks and removal of all from data disks, I got a clean load of Win with no Trojan or virus in the pagefile so far. Unfortunately, PNG files still do not open in photo viewer on any computer running Win. Hoping to get more than a few weeks on this load of Win, before it self destructs. Com... still is crashing at its same rate and Kas... and Avast still turn themselves off, but I am hoping.
  • 0

#123
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP

Since it passes all tests and boots all other bootable disks, I think it is just that Hir... and Ult... are possibly outdated and do not work with the latest Sata 3 disks.


Could be.

I just had a hard drive fail on my Vista. Booted off Hiren's and was able to get to the selection menu but the miniXP didn't work. Assumed it was because the hard drive was dead. Will have to go back and see if it works with the new hard drive.

Com... still is crashing at its same rate and Kas... and Avast still turn themselves off, but I am hoping.

I hope you are not trying to run two or more anti-viruses at the same time. They fight each other and slow the PC down and don't work nearly as well as a single anti-virus.

All I can say to keep your load clean is keep it up to date and make sure the firewall is tight. Be careful about USB drives.
  • 0

#124
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, thanks again. No, I never run 2 A/V at the same time and since Win crashes and burns so often, I never have to use the erase A/V programs. I just Kill disk and start a new A/V, but only watch as it also turns itself off and loads the computer with Trojans/viruses until Win fails again. Usually takes only weeks for the process to unfold. In my testing, Com... looks like the tightest firewall, but I wish they would fix it so it stopped giving the "Unknown" bug crash at the rate of 2 times a week. This has been going on now for more than 6 mo and despite all the requests to fix it, it is still crashing at the same rate on any and all computers running Win/64. (Also wish they would fix it so it does stop turning its own protection off, that I constantly have to re-enable.)
I isolate all computers, but need USB to load A/V etc. What do you need to happen to make sure the USB is safe? I also use USB to do backup of the data disks. USB 3.0 is finally at a rate that makes them useful. Also the new Sata 3 are finally able to do the about 40 G scan of Mal... in about 2-3 minutes +. Great when you have to scan multiple times a day to find/remove Trojans/viruses from multiple computers.
  • 0

#125
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
On a clean system, with a new USB drive create folders called autorun.inf and desktop.ini on the root (\) of the USB drive.

That will keep malware from installing in the two most common locations on the USB drive.

The default on Win 7 is not to run autorun.inf files that it finds on USB drives so that threat is not as bad as it was. As far as I know though you can still get infected by a bad desktop.ini file if you look at the USB drive with Explorer. Best to look at them first with Command Prompt and delete any autorun.inf and desktop.ini files (and create the two folders) before you look at them with Explorer.

Ron
  • 0
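Ron's USB preparation above, as an added example that is not part of the thread: the same three steps (list the root without Explorer, delete any autorun.inf / desktop.ini file, put a folder of each name in its place) scripted with Python's standard library so it can be run against several sticks in a row. At the Command Prompt the equivalent by hand is `dir /a E:\`, `attrib -r -s -h`, `del` and `mkdir`. The drive root is an assumption; the script takes it as its first argument.

```python
"""Added example (not from the thread): the USB-root preparation Ron describes,
scripted with Python's standard library. Assumptions (hypothetical): the stick
is already mounted and its root is passed on the command line, e.g. E:\\ on
Windows or /media/usb on Linux."""
import os
import stat
import sys
from pathlib import Path

# The two file names the post says removable-media malware drops at the root.
GUARD_NAMES = ("autorun.inf", "desktop.ini")


def list_root(root):
    """'Look at it with the Command Prompt first': return every root entry,
    hidden/system ones included, as (name, is_directory). No shell handlers,
    no icons, no desktop.ini processing, just names."""
    return sorted((p.name, p.is_dir()) for p in Path(root).iterdir())


def prepare_usb_root(root):
    """Delete any autorun.inf / desktop.ini *file* at the root and put an empty
    *directory* of the same name in its place. Returns a report so the caller
    can see exactly what was changed."""
    root = Path(root)
    if not root.is_dir():
        raise FileNotFoundError(f"drive root not found: {root}")

    report = {"deleted": [], "created": [], "already_guarded": []}
    for name in GUARD_NAMES:
        target = root / name
        if target.is_dir():
            # A placeholder folder is already there; nothing to do.
            report["already_guarded"].append(name)
            continue
        if target.exists():
            # Droppers usually mark these hidden+system+read-only. Hidden and
            # system do not block deletion, but read-only does, so clear it.
            os.chmod(target, stat.S_IWRITE)
            target.unlink()
            report["deleted"].append(name)
        # With a directory holding the name, a later attempt to create a file
        # called autorun.inf (any case, on Windows file systems) fails.
        target.mkdir()
        report["created"].append(name)
    return report


if __name__ == "__main__":
    drive = sys.argv[1] if len(sys.argv) > 1 else "."
    for entry, is_dir in list_root(drive):
        print(("[DIR] " if is_dir else "      ") + entry)
    print(prepare_usb_root(drive))
```

Run it as `python usbprep.py E:\` on a clean machine before the stick is opened in Explorer. One limit worth knowing: the placeholder folder only defeats a dropper that blindly tries to create a file of that name; malware already running with write access to the drive can remove the folder first, and the trick does nothing about infected files elsewhere on the stick, which still need a scan.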

#126
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Thanks for the USB info. Ron, is there any way to stop all the popup "Do you want to let the Unknown program that is unsigned that has been downloaded from the internet to take complete control of the computer"? I try to never download anything from the internet, but it looks like Win does it automatically. Can this be stopped any way? Just takes a day or 2 after connect to the net that this starts. Also the "Win" trusted installer wants to install "unknown" programs downloaded from the internet. Anyway to stop all these interrupting popups?
Avast just stopped working on real-time scanning again and I noticed that it immediately flagged suspicious behavior of one of MBAM anti-malware files. I never knew that MBAM was active unless I used it to do a manual scan. How do I stop this behavior?

If I have data on the USB, is there any problem, if I delete the 2 above mentioned files on the command prompt?

Edited by DAV2, 04 February 2012 - 12:24 PM.

  • 0

#127
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
MBAM installs a driver so it is always active. You need to uninstall it to keep it from running.

Is that the exact wording of the popups?
  • 0

#128
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Not exact. I should have it memorized by now, since it has happened so frequently, but I do not. It does say Unknown program and it does say unsigned and it does say from the internet, (or from a file on the computer that has been downloaded from the internet.), but how it says it exactly, I forget.
I do not know why MBAM should have a driver to keep it active unless I use it. In any case was just wanting to know why it was flagged on the behavior scan right after Avast real-time scanning was re-enabled. I wish they would design Avast and all the other A/V not to automatically turn off themselves and not to mention it. I usually catch it on boot or after a crash, when I inspect the computer for functioning A/V, but I really cannot be watching every computer all the time to see exactly when they turn themselves off.

If I have data on the USB, is there any problem, if I delete the 2 above mentioned files on the command prompt?

Edited by DAV2, 04 February 2012 - 12:44 PM.

  • 0

#129
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Once the two files are deleted then it should be safe to run an a-v scan of the contents.
  • 0

#130
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, thanks. I will do the USB.

It only took a few days running Kas... and Com... (firewall only) to get a different Trojan.


;******
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\Kaspersky Rescue Disk 10.0\kavrescue_sysinfo_2012_01_28.13_39_43.tgz\kavrescue_sysinfo_2012_01_28.13_39_43.tar ERROR: The file is a decompression bomb.
D:\pagefile.sys INFECTED: Win32:FakeVimes-B [Trj]
;--------------------------
;Files: 35777
;Folders: 3277
;Files size: 19162787222
;Infected files: 1
;--------------------------
;USER CANCEL SCAN
;******
;Scan footer
;Scan completed with return code: 0
;******


;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
D:\pagefile.sys DELETE OK 1 0

;******
;Command footer
;******

What do you think I should do?
  • 0


#131
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
This one:

D:\Kaspersky Rescue Disk 10.0\kavrescue_sysinfo_2012_01_28.13_39_43.tgz\kavrescue_sysinfo_2012_01_28.13_39_43.tar ERROR: The file is a decompression bomb.

is obviously a false positive.

Hard to say what the other one is. Could also be a false positive. Is Kaspersky still running happily?
  • 0
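The Avast report pasted two posts up, and Ron's point that one of its two lines is not a detection at all, as an added example that is not from the thread or from Avast: a small Python parser for that report layout (`;`-prefixed header/footer lines, then one `path<TAB>status` line per file) plus a triage step that separates scanner errors, hits inside memory-backed files such as pagefile.sys, and real on-disk detections. SAMPLE_REPORT is constructed for this example in the same layout; its paths and the extra detection are invented.

```python
"""Added example (not from the thread): parse and triage an Avast scan report
of the kind pasted above. SAMPLE_REPORT is constructed for this example in the
same layout (';' header/footer lines, then one 'path<TAB>status' line per
file); the paths and the second detection are made up, not real results."""
import re

SAMPLE_REPORT = (
    ";******\n"
    ";Scan header\n"
    ";VPS file version: May 31, 2011 - [110531-0]\n"
    ";Params: C:\\ D:\\ X:\\ Scan: Full files, All files, Ignore targeting, Archive: All packers,\n"
    ";Columns: File name TAB Status [OK,INFECTED,ERROR]\n"
    ";******\n"
    "D:\\rescue\\sysinfo.tgz\\sysinfo.tar\tERROR: The file is a decompression bomb.\n"
    "D:\\pagefile.sys\tINFECTED: Win32:FakeVimes-B [Trj]\n"
    "C:\\Users\\me\\Downloads\\setup.exe\tINFECTED: Win32:Example-A [Trj]\n"
    "C:\\Windows\\notepad.exe\tOK\n"
    ";--------------------------\n"
    ";Files: 35777\n"
    ";Infected files: 2\n"
    ";--------------------------\n"
)

# Files holding paged-out memory (pagefile.sys) or a RAM image (hiberfil.sys).
# A signature hit inside one of them means those bytes sat in memory at some
# point; it does not identify a program on disk. Windows rebuilds both, so a
# hit there is wiped by deleting the file offline (as the report's DELETE did)
# and only means something if it comes back after a reboot.
VOLATILE_NAMES = {"pagefile.sys", "hiberfil.sys"}

# path, whitespace (a tab in the real report, spaces once pasted into a forum),
# then the status word, optionally followed by ': detail'.
LINE_RE = re.compile(
    r"^(?P<path>.+?)[\t ]+(?P<status>OK|INFECTED|ERROR)(?::\s*(?P<detail>.*))?$"
)


def parse_report(text):
    """Return (findings, meta). findings: one dict per file line with path,
    status and detail. meta: the ';Key: value' header/footer fields."""
    findings, meta = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith(";"):
            body = line[1:]
            if ":" in body and not body.startswith(("*", "-")):
                key, _, value = body.partition(":")
                meta[key.strip()] = value.strip()
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Keep anything unexpected visible rather than silently dropping it.
            findings.append({"path": line, "status": "UNPARSED", "detail": ""})
            continue
        findings.append({"path": m["path"], "status": m["status"],
                         "detail": m["detail"] or ""})
    return findings, meta


def triage(findings):
    """Sort findings into three buckets: real on-disk detections to quarantine
    or submit, hits in volatile memory-backed files to re-check after a
    reboot, and scanner errors (an archive the scanner refused to unpack is
    not a detection, however alarming 'decompression bomb' sounds)."""
    buckets = {"on_disk": [], "volatile": [], "scan_errors": []}
    for f in findings:
        basename = f["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if f["status"] == "ERROR":
            buckets["scan_errors"].append(f)
        elif f["status"] == "INFECTED":
            key = "volatile" if basename in VOLATILE_NAMES else "on_disk"
            buckets[key].append(f)
    return buckets


if __name__ == "__main__":
    found, info = parse_report(SAMPLE_REPORT)
    print(f"signatures: {info.get('VPS file version')}, "
          f"reported infected: {info.get('Infected files')}")
    for bucket, items in triage(found).items():
        for f in items:
            print(f"{bucket:12} {f['path']}  {f['status']}: {f['detail']}")
```

Point `parse_report` at a saved report instead of SAMPLE_REPORT to triage a real one. The volatile bucket is the answer to the earlier question about pagefile.sys: a match inside the pagefile says only that the signature bytes were in memory at some time, with no record of which process owned them, so it cannot be confirmed the way an executable can; delete it offline as the report did, reboot, and treat it as real only if a fresh scan finds the same thing again or finds the dropper on disk.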

#132
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Happy? Kas... has turned itself off at times and Com... has crashed and changed its security settings. Is that happy? I deleted the Pagefile and had Win do the same, however it has been my experience that they simply return. As far as false positive, remember that with the last 3, they showed exact results with different data bases months apart and when I shrunk the pagefile small enough, it ran positive on virus total. Does that suggest false positive? Also it is the same Trojan on different computers. Is this a Trojan/virus flavor of the week that is running? It is also the same data base scanner that is showing the different Trojans/viruses and then being confirmed with updated databases and on different computers. All simply a false positive??? How can I be so lucky to start with a false positive and all the "Unknown" programs that want to install on all the different computers every time I connect to the internet, then watch Win slowly become more and more dysfunctional, until like just recently, require a complete reload on more than 1 computer for different reasons? (PNG FILES WENT BACK FROM READABLE TO UN-READABLE ON ALL WIN/64 COMPUTERS) (Just lucky me.)

Edited by DAV2, 04 February 2012 - 06:57 PM.

  • 0

#133
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Next time you get a popup about the unknown take a screen shot of it:

http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.
  • 0

#134
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, ok, but getting a little frustrated. I was swatting them away like flies just earlier today. Now took a long time just to see 1. Did the screen shot but the paste was only of the test shot I took as a practice. Is there something I need to do to clear the screenshots after paste and how do I get to the last one? I will keep trying.
  • 0

#135
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, tried it again and it still only pasted the previous and not the screen I hit the key on. I think it may be because the screen is one of the grayed out screens by Win. It is captioned

User Account Control

Do you want to allow the following program from an unknown publisher to make changes to the computer?

program: unknown
publisher: unknown
file origin: downloaded
  • 0





