Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Mulitple virus attack? [Solved]

Started by Attilla the Bun , May 18 2012 05:29 PM

  • This topic is locked This topic is locked

#16
Render
Posted 30 May 2012 - 12:08 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi,

Looks like your computer is infected with rootkit. I overlooked that so please follow the steps below:

1. Preferably from a clean computer, please download the following: gparted-live-0.10.0-3.iso (115 MB)

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.


2. Now, please boot off of the newly created GParted CD. See How to Set BIOS to Boot from CDROM for information on how to boot from the CD.

You should arrive to the following screen:
Posted Image
Press the ENTER key

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and press the ENTER key.

Posted Image
Next, choose your language and press the ENTER key. English is the default setting [33]

Posted Image
Once again, at this prompt, press the ENTER key.

You will now be taken to the main GUI screen below
Posted Image

Please take a picture of this screen (camera or phone pictures will work just fine), and post it here for me to see. It is very important that you complete this step.
  • 0

Advertisements

#17
Attilla the Bun
Posted 30 May 2012 - 12:27 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Good heavens.

We do have a laptop and a netbook in the house, which use the same broadband wirelessly. But how will I know if they are clean? We may have made the same mistakes on them! The old laptop is used far less than the netbook
  • 0

#18
Render
Posted 30 May 2012 - 12:30 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
We can check other computers later just to be sure. Please, proceed with instructions from my previous post for now.
  • 0

#19
Attilla the Bun
Posted 30 May 2012 - 02:51 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I've created the CD, but I can't get the bios to boot from it.
I finally managed to set the BIOS to boot from CD, but it isn't happening

Edited by Attilla the Bun, 30 May 2012 - 03:23 PM.

  • 0

#20
Render
Posted 30 May 2012 - 04:22 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
OK. And what is happening? Any errors?
  • 0

#21
Attilla the Bun
Posted 30 May 2012 - 05:08 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Have done it, (finally!) am just trying to find way of posting image!
  • 0

#22
Attilla the Bun
Posted 30 May 2012 - 05:33 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
How do I post the image? It's a jpeg, it doesn't have a url!
  • 0

#23
Attilla the Bun
Posted 30 May 2012 - 05:41 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
GUI-screen.jpg

I attached it, hope that's OK

Posted Image
  • 0

#24
Attilla the Bun
Posted 30 May 2012 - 05:44 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
And that's how you post an image.... :rolleyes:
Not 'Insert Image', then!
  • 0

#25
Render
Posted 30 May 2012 - 06:03 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hmmm... Looks good from provided picture. Sign of infection is showing in RK report:

1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 703261440 | Size: 9 Mo

Also typical for this infection is that you can't run rootkit detectors like TDSSKiller and aswMBR.

Are you using this computer for banking?

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.
  • 0

Advertisements

#26
Attilla the Bun
Posted 31 May 2012 - 12:19 AM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
disc-managememnt-screen.jpg

I don't use it for banking, for this very reason. After this, I never will!
I do internet shopping, but following the advice on the 'Preventing Malware and Safe Computing' guide on this forum, I installed one of those keystroke scramblers.

I'm rather depressed that this has happened, as compared with a lot of people, I'm very careful - I have most of the programmes this forum recommends, (apart from the very complicated stuff) and I update and run them very regularly.
Depressed. :(
  • 0

#27
Attilla the Bun
Posted 01 June 2012 - 01:08 AM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Btw, I didn't mean my last to imply criticism of the forum's advice - I've had wonderful help here, and the Safe Computing guide has kept my computer (and my children's) safe for a very long time. If there was a problem, it was undoubtedly mine for being distracted and not updating and running the programmes for a couple of weeks.
It's just depressing that in spite of all we do to prvent it, there's all these evil people out there devoting themselves to finding ways to attack our computers. :(

I'm going away today until Monday, and so if I don't reply for three days, it's for that reason - is it possible to pause and continue this then?
  • 0

#28
Render
Posted 01 June 2012 - 04:50 AM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts

I'm going away today until Monday, and so if I don't reply for three days, it's for that reason - is it possible to pause and continue this then?

No problem.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
  • 0

#29
Attilla the Bun
Posted 04 June 2012 - 04:57 PM

Attilla the Bun

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi Render
Here's the report:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fd

Kernel Drivers (total 160):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltMgr.sys
0xB9EFF000 sr.sys
0xBA118000 PxHelp20.sys
0xB9EE8000 KSecDD.sys
0xB9E5B000 Ntfs.sys
0xB9E2E000 NDIS.sys
0xBA128000 RapportKELL.sys
0xB9E14000 Mup.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xBA318000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA470000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB9960000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA590000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9589000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA478000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9565000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA480000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA594000 \SystemRoot\System32\Drivers\cdrbsvsd.SYS
0xB9950000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA598000 \SystemRoot\system32\drivers\pfc.sys
0xB9940000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xB9930000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB9920000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9542000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9910000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB951A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9900000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB9441000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB8DB7000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB8DA3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA5A0000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB98F0000 \SystemRoot\system32\drivers\WsAudio_DeviceS(1).sys
0xB8D7F000 \SystemRoot\system32\drivers\portcls.sys
0xB98E0000 \SystemRoot\system32\drivers\drmk.sys
0xB98D0000 \SystemRoot\system32\drivers\WsAudio_DeviceS(2).sys
0xBA168000 \SystemRoot\system32\drivers\WsAudio_DeviceS(3).sys
0xBA178000 \SystemRoot\system32\drivers\WsAudio_DeviceS(4).sys
0xBA188000 \SystemRoot\system32\drivers\WsAudio_DeviceS(5).sys
0xBA6DF000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA198000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8D68000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA488000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8D57000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA490000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA498000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA4A0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5DC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8C59000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DE8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1E8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA340000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA208000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xBA218000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5DE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB61B3000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xBA370000 \SystemRoot\system32\drivers\nvhda32.sys
0xB6110000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
0xBA5E2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA76D000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E4000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA380000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA388000 \SystemRoot\System32\drivers\vga.sys
0xBA5E6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5E8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB60D9000 \SystemRoot\System32\Drivers\meiudf.sys
0xB60C8000 \SystemRoot\System32\Drivers\Udfs.SYS
0xBA390000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA398000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA560000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB60B5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB605C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB6034000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB600E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB5FD6000 \SystemRoot\system32\DRIVERS\tcpip6.sys
0xBA248000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA570000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xBA258000 \SystemRoot\system32\DRIVERS\Ip6Fw.sys
0xB5F8C000 \SystemRoot\System32\drivers\afd.sys
0xBA268000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA3A0000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB5F6A000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xBA3A8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB5F3F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB5F19000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xBA3B0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA288000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
0xB5E09000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA3B8000 \??\C:\WINDOWS\system32\FreeOTFEHashWhirlpool.sys
0xBA3C0000 \??\C:\WINDOWS\system32\FreeOTFEHashTiger.sys
0xBA3C8000 \??\C:\WINDOWS\system32\FreeOTFEHashSHA.sys
0xBA3D0000 \??\C:\WINDOWS\system32\FreeOTFEHashRIPEMD.sys
0xBA588000 \??\C:\WINDOWS\system32\FreeOTFEHashMD.sys
0xBA3D8000 \??\C:\WINDOWS\system32\FreeOTFECypherTwofish_ltc.sys
0xBA3E0000 \??\C:\WINDOWS\system32\FreeOTFECypherSerpent_Gladman.sys
0xBA3E8000 \??\C:\WINDOWS\system32\FreeOTFECypherRC6_ltc.sys
0xBA3F0000 \??\C:\WINDOWS\system32\FreeOTFECypherMARS_Gladman.sys
0xBA298000 \??\C:\WINDOWS\system32\FreeOTFECypherDES.sys
0xBA3F8000 \??\C:\WINDOWS\system32\FreeOTFECypherCAST6_Gladman.sys
0xBA400000 \??\C:\WINDOWS\system32\FreeOTFECypherCAST5.sys
0xBA408000 \??\C:\WINDOWS\system32\FreeOTFECypherBlowfish.sys
0xBA2A8000 \??\C:\WINDOWS\system32\FreeOTFECypherAES_ltc.sys
0xBA410000 \??\C:\WINDOWS\system32\FreeOTFE.sys
0xBA2B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB616A000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xB6166000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA2D8000 \SystemRoot\system32\DRIVERS\avkmgr.sys
0xB5D6C000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xB6156000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB5D0E000 \SystemRoot\System32\drivers\keyscrambler.sys
0xBA418000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB5C93000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA554000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA420000 \SystemRoot\system32\DRIVERS\point32.sys
0xBA438000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB5FBA000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA448000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6BD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBF596000 \SystemRoot\System32\ATMFD.DLL
0xB54E7000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB550A000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB519A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB50BD000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5297000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA5C4000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB4D6D000 \SystemRoot\system32\DRIVERS\srv.sys
0xB49C9000 \??\c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys
0xB3C43000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
780 C:\WINDOWS\system32\smss.exe
844 C:\WINDOWS\system32\csrss.exe
872 C:\WINDOWS\system32\winlogon.exe
916 C:\WINDOWS\system32\services.exe
940 C:\WINDOWS\system32\lsass.exe
1112 C:\WINDOWS\system32\svchost.exe
1160 C:\WINDOWS\system32\svchost.exe
1256 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1344 C:\WINDOWS\system32\svchost.exe
1436 C:\WINDOWS\system32\svchost.exe
1556 C:\WINDOWS\system32\svchost.exe
1712 C:\WINDOWS\system32\spoolsv.exe
1764 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1852 C:\WINDOWS\explorer.exe
1932 C:\WINDOWS\system32\svchost.exe
240 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
248 C:\Program Files\Common Files\Java\Java Update\jusched.exe
264 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
292 C:\Program Files\SpywareGuard\sgmain.exe
304 C:\Program Files\SpywareGuard\sgbhp.exe
432 C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
444 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
456 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
476 C:\Program Files\Bonjour\mDNSResponder.exe
528 C:\WINDOWS\system32\DVDRAMSV.exe
892 C:\Program Files\Java\jre7\bin\jqs.exe
932 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
1204 C:\Program Files\Google\Update\GoogleUpdate.exe
1492 C:\WINDOWS\system32\svchost.exe
1800 C:\WINDOWS\system32\StkASv2K.exe
1900 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
1988 C:\WINDOWS\system32\wdfmgr.exe
2288 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
2844 C:\WINDOWS\system32\rundll32.exe
3048 C:\WINDOWS\system32\alg.exe
3384 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
1516 C:\WINDOWS\system32\wuauclt.exe
3668 C:\Program Files\Mozilla Thunderbird\thunderbird.exe
1816 C:\Program Files\Internet Explorer\iexplore.exe
3580 C:\PROGRA~1\McAfee\SITEAD~1\saUI.exe
1628 C:\Documents and Settings\User\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3360320AS, Rev: 3.AAM

Size Device Name MBR Status
--------------------------------------------
335 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
  • 0

#30
Render
Posted 05 June 2012 - 02:41 PM

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Well, going through your logs only RogueKiller's log is showing presence of rootkit. But looks like VRT tool successfully removed it. But hosts file is still "infected". Let's do the following:

We need to run an OTL Fix

Warning This fix is only relevant for this system and no other, using on another computer may cause problems.

  • Please double click on Posted Image on your Desktop (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
  • Under the Custom Scans/Fixes box copy and paste this in (Please carefully select all text in code box beginning with : ):

    :OTL
  	
:Files
ipconfig /flushdns /c

:Reg

:Commands
[resethosts]
[emptytemp]
[EMPTYJAVA]
[createrestorepoint]
[reboot]
  • Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Posted Image button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP