Infected Computer with possible backdoor Trojans and rootkits [Solved]


  • This topic is locked

#46 JSntgRvr (Global Moderator, 10,967 posts)
  • Download aswMBR.exe (511KB) to your desktop.
  • Double-click aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • Click "Fix" in case of infection.
  • Click the Save log button and save aswMBR.log to the desktop.
  • Post the content of that log here for me.

In addition, aswMBR will produce a copy of the boot sector, MBR.dat, on your desktop. Upload that file here.
  • 0

#47 BohoGypsy (Topic Starter, Member, 38 posts)
I attempted to run the above action, but during the scan (maybe 40 min. in or so) the computer froze, though the mouse still moved. No other actions worked, not even Ctrl+Alt+Del, and I know that it wasn't still scanning because it had been an hour and five minutes since the last scan: it said 15:53 and the clock was at 16:58.
  • 0

#48 JSntgRvr (Global Moderator, 10,967 posts)
Let's update FRST and run another scan:

Please download the latest version of the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. Put a check mark in Addition. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

  • 0

#49 BohoGypsy (Topic Starter, Member, 38 posts)
Sorry it took me so long. I had to work on a graphic art piece for a client yesterday, and it took longer than I anticipated. Here are the logs.

Attached Files


  • 0

#50 JSntgRvr (Global Moderator, 10,967 posts)
I find no issues in those logs.

Let's take a look at the partitions.

Please download ListParts to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window, type notepad and press Enter.
  • Notepad opens. Under the File menu, select Open.
  • Select "Computer", find your flash drive letter, and then close Notepad.
  • In the command window type e:\ListParts.exe (for the x64 version type e:\ListParts64.exe) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Put a check mark on List BCD.
  • Press the Scan button.
  • It will make a log (Result.txt) on the flash drive. Please copy and paste it into your reply.

  • 0
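As an added example (not from the original thread, and not code from aswMBR or ListParts): a small Python parser for a 512-byte MBR image such as the MBR.dat that aswMBR saves to the desktop in post #46. It also lists the partition table, which is the information ListParts is being asked for in post #50. The sample MBR it builds is constructed for the demonstration, the partition-type table is a short subset of the standard MBR type IDs, and the file name mbr_check.py is an assumption.

```python
"""Parse a 512-byte MBR image (e.g. the MBR.dat saved by aswMBR) and sanity-check it."""
import hashlib
import struct
import sys
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = 0xAA55          # bytes 0x55 0xAA at offset 510, read little-endian

# Small subset of well-known partition type IDs (standard MBR layout, not from the thread).
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x27: "Hidden NTFS (Windows RE)",
    0x83: "Linux",
    0xEE: "GPT protective",
}

# Constructed sample bootstrap prefix: a few real-looking x86 bytes, then zeros.
SAMPLE_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"

Entry = Tuple[int, int, int, int]   # (status, type, lba_start, sector_count)


def build_mbr(entries: List[Entry], bootstrap: bytes = SAMPLE_BOOTSTRAP,
              disk_signature: int = 0x1234ABCD) -> bytes:
    """Build a constructed MBR image for testing; this is not read from a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(entries[:4]):
        # CHS fields are set to 0xFE 0xFF 0xFF, the usual "use the LBA fields" filler.
        struct.pack_into("<BBBBBBBBII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, 0xFE, 0xFF, 0xFF, ptype, 0xFE, 0xFF, 0xFF, lba_start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def parse_mbr(data: bytes) -> Dict:
    """Return bootstrap-code hash, disk signature, partition entries and sanity warnings."""
    if len(data) < SECTOR_SIZE:
        raise ValueError(f"need {SECTOR_SIZE} bytes, got {len(data)}")
    sector = data[:SECTOR_SIZE]
    if struct.unpack_from("<H", sector, 510)[0] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR, or a damaged one")

    warnings: List[str] = []
    partitions: List[Dict] = []
    for i in range(4):
        fields = struct.unpack_from("<BBBBBBBBII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        status, ptype, lba_start, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0 and count == 0:
            continue                                    # unused slot
        if status not in (0x00, 0x80):                  # anything else is not a valid flag
            warnings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "lba_end": lba_start + count - 1,
            "sectors": count,
        })

    if sum(p["bootable"] for p in partitions) > 1:
        warnings.append("more than one partition flagged bootable")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):              # entries must not overlap
        if b["lba_start"] <= a["lba_end"]:
            warnings.append(f"entries {a['index']} and {b['index']} overlap")

    return {
        "bootstrap_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat   (with no argument, the constructed sample is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 400000)])
    result = parse_mbr(image)
    print("bootstrap sha256:", result["bootstrap_sha256"])
    print("disk signature:   0x%08x" % result["disk_signature"])
    for p in result["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"  #{p['index']} {flag} type 0x{p['type']:02x} {p['type_name']:<24} "
              f"LBA {p['lba_start']}-{p['lba_end']} ({p['sectors']} sectors)")
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run it on the saved sector (python mbr_check.py MBR.dat) and keep the bootstrap hash; then read the same sector from outside Windows (for example a 512-byte read of sector 0 from a rescue environment) and compare. A rootkit that filters disk reads from inside Windows can present a clean sector there while the offline copy differs, which is the reason the later steps in this thread move the checks to the Recovery Environment and a rescue CD. A missing 0x55AA signature, an odd status byte, more than one bootable flag, or overlapping entries are each worth mentioning alongside the log.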

#51 BohoGypsy (Topic Starter, Member, 38 posts)
Going to run the above action now. It took me time to find a flash drive. Also wanted to note that while I was deleting files on my computer today to make more room on the C drive (the project for my client the other day took up some room), Avast notified me about a malicious action. It put it into the treasure chest. Maybe this is part of the problem.

Attached Files


  • 0

#52 BohoGypsy (Topic Starter, Member, 38 posts)
Here are logs

Attached Files


  • 0

#53 JSntgRvr (Global Moderator, 10,967 posts)
Let's remove the RECYCLE.BIN. Windows will recreate the folder upon a restart.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the entire content of the quote box (except the word quote) below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\$RECYCLE.BIN

    :Commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [EMPTYJAVA]
    [REBOOT]

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

After a restart, please attempt to run aswMBR as posted on post #46.
  • 0

#54 BohoGypsy (Topic Starter, Member, 38 posts)
Okay, here is the _OTL log. Thanks for helping me with the arduous process.

Attached Files

  • Attached File  _OTL.txt   3.71KB   43 downloads

  • 0

#55 BohoGypsy (Topic Starter, Member, 38 posts)
I tried to run aswMBR and came back to find that my computer had shut down unexpectedly. I received the error from Windows that the computer had shut down unexpectedly and restarted.
  • 0

#56 JSntgRvr (Global Moderator, 10,967 posts)
Can you run AVAST in Safe Mode?
  • 0

#57 BohoGypsy (Topic Starter, Member, 38 posts)
I think I can try. I have a choice between quick scan and full scan, and with "PUP" or not, though I don't know if that feature works in Safe Mode without networking. The problem is that any time I try to scan, it always finds an infected file and freezes. Maybe because my hard drive isn't 100%, maybe the scans are too invasive?
  • 0

#58 BohoGypsy (Topic Starter, Member, 38 posts)
I tried to scan with Avast and it still freezes. So I tried to get creative to see if it was the hard drive or the virus. I believe it is the virus. I chose 8 files to scan (places where the virus might be), thinking it wouldn't overload just to scan a few files. It found a couple of infected files, but as with all scans from any antivirus, it gets nearly completed and the whole computer freezes and will not respond. Once again I had to shut it down and restart manually.

The folders I chose in scan:

Boot
Downloads
Users

Then the following folders I have never seen before and don't know if they are standard with various downloads, or if they are placed there by the virus:

Qoobox
Quarantine
found.001
found.002
found.003
  • 0

#59 JSntgRvr (Global Moderator, 10,967 posts)

found.001
found.002
found.003

These folders were created by CHKDSK (or similar) during an automatic disk check after an abnormal system shutdown.

Qoobox
Quarantine

These were created by ComboFix.


We have an option to scan the computer from an external source. Perhaps you can give it a try. It uses a Rescue CD, in this case the AVG Rescue CD:

"AVG Rescue CD is basically a portable version of AVG anti-virus, which runs on a Linux distribution as a bootable CD or bootable USB flash drive. This Rescue CD is equipped with AVG Antivirus, AVG Anti-Spyware and some administrator recovery tools.

You can scan and remove computer viruses without booting the operating system first. It is suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems) from virus and spyware attacks. Meanwhile, the administrator toolset on the AVG rescue disk includes a Windows Registry editor, the TestDisk utility for recovering data and lost partitions, a file browser for navigating folders, and a Ping tool for basic network diagnostics."

Please Note: Windows does not have to load for this scanner to work.

AVG Rescue CD Guide-check here

You can download AVG rescue CD HERE.
It's also located on ThisPage, make sure you download the .iso file.

Here's how it goes:

Download and install Active@ ISO Burner.
Click HERE for ISO Burner instructions.
Install the program, and follow the next set of steps.

After you install Active@ ISO Burner, put a blank CD-R in your burner and double-click the AVG Rescue CD .iso you downloaded; Active@ ISO Burner should automatically open up. Now click BURN.

The program is very easy to use; you'll just be pressing Enter most of the time, but here's how it goes:

1. After the rescue CD is made, boot up the sick computer, put the rescue CD in and then restart it.
Note: In order to do so, the computer must be set to boot from the CD first. For information on how to do that, click HERE.
2. At the Boot Menu: Choose AVG Rescue CD (1) and press Enter

3. Let it load, at the "Disclaimer Screen"... just choose I agree or not and press Enter

4. At the "Update Screen", choose Yes and press Enter

Next screen, Choose Update from Internet and press Enter

5. At the "Update Priority Configuration" window, choose Priority 2 Virus Database Update and press Enter

6. Let it update and when finished, Press any key to continue

7. You end up back at the "Update Screen", choose Return and press Enter

8. You're at the "Main Menu" screen; choose Scan and press Enter

9. "Scan Type Menu", choose "Volumes Scan - Selected Volumes" and press Enter

10. "Scan Volumes", choose "OK" and press Enter

11. "Scan Options", choose "OK" and press Enter

12. "Run Scan", choose "Yes" and press Enter

13. When scan is complete, Press any key to continue

14. "Info screen", choose "OK" and press Enter

15. To see the scan report, select "Report File" and press Enter
Please look over the list, as some files can be crucial for the Windows system and deleting them can make it inoperative; if you're not sure, please Google the file or files.

16. "Scan Results Menu", use the up and down keys and choose "Select - Handle single or groups of infected files", press Enter
Go through the files and choose to Rename the infected file, don't choose Delete!
This is important....Rename<---

17. Read the "Warning Screen", "Yes" and Enter

18. Back at the "Scan Results Menu", choose "Back or Return" to get to the "Main Menu" and then choose ---->Reboot System
Don't forget to take out the rescue CD.

19. All the malware files will be renamed to "_INFECTED.arl"; to find all of these files....

Example: malware.exe would be renamed to malware.exe_infected.arl

20. Note: If you find the CD doesn't load, it's most likely due to a bad download or a bad burn; download the file again and burn it at a slower speed.
  • 0
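As an added example for step 19 above (not from the original thread, and not part of the AVG Rescue CD): a Python script that walks a drive, lists every file carrying the _infected.arl suffix the rescue CD applies, and records the original name, size and SHA-256 of each, so the list can be posted for review without deleting anything. The directory tree it builds for the demonstration is constructed, and the file name find_renamed.py is an assumption.

```python
"""Find files the AVG Rescue CD renamed (*_infected.arl) and report them without deleting."""
import hashlib
import os
import sys
import tempfile
from typing import Dict, List

RENAMED_SUFFIX = "_infected.arl"     # appended to the original name, e.g. malware.exe_infected.arl


def find_renamed(root: str) -> List[Dict]:
    """Walk root and return one record per renamed file, sorted by path."""
    hits: List[Dict] = []
    # onerror=... keeps the walk going past folders we cannot read instead of aborting.
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            if not name.lower().endswith(RENAMED_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                size = os.path.getsize(path)
            except OSError as exc:                      # locked or unreadable: still report it
                digest, size = f"unreadable: {exc}", -1
            hits.append({
                "path": path,
                "original_name": name[:-len(RENAMED_SUFFIX)],   # name before the rescue CD renamed it
                "size": size,
                "sha256": digest,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed directory tree standing in for a drive after the rescue CD has run."""
    root = tempfile.mkdtemp(prefix="rescue_demo_")
    layout = {                                          # paths and contents are made up
        "Users/Boho/Downloads/setup.exe_infected.arl": b"MZ constructed sample 1",
        "Users/Boho/AppData/Local/Temp/tmp01.tmp_INFECTED.arl": b"constructed sample 2",
        "Windows/System32/kernel32.dll": b"MZ constructed clean file",
        "Boot/bootmgr": b"constructed clean file",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def format_report(hits: List[Dict]) -> str:
    """Plain-text report suitable for pasting into a reply."""
    if not hits:
        return "No *_infected.arl files found."
    lines = [f"{len(hits)} renamed file(s):"]
    for h in hits:
        lines.append(f"{h['path']}\n    was: {h['original_name']}  size: {h['size']}  sha256: {h['sha256']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python find_renamed.py C:\     (with no argument, the constructed sample tree is used)
    start = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    print(format_report(find_renamed(start)))
```

The renamed files are disabled, not removed, so keeping the hash next to the original name lets the helper look each one up before deciding what to delete; a file that shows up as unreadable is worth mentioning too, since something still holding it open after a reboot is itself a finding.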

#60 BohoGypsy (Topic Starter, Member, 38 posts)
I will have to get to this in a day or two. I am traveling at the moment for work, and this is going to take some time. Your patience is appreciated.
  • 0





