
Infected with malware


  • This topic is locked
12 replies to this topic

#1 Eric12334

Eric12334

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 19 April 2012 - 09:14 AM

I started working with Boopme.

I was not able to get DDS to work (I followed the instructions on the guide regarding the script blockers, but still no luck. It just opens in Notepad as machine code). I got a log for GMER and toolbox.

Symptoms: At start-up the computer freezes for about 3 hours... then starts working more or less normally for a while.
I have Norton suite installed.

I ran Malwarebytes, FixTDSS, TDSSKiller, ESET online scan. They removed some items, but I still have the main problem of the frozen computer.

When I ran the GMER scan, the item shown under "process", cltlMH.exe, was in red. Is that the bad file?

Please advise.

Thanks

Ok I was told to use OTM instead of DDS so here is the log.

Thanks


EDIT: merged posts into one~~boopme

Attached Files


Edited by boopme, 20 April 2012 - 12:10 AM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 23 April 2012 - 07:12 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#3 Eric12334

Eric12334
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 23 April 2012 - 07:36 PM

Hello m0le:

Thanks for helping me.
I had to do something while waiting for an answer, so I was able to remove Norton. I installed the Kaspersky free trial. It identified the virus as Rootkit.Boot.Pihar.c in \Device\harddisk0\DR0.
I tried to reboot the computer using the Norton boot disk. It since I cannot change the boot sequence to USB only. So is the BIOS corrupted?
Frankly it looks pretty bad, and if I have to end up reformatting my disk I may as well do it now instead of after a week of frustrating battle.

Do you think there is a way to cure the problem while avoiding the nuclear option?

Thanks.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 24 April 2012 - 06:20 PM

The Pihar rootkit is destructive when it takes hold but we shouldn't give up just yet.

I need to know if you have the ability to boot the machine - in normal and/or safe mode?

#5 Eric12334

Eric12334
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 24 April 2012 - 08:20 PM

Hello,

Yes, the more I read about it the more I feel I should save myself and bite the bullet. But if you think there is a chance, let's try.


So right now the computer works normally. The only thing I cannot do is reboot in safe mode. When I do that I get the blue screen.

I have run all the software and I have the logs.

Thanks

Edited by Eric12334, 24 April 2012 - 08:21 PM.


#6 Eric12334

Eric12334
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 25 April 2012 - 01:03 AM

To respond to your question: yes, now the machine is working normally, but I cannot go into safe mode.
I have been using the Norton recovery disk and then running TDSSKiller and the Kaspersky suite as soon as I boot.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 25 April 2012 - 04:44 PM

The only problem is safe mode? Please can I see a TDSSKiller log.

#8 Eric12334

Eric12334
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 25 April 2012 - 08:39 PM

Here are all the logs

Attached Files



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 26 April 2012 - 02:49 PM

Thanks for providing the Combofix log. You should not be using this unaided.

However, please rerun the program (agreeing any updates) as shown below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RegNull::
[HKEY_USERS\S-1-5-21-602162358-1897051121-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3247C3F5-9323-2B95-3756-E5223F58968F}*


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please also run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

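The CFScript above nulls one value under the user's Shell Extensions\Approved key. As an added, read-only check that is not part of this thread or of ComboFix, the script below lists every CLSID approved in that key for a given user hive and flags entries with no matching CLSID registration, a missing InprocServer32 DLL, or a DLL without a valid Authenticode signature. The SID default is the one quoted in the post; substitute your own, and note that the Approved key is assumed to hold CLSID value names with a display-name string as data.

```powershell
# Audit HKU\<SID>\...\Shell Extensions\Approved (read-only; nothing is modified).
# Placeholder SID taken from the thread above; pass -Sid to use another hive.
param(
    [string]$Sid = 'S-1-5-21-602162358-1897051121-839522115-1003'
)

# Expose HKEY_USERS as a PowerShell drive if it is not already mapped.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$approved = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
if (-not (Test-Path $approved)) { Write-Warning "No Approved key found for $Sid"; return }

$props = Get-ItemProperty -Path $approved
foreach ($p in $props.PSObject.Properties) {
    # Value names in this key are CLSIDs; skip the PS* metadata properties.
    if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

    $clsid  = $p.Name
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $finding = [ordered]@{ CLSID = $clsid; Name = $p.Value; Status = 'ok'; Dll = $null; Signer = $null }

    if (-not (Test-Path $clsKey)) {
        # Approved but never registered: an orphan from a removed product, or a hidden component.
        $finding.Status = 'approved-but-unregistered'
    } else {
        $dll = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $finding.Dll = $dll
        if (-not $dll) {
            $finding.Status = 'no-inprocserver32'
        } elseif (-not (Test-Path $dll)) {
            $finding.Status = 'dll-missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $finding.Signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid') { $finding.Status = "signature:$($sig.Status)" }
        }
    }
    [pscustomobject]$finding
}
```

Pipe the output through `Where-Object Status -ne 'ok'` to see only the entries worth reviewing; an unsigned or orphaned CLSID is a lead to investigate, not proof of infection on its own.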

#10 Eric12334

Eric12334
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 26 April 2012 - 06:35 PM

Hello,

When I try ComboFix, I am getting the error message that I am running Norman Security Suite. I removed all the anti-virus software. What is this Norman thing? What should I do about it?

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 26 April 2012 - 08:52 PM

Norman is a legitimate antivirus. You might be able to remove it through Windows or you may need to use an uninstaller.

See Kaspersky's guidance here

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 01 May 2012 - 08:12 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,790 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:01 AM

Posted 03 May 2012 - 06:28 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
