Rootkit is interfering with my antivirus scan
Posted 24 April 2012 - 05:01 PM
So I then assumed that I could probably have a possible infection. So I ran MalwareBytes, but it didn't detect anything. I then ran SuperAntiSpyware, but it didn't detect anything either except a few tracking cookies. So I then decided to run TDSSKiller for precautionary measures, and it actually detected one rootkit infection, so I allowed TDSSKiller to "cure" the infection, but it wouldn't allow me to cure it. An error message popped up saying "Can't cure MBR. Write standard boot code? Yes or No?". So I selected "No", then it said it would be cured after reboot. So I then rebooted the computer, then shut it down, and went to sleep being that it was so late last night.
So today, to furthermore make sure my computer wasn't infected, I tried to run my antivirus program, but at the start of the scan, my antivirus program gave me this message below...
I didn't have this issue until after I allowed TDSSKiller to cure the rootkit infection that it detected. So what do I do about this? Does this mean the rootkit is still infecting my computer? It's now preventing my antivirus program from running and scanning the way it usually does. I don't like this. Can you help me fix this problem please?
Posted 24 April 2012 - 05:45 PM
Launch it. Click on Change parameters - select TDLFS file system.
Click on "Scan". Please post the LOG report (the log file should be in your C drive).
An error message popped up saying "Can't cure MBR. Write standard boot code?"
Click on YES
Please download GMER from here (does not work on 64-bit OS).
Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.
Post the log results here
Posted 24 April 2012 - 08:10 PM
What can I do to prevent this message from appearing again? What is causing it? In the error message, it says if a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates.
It also says in the message to check with my hardware vendor for any BIOS updates. It says "Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode."
There is something that appears in the "Stop" message... this is exactly what is displayed in the Stop message below:
0x0000007E (0xC0000005, 0xBA4B9160, 0xBa50386c, 0xBA503568)
Then underneath that, there's another message that says (below):
kdcom.dll - Address BA4b9160 base at BA4B8000, DateStamp 4f8f0f42
So what should I do about this? I see that I'm actually able to load Windows in Safe Mode, but I can't load it normally, and that's definitely a problem. So can you please guide me through the steps to take to prevent this message from reappearing again so I can load Windows to fix the aforementioned issues?
Edited by -KiKi-, 24 April 2012 - 08:14 PM.
Posted 24 April 2012 - 08:37 PM
So instead of booting in Safe Mode, I went ahead and downloaded TDSSKiller in normal Windows. I chose the TDLFS selection as you requested. That same Rootkit.Boot.Pihar.c "malware object" threat that was detected before is still there, and now there's a TDSS File System "suspicious object" threat that has been detected. The "cure" option for the "rootkit malware object" is set on default, but for the TDSS File System "suspicious object" that was detected, the "skip" option is set on default. Do I choose "cure" for that particular threat as well, or leave it on "skip"?
Edited by -KiKi-, 24 April 2012 - 08:38 PM.
Posted 24 April 2012 - 08:40 PM
Go ahead and run FixTDSS.
Posted 24 April 2012 - 08:55 PM
Here's a photo of the boot screen below...
It's just stuck there on that boot screen with the cursor at the bottom blinking. What do I do about this now?? Help please.
Edited by -KiKi-, 24 April 2012 - 08:56 PM.
Posted 24 April 2012 - 09:20 PM
Press F8 or F10 on bootup and let me know what happens
Posted 24 April 2012 - 09:35 PM
I just tried F10, but it didn't work either. It still gets locked on the same screen. What should I do now?
Posted 24 April 2012 - 09:40 PM
If yes, can you boot it and repair it? If not, we have other ways; let me know.
Posted 24 April 2012 - 09:47 PM
How do I use it? How do I repair it with the CD?
Edited by -KiKi-, 24 April 2012 - 10:37 PM.
Posted 24 April 2012 - 11:13 PM
Posted 25 April 2012 - 12:06 AM
Posted 28 April 2012 - 06:42 AM
Try this please. You will need a USB drive.
Download GETxPUD.exe to the desktop of your clean computer
- Run GETxPUD.exe
- A new folder will appear on the desktop.
- Open the GETxPUD folder and click on the get&burn.bat
- The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
- Click on Start and follow the prompts to burn the image to a CD.
- Remove the USB & CD and insert them in the sick computer
- Boot the Sick computer with the CD you just burned
- The computer must be set to boot from the CD
- Gently tap F12 and choose to boot from the CD
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
- sda1,2...usually corresponds to your HDD
- sdb1 is likely your USB
- Click on the folder that represents your USB drive (sdb1 ?)
- Press Tool at the top
- Choose Open Terminal
- Type the following and press enter:
dd if=/dev/sda of=mbr.bin bs=512 count=1
- Press Enter
- After it has finished a file will be located on your USB drive named mbr.bin
- Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.
"Now faith is the substance of things hoped for, the evidence of things not seen."
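The steps above end with a 512-byte `mbr.bin` being handed to a helper for a manual look. The script below is an added example, not code from this thread or from any of the tools mentioned in it, showing what that offline triage of an MBR dump typically checks: the 55AA boot signature, the four partition entries (active flag, type, LBA start, length, overlaps), a SHA-256 of the boot-code region so two dumps can be compared, and a heuristic that looks for the error strings carried by the standard Windows MBR boot code. The heuristic, the `triage` and `build_sample_mbr` function names, and the sample sectors are all assumptions made for the example; the sectors are constructed in the script and are not dumps from a real disk.

```python
"""Offline triage of a 512-byte MBR dump such as the mbr.bin produced by
'dd if=/dev/sda of=mbr.bin bs=512 count=1'.  Added example with constructed samples."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
TABLE_OFFSET = 446           # the 64-byte partition table starts here
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510-511
# Error strings carried by the standard Windows (XP through 7) MBR boot code.  Their absence
# on a Windows-formatted disk is only a hint that the boot code was replaced (heuristic).
STANDARD_STRINGS = (b"Invalid partition table",
                    b"Error loading operating system",
                    b"Missing operating system")


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors  # first sector after the partition


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four 16-byte partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if type_id == 0:
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the boot-code region only, so dumps with different partition tables still compare."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()


def triage(mbr: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"dump is {len(mbr)} bytes, expected {SECTOR_SIZE}"]
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 55AA missing")
    code = mbr[:TABLE_OFFSET]
    if not any(code):
        findings.append("boot code is all zeros")
    elif not all(s in code for s in STANDARD_STRINGS):
        findings.append("standard Windows MBR error strings absent: boot code may have been replaced")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p.sectors == 0:
            findings.append(f"partition {p.index}: type {p.type_id:#04x} with zero length")
        if p.lba_start == 0:
            findings.append(f"partition {p.index}: starts at LBA 0 (overlaps the MBR itself)")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_sample_mbr(standard_code: bool = True, overlap: bool = False) -> bytes:
    """Constructed 512-byte sector for the example; not a dump from a real disk."""
    code = bytearray(TABLE_OFFSET)
    code[0:2] = b"\x33\xc0"  # 'xor ax,ax', a plausible first instruction
    pos = 0x100
    if standard_code:
        for s in STANDARD_STRINGS:
            code[pos:pos + len(s)] = s
            pos += len(s) + 1
    else:
        code[pos:pos + 16] = bytes(range(16))  # arbitrary bytes standing in for replaced code
    table = bytearray(64)
    # entry 0: active, NTFS (0x07), starting at LBA 63, 2,000,000 sectors
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    if overlap:
        # entry 1: a non-active NTFS entry that begins inside entry 0 (a corrupt table)
        struct.pack_into("<B3sB3sII", table, 16, 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 1_000_000, 500_000)
    return bytes(code) + bytes(table) + SIGNATURE


if __name__ == "__main__":
    import sys
    # With a path argument, triage that dump; otherwise use the constructed "replaced code" sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr(standard_code=False)
    print("boot code sha256:", boot_code_sha256(data))
    for part in parse_partitions(data):
        print(part)
    for finding in triage(data) or ["no findings"]:
        print("-", finding)
```

Run it as `python mbr_triage.py mbr.bin` against a real dump. The string heuristic is deliberately weak on its own: a clean disk from a non-Windows boot manager will also lack those strings, so the finding is a prompt to compare the boot-code hash against a known-good copy rather than a verdict.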