Rootkit is interfering with my antivirus scan


  • This topic is locked
75 replies to this topic

#1 -KiKi-

  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 05:01 PM

Yesterday my desktop started acting weird. The entire screen went blue and wouldn't display anything, so I shut it completely off for a few minutes. When I turned it back on, Windows didn't load normally the way it usually does.

So I then assumed that I could probably have an infection. I ran MalwareBytes, but it didn't detect anything. I then ran SuperAntiSpyware, but it didn't detect anything either except a few tracking cookies. So I then decided to run TDSSKiller as a precautionary measure, and it actually detected one rootkit infection, so I allowed TDSSKiller to "cure" the infection, but it wouldn't allow me to cure it. An error message popped up saying "Can't cure MBR. Write standard boot code? Yes or No?". I selected "No", and then it said it would be cured after reboot. So I rebooted the computer, then shut it down, and went to sleep, since it was so late last night.

So today, to further make sure my computer wasn't infected, I tried to run my antivirus program, but at the start of the scan, my antivirus program gave me the message below...


Posted Image


I didn't have this issue until after I allowed TDSSKiller to cure the rootkit infection that it detected. So what do I do about this? Does this mean the rootkit is still infecting my computer? It's now preventing my antivirus program from running and scanning the way it usually does. I don't like this. Can you help me fix this problem please?


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 April 2012 - 05:45 PM

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

An error message popped up saying "Can't cure MBR. Write standard boot code?"

Click on YES.

Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

#3 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 08:10 PM

Okay... something else has gone wrong now. I was in the process of doing what you asked above, but when I booted up the computer, I got a blue screen with an error on it. So I turned the computer off and turned it back on again, and the blue error screen appeared again. I've tried 3 times, and it keeps appearing. Windows won't load at all because of the error screen. Here's a photo of it below...


Posted Image


What can I do to prevent this message from appearing again? What is causing it? In the error message, it says if a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates.

It also says in the message to check with my hardware vendor for any BIOS updates. It says "Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode."

There is something that appears in the "Stop" message... this is exactly what is displayed in the Stop message below:

0x0000007E (0xC0000005, 0xBA4B9160, 0xBa50386c, 0xBA503568)

Then underneath that, there's another message that says (below):

kdcom.dll - Address BA4b9160 base at BA4B8000, DateStamp 4f8f0f42


So what should I do about this? I see that I'm actually able to load Windows in Safe Mode, but I can't load it normally, and that's definitely a problem. So can you please guide me through the steps to take to prevent this message from reappearing again so I can load Windows to fix the aforementioned issues?

Edited by -KiKi-, 24 April 2012 - 08:14 PM.


#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 April 2012 - 08:25 PM

Rerun TDSSKiller in Safe Mode.

If you're not able to launch TDSSKiller:

Download FIXTDSS.

Launch it. It may ask for a restart; reboot the PC.

On reboot, click on REPAIR.

Let me know how it went.

#5 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 08:37 PM

Oh wow! I just turned the computer on again, and miraculously the blue error screen didn't pop up this time. Windows loaded normally. That is so strange. I'm in awe!

So instead of booting in Safe Mode, I went ahead and downloaded TDSSKiller in normal Windows. I chose the TDLFS selection as you requested. That same Rootkit.Boot.Pihar.c "malware object" threat that was detected before is still there, and now there's a TDSS File System "suspicious object" threat that has been detected. The "cure" option for the "rootkit malware object" is set by default, but for the TDSS File System "suspicious object" that was detected, the "skip" option is set by default. Do I choose "cure" for that particular threat as well, or leave it on "skip"?

Edited by -KiKi-, 24 April 2012 - 08:38 PM.


#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 April 2012 - 08:40 PM

Select "delete" for the TDSS file system, restart the PC and run TDSSKiller again. If it still detects Boot.Pihar,

go ahead and run FIXTDSS.

Good luck.

#7 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 08:55 PM

WOW! Just when I overcome one issue, I run into another. After I chose to cure the rootkit threat and delete the TDSS threat, I allowed TDSSKiller to reboot the computer as you requested. Now the computer won't reboot. So I shut it off, then turned it on again, and the computer freezes in mid-boot.

Here's a photo of the boot screen below...


Posted Image

It's just stuck there on that boot screen with the cursor at the bottom blinking. What do I do about this now?? Help please.

Edited by -KiKi-, 24 April 2012 - 08:56 PM.


#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 April 2012 - 09:20 PM

Can you boot into Safe Mode?

Press F8 or F10 on bootup and let me know what happens.

#9 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 09:35 PM

I had already taken it upon myself to boot into Safe Mode (F8) three times, but it didn't work. It still gets locked on that same screen.

I just tried F10, but it didn't work either. It still gets locked on the same screen. What should I do now?

#10 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 April 2012 - 09:40 PM

Do you have your OS CD?

If yes, can you boot from it and repair? If not, we have other ways. Let me know.

#11 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 09:47 PM

Yes, I have the CD. The only downside to having the Windows XP CD is that the CD comes with Service Pack 2, which means I will have to go back and reinstall Service Pack 3 from the Microsoft website, won't I? Or will what you're about to have me do with it not affect SP3?

How do I use it? How do I repair with the CD?

Edited by -KiKi-, 24 April 2012 - 10:37 PM.


#12 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 24 April 2012 - 11:13 PM

Repair will remove the service pack. Let me ask a malware expert for help, as we may need to use advanced tools.

#13 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 24 April 2012 - 11:20 PM

Okay. I'll be here waiting.

#14 -KiKi-

  • Topic Starter
  • Members
  • 162 posts
  • Gender:Female

Posted 25 April 2012 - 12:06 AM

Have you found out the information yet? Should I get started right now on it? How do I do the repair?

#15 Elise

  • Malware Study Hall Admin
  • 53,440 posts
  • Gender:Female
  • Location:Romania

Posted 28 April 2012 - 06:42 AM

Hello, and sorry for the delay. Let's first have a look at your drive's master boot record, as that is most likely where the problem lies.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.
regards, Elise
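The `dd` step above copies the first 512-byte sector of the disk (bootstrap code, the four-entry partition table and the 0x55AA signature) into mbr.bin so it can be examined on a clean machine. What an analyst does with that file is not shown in the thread, so here is an added example (not code from BleepingComputer, TDSSKiller, aswMBR, FIXTDSS or GMER) of a small Python sanity checker for such a dump. It verifies the signature, decodes the partition table, flags entries that are invalid, overlap, or run past the end of the disk, hashes the bootstrap so it can be compared with a dump from a known-good machine, and notes whether the bootstrap still carries the error strings found in the stock Windows 2000/XP/2003 MBR code. That last check is a hint, not a verdict, since OEM and third-party boot managers also use different code. The two sample MBRs, the disk size and the string heuristic are all constructed for the example and are not taken from the poster's machine.

```python
"""Sanity-check a 512-byte MBR dump such as the mbr.bin written by
`dd if=/dev/sda of=mbr.bin bs=512 count=1`.
Added example for this thread, not code from any tool named in it."""
import hashlib
import struct
import sys
from typing import List, Optional

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511

# Error strings carried by the stock Windows 2000/XP/2003 MBR bootstrap.
# Absence means "not the standard Windows boot code", nothing more.
WINDOWS_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def build_mbr(bootstrap: bytes, entries) -> bytes:
    """Assemble an MBR from bootstrap bytes and up to four
    (status, type, lba_start, sectors) tuples. Used only to build the
    constructed samples below; real input comes from mbr.bin."""
    if len(bootstrap) > BOOTSTRAP_LEN or len(entries) > 4:
        raise ValueError("bootstrap too long or too many entries")
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, size)
        for status, ptype, start, size in entries
    ).ljust(4 * PART_ENTRY_LEN, b"\0")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\0") + table + SIGNATURE


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four partition-table entries (CHS fields are skipped)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": start, "sectors": size})
    return parts


def inspect_mbr(mbr: bytes, disk_sectors: Optional[int] = None) -> dict:
    """Return bootstrap hash, parsed partitions and a list of findings.
    disk_sectors (e.g. from `blockdev --getsz /dev/sda`), when known,
    lets the check flag entries that point past the end of the disk."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"findings": [f"expected {MBR_SIZE} bytes, got {len(mbr)}"],
                "partitions": []}
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    bootstrap = mbr[:BOOTSTRAP_LEN]
    if not any(s in bootstrap for s in WINDOWS_MBR_STRINGS):
        findings.append("bootstrap lacks the standard Windows MBR error "
                        "strings (non-standard or replaced boot code)")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']}: type 0 but non-zero LBA fields")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    used = [p for p in parts if p["type"] != 0]
    for a in used:
        a_end = a["lba_start"] + a["sectors"]
        if disk_sectors is not None and a_end > disk_sectors:
            findings.append(f"entry {a['index']}: extends past end of disk "
                            f"({a_end} > {disk_sectors} sectors)")
        for b in used:
            if b["index"] <= a["index"]:
                continue
            if a["lba_start"] < b["lba_start"] + b["sectors"] and b["lba_start"] < a_end:
                findings.append(f"entries {a['index']} and {b['index']} overlap")
    return {"bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
            "partitions": parts, "findings": findings}


# Constructed samples (not dumps from the thread): a stock-looking bootstrap
# with one NTFS partition, and a replaced bootstrap whose second, also-active
# entry overlaps the first and runs off the (assumed 80 GB) disk.
STOCK_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\0" * 300 + b"\0".join(WINDOWS_MBR_STRINGS)
SAMPLE_CLEAN = build_mbr(STOCK_BOOTSTRAP, [(0x80, 0x07, 63, 156_301_425)])
SAMPLE_SUSPICIOUS = build_mbr(b"\xeb\x10" + b"\x90" * 100,
                              [(0x80, 0x07, 63, 156_301_425),
                               (0x80, 0x17, 156_301_400, 2048)])
SAMPLE_DISK_SECTORS = 156_301_488   # assumed sector count of the sample disk

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # python mbr_check.py mbr.bin
        with open(sys.argv[1], "rb") as fh:
            report = inspect_mbr(fh.read())
    else:                                 # no file: run on the constructed sample
        report = inspect_mbr(SAMPLE_SUSPICIOUS, SAMPLE_DISK_SECTORS)
    print("bootstrap sha256:", report.get("bootstrap_sha256"))
    for p in report["partitions"]:
        print(f"  entry {p['index']}: status=0x{p['status']:02x} type=0x{p['type']:02x} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    for f in report["findings"]:
        print("  !", f)
```

Run it as `python mbr_check.py mbr.bin` on the file copied off the USB drive; with no argument it inspects the constructed suspicious sample. The bootstrap hash is the most useful output in practice: dump the first sector of a known-clean machine with the same Windows version and compare, since a bootkit that rewrites the MBR changes the bootstrap bytes even when the partition table it leaves behind looks ordinary. An empty findings list does not prove the disk is clean; it only means the sector passes these structural checks.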
