Serious malware infection

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
←
1
2
3

You cannot start a new topic
This topic is locked

Serious malware infection Stubborn remnants won't go away

#31 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 17 June 2011 - 01:05 PM

Zip this file up and attach it: C:\Users\William\Desktop\MBR.dat

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#32 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 18 June 2011 - 11:11 AM

Here we are,

Attached File(s)

MBR.zip (507bytes)
Number of downloads: 1

#33 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 18 June 2011 - 11:28 AM

I want to get a look at your MBR from an external environment.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
After it has completed do not choose to reboot the clean computer simply close the installer
Next download dumpit to your USB
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
Click on sdb1 (sdb1 represents the USB drive).
Double click on the dumpit file.
A black window will pop-up and it will dump and zip the MBR to your USB drive.
Press Enter to exit the black window.
Click on HOME tab and choose Power Off to turn off xPUD.
Remove the USB drive and insert it back on your working computer.
Locate the mbr.zip file in your USB drive and attach it when you reply.

#34 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 19 June 2011 - 12:55 PM

Sorry, I am unable to complete these instructions. It seems this motherboard refuses to boot from USB. I have tried to burn the ISO to a disc but this won't boot either. Well I guess that is it. Thank you for your time, much appreciated.

#35 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 19 June 2011 - 01:13 PM

Okay, I'm going to say this again, the easiest and quickest solution maybe to reformat and re-install the operating system. If you're still not looking to do that, then I'll have to see what else we can try, but I'm not sure how much more we'll be able to do before a reformat and re-install would be required anyways.

This post has been edited by SweetTech: 19 June 2011 - 01:14 PM

#36 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 19 June 2011 - 03:32 PM

Well I appreciate that. I just find it ridiculous that a malware infection requires a reformat. Vista was only installed a few weeks before this happened. Can you think of any other way of removing this "Rootkit.Win32.BackBoot.gen" that doesn't involve booting into a different environment? If not, then reformat it will have to be. Secondly, if I do reformat, what do you suggest I do to prevent this from happening again?

#37 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 19 June 2011 - 04:22 PM

Quote

Well I appreciate that. I just find it ridiculous that a malware infection requires a reformat. Vista was only installed a few weeks before this happened.

It's unfortunate, but sadly an infection is so severe that the only way to effectively and efficiently disinfect it is by reformatting and re-installing the operating system.

Quote

Can you think of any other way of removing this "Rootkit.Win32.BackBoot.gen" that doesn't involve booting into a different environment?

I did think of something else that we can try, but I can't guarantee that it will work. Even if it does work we might encounter a situation where the computer won't boot, and the only option is to reformat and re-install.

If you still want to proceed with trying it do the following:

Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.

Link 1

Link 2

Be sure to print out and read the instructions provided in:

How to Install Kaspersky Virus Removal Tool

How to use the Kaspersky Virus Removal Tool to automatically remove viruses

Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
Vista/Windows 7 users right-click and select Run As Administrator.
If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
When the 'Setup page' appears, click Next, check the box 'I accept the license agreement' and click Next twice more to begin extracting the required files.
Setup may recommend to scan the computer in Safe Mode. Click Ok.
A window will open with a tab that says Autoscan and one for Manual disinfection.
Click the green Start scan button on the Autoscan tab in the main window.
If malware is detected, you will see the Scan Alert screen. Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
Copy and paste the report results of any threats detected and if they were successfully removed in your next reply. Do not include the longer list marked Events.
When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.

-- If you cannot run this tool in normal mode, then try using it in "safe mode".

#38 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 21 June 2011 - 01:42 PM

Still with me?

#39 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 21 June 2011 - 03:32 PM

Hold on.

#40 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 21 June 2011 - 04:06 PM

#41 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 23 June 2011 - 12:33 PM

No joy!

Autoscan: completed 1 minute ago (events: 2, objects: 3456, time: 00:06:17)
23/06/2011 18:25:02 Task started
23/06/2011 18:31:19 Task completed

#42 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 23 June 2011 - 12:40 PM

I'm running out of ideas over here. I'm not really sure what else we can try aside from a reformat and re-install.

#43 stevejones

Member

Group: Members
Posts: 22
Joined: 06-June 11

Posted 23 June 2011 - 12:47 PM

TDS is the only thing that found it, but no removal option was given... I wonder why they call it "removal tool". :lol:

Ok well I guess we have exhausted all possible avenues. Thank you for your time SweetTech, it is appreciated.

#44 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 23 June 2011 - 01:01 PM

No problem! Sorry the end result couldn't of been more positive.

Take care.

Cheers,
ST.

#45 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 25 June 2011 - 11:24 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.