Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Seneka Rootkit Found by AVG


  • Please log in to reply
13 replies to this topic

#1 NewToThis

NewToThis

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 03 January 2009 - 08:47 PM

Our Windows XP Pro SP3 system is experiencing problems accessing anti-virus websites. The problem first became apparent when AVG Anti-Virus plus Firewall 8.0.200 could not update its virus definitions. The AVG website was inaccessible, but there was not an obvious network connection issue, as other websites were still available. Nothing showed up in the virus scan or stood out in Task Manager. A rootkit scan has revealed 12 hidden seneka* files on the PC.

I do not know how to rid my computer of a rootkit. I can only get to bleeping computer using my phone! Help, please!

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:09:54 PM

Posted 03 January 2009 - 08:50 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

---------------------------------

If mbam won't install

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 NewToThis

NewToThis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 03 January 2009 - 09:46 PM

Here is my Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 5.1.2600 Service Pack 3

1/3/2009 8:56:56 PM
mbam-log-2009-01-03 (20-56-56).txt

Scan type: Quick Scan
Objects scanned: 75796
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 24
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nnnllIxW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ppkewbjc.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{477c8e1c-0fb3-41ff-b8ba-643d3c2ffa4a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{477c8e1c-0fb3-41ff-b8ba-643d3c2ffa4a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvulkkcu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{477c8e1c-0fb3-41ff-b8ba-643d3c2ffa4a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4049c8a2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnllixw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nnnllixw -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nnnllIxW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WxIllnnn.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WxIllnnn.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlkKCu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppkewbjc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cjbwekpp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tgogqjbf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fbjqgogt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekakltngwrt.dll (Trojan.Seneka) -> Delete on reboot.
C:\Documents and Settings\Rich Green\Local Settings\Temp\seneka6256.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich Green\Local Settings\Temporary Internet Files\Content.IE5\CCEFMPUN\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich Green\Local Settings\Temporary Internet Files\Content.IE5\CCEFMPUN\InstallAVg_770522166350[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich Green\Local Settings\Temporary Internet Files\Content.IE5\ECSRRUSJ\InstallAVg_770522166350[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Angela Green\Local Settings\Temporary Internet Files\Content.IE5\UKVBWKP9\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2009\av2009.exe.tmp (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekappxdqvmt.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekauirftjlb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekajrudqppk.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\cbXOExUM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by NewToThis, 03 January 2009 - 10:05 PM.


#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:54 PM

Posted 03 January 2009 - 10:55 PM

C:\WINDOWS\system32\drivers\senekajrudqppk.sys (Trojan.Agent) -> Delete on reboot.


This one right here is the core of the problem

You cant see them because they are cloaked by rootkit malware technology .

You have a serious and very real infection .


from the lead researcher at MBAM

reboot, update MBAM and run another scan
Chewy

No. Try not. Do... or do not. There is no try.

#5 NewToThis

NewToThis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 03 January 2009 - 11:49 PM

I updated Malwarebytes' Anti-Malware and ran it again:

Database version: 1607
Windows 5.1.2600 Service Pack 3

1/3/2009 10:20:26 PM
mbam-log-2009-01-03 (22-20-26).txt

Scan type: Quick Scan
Objects scanned: 76360
Time elapsed: 12 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sprolm.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{935da119-f593-4c76-a1f0-7b5ec6efa711} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{935da119-f593-4c76-a1f0-7b5ec6efa711} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{935da119-f593-4c76-a1f0-7b5ec6efa711} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sprolm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\apqjmlyp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dlazyy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcipevxa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich Green\Local Settings\Temporary Internet Files\Content.IE5\0FL95WJD\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Angela Green\Local Settings\Temporary Internet Files\Content.IE5\DZ9ESYX3\index[3] (Trojan.Vundo) -> Quarantined and deleted successfully.


I restarted the computer and ran it one more time:

Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 5.1.2600 Service Pack 3

1/3/2009 10:43:04 PM
mbam-log-2009-01-03 (22-43-04).txt

Scan type: Quick Scan
Objects scanned: 76403
Time elapsed: 15 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Am I done??

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:54 PM

Posted 03 January 2009 - 11:56 PM

Due to the serious nature of this rootkit I have asked an expert to look at this thread
Chewy

No. Try not. Do... or do not. There is no try.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:54 PM

Posted 04 January 2009 - 12:03 AM

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, I recommend following up and further investigation by submitting a DDS/Hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Psuedo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 LittleBox

LittleBox

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:54 PM

Posted 04 January 2009 - 12:20 PM

Hi, thanks for your notes! I ran into the seneka and AVG did not catch it. Experience simular problem noted in previous post. After much time my pc seem a bit more stable. But not sure what I do not know that still lingers. Are there any notes out there that this virus steals ID info. If so what kind. Also my MSconfig is no longer working.... I've seen other post that mention the regedit, taskmanager, and msconfig not running from Start\Run box. Does anyone know how to enable the msconfig... the command is excepted in the 'run' box... but then it closed before the dialogue box comes up... no error message?
Thanks in advance :thumbsup:

ps: I've since loaded Norton, Malawarebytes, ccleaner, and a few others... but not sure if they dug and served the same as the rootkit mentioned ealier. thnx

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:54 PM

Posted 04 January 2009 - 03:08 PM

Some malware infections target and place restrictions on files such as regedit.exe, cmd.exe, msconfig and taskmgr.exe. These restrictions can be fixed but unless the malware is fully cleaned, they will probably reappear. That's why I recommended following up and further investigation by submitting a DDS/Hijackthis log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 NewToThis

NewToThis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 04 January 2009 - 03:14 PM

I've decided to restore my computer. I've backed up the documents I need to disk. My question is, can I trust the recovery media that I just created from the partition on my computer? My Sony Vaio laptop didn't come with separate reinstallation CDs...

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:54 PM

Posted 04 January 2009 - 03:29 PM

Reformatting/restoring a hard disk deletes all data. If you decide to reformat or do a factory restore, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 NewToThis

NewToThis
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 05 January 2009 - 01:36 PM

Thanks for all of your help. I've reformatted the drive, updated the Windows software, and reinstalled the anti-virus protection. I'm slowly scanning and moving the documents back to the PC. I appreciate all of your help - is there anything else that I need to know?

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:54 PM

Posted 05 January 2009 - 01:42 PM

You're welcome.

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".
• "Use Task Manager to close pop-up messages to safely exit malware attacks"

• Avoid gaming sites, underground web pages, pirated software, crack sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 Byte Me

Byte Me

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:54 PM

Posted 06 January 2009 - 08:26 PM

Just wondering, I ran into the same rootkit virus that the original poster had with the same symptoms and DL'd and ran the software from this site to clean the computer. Im wondering whether or not to re-format and re-install. This computer is only used for online gaming (WoW) and occasionally (rare) some online shopping thru a debit card account that has a pittance amount in there at most. Ive changed all PW's i can think of thru another computer, so really my only question is how much info can the hacker get thru having the debit card number?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users