
Trojan.MetaJuan - Rootkit.TDSS Infection


This topic is locked
18 replies to this topic

#1 woofer-001 (Members, 31 posts)

Posted 01 September 2009 - 10:09 PM

Thank you for this site!!
I have an A8N-SLI Deluxe that is badly infected. The viruses first hit me on 8-29-09.

I have seen notices from Norton that I have the "Trojan.Metajuan". Other scanners are saying I have "Rootkit.TDSS", "RogueAntiSpyware.System", "AdwareMaxifiles", "AdwareSoftomate", and "TrojanVirtumonde".

I am getting random windows popping up for non-existent AntiVirus products and Windows Firewall messages about different virus attacks. I have the Windows Firewall turned off since I am using the Norton AV Firewall. I am getting messages during boot about the Google Installer being messed up. Occasionally I am getting a big wallpaper background warning that I have been hit with a virus attack.

I have 4 SATA drives and my boot drive is currently an IDE 160GB. I am currently out of work and all my job search records and resumes are on this PC. I also have a lot of professional and personal files on this PC and am worried the infection might have spread to all 5 drives. My e-mail (Outlook Express) will no longer connect on the network. I am writing this on my wife's notebook as the infected PC is all over the place when trying to go to a specific URL.

If I can get them to load and launch... I am going to try to run DDS and Root Repeal and post the results tomorrow morning.
Any help someone could offer would be appreciated.

I also have a HAL.DLL issue that I had been ignoring for a few weeks by booting off the Windows CD.

#2 boopme (Global Moderator, 73,428 posts, NJ USA)

Posted 01 September 2009 - 10:47 PM

Hello, it appears that your best option is to try posting those that you can, or these, in the HJT forum to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 woofer-001 (Topic Starter, Members, 31 posts)

Posted 02 September 2009 - 09:37 AM

Cannot execute DDS.SCR.
Script window opens then immediately closes while logged on as an ADMINISTRATOR.
Need some help to get DDS and RootKit files to run and log results.
Machine is randomly rebooting on me.
standing by...

Edited by woofer-001, 02 September 2009 - 10:12 AM.


#4 boopme (Global Moderator, 73,428 posts, NJ USA)

Posted 02 September 2009 - 09:43 AM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop-down box set to the default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

#5 woofer-001 (Topic Starter, Members, 31 posts)

Posted 02 September 2009 - 10:06 AM

Downloaded as instructed and the window opened and things started to get annotated then the window abruptly shuts down. No Notepad window.
Attempts to rerun produce this message

"Windows cannot access this specified device, path, or file. You may not have the appropriate permissions to access item"

Earlier when trying to unzip HiJackthis I got this message

"Extracting to "C:\Documents and Settings\All Users\Temp_HijackThis\"
Use Path: yes Overlay Files: no
Error: Access is denied.
Cannot create C:/Documents and Settings/All Users/Temp_HijackThis/HijackThis.exe"


#6 ComputerNutjob (Banned, 125 posts)

Posted 02 September 2009 - 10:25 AM

> I also have a HAL.DLL issue that I had been ignoring for a few weeks by booting off the Windows CD.


"Open the pod bay door, HAL!"

" Error:Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file."

Edited by Amazing Andrew, 08 October 2009 - 01:27 AM.
Mod Edit: Removed Profanity - AA


#7 woofer-001 (Topic Starter, Members, 31 posts)

Posted 02 September 2009 - 10:36 AM

Well, at least my booting off the CD gives me some stability in the face of this "malware stew" boiling around in my PC. My hard drive's Windows directory must be the fricken playground of hell's backyard!

Edited by woofer-001, 02 September 2009 - 10:37 AM.


#8 boopme (Global Moderator, 73,428 posts, NJ USA)

Posted 02 September 2009 - 11:00 AM

Yes, it will keep cooking, no stirring needed.
Let's run the VIPRE Rescue Program.

Now hopefully we can run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#9 woofer-001 (Topic Starter, Members, 31 posts)

Posted 02 September 2009 - 11:33 AM

VIPRE is running...!!
Will let you know what happens

#10 woofer-001 (Topic Starter, Members, 31 posts)

Posted 02 September 2009 - 11:42 AM

Quick Scan completed
Scan time 00:09:11
Rootkits: 4465 scanned, 0 found
Processes: 19 scanned, 0 found
Modules: 1025 scanned, 15 found
Folders: 679 Scanned, 31 found
Files: 3569 Scanned, 215 found
Registry: 35479 Scanned, 97 found
Total:45236 scanned, 358 found
358 Threat Traces were detected

This is followed by three "quarantine completed, reboot needed" entries.
I confess I did not check deep scan or log...
I am going to reboot and run again

Edited by woofer-001, 03 September 2009 - 07:55 AM.


#11 boopme (Global Moderator, 73,428 posts, NJ USA)

Posted 02 September 2009 - 02:40 PM

OK, see what you get. Try the MBAM after too...

#12 woofer-001 (Topic Starter, Members, 31 posts)

Posted 03 September 2009 - 07:54 AM

Just a quick update...

VIPRE has still been running a deep scan for the last 21 hours. Will update the log summary when it finishes.
When they said "deep scan", they weren't kidding.

Yikes!

#13 Blade (Site Admin, 12,704 posts, US)

Posted 03 September 2009 - 08:24 AM

> Just a quick update...
>
> VIPRE has still been running a deep scan for the last 21 hours. Will update the log summary when it finishes.
> When they said "deep scan", they weren't kidding.
>
> Yikes!


I remember one time after my computer crashed and I was running chkdsk; took me two weeks to run. Obviously. . . I had hard drive failure. . . not malware, but I feel your pain about the long winded scans.

In addition to posting the VIPRE log once the deep scan is finished, please try the following. Note that you must download a new copy of RootRepeal for this, and that you need to follow the instructions exactly as given. Otherwise you'll probably just get locked out again.

Please install RootRepeal.
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the "Drivers" tab, and then click the Scan button.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


back to you boop :thumbsup:



#14 woofer-001 (Topic Starter, Members, 31 posts)

Posted 03 September 2009 - 09:54 AM

One of the issues is that this damn virus locks the directories and says I don't have admin rights to them.
Example is the Malwarebytes' Anti-Malware folders.
Heck!... it is my home machine and I DO have a separate Admin account.
Is there any way to re-inherit the access rights down through these folders and respective sub-folders?

#15 boopme (Global Moderator, 73,428 posts, NJ USA)

Posted 03 September 2009 - 07:52 PM

This should help. How to take ownership of a file or a folder in Windows XP
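As an added example (not from this thread or the linked article), the command-line counterpart of that take-ownership procedure for the question in #14: take ownership of the locked folder tree, then reset every file's and subfolder's ACL so permissions inherit from the parent again, and report anything still restricted. It assumes Windows Vista or later (where takeown and icacls are built in), an elevated PowerShell prompt, and the Malwarebytes folder path shown, which is an assumed value.

```powershell
# Added example: restore ownership and ACL inheritance on a folder tree that
# malware has locked. Assumes Windows Vista or later (takeown/icacls are built in)
# and an elevated (Run as Administrator) PowerShell prompt.
# The path below is an assumed value; substitute the folder that is locked.
$Target = "C:\Program Files\Malwarebytes' Anti-Malware"

if (-not (Test-Path -LiteralPath $Target)) {
    throw "Folder not found: $Target"
}

# Guard against resetting a whole drive or the Windows folder by mistake.
$Root = [System.IO.Path]::GetPathRoot($Target)
if ($Target.TrimEnd('\') -eq $Root.TrimEnd('\') -or $Target -like "$env:SystemRoot*") {
    throw "Refusing to reset ownership/ACLs on a drive root or the Windows folder."
}

# 1. Take ownership of the tree recursively (/R), giving it to the Administrators
#    group (/A). /D Y answers the prompt shown when the current user cannot even
#    list a subfolder, which is exactly the state the malware leaves behind.
takeown /F $Target /R /A /D Y | Out-Null

# 2. Replace each object's explicit ACL with the one inherited from its parent
#    (/reset), recursing (/T) and continuing past individual errors (/C).
icacls $Target /reset /T /C | Out-Null

# 3. Verify: list anything that still blocks inheritance or is not owned by
#    Administrators, so a partial reset is visible instead of silently ignored.
$Remaining = Get-ChildItem -LiteralPath $Target -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl -and ($acl.AreAccessRulesProtected -or $acl.Owner -notlike '*\Administrators')) {
            $_.FullName
        }
    }

if ($Remaining) {
    Write-Warning "Still restricted after reset:"
    $Remaining | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "Ownership and inheritance restored under $Target"
}
```

Anything the verification step still lists is a candidate for the rootkit's own hooks rather than a plain ACL problem, and belongs in the RootRepeal/MBAM logs requested above.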
