
Infected computer, suspect rootkit, am total PC noob.

12 replies to this topic

#1 darthjennifer (Members, 9 posts)

Posted 28 September 2009 - 10:09 PM

I'd like to preface this post with this disclaimer: I am a total noob when it comes to PC maintenance. The closest I've ever come to troubleshooting is when I finally managed to tweak the graphics settings enough to get Age of Conan to work on my computer. If you kindly decide to reply to my post, please feel free to explain things to me the same way you would explain them to a third grader. With head trauma.

I have an Acer Aspire on which I'm running Windows XP. When I first got it, I was running Norton Antivirus and continued to do so for two years. Recently I decided I wanted to switch to Kaspersky and tried to uninstall Norton. I don't know what I did wrong, but it turned into a complete mess. I ended up uninstalling practically everything on it, including all security programs, to try and fix the problem and make sure I had gotten all of Norton out. I had only limited internet access while I did these things.

Unfortunately, when I figured Norton to be absolutely gone and attempted to install Kaspersky, I found that I could not run antivirus programs on the computer. It would install and set up, but when I tried to update definitions or scan my system, the thing would shut down and go inaccessible. (Even the icons in the, uh, bottom right-hand corner were grayed out.) I tried uninstalling and reinstalling several times, but had the same results. I looked into the program folder and found that every time Kaspersky shut itself down, a dummy main .exe file was created with the same file name that I could neither delete nor get to do anything. Uninstalling the whole thing was the only way to delete the dummy file.

I tried the same routine with a couple other free antivirus programs, all with the same results. I Googled the symptoms and came up with several free online virus scanners, including Kaspersky and Trend Micro. I ran all of them separately and they came up with several viruses or trojans to delete but not much else. The problems did not go away. I think at one point Trend Micro actually came up with a rootkit as one of its results on the earliest attempt, but then I ran virus removal without saving the scan results and I haven't seen it since.

I've also attempted to run RootRepeal (Reveal? Reduce? Re-something?), with the exact same reaction as with an antivirus program. I've tried a couple of other rootkit-specific tools (all the names of which I've forgotten, I just remember that they were free and I got the links from either this site or pctools), with zero effect. Everything keeps getting disabled.

At this point, I've also lost drag and drop ability on the system and now the internet goes in and out, mostly out. I've gotten so desperate I actually considered paying Geek Squad to take a look at my baby. (But they want one-fifty! Just to look at it! Srsly?)

It's almost impossible to get online from that computer now, and I can't copy anything from flash drives or CDs. I can't think of a way to get anything off of the computer, and I'm also afraid of infecting my new computer with the same virus (rootkit? Is that possible?) if I try anything.

My primary goal here is to just get some of my files off of that computer. I've resigned myself to reformatting and have no problems with that, as it could probably use a wipe or two anyway. I've already removed superfluous programs and do not have anything particularly important or critical on that system.

I just spent such a long time saving those image and music files. My iTunes folder was a work of art. My fanart folder was organized by category, theme, and title! I think I'm gonna cry.

Is there anything I can try?


#2 boopme (Global Moderator)

Posted 28 September 2009 - 10:35 PM

I think you should try starting here with the VIPRE Rescue Program.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 darthjennifer (Topic Starter)

Posted 29 September 2009 - 12:21 AM

Downloaded VIPRE, got it onto the affected computer via flash drive, and ran it. With the first scan, it detected 30 (!) threat traces, 12 of which were rootkits, 12 were modules, and 6 were files. It automatically attempted to clean them and two objects were quarantined before VIPRE just...stopped working. I attempted to rerun it with the same file, only to find that the program had been disabled, just like all the other antivirus programs.

I then deleted it wholesale from the computer and ran it from the flash drive again. It worked, the scan went through, and 28 threat traces were detected, 12 rootkits, 12 modules, and 4 files. This time, it didn't even get to quarantine anything before I was back at the C:\VIPRERESCUE> command line. The program has again been disabled.

I attempted to look in the program folder for a log, but saw nothing likely. (Maybe the .csv or .xml files?) I also tried to run the /log command from the line, but was unable to execute since the program is disabled by the time I have a chance.

Insert tears of frustration here...?

#4 boopme (Global Moderator)

Posted 29 September 2009 - 09:20 AM

Can we run MBAM now?
If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#5 darthjennifer (Topic Starter)

Posted 29 September 2009 - 10:03 PM

I saved mbam_setup.exe (as zztoy.exe) and mbam_rules.exe to my flash drive and installed the program on the computer. Before launching it, I ran mbam_rules.exe to manually update definitions. I checked Perform Quick Scan and then hit Scan. MBAM was immediately shut down and disabled and wouldn't run from any icon, same as previous antivirus programs.

Did I do something wrong?

#6 boopme (Global Moderator)

Posted 30 September 2009 - 11:58 AM

It's the malware; it still has many things screwed up. Let's see if we can fix the policies and get stuff to work. Just in case, do you have an install CD? You may be so fouled up that that will be necessary.
FixPolicies
Download FixPolicies.exe,by Bill Castner, MS-MVP to your Desktop.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar. This will create a new folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close.
The active malware may revert these changes at your next startup. You can safely run the utility again.

#7 darthjennifer (Topic Starter)

Posted 30 September 2009 - 03:06 PM

I actually don't have the install CD. My Windows is genuine, but I seem to have lost the disk that came with the computer a couple of years ago. I was going to look into replacing the CD (I'm looking at the instructions on the Microsoft support page), but wanted to fix the malware problem beforehand. Now I'm not sure what to do.

If I try to move stuff off of my infected computer as it is now, is there a chance the malware will come with it? I really only want to get my music and files off of there before I format, so if I can do it safely now I may just go ahead. (Actually, now that I think about it, I think the malware disables my ability to move files around on the system, so this may be a moot question...) I've also been using a USB flash drive between the new computer and the old one. Am I putting my new computer at risk of infection?

Will dl and run FixPolicies as soon as I get home.

And I just wanted to say, thanks a whole bunch, boopme. I was completely at a loss for what to do and I really appreciate the time you're taking to help me. :D

#8 boopme (Global Moderator)

Posted 30 September 2009 - 03:32 PM

I have more info if we have to reinstall, but this will help for now.
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

You're welcome!

#9 darthjennifer (Topic Starter)

Posted 30 September 2009 - 09:13 PM

OK, got Fix_Policies on the computer and ran the .cmd file. Black box flashed briefly onscreen. Then I...wasn't sure what to do, so installed and attempted to run MBAM again.

Results remain the same.

...?

#10 boopme (Global Moderator)

Posted 30 September 2009 - 10:08 PM

Ok let's give this a go.
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11 darthjennifer (Topic Starter)

Posted 30 September 2009 - 10:57 PM

Ran MBAM_clean and rebooted computer. Installed the newest MBAM (following your link) and updated. However, after restart I noticed that MBAM was not in the task tray. Attempted to run MBAM anyway, was shut down. Uninstalled and ran MBAM_clean again.

Then I went to Kaspersky and tried the online scan. It seemed to go well until it tried to update definitions. Then I received an error:

"Update has failed! The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.

Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: key file creation date is invalid. Check the system date.]"

I checked my connection, which was fine. (Unusually fine.) Then I attempted the scan again, three times. I received the same error again and again.

Am I making an error somewhere in here?

#12 darthjennifer (Topic Starter)

Posted 07 October 2009 - 07:14 PM

OK, it's been a week, so...if the malware infection is completely hopeless and there's pretty much nothing I can do but format...is there any danger in moving files off of that computer first? By files I mean images, music, and documents (mostly .jpgs, mp3s and iTunes, and OpenOffice docs).

Can I move those onto a flash drive and carry them over safely, or do I risk also bringing the viruses/rootkits/wrath of God along?

#13 boopme (Global Moderator)

Posted 07 October 2009 - 07:38 PM

Not an unwise decision to make and the one I would choose in this situation. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
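The two backup rules boopme gives in #8 and #13 (carry over only data files; skip .exe/.scr/.htm/.html/.xml/.zip/.rar), his warning about a hidden second extension, and the Flash_Disinfector note about autorun.inf can all be turned into a check you run on the clean computer before the flash drive's contents are copied anywhere. The script below is an added example written for this thread; it is not part of any tool mentioned here and none of it was posted by the participants. Beyond the extension rules, it adds two checks a practitioner would want: a file whose name ends in a data extension but whose contents begin with the `MZ` header of a Windows executable is refused, and the `[autorun]` section of any autorun.inf is parsed so you can see what it would have launched. The sample drive it builds in a temporary folder, including the fake autorun.inf and the `RECYCLER\...` path in it, is constructed for the demonstration only.

```python
import os
import tempfile

# Data-file extensions boopme lists as safe to carry over, plus common ones
# for the photos, music and OpenOffice documents mentioned in the thread.
ALLOWED_EXT = {".doc", ".txt", ".mp3", ".m4a", ".jpg", ".jpeg", ".png", ".gif",
               ".odt", ".ods", ".odp", ".pdf"}
# Extensions boopme says not to back up, plus other script/launcher types.
BLOCKED_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
               ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".inf"}


def classify(path):
    """Return (verdict, reason) for one file: 'copy' or 'skip'."""
    name = os.path.basename(path).lower()
    if name == "autorun.inf":
        return "skip", "autorun.inf: inspect it, never copy it"
    # Split on every dot so "funny.jpg.exe" yields two extensions.
    exts = ["." + p for p in name.split(".")[1:]]
    if not exts:
        return "skip", "no extension"
    last = exts[-1]
    if last in BLOCKED_EXT:
        if len(exts) > 1 and exts[-2] in ALLOWED_EXT:
            return "skip", "double extension %s%s (executable disguised as data)" % (exts[-2], last)
        return "skip", "blocked extension " + last
    if last not in ALLOWED_EXT:
        return "skip", "unknown extension " + last
    # Content check: a Windows executable starts with 'MZ' whatever it is named.
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":
            return "skip", "MZ header: Windows executable renamed to " + last
    return "copy", "data file " + last


def autorun_launch_targets(text):
    """Return the launch-related keys from the [autorun] section of an autorun.inf."""
    targets = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            # open= and shellexecute= run a program; shell* keys add context-menu verbs.
            if key in ("open", "shellexecute", "icon") or key.startswith("shell"):
                targets[key] = value.strip()
    return targets


def vet_tree(root):
    """Walk root and return {relative path: (verdict, reason)} for every file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            report[os.path.relpath(full, root)] = classify(full)
    return report


def demo():
    """Build a constructed sample 'flash drive' in a temp dir and vet it."""
    root = tempfile.mkdtemp(prefix="infected_drive_")
    samples = {  # constructed contents, not real files from the thread
        "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # real JPEG header
        "song.mp3": b"ID3\x03\x00" + b"\x00" * 16,            # MP3 with ID3 tag
        "notes.odt": b"PK\x03\x04" + b"\x00" * 16,            # OpenOffice document
        "funny.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,        # hidden second extension
        "album.mp3": b"MZ\x90\x00" + b"\x00" * 16,            # executable renamed to .mp3
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,
        "autorun.inf": b"[autorun]\r\nopen=RECYCLER\\S-1-5-21\\setup.exe\r\n"
                       b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n",
    }
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
    report = vet_tree(root)
    with open(os.path.join(root, "autorun.inf")) as fh:
        targets = autorun_launch_targets(fh.read())
    return report, targets


if __name__ == "__main__":
    rep, tgt = demo()
    for path, (verdict, reason) in sorted(rep.items()):
        print("%-5s %-16s %s" % (verdict.upper(), path, reason))
    print("autorun.inf would launch:", tgt)
```

Point `vet_tree()` at the mounted flash drive instead of the temp folder to use it for real; it only reads files, so nothing on the drive is executed. The `MZ` check is deliberately simple: it catches the renamed-executable trick, but a data file that is genuinely a .jpg or .mp3 should still be scanned with an up-to-date anti-virus on the clean machine, as boopme advises, before it is copied back after the reformat.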



