remove external hard drive before malware removal?

10 replies to this topic

#1 claygirl (Members)

Posted 10 May 2010 - 05:17 PM

Hi everyone...I am getting ready to follow all the steps in your tutorial to clean up my system. I had been using spybot but couldn't run some of the programs they asked me to without locking up, so I have uninstalled spybot and am starting over.

My question is...if there is a root kit...would it also be on the external harddrive that I use for backup? It is always connected and backs up with Norton. Should I disconnect from it before proceeding or does it not matter?

Thanks!

#2 hamluis (Moderator, Killeen, TX)

Posted 10 May 2010 - 05:39 PM

If you have a rootkit...you ought to be posting at BC Am I Infected Forum, as a first step to attempting to overcome it, IMO.

Louis

#3 claygirl (Topic Starter)

Posted 10 May 2010 - 06:04 PM

I see that...I'm starting at the beginning with the cleaning, are you sure it's malware, etc. I think I have a rootkit because spybot wouldn't load, and that's what they said it was, but I was unable to use several of the programs they wanted me to run. Shouldn't I go through the steps first? I'm fairly computer literate, I just didn't know if the rootkit would be in the external drive as well, or should I unplug it before continuing with disk cleanup, etc.

#4 hamluis (Moderator)

Posted 10 May 2010 - 06:50 PM

I'm certainly no authority on malware...but, before I did anything...I would check with the folks in the forum I linked to.

To my way of thinking...an infected system makes all connected drives/systems...fair game...but, as I said, the folks at Am I Infected can provide better guidance regarding such.

Louis

#5 Papakid (Malware Response Team)

Posted 11 May 2010 - 01:41 PM

Hi claygirl,
The short answer to your question--if you can call it short--is that whether or not your external drive is connected or not is not likely to affect whether an installed rootkit runs or not. For the most part, they are tied to your operating system and its registry, so it runs when the OS runs. To run the malware it is hiding--rootkits are basically cloaking devices and not malware in and of themselves--it might call on files stored on any drive, but the rootkit itself will be "on" your drive that Windows is installed on, which is C for most people.

Any time you clean up an infected system, whether it is a rootkit based infection or not, it is imperative that you leave all drives connected so that you can find malicious and related files. If you disconnect your external before cleanup, then clean your system, when you re-connect you could well re-infect your now clean computer. Either from an autorun infection, that re-infects pretty much as soon as you plug the drive back in, or because you backed up malicious files that get reactivated one way or another--very easily done if your backups are images of the entire drive instead of selected data.

What you do want to disconnect from--before a cleanup--are other computers on a network. They have their own operating systems and so could be programmed to reinfect you while you are in the process of cleaning up. Depending on the severity of the infection, this could also apply to being connected to the internet.

So I agree with Louis that you should get some help. Please don't take offense, but I can tell by your posts that you shouldn't try cleanup by yourself, even tho you are fairly computer literate. Today's malware is much too sophisticated and dangerous to be fooled around with lightly. On the other hand, both the Am I Infected and the malware removal forums are extremely busy and thus slow to respond on average. If you would allow me to do some pre-screening, I may be able to save you some worry and our helpers some time, because it is not at all clear to me why you suspect you have a rootkit. So please answer the following questions in as much detail as possible.

1. What specific tutorial are you referring to that you have been trying to follow? Please post a link to it. I can't seem to find a pinned topic that recommends installing Spybot S&D. In the early days of the forum Spybot was used a lot but most people now don't recommend it and I no longer use it, personally. There are much more effective tools available now that are also more user friendly.

2. What symptoms have you experienced in the first place that made you suspect a rootkit and to search for a tutorial to possibly clean it up?

3. What antivirus are you running and has a full system scan found anything of concern?

4. What other programs have you tried so far? You said, "I was unable to use several of the programs they wanted me to run. Shouldn't I got through the steps first?" This is another reason I would like to know what tutorial you are referring to--there may be other reasons programs aren't running, such as an older tutorial that recommends programs and tools that are now obsolete. The malware arena is very dynamic--severe infections come and go, as do the tools designed to deal with them and it is very difficult to keep all information updated to reflect that.

The thing about people is they change when they walk away. --Mipso
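
Papakid's warning about re-plugging a backup drive and getting re-infected by an autorun infection is worth making concrete. The script below is an added example, not code from the thread or from any tool it mentions: it parses the text of an `autorun.inf` the way classic Windows AutoRun reads it and reports every entry that would cause a program to run on insertion (`open=`, `shellexecute=`, `shell\verb\command=`) plus the `shell=` default-verb trick that makes a double-click on the drive icon launch the command instead of opening the folder. The two sample files, the `RECYCLER` path and the SID-like folder name are constructed placeholders, not indicators from any real infection.

```python
"""Added example (not from the thread): list what an autorun.inf would launch so a
cleaned machine's owner can inspect a backup drive's root before trusting it again."""
import re

# Keys whose value names a program to run on insertion (classic AutoRun behaviour).
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions Windows treats as directly executable; illustrative, not exhaustive.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|dll)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}; other sections are ignored."""
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_actions(entries):
    """Every (key, command) pair that would cause something to execute."""
    actions = []
    for key, value in entries.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_cmd:
            actions.append((key, value))
    return actions


def assess(text):
    """Summarise an autorun.inf: what it runs and whether it hijacks the default verb."""
    entries = parse_autorun(text)
    actions = launch_actions(entries)
    # 'shell=<verb>' makes that verb the default, so a plain double-click on the drive
    # in Explorer runs the verb's command instead of opening the folder.
    default_verb = entries.get("shell")
    hijacks_double_click = bool(default_verb) and any(
        key == f"shell\\{default_verb.lower()}\\command" for key, _ in actions
    )
    return {
        "actions": actions,
        "would_execute": any(EXEC_EXT.search(cmd) for _, cmd in actions),
        "hijacks_double_click": hijacks_double_click,
        "label": entries.get("label", ""),
    }


# Constructed samples; the paths and the SID-like folder name are placeholders.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Backup Drive
"""

SUSPICIOUS_INF = r"""; constructed sample, not a real file
[autorun]
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\setup.exe
shell\Open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\setup.exe
shell=Open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, assess(inf))
```

A drive whose `autorun.inf` only sets `icon=` and `label=` is what a vendor-shipped backup disk normally looks like; anything in the `actions` list deserves a look before the drive stays plugged in, and the safer long-term fix on XP-era systems is to disable AutoRun for removable media altogether.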


#6 claygirl (Topic Starter)

Posted 11 May 2010 - 04:25 PM

Thanks so much for responding to my query. I was already using Spybot, and went to run it and it wouldn't open. A search on their website took me to this FAQ: http://www.safer-networking.org/en/faq/67.html The gmer.exe, & rootrepeal both repeatedly locked up my system. I just got so frustrated I uninstalled everything I had downloaded. I got the impression from the FAQ in the link that if spybot won't open, I have a rootkit. I have an older pc, running Windows XP, but it's just for home use. It's just gotten really slow.

Norton 360 - hasn't found anything.

The tutorial I was referring to is on this website.."preparation Guide for Use Before Using Malware Removal Tools and Requesting Help" under Item #2 there is a link called "Slow Computer/browser? Check Here first: It may not be malware"

I haven't gotten very far..I've done chkdsk, cleaned, and a couple of other things. I also have discovered combofix on my computer which I am sure I didn't intentionally download. So I don't KNOW if I have a rootkit, or malware, just want to be sure. Thanks for your help.

#7 Papakid (Malware Response Team)

Posted 12 May 2010 - 01:22 AM

Well, you're welcome for the help and thank you for giving complete answers to my questions--that is actually kind of rare so you did a good job at that.

Judging from the page you were looking at on the Spybot site I can certainly see why you would think you could have a rootkit. In my opinion, it is a bit of a jump to conclude that a rootkit is the cause without more information. From that one set of circumstances alone it is possible but I would say it isn't as likely--and if it is caused by an infection it could be malware alone and not necessarily malware hidden by a rootkit.

Spybot not running could be caused by other, non-malware issues. A prime suspect would be that Norton 360 is interfering in some way. It is a very large and comprehensive program and the more complex something like that is, the more that can go wrong. That could explain why GMER and Root Repeal also do not run. Antivirus and other security software has to be very aggressive to deal with today's malware and often mistake one another for something malicious. This is why victims are often asked to disable their protection programs while doing a cleanup. The following thread was created for that reason: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

And if not Norton, a bad update from Spybot itself could cause problems. I've looked tonight at the Spybot support forums and don't see an obvious trend of reports of one bad update--there are a few that may or may not be related to your problem, but one caught my eye: http://forums.spybot.info/showthread.php?t=57262

Question: When did Spybot first refuse to run? Was it any time around May 5?
More questions: What happens when you try to run it? Do you get any errors or other messages and if so what exactly is the message?

Did you try to run System Restore to a time before the problem with Spybot? If not I would give this a try first.

Altho rootkitted malware could be truly stealthed--it would remain hidden so that you never know it's there--the malware it hides usually gives itself away as an infected computer will exhibit a list of symptoms. Some common symptoms:
1. System tools that help you find and deal with infections become inaccessible--such as msconfig, Task Manager, regedit, Security Center, Control Panel applets, etc.
2. You are blocked from accessing security related websites. For example, you would not be able to visit any Symantec website, or Safer networking (Spybot) and sometimes even BC.
3. If you do manage to download other security tools, you could be blocked from installing them or, if installed, they cannot be run.
4. When you search on Google or other search engines, you get redirected to something else.

There are others, but the point is if you don't have more of these obvious symptoms than what you've told me so far, then you are probably looking at something besides a malware issue. A slow computer is another sign, but it is usually a sudden slow down, not a gradual one. My computer is old too and has slowed down on me, even tho I keep it pretty clean--that's normal unless you've done a good deal of upgrading. I understand you want to be sure, so let's try a few things first that might rule out malware. Then if you still want to proceed with a rootkit search that would be up to you.

First, try the System Restore I alluded to earlier. Let me know what happens or if there are special circumstances in your case, such as having System Restore turned off. Also check that your system tools such as msconfig, Task Manager, etc., are still functioning.

Second, try disabling Norton, according to the instructions in the thread linked to above and see if you can get Spybot to run. You might also try running Spybot in safe mode. This may not help tho, as Norton could have self-protection mechanisms in place that allow it to interfere whether in safe mode or not and you may not be able to disable it easily. If it were me, I would uninstall Norton completely, run Norton's removal tool, then install a lighter free AV, such as AntiVir, if only temporarily.

Third, download install and run both Malwarebytes' Anti-Malware and SuperAntispyware. Refer to this tutorial to run MBAM:
http://www.bleepingcomputer.com/virus-remo...alware-tutorial

SAS is here: http://www.superantispyware.com/?rid=3324

Let me know if you have any problems installing and running these programs--and you may need to try both with and without Norton enabled. If they run and any malware is found, post the logs here please.

Lastly, try running Spybot according to the instructions here: http://forums.spybot.info/showthread.php?t=50194
At the end of it, don't worry about posting at their malware removal forum as you have already requested help here. However, if we determine that this is mostly an issue with Spybot, posting to their support forum might get you better help and let others with the same issues know what is up. You may notice that the instructions are very similar to what you were looking at on the Spybot website. The difference is that this thread correctly notes that malware could be the problem, rather than a rootkit only, and the webpage you were looking at is gathering data for email support. It's been my experience that you get better support from forums than those developers.

As far as ComboFix, I don't see why any malware would have downloaded it to your computer. So last question is, have you had anyone over to have a look at your computer? I.E., you've asked someone to help you out that sat at the keyboard? Or does anyone at all besides you have access to your computer?

Edited by Papakid, 12 May 2010 - 02:05 PM.

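
Symptom 2 in Papakid's list, being blocked from Symantec, Safer Networking or BC, is often done by planting entries in the Windows hosts file so those names resolve to loopback or to an attacker-chosen address. The check below is an added example, not code from the thread or from any tool it names: it parses hosts-file text and reports any security-vendor hostname that is mapped at all, classifying loopback/unspecified targets as a sinkhole and anything else as a redirect. The domain list is illustrative and drawn from the vendors mentioned in the thread; the sample hosts file and its addresses (RFC 5737 test space) are constructed.

```python
"""Added example (not from the thread): flag hosts-file entries that sinkhole or
redirect security vendors' sites, one of the symptoms listed above."""
import ipaddress

# Illustrative list built from vendors named in the thread; extend for your own environment.
SECURITY_DOMAINS = (
    "symantec.com", "norton.com", "safer-networking.org",
    "bleepingcomputer.com", "malwarebytes.org", "superantispyware.com",
)


def _matches(hostname, domains):
    """True if hostname is one of the domains or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping; comments and blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, so not a mapping
        for hostname in fields[1:]:
            yield lineno, ip, hostname


def find_tampering(text, domains=SECURITY_DOMAINS):
    """Return findings for security-site hostnames that a hosts file should never map."""
    findings = []
    for lineno, ip, hostname in parse_hosts(text):
        if not _matches(hostname, domains):
            continue
        # loopback/unspecified: the connection fails outright; anything else: silently redirected
        kind = "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"
        findings.append({"line": lineno, "host": hostname, "ip": str(ip), "kind": kind})
    return findings


SAMPLE_HOSTS = """# constructed sample hosts file, not taken from a real machine
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       safer-networking.org   # spybot's site
0.0.0.0         www.bleepingcomputer.com
192.0.2.10      liveupdate.symantec.com   # RFC 5737 test address as a placeholder
127.0.0.1       myprinter.local
"""

if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_HOSTS):
        print(finding)
```

On Windows XP the file lives at `%SystemRoot%\system32\drivers\etc\hosts`; a clean one normally contains only the `localhost` line, so any vendor hostname in it is worth explaining before concluding the machine is clean.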


#8 claygirl (Topic Starter)

Posted 12 May 2010 - 06:37 AM

Wow...thank you so much for the research and help. I guess I'm not as "literate" as I thought. :0). I have completely uninstalled spybot, I had this problem once before and sent them some logs, and then it worked, but I didn't really change anything, so I don't know what that was about. I hadn't run it in about a month, so I did try a system restore. The message I received was that the system could not be restored. I've had that happen before, and never understood why.

When loading spybot it would just hang on the loading screen, I never got a message or anything. I didn't disable Norton prior to running GMER or rootrepeal, so maybe that was it, but I never got a message, my computer would just lock up.

Maybe I'm just dealing with an old computer...I do NOT have any of the symptoms you describe, it just takes a long time to open email, access the internet, go from page to page on the internet, or bring up Word or Excel. I'm wired to DSL with a wireless router for laptop use in the house and they are lightning fast, but also newer.

Should I go ahead and do the Malwarebytes stuff you suggest or re-download spybot and go with that? I'm leaving for work shortly so I won't get to it until this evening, but I will follow your instructions. Also, can I uninstall combofix?

This is a great forum THANK YOU.

#9 Papakid (Malware Response Team)

Posted 12 May 2010 - 01:59 PM

Hi, my apologies for the slow response--I am notoriously slow anyway but I'm also a bit under the weather which makes it worse.

Yes, please, when you get in this evening, run MBAM and follow my previous instructions. Except for trying to run Spybot. If MBAM and SAS don't find anything serious and given you have no other symptoms, I would suggest you leave them installed as a replacement for Spybot. They are much less of a headache.

System Restore not working could be caused by Norton. I'm short on time right now, but in my notes there is a link to a page somewhere that shows that Norton does not get along with System Restore--something to do with Norton's self protection. I'll try to find it when I get back on myself this evening. Windows' cache of Restore Points is also easily corrupted, which would cause your System Restore to fail. I would like for you to also perform a test of SR and we can troubleshoot it a bit later if need be. Go here for instructions: http://bertk.mvps.org/html/tips.html#3

BTW, you may find the info on Norton and SR on that site--lots of good information there. Just do the test and let me know what happens before doing any other troubleshooting.

Let's not uninstall ComboFix just yet, but we will soon. I may be able to get some information from it--in the meantime let me know if it's possible another family member or whoever may have run it.



#10 claygirl (Topic Starter)

Posted 12 May 2010 - 03:49 PM

I'm sorry you're under the weather...hope you're feeling better soon. My dad is in the hospital and I probably won't get to this stuff tonight, so don't worry about getting back to me quickly. The only person I am aware of who's been on my computer is my computer geek son-in-law. I can't imagine why he would download anything - he can't use it in any remote way can he? That was probably 6 months ago? I appreciate your suggestions and will definitely sit down and follow all the steps when I have some uninterrupted time. We're getting ready to have a MAJOR Thunderstorm so I'm getting off here now!! Thanks again.

#11 Papakid (Malware Response Team)

Posted 14 May 2010 - 12:41 AM

Hope everything is OK on your end. Whatever is going on with your father is much more important than anything we do here so no rush from me either, just give us an update as soon as you get a chance.

A computer geek son-in-law is exactly the type of person that would run ComboFix--he shouldn't unless he's been trained at a malware removal forum but it happens all the time.

Again, I hope your father's visit to the hospital wasn't for anything really serious--here's wishing you all the best.
