
Possible Rootkit infection, Even After Recover of system



#1 ChrisR67

ChrisR67

  • Members
  • 9 posts

Posted 28 September 2010 - 05:39 PM

Hello, I am new to Bleeping Computer. Thanks for taking time to help. I am using Windows XP Home Edition 2002 (SP2) on a Compaq Presario V2000 Laptop, circa 2007. A couple of weeks ago, it was infected by a virus or malware that causes redirect from the IE and Mozilla Search Bar (the one up by the Browser Bar). Searches are OK straight from Google and other search pages.

Also, I was getting frequent svchost.exe errors, and an Error Box about Gen Windows Services 32 has encountered an error and must shut down. When that shut down, I lost USB Port functionality and sound.

PLUS, I got a popup for a Fake Spyware removal program.

Scanned with Malwarebytes and Ad-Aware, found and cleaned a few things, then nothing. Problem persisted.

As last resort, did the Destructive Recovery from the Compaq D Drive.

And, I still have issues. Still have the redirect. So far, have not had an svchost.exe error.

Cannot get to Windows Update web page to load.

I did commit a Bleeping Computer No-No, before I knew it was a No-No. Read about, downloaded, and ran ComboFix. Log says it found Rootkit activity.

Still have the issues after running ComboFix. I also have downloaded HiJack This and run it, will post the log if requested.

Any thoughts?

Thanks,

Chris

Edited by Budapest, 28 September 2010 - 07:48 PM.
Moved from XP ~BP




#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 28 September 2010 - 05:42 PM

Try checking the DNS settings on your router as they may have been changed by the Malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
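Budapest's advice is to check whether the DNS settings were changed. As an added example (not code from the thread or from BleepingComputer), here is a Python check that parses `ipconfig /all` output and the hosts file, listing resolvers that are not on a known-good allowlist and hosts entries that override search-engine names. The `ipconfig` text, the hosts file, the allowlist and the address 203.0.113.53 are constructed samples; the allowlist (router plus ISP resolvers) is an assumption the operator supplies, since ISP resolvers are legitimately public addresses.

```python
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
IPCONFIG_SAMPLE = """\
Ethernet adapter Wireless Network Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
"""

# Constructed hosts file (the real one is %SystemRoot%\system32\drivers\etc\hosts).
HOSTS_SAMPLE = """\
127.0.0.1       localhost
10.0.0.99       search.msn.com   # pins a search site to an unexpected address
"""

# The first resolver follows the colon; extra resolvers sit on deeply indented lines.
DNS_RE = re.compile(r"DNS Servers[ .]*: *(\S+)((?:\n[ \t]{20,}\S+)*)")
GW_RE = re.compile(r"Default Gateway[ .]*: *(\S+)")

def dns_servers(ipconfig_text):
    """Return every DNS server address listed in `ipconfig /all` output."""
    servers = []
    for m in DNS_RE.finditer(ipconfig_text):
        servers.append(m.group(1))
        servers.extend(m.group(2).split())
    return servers

def default_gateway(ipconfig_text):
    m = GW_RE.search(ipconfig_text)
    return m.group(1) if m else None

def flag_dns(servers, allowed):
    """Resolvers that are not on the allowlist (normally the router and the ISP's resolvers)."""
    return [s for s in servers if s not in allowed]

def flag_hosts(hosts_text, watched=("google.com", "bing.com", "search.msn.com", "yahoo.com")):
    """hosts-file lines that pin a search-engine name to an address, as (name, address) pairs."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments; blank lines yield []
        for name in fields[1:]:
            if any(name == w or name.endswith("." + w) for w in watched):
                hits.append((name, fields[0]))
    return hits
```

If the router is the only resolver listed, this check cannot see a change made on the router itself: a hijacked router still hands out its own address here, so its upstream DNS setting has to be compared against the ISP's values in the router's admin page.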

#3 ChrisR67

ChrisR67
  • Topic Starter

  • Members
  • 9 posts

Posted 28 September 2010 - 05:47 PM

Thanks for the quick reply. How do I check those settings and know they are incorrect?

I only get redirected when using the search bar built into the browser, IE and Mozilla. But, not within a search site itself.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 28 September 2010 - 05:51 PM

You can try to reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Gabrial

Gabrial

  • Members
  • 468 posts

Posted 28 September 2010 - 06:33 PM

When you did the destructive recovery, were there any errors in the process, like a CRC error or anything? I'm wondering if your recovery archive could have gotten infected. Did you create a Recovery CD/DVD set when you got your computer? Recovering from this DVD set would be safer than recovering from the hard drive recovery partition.

Edited by Gabrial, 28 September 2010 - 06:34 PM.


#6 ChrisR67

ChrisR67
  • Topic Starter

  • Members
  • 9 posts

Posted 28 September 2010 - 06:49 PM

Nope. All that did was make me have to run the Network Setup again. Only the infected laptop is having the issues, no other computers used on the wireless network redirect. Just a wicked bug. I expect I'll end up doing a total wipe and installing Windows again, instead of the Recovery from the D Partition.

Thanks anyway.

#7 ChrisR67

ChrisR67
  • Topic Starter

  • Members
  • 9 posts

Posted 28 September 2010 - 06:51 PM

No errors that I recall. If I made a set of recovery disks, I can't find them. I was prompted to make them when I did this recent Recovery, but didn't.

#8 Gabrial

Gabrial

  • Members
  • 468 posts

Posted 28 September 2010 - 07:38 PM

It's possible you have a master or partition boot record infection, or that the boot loader is infected on the restore partition.

Try deleting the Windows partition from the drive, then doing the recovery so it doesn't take any shortcuts and leave data on an existing partition.
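Gabrial raises the possibility of a master boot record infection. As an added example (not from the thread), here is a Python integrity check for a raw 512-byte MBR: it verifies the 0x55AA signature, parses the four partition table entries, and compares a SHA-256 of the 446-byte boot code against a baseline taken from a known-clean image of the same machine. The boot code bytes and the baseline are constructed stand-ins; a real sector is read with administrator rights from the first 512 bytes of the physical disk.

```python
import hashlib
import struct

# Constructed stand-in for the OEM boot code; a real baseline comes from a known-clean
# image of the same machine (first 512 bytes of \\.\PhysicalDrive0 on Windows, /dev/sda on Linux).
KNOWN_GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_CODE.ljust(446, b"\x00")).hexdigest()

def build_sample_mbr(boot_code):
    """Build a constructed 512-byte MBR: boot code, one bootable NTFS partition, 0x55AA."""
    boot = boot_code.ljust(446, b"\x00")
    # status, CHS start (3 bytes), type, CHS end (3 bytes), start LBA, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048000)
    return boot + entry + b"\x00" * 48 + b"\x55\xaa"

def parse_mbr(sector):
    """Split a raw sector into a boot-code hash and the used partition table entries."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:   # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(), "partitions": parts}

def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means the sector matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    return findings
```

A boot-code mismatch against a trusted baseline is the signal to look for before reinstalling; a recovery partition's own boot sector can be checked the same way by reading its first sector at the start LBA that the partition table reports.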

#9 ChrisR67

ChrisR67
  • Topic Starter

  • Members
  • 9 posts

Posted 28 September 2010 - 07:51 PM

If I delete the D Partition, won't it delete the recovery files and prevent it from recovering? I have copied that drive's contents to an external HD. Can I somehow use that?

If I make recovery disks now, are they likely to capture the current infection?

And, Question 3: Could I use a Dell Desktop Windows XP disc to reinstall Windows on the Compaq if I do a complete disk reformat?

#10 ChrisR67

ChrisR67
  • Topic Starter

  • Members
  • 9 posts

Posted 28 September 2010 - 09:52 PM

Went ahead and wiped it clean! New Windows install... well, inasmuch as a Windows XP Home Edition from the early 2000s is new. Wonder what'll happen next.



