
Virus remains after clean install of xp


This topic is locked
26 replies to this topic

#1 displayname0516

  • Members
  • 15 posts
  • Local time: 03:23 PM

Posted 26 April 2011 - 10:48 PM

I have a virus that I have not been able to delete off my computer after multiple clean installs of XP. Last week I downloaded a Windows update that popped up in my system tray. After that my PC would not boot at all ("press F1 to retry, press F2 for setup"). So I tried to fix it by going through the Recovery Console. No dice. Then I installed my old hard drive in my PC so I could access the files on my current hard drive and put them on an external drive. Then I did a clean install on both the hard drives.

After running the clean install I downloaded the Dell drivers from the Dell resource CD. I ran ComboFix after that (before even updating XP). It would show that I had an infected file, c:\windows\system32\qmgr.dll, and it said that it disinfected it. I ran ComboFix again and it still showed that same file as infected and disinfected. Then I just went ahead and ran all the updates for XP off the Microsoft website. After that I ran ComboFix and it found rootkit activity.

So now I've done multiple clean installs of XP on both hard drives; I even ran Western Digital's Data Lifeguard Diagnostics low-level format on each hard drive and did a clean install after that. And still, after I run the clean install of XP and run ComboFix, "c:\windows\system32\qmgr.dll" is coming up infected, and after I run the XP updates off the Microsoft website, rootkit activity is found. I have no idea what to do. So I went ahead and did a final clean install of XP on the hard drive I want to use and loaded the drivers off the Dell resource CD. Then I ran ComboFix. I attached the ComboFix log. I'll stop there... any help? Thanks in advance.

Attached file: log.txt (2.46 KB)

Edited by hamluis, 27 April 2011 - 06:35 AM.
Moved from XP to Malware Removal Logs.




#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK
  • Local time: 08:23 PM

Posted 04 May 2011 - 06:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 displayname0516

  • Topic Starter

Posted 06 May 2011 - 01:53 PM

Hi m0le,

Thanks for the help. I'm just going to give you a little more detail on what's going on. I'm pretty sure I got this virus from a PDF editing program I downloaded a couple of weeks ago. After I downloaded the program it said I needed a .NET Framework 4(?) family package (or something close to that), so I downloaded it. Then the next day a yellow Windows update popped up in my system tray saying it was ready to install. When I clicked the update it showed ".NET Framework 4 family upgrade" (I don't exactly remember the name) and it downloaded. Then the next time I tried to reboot was when XP would not boot at all. I tried to do the fixboot and fixmbr through the Recovery Console (I know I probably shouldn't have tried that), then started going through the clean install and everything I explained in the first post.

So anyway, right now I have my old HDD with XP SP1 and no updates, and the log for that is what I attached to the first post. The HDD I use has XP with all the updates, and I went ahead and put Ubuntu on it too, just in case. Is it possible that a virus could jump between HDDs if they aren't connected at the same time? Or does ComboFix come up with false positives? Anyway... I'll wait for instructions.

Oh yeah... and when I have updates turned on for XP it sometimes shows the yellow update icon in the system tray, and when I go to Microsoft's website to see if I do need updates and none show up, the icon disappears from the system tray. Thanks again.

#4 m0le

  • Malware Response Team

Posted 06 May 2011 - 08:41 PM

Well, first let's see if the file is infected.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\qmgr.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal


Next, the confusion over the Combofix log comes down to the fact that you shouldn't be running it without assistance.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Did Combofix provide you any details of the rootkit activity that it had detected?
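Before uploading a suspect system file, a practitioner normally wants its hashes (a SHA-256 can be searched on VirusTotal without uploading anything, and it is what you would quote in a reply) and a quick local check against the copy Windows File Protection keeps in system32\dllcache on XP. The script below is an added example written for this thread, not code posted by m0le or shipped with Jotti, VirusTotal or any BleepingComputer tool; the dllcache location is the XP default and is assumed, and a "mismatch" verdict only means "upload it and read the report", not "infected".

```python
"""Hash a suspect system file and compare it with the copy Windows File
Protection keeps in system32\\dllcache (XP default location, assumed).

Added example for this thread; not code from Jotti, VirusTotal or any
BleepingComputer tool. A 'mismatch' is a reason to upload the file and
read the report, not a verdict on its own.
"""
import hashlib
import os

SYSTEM32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
DLLCACHE = os.path.join(SYSTEM32, "dllcache")   # WFP backup store on XP (assumed path)


def file_hashes(path, chunk=1 << 16):
    """Return (md5, sha1, sha256) hex digests, reading the file in chunks.

    MD5 and SHA-1 are included because scanner reports of this era list them.
    """
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests:
                d.update(block)
    return tuple(d.hexdigest() for d in digests)


def compare_with_cache(name, system32=SYSTEM32, dllcache=DLLCACHE):
    """Compare system32\\<name> with dllcache\\<name>.

    'verdict' is 'match', 'mismatch' or 'no-cache-copy'. The hashes of the
    live file are always returned so the SHA-256 can be searched online.
    """
    live = os.path.join(system32, name)
    cached = os.path.join(dllcache, name)
    md5, sha1, sha256 = file_hashes(live)
    result = {"file": live, "md5": md5, "sha1": sha1, "sha256": sha256}
    if not os.path.isfile(cached):
        result["verdict"] = "no-cache-copy"
        return result
    result["cache_sha256"] = file_hashes(cached)[2]
    result["verdict"] = "match" if sha256 == result["cache_sha256"] else "mismatch"
    return result


if __name__ == "__main__":
    import sys
    # Default to the file named in this thread; any other name can be passed.
    for name in sys.argv[1:] or ["qmgr.dll"]:
        r = compare_with_cache(name)
        print("%-14s %s  %s" % (r["verdict"], r["sha256"], r["file"]))
```

Two caveats a practitioner would keep in mind: once a kernel-mode rootkit is active, user-mode reads of the file (including this script's) can be served doctored contents, and a dllcache copy can be replaced along with the live file, so the trustworthy comparison is made from another boot environment (here, the second hard drive or the Ubuntu install). On XP itself, `sfc /scannow` performs this cache comparison across all protected files, but it too runs under the possibly compromised kernel.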

#5 displayname0516

  • Topic Starter

Posted 07 May 2011 - 12:08 AM

I attached the ComboFix log that came up after it found rootkit activity, and I copied and pasted the Jotti results at the end of the ComboFix log. Thanks again.

Attached Files



#6 m0le

  • Malware Response Team

Posted 07 May 2011 - 08:26 AM

The logs both show a clean bill of health.

Please run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update, download and update MBAM on a clean computer, then save the rules.ref file to a memory stick. This file is found in 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware'; then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#7 displayname0516

  • Topic Starter

Posted 07 May 2011 - 11:28 AM

The MBAM scan came up clean. It was just that ComboFix rootkit activity that was worrying me. I know I shouldn't run it on my own, but a couple of months ago I ran it and it found rootkit activity and removed it, then it came up clean after running it again. Anyway, thanks for looking it over.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6526

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/7/2011 12:17:51 PM
mbam-log-2011-05-07 (12-17-51).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 185817
Time elapsed: 17 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 m0le

  • Malware Response Team

Posted 07 May 2011 - 02:22 PM

What you are saying is that Combofix ran, removed the rootkit and then when you ran it again it didn't find it. Sounds like you got rid of it.

Is there anything after that that has aroused suspicion that you are infected still?

#9 displayname0516

  • Topic Starter

Posted 08 May 2011 - 12:22 PM

No, it was that ComboFix would say that it removed the rootkit, but then if I ran it again it would find the rootkit again and say that it removed it again. Because the first time I used ComboFix a couple of months ago I ran it, it found rootkit activity, removed it, and would not find rootkit activity after that. Now it finds the rootkit activity, shuts down, then comes up clean right after it reboots and continues the scan. But if I run ComboFix again it does the same, like it never actually got rid of the rootkit activity. I don't know if you get what I'm saying, but if that makes sense, that's what my concern is. It's probably just that I don't understand ComboFix.

#10 m0le

  • Malware Response Team

Posted 08 May 2011 - 01:04 PM

Okay, now I understand.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#11 displayname0516

  • Topic Starter

Posted 08 May 2011 - 01:12 PM

aswMBR log

Attached Files



#12 m0le

  • Malware Response Team

Posted 08 May 2011 - 01:16 PM

Not the latest MBR infection, then.

Run MBRCheck to see what that unknown MBR is.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#13 displayname0516

  • Topic Starter

Posted 08 May 2011 - 01:21 PM

MBRCheck log

Attached Files



#14 displayname0516

  • Topic Starter

Posted 08 May 2011 - 01:23 PM

I don't know if this matters, but I do have Ubuntu installed on this HDD.
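The last two exchanges (m0le asking MBRCheck to identify an "unknown MBR", and the poster noting that Ubuntu is installed on the same drive) are really one question: what is actually sitting in sector 0 of that disk? The script below is an added example written for this thread; it is not code from MBRCheck, aswMBR or ComboFix, and neither tool's output is reproduced here. It reads a raw 512-byte sector, checks the 0x55AA boot signature, decodes the four partition entries, and labels the bootstrap code with a string heuristic that is itself an assumption: a stock Windows 2000/XP MBR carries its "Invalid partition table" / "Missing operating system" error text inside the boot code, and GRUB's boot sector carries "GRUB" plus its "Geom" / "Hard Disk" / "Read" error words. Anything else is reported as "unknown", which is the same non-answer a Windows-only checker gives for boot code it has no hash for. The sample sectors are constructed inline, not taken from the poster's drive.

```python
"""Parse a raw 512-byte MBR sector and label its bootstrap code.

Added example for this thread; not code from MBRCheck, aswMBR or ComboFix.
The marker strings are a heuristic (an assumption, not a signature database):
a sector matching neither set is 'unknown', which is not the same as 'bad'.
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PART_ENTRY_LEN = 16          # four 16-byte entries follow at 446..509

PART_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux",
}

WINDOWS_MARKERS = (b"Invalid partition table", b"Missing operating system")
GRUB_MARKERS = (b"GRUB", b"Geom", b"Hard Disk")


def classify_boot_code(code):
    """Return 'windows', 'grub', 'empty' or 'unknown' for a bootstrap area."""
    if all(m in code for m in WINDOWS_MARKERS):
        return "windows"
    if all(m in code for m in GRUB_MARKERS):
        return "grub"
    if code.count(b"\x00") == len(code):
        return "empty"
    return "unknown"


def parse_mbr(mbr):
    """Decode signature, boot-code family and partition table; collect warnings."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    report = {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_code": classify_boot_code(mbr[:BOOT_CODE_LEN]),
        "partitions": [],
        "warnings": [],
    }
    for i in range(4):
        off = BOOT_CODE_LEN + i * PART_ENTRY_LEN
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        report["partitions"].append({
            "index": i,
            "active": status == 0x80,
            "type": PART_TYPES.get(ptype, "0x%02x" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    active = [p for p in report["partitions"] if p["active"]]
    if not report["signature_ok"]:
        report["warnings"].append("boot signature 0x55AA missing")
    if len(active) != 1:
        report["warnings"].append("%d active partitions (expected 1)" % len(active))
    if report["boot_code"] == "unknown":
        report["warnings"].append("unrecognised boot code: compare against a known-good MBR")
    return report


def build_sample_mbr(markers, partitions):
    """Assemble a synthetic sector (constructed test data, not a real disk image).

    markers: byte strings to embed in the boot-code area
    partitions: (status, type, lba_start, sectors) tuples, at most four
    """
    code = b"\xeb\x3c\x90" + b"\x00" * 64 + b"\x00".join(markers)
    code = code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + b"\x55\xaa"


if __name__ == "__main__":
    # A Windows-only disk and an XP + Ubuntu dual-boot disk, both constructed.
    samples = {
        "windows-only": build_sample_mbr(WINDOWS_MARKERS, [(0x80, 0x07, 63, 156296322)]),
        "xp+ubuntu": build_sample_mbr(GRUB_MARKERS, [
            (0x80, 0x07, 63, 100000000),
            (0x00, 0x83, 100000063, 50000000),
            (0x00, 0x82, 150000063, 6000000)]),
    }
    for name, sector in samples.items():
        r = parse_mbr(sector)
        print(name, r["boot_code"], [p["type"] for p in r["partitions"]], r["warnings"])
```

To run it against the real drive, dump the sector from the Ubuntu side (`sudo dd if=/dev/sda of=mbr.bin bs=512 count=1`) and pass the bytes of mbr.bin to parse_mbr. Reading from the other operating system matters: a bootkit that filters disk reads can hand a clean-looking sector to tools running inside the infected Windows, while a dual-boot disk with GRUB in sector 0 will legitimately show up as "non-standard" boot code to a Windows-only checker, which is the benign explanation the Ubuntu remark in this thread raises.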

#15 m0le

  • Malware Response Team

Posted 08 May 2011 - 01:27 PM

I think now would be a good time to see if ComboFix is still flagging the rootkit. Your copy of ComboFix should be uninstalled first.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Now use a fresh copy


Please download ComboFix from one of these locations.

IMPORTANT: save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.



