search engines are not available, and AVG has detected a potential rootkit

3 replies to this topic

#1 duffnut (Members, 2 posts)

Posted 03 April 2012 - 12:45 PM

Hello,

I am trying to help a friend, and I am not sure if this is the result of an actual virus or not.

Although my computer on their network is having no problems resolving google, etc., their computer will not connect to search websites.
I have tried changing their DNS settings to 8.8.8.8 to no avail.
Their computer is running Windows XP with automatic updates turned on and service pack 3 installed.

They are running AVG 2012 Free, with all updates applied up to today, 03/April/2012.
A full computer scan popped up one instance of a generic trojan, but this was supposedly solved by the anti-virus.
A rootkit scan shows:
"";"<unknown>";"Corrupted section atapi.sys[.text] +0x6852, size 1 bytes";"Object is hidden"

Is this actually a virus?

Thanks for any help,

Donat


#2 boopme (Global Moderator, 73,573 posts)

Posted 03 April 2012 - 03:12 PM

Please download aswMBR (511KB) to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.


#3 duffnut (Topic Starter, Members, 2 posts)

Posted 19 June 2012 - 12:26 PM

Thanks for the help, here is the log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-19 17:54:45
-----------------------------
17:54:45.296    OS Version: Windows 5.1.2600 Service Pack 3
17:54:45.296    Number of processors: 2 586 0xF0D
17:54:45.296    ComputerName: LENOVO  UserName: Diana
17:54:46.718    Initialize success
17:56:54.312    AVAST engine defs: 12061900
17:57:31.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:57:31.359    Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABBA Size: 152627MB BusType: 3
17:57:31.375    Disk 0 MBR read successfully
17:57:31.375    Disk 0 MBR scan
17:57:31.468    Disk 0 unknown MBR code
17:57:31.484    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       147754 MB offset 63
17:57:31.500    Disk 0 Partition 2 00     12  Compaq diag MSDOS5.0     4871 MB offset 302600340
17:57:31.515    Disk 0 scanning sectors +312576705
17:57:31.609    Disk 0 scanning C:\WINDOWS\system32\drivers
17:58:23.328    Service scanning
17:58:24.125    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:59:07.781    Modules scanning
17:59:24.812    Disk 0 trace - called modules:
17:59:24.859    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86b7e129]<<
17:59:24.859    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f52ab8]
17:59:24.875    3 CLASSPNP.SYS[f76befd7] -> nt!IofCallDriver -> \Device\00000064[0x86f88338]
17:59:24.875    5 ACPI.sys[f7555620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f87940]
17:59:26.546    AVAST engine scan C:\WINDOWS
17:59:47.296    AVAST engine scan C:\WINDOWS\system32
18:03:05.515    AVAST engine scan C:\WINDOWS\system32\drivers
18:03:22.625    AVAST engine scan C:\Documents and Settings\Diana
18:14:05.265    File: C:\Documents and Settings\Diana\Local Settings\Temp\xtw3A6.tmp  **INFECTED** Win32:Downloader-LBL [Trj]
18:14:05.343    File: C:\Documents and Settings\Diana\Local Settings\Temp\xtw3A7.tmp  **INFECTED** Win32:Delf-OXZ [Trj]
18:16:51.484    AVAST engine scan C:\Documents and Settings\All Users
18:21:02.109    Scan finished successfully
18:23:41.671    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Diana\My Documents\My Downloads\MBR.dat"
18:23:41.671    The log file has been saved successfully to "C:\Documents and Settings\Diana\My Documents\My Downloads\aswMBR.txt"

I scanned the Trojan-infected files with AVG and told it to remove them when it confirmed them as infected.

Otherwise I have done nothing. It would seem that I am able to access search engines again. How should I proceed?

Edited by duffnut, 19 June 2012 - 12:36 PM.
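The two scanner outputs in this thread (the semicolon-separated AVG rootkit record in the first post and the timestamped aswMBR log above) are the raw material a helper reads by eye. The following is an added example, written for this page and not code from the thread, from AVG or from AVAST, showing how to pull the actionable lines out of both formats and check whether they point at the same place: the AVG record names a modified driver section, and aswMBR's disk I/O trace ends in an unknown module right after a named driver. The log text embedded below is a constructed, shortened copy of the log in the post; the field names for the AVG record are assumptions, since the tool does not label its columns.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample: a shortened copy of the aswMBR log posted in this thread.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-19 17:54:45
-----------------------------
17:54:45.296    OS Version: Windows 5.1.2600 Service Pack 3
17:57:31.375    Disk 0 MBR read successfully
17:57:31.468    Disk 0 unknown MBR code
17:58:24.125    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
17:59:24.812    Disk 0 trace - called modules:
17:59:24.859    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86b7e129]<<
18:14:05.265    File: C:\Documents and Settings\Diana\Local Settings\Temp\xtw3A6.tmp  **INFECTED** Win32:Downloader-LBL [Trj]
18:14:05.343    File: C:\Documents and Settings\Diana\Local Settings\Temp\xtw3A7.tmp  **INFECTED** Win32:Delf-OXZ [Trj]
18:21:02.109    Scan finished successfully
"""

# The AVG rootkit-scan record quoted in the first post (one semicolon-separated row).
AVG_ROOTKIT_LINE = '"";"<unknown>";"Corrupted section atapi.sys[.text] +0x6852, size 1 bytes";"Object is hidden"'

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
INFECTED_RE = re.compile(r"^File:\s+(.*?)\s+\*\*INFECTED\*\*\s+(.*)$")
LOCKED_RE = re.compile(r"^Service\s+(\S+)\s+(\S+)\s+\*\*LOCKED\*\*")
CHAIN_RE = re.compile(r"^((?:\S+\s+)+)>>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<$")
SECTION_RE = re.compile(r"Corrupted section\s+(\S+?)\[([^\]]+)\]")


@dataclass
class Finding:
    time: str
    kind: str      # infected_file | locked_driver | unknown_mbr | unknown_module
    detail: str


def parse_aswmbr_log(text):
    """Return the findings a helper would act on, in log order."""
    findings = []
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue                      # banner, run-date and separator lines
        ts, msg = m.groups()
        fm = INFECTED_RE.match(msg)
        if fm:
            findings.append(Finding(ts, "infected_file", f"{fm.group(1)} ({fm.group(2)})"))
            continue
        lm = LOCKED_RE.match(msg)
        if lm:
            findings.append(Finding(ts, "locked_driver", lm.group(2)))
            continue
        if "unknown MBR code" in msg:
            findings.append(Finding(ts, "unknown_mbr", msg))
            continue
        cm = CHAIN_RE.match(msg)
        if cm:
            # Last recognised module before the hook, then the hook's address.
            modules = cm.group(1).split()
            findings.append(Finding(ts, "unknown_module", f"{modules[-1]} -> {cm.group(2)}"))
    return findings


def parse_avg_rootkit_line(line):
    """Parse one AVG rootkit-scan record; the column names are assumed."""
    row = next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))
    path, name, description, status = (row + [""] * 4)[:4]
    rec = {"path": path, "name": name, "description": description, "status": status}
    sm = SECTION_RE.search(description)
    if sm:
        rec["module"], rec["section"] = sm.group(1), sm.group(2)
    return rec


def correlate(avg_record, findings):
    """True when the driver AVG reports as modified is also the last known
    module before aswMBR's unknown hook, i.e. both tools point at the same spot."""
    module = avg_record.get("module", "").lower()
    return any(f.kind == "unknown_module" and f.detail.split(" -> ")[0].lower() == module
               for f in findings)


def triage(text, avg_line=None):
    findings = parse_aswmbr_log(text)
    report = {
        "infected_files": [f.detail for f in findings if f.kind == "infected_file"],
        "locked_drivers": [f.detail for f in findings if f.kind == "locked_driver"],
        "unknown_mbr": any(f.kind == "unknown_mbr" for f in findings),
        "unknown_module": any(f.kind == "unknown_module" for f in findings),
        "corroborated": False,
    }
    if avg_line:
        report["corroborated"] = correlate(parse_avg_rootkit_line(avg_line), findings)
    report["needs_followup"] = (bool(report["infected_files"])
                                or report["unknown_mbr"] or report["unknown_module"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, AVG_ROOTKIT_LINE).items():
        print(f"{key}: {value}")
```

On the sample log the report lists the two temp files, the locked ACPI driver, an unrecognised MBR, and an unknown module reached through atapi.sys, and marks the AVG finding as corroborated because it names the same driver. A LOCKED driver or an MBR the tool does not recognise is not proof of infection by itself; the value of the parse is that the two independent indicators line up, which is what justifies the follow-up scans the moderator asks for next.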


#4 boopme (Global Moderator, 73,573 posts)

Posted 19 June 2012 - 02:17 PM

Let's do these next and see how it is.


Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished, the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.



If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances, if no malware is found there will be no log produced.
