Totally infected, fearing the worst rootkit infection


This topic is locked
12 replies to this topic

#1 huenshan

Posted 24 August 2012 - 01:02 AM

I have a Sony Vaio PCG-71211L with Windows 7 Home Premium x64. Using the computer in regular mode is DEAD SLOW, it's essentially unresponsive. I can't open any programs, I just get the spinning blue circle forever. DDS and GMER won't run, they simply hang or don't open at all. I don't even know how to show you how bad my machine is infected! Someone please help!


#2 Farbar (Security Developer)

Posted 24 August 2012 - 05:58 AM

Hello huenshan,

Welcome to the forum.

For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options: Startup Repair, System Restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt.
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#3 huenshan (Topic Starter)

Posted 24 August 2012 - 10:24 AM

Thank you Farbar, the frst.txt log is attached.

Attached Files: FRST.txt (49.52 KB)

Edited by huenshan, 24 August 2012 - 10:24 AM.


#4 Farbar (Security Developer)

Posted 24 August 2012 - 11:02 AM

Well done.

Please copy and paste the log unless it is otherwise requested. Thank you.

I don't see any sign of malware in the log. We will take a look at the Combofix log you ran earlier and check a few things. It doesn't matter if you run TDSSKiller in normal mode or safe mode. So if you can't run it in normal mode please run it in safe mode. The same applies to FRST; this one can be run from anywhere: safe mode, normal mode or recovery mode.

  • Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    start
    cmd: type C:\ComboFix.txt
    cmd: dir /a/s C:\Qoobox
    cmd: type C:\Qoobox\combo*.txt
    end

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options and select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please attach it to your reply.
  • Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.


#5 huenshan (Topic Starter)

Posted 24 August 2012 - 11:44 AM

Thank you for your quick reply Farbar, the Fixlog and TDSS logs are attached.


Edited by Farbar, 25 August 2012 - 02:53 AM.


#6 Farbar (Security Developer)

Posted 24 August 2012 - 12:14 PM

No serious infection.

Please uninstall Avast and see how the system is performing. We can install another antivirus later on.

#7 Farbar (Security Developer)

Posted 24 August 2012 - 12:17 PM

Please don't miss my previous post.

You can download Avast Uninstall Utility and follow the instruction given there to remove Avast.

#8 huenshan (Topic Starter)

Posted 24 August 2012 - 06:43 PM

See edit in my last comment. It appears it was most likely Avast.

#9 Farbar (Security Developer)

Posted 25 August 2012 - 02:56 AM

Please don't edit previous posts.

How is the system functioning after uninstalling Avast?

#10 huenshan (Topic Starter)

Posted 25 August 2012 - 03:18 PM

It's great, back to normal now. I never would have thought anti-virus software to have that profound an effect on performance. Avast is uninstalled and I am going with MS Security Essentials. Do you have an opinion on this anti-virus software?

#11 Farbar (Security Developer)

Posted 25 August 2012 - 05:32 PM

Good choice. In fact I was going to recommend MS Security Essentials. Avast is a good antivirus but the performance varies from system to system. I think MSE and Malwarebytes make a good combination.

You are good to go now. :thumbup2:

Do you have any question before we round off?

#12 huenshan (Topic Starter)

Posted 25 August 2012 - 06:09 PM

Sweet! Hmm, I guess I'm curious how I would learn which tools to run and how to decipher these logs and all the rest. Can you point me to any resources? I am interested in finding and beating malware and wish I could help out on these boards if I become competent enough someday.

Oh, and I know my buddy posted something earlier in the week (that's how I heard about your awesome site!) and he is afraid his post slipped through the cracks. I think he said it's been like 4 days and he hasn't heard anything. I told him it says wait 5 days before bumping but he was just surprised mine got addressed before his. Anyway, here's his post: http://www.bleepingcomputer.com/forums/topic466061.html

Thanks so much Farbar - you ROCK!!!

#13 Farbar (Security Developer)

Posted 26 August 2012 - 04:49 AM

You are most welcome huenshan. :)

Please delete FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.

As far as learning to use tools, deciphering logs and helping out others is concerned, you can apply to join the Malware Removal Training Program.

There are still some people waiting before your friend. There is no need to bump the topic. Your topic was picked up in this case because the computer was so slow that it was not workable and you couldn't even provide the initial logs. There was a mixture of a little bit of challenge and curiosity attached to it. For unusual, not workable or unbootable systems we have no waiting time. Besides that, some helpers might prefer one area over another or feel more comfortable about removing some malware.


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Every one else should start a new topic.
