Malware Found, Vista Shuts Down, Restarts at Random Before Scans Finish, Possible Bootkit/Rookit? What Do I Do?


5 replies to this topic

#1 ChicagoSuperFan

Posted 24 January 2013 - 11:56 AM

Over the past week my office and kids' PCs (both run Vista) have had serious problems getting Vista to run. I have 2 additional PCs on my home network, one of which had error messages around the same time these two PCs started to become problematic; however, it was easily resolved. My kids’ PC was unable to restart Vista, even to do a restore; I ended up restoring the PC to its factory condition (it's an HP and used a partition on the HD to restore Vista to its original factory-shipped state); it’s now running fine (although I'm uncertain if that process reformats the hard drive or if it merely installs Vista over the previous installation, which I realize could mean the problems are still there).

In the week that has passed my office PC -- the main subject of this post, but I wanted to give background on the other PCs on my network to give insights into the problem -- has stayed on for around 10-30 minutes and then goes into a series of shutdowns and restarts (it always follows the same pattern) -- only staying on for seconds before restarting. It sometimes starts with the date reset to 2002 and Norton anti-virus and firewall disabled (or one of them disabled) when I finally am able to get the machine to restart. However, I cannot run a full scan -- and often I cannot even run a quick scan -- as the machine turns off and goes into a series of shut-offs and restarts, often only lasting seconds and not booting up Vista. The best I’ve been able to do is wait several minutes and restart my machine. I’ve run PC-Doctor and it runs around 50 checks and commonly stops up to 70 or 80% into the hard drive tests, and has repeatedly found the processors, motherboard and memory as working fine and passing all tests before the machine shuts off.

I’ve installed Malwarebytes and SuperAntiSpyware (and other malware removers), bootkit and rootkit removers, and have found numerous trojans and other malware including Gen-Sirefef (2), Gen-Kryptik, Gen-Cryptic, Gen-FakeAlert[HotFix] and more. I ran TDSSKiller, which didn’t find anything. Avast indicated that DasBootD looks suspicious. Yesterday, I was amazed that I was able to get Malwarebytes Rootkit to actually finish a quick scan, and it found and removed 15 pieces of malware. Kaspersky Stinger did not find anything. The computer turns off before Gmer can even finish a quick scan.

What do you recommend? I’m suspecting the only solution is reformatting the hard drives (my machine has two HDs and the second one (the one without the OS) had malware on it too). Ftr, I'm fairly IT/computer savvy, but don't know how to code or know my way around the BIOS beyond being able to follow directions carefully.

Edited by ChicagoSuperFan, 24 January 2013 - 12:10 PM.


#2 ChicagoSuperFan

Posted 24 January 2013 - 12:33 PM

I should add, I've tried Norton's Power Eraser (both the Windows app and via a boot disk) and the machine shuts down shortly after it starts. I've mostly run the machine in Safe Mode. I tried using Kaspersky Rescue Disk 10, which stays on for no longer than 10 minutes before my machine shuts itself down and goes into a series of reboots that each last a few seconds or more before shutting the machine down again. As Kaspersky Rescue Disk 10 uses Linux and not Windows, it was when I ran this and the machine still shut down that I started to consider that there was a bootkit/rootkit.

Edited by ChicagoSuperFan, 24 January 2013 - 12:34 PM.


#3 ChicagoSuperFan

Posted 26 January 2013 - 11:20 PM

Can anyone provide any pointers? I've tried everything I can think of. I've followed this guide (http://www.selectrealsecurity.com/malware-removal-guide) and done everything up until the virus scanner, HitmanPro. I am not able to complete a scan with Hitman Pro before the computer shuts down. Not only that, but I find when the computer restarts -- and, strangely, it does it on its own without me pressing the on button -- the exe file for Hitman Pro and other programs listed on the malware page are gone, yet the folders still remain and my firewall (Norton) is disabled. I'm guessing someone or a group of someones have access to my machine from a remote location. I successfully got TDSSKiller, FixTDSS, MalwareBytes and AntiSpywarePro to run prior to the last shutdown (I can no longer get the PC to stay on long enough to run them again) and none of them found malware (they did find cookies, that's about it). But the fact that files are missing on the reboot and the firewall is disabled makes me extremely suspicious. I actually enabled Windows Firewall after the last time my computer shut down and that was disabled when my machine restarted too.

#4 boopme (Global Moderator)

Posted 02 February 2013 - 10:52 PM

Hello, can you run these... Avoid using Hitman.

If needed, reboot into Safe Mode with Networking.
How to enter safe mode (XP/Vista) using the F8 method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.


MiniToolBox
Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.




Please download Rkill by Grinler and save it to your desktop. Link 1 / Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.




ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

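For readers who want to see what the MiniToolBox checklist above actually gathers, here is an added PowerShell example that collects the same categories into a text report. It is not MiniToolBox, Rkill or any other tool named in the thread, and it is not the moderator's own code. It assumes an elevated PowerShell 2.0 prompt on Vista or later; it only reports and deliberately performs none of the resets (Flush DNS, Reset IE/FF Proxy), so it is safe to run before any cleanup. The report path is a placeholder, and the Firefox proxy report is left out. It also pulls Event ID 6008 entries, which is Windows' standard "previous shutdown was unexpected" record and therefore relevant to the shutdown pattern the original poster describes.

```powershell
# Added example: read-only diagnostic collector covering the MiniToolBox
# categories from the post above. Not MiniToolBox's code. Assumes an
# elevated PowerShell 2.0 prompt; $ReportPath is a placeholder you can change.
$ReportPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Result.txt'

function Write-Section($Title, $Body) {
    # Append a titled block to the report; $Body may be any object or array
    $line = '=' * 60
    Add-Content -Path $ReportPath -Value @('', $line, $Title, $line)
    Add-Content -Path $ReportPath -Value ($Body | Out-String)
}

# Start a fresh report each run
if (Test-Path $ReportPath) { Remove-Item $ReportPath }

# --- IE proxy settings (report only; no reset) ---
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
Write-Section 'IE proxy settings' ($ie | Select-Object ProxyEnable, ProxyServer, AutoConfigURL)

# --- hosts file: only lines that are not comments or blank ---
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content $hostsFile | Where-Object { $_ -notmatch '^\s*(#|$)' }
Write-Section 'Active hosts file entries' $hostsEntries

# --- IP configuration and the Winsock catalog (layered service providers) ---
Write-Section 'IP configuration' (ipconfig /all)
Write-Section 'Winsock catalog' (netsh winsock show catalog)

# --- last 10 System log events, plus unexpected-shutdown records ---
$systemEvents = Get-EventLog -LogName System -Newest 10
Write-Section 'Last 10 System events' ($systemEvents |
    Format-Table TimeGenerated, EntryType, Source, EventID, Message -AutoSize)
# Event ID 6008 (source EventLog) = "The previous system shutdown was unexpected"
$unexpected = Get-EventLog -LogName System -Newest 500 | Where-Object { $_.EventID -eq 6008 }
Write-Section 'Unexpected shutdowns (ID 6008) in last 500 System events' ($unexpected |
    Select-Object TimeGenerated, Message)

# --- installed programs from both Uninstall hives (native and 32-bit-on-64) ---
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Write-Section 'Installed programs' ($programs | Format-Table -AutoSize)

# --- users, partitions and memory size ---
$users = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, SID
Write-Section 'Local user accounts' $users
$disks = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
    Select-Object DeviceID,
        @{n='SizeGB'; e={[math]::Round($_.Size / 1GB, 1)}},
        @{n='FreeGB'; e={[math]::Round($_.FreeSpace / 1GB, 1)}}
Write-Section 'Fixed partitions' $disks
$mem = Get-WmiObject Win32_ComputerSystem |
    Select-Object @{n='TotalPhysicalMemoryGB'; e={[math]::Round($_.TotalPhysicalMemory / 1GB, 1)}}
Write-Section 'Memory' $mem

# --- firewall state: the thread reports Norton and Windows Firewall being switched off ---
Write-Section 'Windows Firewall profiles' (netsh advfirewall show allprofiles state)

Write-Host "Report written to $ReportPath"
```

The script stays read-only on purpose: on a machine that is rebooting itself and losing files between restarts, a report you can compare across two runs (hosts entries, proxy values, firewall state, installed programs) is more useful than another tool that changes state before the log is captured.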

#5 ChicagoSuperFan

Posted 02 February 2013 - 11:09 PM

Thanks for the reply, but after a week without a reply to my original post, I decided (yesterday) to take my PC in to the local Microsoft store and have them deal with it. Consequently, the moderator can delete this thread.

#6 boopme (Global Moderator)

Posted 02 February 2013 - 11:32 PM

Thank you and sorry we missed your post.