
zeroday worm?


  • This topic is locked
27 replies to this topic

#1 HelpMe0ut
  • Members
  • 51 posts

Posted 18 April 2013 - 01:38 PM

This is all it would let me scan. The MBR was blotted out.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16384
Run by andrew at 11:16:05 on 2013-04-18
#Option Extended Search is enabled.
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.8064.6621 [GMT -7:00]
.
AV: Kaspersky PURE 3.0 *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky PURE 3.0 *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky PURE 3.0 *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\dwm.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe
C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\wmi64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\Kaspersky Password Manager\spIEBho.dll
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\OnlineBanking\online_banking_bho.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll
TB: Kaspersky Passsword Manager Toolbar: {215BA832-75A3-426E-A4FC-7C5B58CE6A10} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\Kaspersky Password Manager\spIEBho.dll
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\runner_avp.exe"
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\ie_banner_deny.htm
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\IEExt\UrlAdvisor\klwtbbho.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{A4042458-C778-4218-84AB-0FB7EAF32912} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
x64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\OnlineBanking\online_banking_bho.dll
x64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\System32\Drivers\CSCrySec.sys [2013-4-17 98064]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\System32\Drivers\CSVirtualDiskDrv.sys [2013-4-17 67344]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\Drivers\klim6.sys [2012-8-2 28504]
R1 klwfp;klwfp;C:\Windows\System32\Drivers\klwfp.sys [2012-10-23 48472]
R1 kneps;kneps;C:\Windows\System32\Drivers\kneps.sys [2012-8-13 178008]
R2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe [2012-12-20 356968]
R2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2012-12-21 819040]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\Windows\System32\Drivers\klkbdflt.sys [2012-9-3 29016]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\Drivers\klmouflt.sys [2012-9-3 29528]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-6-2 589824]
S0 klelam;klelam;C:\Windows\System32\Drivers\klelam.sys [2012-7-27 29616]
.
=============== Created Last 60 ================
.
2013-04-18 17:57:19 17536 ----a-w- C:\ProgramData\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2013-04-18 03:37:46 -------- d-----w- C:\ProgramData\Sony Corporation
2013-04-18 03:28:32 -------- d-----w- C:\Windows\Panther
2013-04-18 03:17:52 64856 ----a-w- C:\Windows\System32\klfphc.dll
2013-04-18 03:17:44 98064 ----a-w- C:\Windows\System32\drivers\CSCrySec.sys
2013-04-18 03:17:44 67344 ----a-w- C:\Windows\System32\drivers\CSVirtualDiskDrv.sys
2013-04-18 03:17:20 -------- d-----w- C:\Program Files (x86)\Common Files\InfoWatch
2013-04-18 03:17:18 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-04-18 03:17:18 -------- d-----w- C:\Program Files (x86)\Kaspersky Lab
2013-04-18 03:17:10 89944 ----a-w- C:\Windows\System32\drivers\klflt.sys
2013-04-18 02:58:34 56832 ----a-w- C:\Windows\System32\OpenCL.DLL
2013-04-18 02:58:34 56320 ----a-w- C:\Windows\SysWow64\OpenCL.DLL
2013-04-18 02:58:34 -------- d-----w- C:\Intel
2013-04-18 02:58:25 -------- d-----w- C:\Windows\LastGood.Tmp
2013-04-18 02:58:17 -------- d-----w- C:\Program Files (x86)\ESET
2013-04-18 02:38:15 -------- d-----r- C:\Users\andrew\Searches
2013-04-18 02:38:15 -------- d-----r- C:\Users\andrew\Contacts
.
==================== Find6M  ====================
.
2013-01-12 02:02:34 64624 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2012-10-23 22:45:10 48472 ----a-w- C:\Windows\System32\drivers\klwfp.sys
.
============= FINISH: 11:16:12.70 ===============

 

 

 

 

 


 




#2 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 20 April 2013 - 09:15 AM

Hello HelpMe0ut,

Tell me some detail on just what "zeroday" you refer to: how, what, when?

Download aswMBR.exe (511 KB) to your desktop.
On Windows 7 / 8 or Vista, RIGHT-click on aswMBR.exe and select Run As Administrator to start.
On Windows XP, double-click the exe to start.

IF prompted to update Avast definitions, answer NO.
[screenshot: aswMBR definitions update prompt]

On the following screen:
[screenshot: aswMBR main window]

uncheck "Trace disk IO calls" at the bottom left.

Now click the "Scan" button to start the scan.
Have patience as it scans.

On completion of the scan, note whether the Fix button (not the FixMBR button) is enabled and tell me.
Now click Save log, save it to your desktop, and copy & paste it in your next reply.
Do NOT click any Fix button.
EXIT the tool.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 02 May 2013 - 02:23 AM

I tried, but Avast crashed repeatedly.

Problem signature:
Problem Event Name: APPCRASH
Application Name: aswMBR.exe
Application Version: 0.9.9.1771
Application Timestamp: 5147644e
Fault Module Name: ntdll.dll
Fault Module Version: 6.2.9200.16384
Fault Module Timestamp: 5010ae7a
Exception Code: c0000005
Exception Offset: 0004f44d
OS Version: 6.2.9200.2.0.0.768.101
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: dac6
Additional Information 4: dac6c2650fa14dd558bd9f448e23afd1

 

At first I thought it was only the PDF/Flash zero-day. Now I think I am the victim of a crime tool kit. I have found files using the words "Tool Kit" to describe the tool used to hack me. I have a rootkit; it infected my USB drives, D:\ drive, Bluetooth, moved and replaced my C:\ drive, and is proving to be the hardest, stealthiest infection I have come across. I was hijacked via Flash/PDF from a computer tech site claiming to have better ways to protect yourself from zero-day exploits. I was transferred to the site from a Google search about zero-days. After my browser crashed, something downloaded a worm. I don't remember its name at the moment. Kaspersky went off and split into multiple sections; when I opened and looked in the files, they had the names of different anti-viruses in them, like:

AVG
REGKEY "42074c79d89-ff64379087cd075"

Avast
REGKEY "754dc86754f86543dd64ef"

Examples (not literal), but close. I thought this odd.

It says to me I have admin rights, but I know for a fact I don't. Scan logs have confirmed this. All my certificates are bogus. They are outdated, and the hashes are wrong. They are forged, using data from old legit certificates, some dating back to 1987 and 1996. The kit explains what parts to take from each certificate so that they pass as valid; I read this in the log. Also, something called a Microsoft Developer License Certificate is used; it's part of the PS_ISE exploit.

I have found logs stating "how to" use the "exploit kit". I found help logs explaining how it uses my WinRM service against me, how it makes it so Windows can't tell whether the service is active or not. I found a reference to PowerShell and PowerShell_ISE version 1.0 with exploit add-ins. I found logs explaining admin rights having been restricted from local users and only being available for remote users. There is an unknown program that can only be opened with cscript.exe from a Remote Admin Profile. There are references to someone trying to gain access by imitating me. As in, something tries to brute-force my password; when it fails it uses a key dump technique, copying my profile and system credentials, then gains access this way, elevates its privileges and secretly monitors me. I have found many files and logs referring to how this is done. I would love to post them, but some have valuable information about my system. If there is a way to privately post these I would definitely like someone to look over them. I also have some JS files and what I think are VB scripts that I believe are bad scripts. I don't like posting what I believe to be source files, because I don't want people copy/pasting them to use against others. I'm not sure exactly what this is yet. I know it's tough; I know it is a combination of viruses, worms and hack tools. I had a database file of the 40-something servers hosting this infection. Sadly I must not have put it on the flash drive before reinstalling. I know one site on the list was http://mozilla.com or http://moz.com or something. Other sites included a fake Sophos site, fake Windows sites, and some others.

Also, when I download an app right to the desktop and go to run it, in the details it says I'm running it from Temp, and they sometimes have switches after the name like /* /-*s-*q. Kaspersky PURE's file analyzer (the one that shows how many users have that process/program) shows all my Windows processes and programs as modified; they are not the same as they were before. It doesn't say modified, it just shows the process as different now. The worm is broadcasting UDP, I believe. I tried ZoneAlarm, set it to advanced user mode and watched as something kept trying to connect on UDP; it also tried calling out on HTTP and HTTPS, port 443 on 135 I believe it was. The question is not am I infected. The question is, what am I infected with, and how do I get rid of it? Not a lot of options with Win8 64-bit.

Also, I believe it enabled virtualization somehow.

I'm sorry it took so long to respond. I very eagerly await your advice.
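The post above claims that every Windows process is "modified" and that the signing certificates are forged with wrong hashes. The check a practitioner would run on that claim is an Authenticode signature report over the running process images and over the third-party autostart files named in the DDS log at the top of the thread. This is an added example, not code from the thread or from any of the tools mentioned; the file paths in $extraPaths are copied from the DDS log, and anything that no longer exists on disk is skipped.

```powershell
# Added example (not from the thread). Reports the Authenticode status of every running
# process image plus the autostart/driver paths taken from the DDS log. Run from an
# elevated PowerShell 3.0 prompt on Windows 8.
# Caveat: a kernel-mode rootkit that filters file reads can hand this check clean bytes,
# so a clean result does not contradict the wipe-and-reinstall advice later in the thread.

# Paths copied from the DDS log above (non-Microsoft code started from System32 or as a driver).
$extraPaths = @(
    'C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe',
    'C:\Windows\System32\LogiLDA.dll',
    'C:\Windows\System32\igfxtray.exe',
    'C:\Windows\System32\drivers\CSCrySec.sys',
    'C:\Windows\System32\drivers\klelam.sys'
)

function Get-ImageSignatureReport {
    # Process.Path throws for protected processes; swallow that and keep going.
    $procPaths = foreach ($p in Get-Process) { try { if ($p.Path) { $p.Path } } catch { } }
    $all = @($procPaths) + $extraPaths
    $all | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Path     = $_
            Status   = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = if ($cert) { $cert.Subject } else { '' }
            Issuer   = if ($cert) { $cert.Issuer } else { '' }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

$report = Get-ImageSignatureReport

# HashMismatch is the one status that means "file bytes no longer match the signature".
# On Windows 8, Get-AuthenticodeSignature does not consult catalog files, so Microsoft's
# own System32 binaries (svchost.exe, dwm.exe, ...) show NotSigned even when untouched;
# check those with Sysinternals sigcheck (e.g. sigcheck -e -u C:\Windows\System32), which
# does look up catalog signatures.
$report | Where-Object { $_.Status -eq 'HashMismatch' } | Format-Table Path, Signer -AutoSize

# An expired signer certificate is not forgery: an Authenticode timestamp keeps such a
# signature Valid, and Status already reflects that. Listing them only shows the age.
$report | Where-Object { $_.Status -eq 'Valid' -and $_.NotAfter -lt (Get-Date) } |
    Format-Table Path, Signer, NotAfter -AutoSize
```

Read the output for the one signal that actually matters: a file signed by a real publisher whose Status is HashMismatch has been altered after signing. "Outdated" certificates and NotSigned on catalog-signed Windows files are expected on this platform and prove nothing on their own.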



#4 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 02 May 2013 - 02:45 AM

I'm reformatting and trying again without updating this time. Sorry, I was in such a hurry to try this that I didn't follow your directions. I'll post results as soon as I'm done, provided it doesn't crash.

#5 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 02 May 2013 - 02:59 AM

OK, scanned without updating; it still crashes.

It crashed while trying to scan: Service WinDefend c:\Program Files      sys

With this error:

Problem signature:
Problem Event Name: APPCRASH
Application Name: aswMBRr.exe
Application Version: 0.9.9.1771
Application Timestamp: 5147644e
Fault Module Name: ntdll.dll
Fault Module Version: 6.2.9200.16384
Fault Module Timestamp: 5010ae7a
Exception Code: c0000005
Exception Offset: 0004f44d
OS Version: 6.2.9200.2.0.0.768.101
Locale ID: 1033
Additional Information 1: 5861
Additional Information 2: 5861822e1919d7c014bbb064c64908b2
Additional Information 3: dac6
Additional Information 4: dac6c2650fa14dd558bd9f448e23afd1


 

 

Also, I forgot to mention: ZoneAlarm told me a few processes were malicious and blocked them. One was tabtip.exe. ZA also warned me that the infected process was being accessed by my current antivirus. I tried with Kaspersky, Trend Micro, and AVG, by the method of CD format, install new AV, and install ZA. Each time ZA reports my antivirus is trying to access the malicious file and asks me if I want to block the action. If I click "Yes" it says it blocked the action. If I click "No", my AV doesn't quarantine or detect a threat; there is no change that I can detect. This leads me to believe whatever this virus/worm/exploit kit is, it can use my AV against me. It's the only thing I can think of to explain why my antiviruses are accessing this file but not detecting it. Maybe it's using the antivirus to spawn more processes, or to shut down services used to detect it. I think it is attaching a debugger to the antivirus. Also Kaspersky reports IE and a lot of other system processes and applications have hidden cmd lines, access/modify rules, hidden internet usage, etc.


Edited by HelpMe0ut, 02 May 2013 - 03:22 AM.


#6 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 02 May 2013 - 07:48 AM

You said you had "reformatted". How did you do that? You should have done a Windows 8 reset.

Backdoor trojan warning:

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (Remote Access Trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.
While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451


Let me know what you decide.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 02 May 2013 - 07:59 AM

Since a Windows 8 Reset will result in the loss of all your personal files & documents, you will want to back them up / copy to Offline media beforehand.

For all the files, documents, personal stuff you back-up..... after all is done & you have the new Windows setup, and Antivirus installed, and MBAM.....
then I would scan any files you restore with 1) antivirus, 2) MBAM.

You may see & use this as a reference on how to do a Windows 8 reset:
How to perform a clean install of Windows 8 using Reset your PC
http://www.bleepingcomputer.com/tutorials/how-to-perform-a-clean-install-of-windows-8/
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 02 May 2013 - 11:01 AM

There is nothing I want to save. Before I do this option, is this safe to do with an active rootkit infection? I don't want my PC to get stuck in cycle mode.

Update: it's resetting now. I'll let you know if it survived the wipe. I hope this works. Will this clear my Bluetooth, USB, and D:\ drive as well?

Edited by HelpMe0ut, 02 May 2013 - 11:15 AM.


#9 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 02 May 2013 - 06:30 PM

If you have the Windows 8 DVD, set the pc to boot from it and then begin the process of doing the Reset.

Do NOT use any USB drives before completely scanning them first.

Take extreme care if you share USB-flash/thumb drives from other people {even from friends, roommates, relatives}
Don't plug in an unknown flash/thumb drive into your PC.
IF you must do so, hold down the SHIFT-key when you insert the drive.
Scan any file with your Antivirus prior to opening or using.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 02 May 2013 - 07:18 PM

Well, it cleared my C:\ but not my D:\; the D:\ reinfected my C:\ drive. I'm starting the process over again. Any idea how to clean the D:\, my USB and my Bluetooth?

#11 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 03 May 2013 - 09:21 AM

Again, as long as you have the Windows DVD, boot from the DVD and get to a Command Prompt.

To enter System Recovery Options using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

Delete the partition that has the C & D drive by using the DISKPART tool within the Command Prompt:

  • Type diskpart, and then click OK.
  • At the command prompt, type list disk, and then press ENTER. A list of available hard disks is displayed.
  • At the command prompt, type sel disk number, and then press ENTER. The hard disk is now selected. (Note: number is the number of the hard disk that you want to clean.)
  • At the command prompt, type det disk, and then press ENTER. A list of partitions on the hard disk is displayed. Use this information to verify that the correct disk is selected.
  • Make sure that the disk does not contain required data, then type clean all at the command prompt and press ENTER to clean the disk. All the data and all the partitions on the disk are permanently removed.
  • Type exit, and then press ENTER.

 

You would then be set to redo the steps for a Windows 8 Reset.

For your USB flash drive, you will need to do a Format on it to reformat it. Do NOT do that until well after your Antivirus is installed.

Do NOT re-use or plug in that infected USB flash drive without taking extreme precaution: hold down the SHIFT key when you insert the drive.

Take extreme care if you share USB flash/thumb drives from other people {even from friends, roommates, relatives}.
Don't plug an unknown flash/thumb drive into your PC.
IF you must do so, hold down the SHIFT key when you insert the drive.
Scan any file with your Antivirus prior to opening or using.


Edited by Maurice Naggar, 03 May 2013 - 09:27 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
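The dangerous step in the procedure above is choosing the disk number: "clean all" zeroes every sector of whatever disk is selected, with no undo. The following is an added example, not code from the thread, showing the same sequence driven from a booted Windows 8 with PowerShell's Storage cmdlets used to map disk numbers to partitions and drive letters before anything is erased. It is meant for wiping a second, non-OS disk (the $Target value is an assumption to be replaced after reading the table it prints); the OS disk itself cannot be cleaned from the running system, which is why the post above does it from the DVD's Command Prompt.

```powershell
# Added example (not from the thread). Shows every disk with its partitions so the
# disk number is chosen from evidence, refuses to wipe the disk Windows is running
# from, then feeds the post's own diskpart commands to diskpart as a script.
# Run from an elevated PowerShell 3.0 prompt on Windows 8. $Target is an assumed
# value: read the table first, then set it to the disk you really mean.
$Target = 1

# 1. Disk -> partition -> drive letter map (the information "det disk" gives you).
foreach ($d in Get-Disk | Sort-Object Number) {
    '{0,-3} {1,-30} {2,8:N0} GB  Boot={3} System={4} Style={5}' -f $d.Number, $d.FriendlyName, ($d.Size / 1GB), $d.IsBoot, $d.IsSystem, $d.PartitionStyle
    Get-Partition -DiskNumber $d.Number -ErrorAction SilentlyContinue | ForEach-Object {
        '    partition {0,-2} {1,8:N0} GB  letter={2} type={3}' -f $_.PartitionNumber, ($_.Size / 1GB), $_.DriveLetter, $_.Type
    }
}

# 2. Safety check: never clean the boot/system disk or the one holding %SystemDrive%.
$sysLetter = $env:SystemDrive.Substring(0, 1)
$disk = Get-Disk -Number $Target
$holdsSystemDrive = Get-Partition -DiskNumber $Target -ErrorAction SilentlyContinue |
    Where-Object { [string]$_.DriveLetter -eq $sysLetter }
if ($disk.IsBoot -or $disk.IsSystem -or $holdsSystemDrive) {
    throw "Disk $Target holds the running OS; boot from the install DVD and run diskpart there."
}

# 3. The commands from the post, as a diskpart script. "clean all" writes zeros over
#    every sector (which is why it takes so long on a large drive); plain "clean" would
#    only remove the partition table and leave the data, and any malware, in place.
$script = @"
select disk $Target
detail disk
clean all
exit
"@
$scriptPath = Join-Path $env:TEMP 'wipe-disk.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII
diskpart /s $scriptPath
```

The same "clean" versus "clean all" distinction explains why a Windows 8 Reset cleared C:\ but left D:\ able to reinfect it: Reset rebuilds the Windows partition and does not touch other partitions or disks, whereas "clean all" on the selected disk removes every partition on it.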

#12 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 03 May 2013 - 05:06 PM

How long does the clean all take? It's been sitting here doing nothing for 30 minutes.

#13 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 03 May 2013 - 06:28 PM

Depends on how large the HDD is.  It may take as much as 2 hours.


~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#14 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 05 May 2013 - 12:01 AM

OK, I have done all this and reinstalled. When I'm on the computer it shows I'm in C:\, but when I check with disk tools, it says volume 1 C:\ is only 350 MB and volume 2 D:\ is 931 GB. I don't have anything installed on D:\; that's supposed to be my DVD drive, I believe. Shouldn't the terabyte/931 GB be on the C:\ and not D:\? Or am I wrong on that? Also, I was running my Vaio in legacy mode when I was blasted. I don't know how to get back into the BIOS. It boots too fast; there's no option for F2 or F10 or F8 or Esc, etc. In legacy mode the Shift + reset doesn't give me the option to restart in BIOS mode like the UEFI Win 8 mode did. I would like to switch out of legacy and back to UEFI mode. Any help with this? Also, I will donate to you after we are done. Your site has helped me before. Or you can post a donate link and I'll contribute now.

#15 HelpMe0ut (Topic Starter)
  • Members
  • 51 posts

Posted 05 May 2013 - 12:04 AM

Sorry, I can't edit; I'm on my iPhone while trying to fix this. After I did the factory wipe my Vaio button stopped working, which used to let me get into my BIOS and make changes.



