
infected with boot.pihar, but I just ran new scan...gone????
#1 ntoolate

Posted 21 May 2013 - 07:03 PM

dds logs attached!!

 

Just ran a new Norton scan and boot.pihar was not found, as it had been in a couple of prior scans. Does that mean it is partially gone or simply adapted?

 

XP SP3 system. The system is stable and operating even though Norton says that the infection is there, but Norton cannot remove it.

 

I have also used SuperAntiSpyware, Norton Power Eraser, and I think I ran Malwarebytes. These did not detect any problem at all.

 

My computer has remained stable with no visible problems with functionality.

 

In recent weeks I had become slothful regarding Windows updates, so I did apply many old updates. Don't know if that affected the scan I just took that revealed no infection.

 

 

Since the new scan did not reveal the existence of the infection, I just wonder if it is smart enough to adapt to avoid detection, or did I have false positives, or did Power Eraser work when I restarted?

 

But here are the logs: dds.txt and attach.txt attached.

 

Thanks for the assistance.

 

see also:   http://www.bleepingcomputer.com/forums/t/495240/bootpihar-infection-norton-name/




#2 m0le
Malware Response Team, London, UK

Posted 22 May 2013 - 08:33 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#3 ntoolate (Topic Starter)

Posted 23 May 2013 - 06:04 AM

Hi m0le, I'm here. I cannot watch the computer all day because of my work schedule, but I will reply daily. Thanks.

 

I'm sure you noticed the DDS logs that I attached to the first posting.

 

And your post said that the Avast download was 511KB, but it was 4.5MB. Did I download the right thing?



#4 m0le

Posted 23 May 2013 - 06:16 PM

Yes, it's the right thing but it's been updated many times and the size of it has leapt up. Thanks for flagging that up.

Please run the program and let's see if Pihar comes up.

#5 ntoolate (Topic Starter)

Posted 23 May 2013 - 06:37 PM

OK. Here's the first scan log. The program asked me if I wanted to download the Avast antivirus with its additional definitions, which I did not do.

 

I simply used the stand-alone aswMBR tool.




#6 m0le

Posted 23 May 2013 - 06:55 PM

Please now run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

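The aswMBR and TDSSKiller steps above both start from the same object: the 512-byte master boot record that a bootkit such as Pihar (generally classed as a TDL4 derivative) overwrites. The Python script below is an added example, not code from this thread or from either tool, showing a simplified version of what such a check looks at: the 0x55AA boot signature, the four partition-table entries, a SHA-256 of the 440-byte boot code compared with a known-good baseline, and unpartitioned space at the end of the disk, which TDL4-family bootkits use for hidden storage. The sample MBRs, the disk size, the "clean" boot code and the baseline hash are all constructed here; on a real machine the baseline has to come from the same disk while it was known clean, and the tail-space check is a heuristic only, since plenty of clean disks also leave some slack after the last partition.

```python
"""Simplified MBR check in the spirit of aswMBR / TDSSKiller (added example).

Parses a 512-byte master boot record, validates the boot signature, decodes the
four partition-table entries and reports the things an MBR-bootkit scanner
looks at: boot-code drift against a known-good baseline hash, overlapping or
out-of-range partitions, and unpartitioned space at the end of the disk.
All inputs below are constructed; nothing is read from a real disk."""

import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # boot code occupies offsets 0..439
PART_TABLE_OFF = 446          # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIG = b"\x55\xaa"        # offsets 510..511


def parse_partitions(mbr):
    """Decode the non-empty partition-table entries into dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, start, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start": start, "sectors": count, "end": start + count})
    return parts


def check_mbr(mbr, disk_sectors, baseline_boot_sha256, tail_threshold=2048):
    """Return a report dict with the boot-code hash, partitions and a findings list.

    baseline_boot_sha256 is the SHA-256 of the 440-byte boot code taken from the
    same disk while it was known clean (an assumption of this example).
    tail_threshold is a heuristic: unpartitioned sectors beyond it are reported
    because TDL4-family bootkits keep a hidden file system there, but clean
    disks often have some slack too, so treat it as a lead, not a verdict."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    boot_sha256 = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_sha256 != baseline_boot_sha256:
        findings.append("boot code differs from known-good baseline")
    parts = parse_partitions(mbr)
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["end"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    for p in parts:
        if p["end"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    tail = disk_sectors - max((p["end"] for p in parts), default=0)
    if tail > tail_threshold:
        findings.append(f"{tail} unpartitioned sectors after the last partition")
    return {"boot_code_sha256": boot_sha256, "partitions": parts,
            "tail_sectors": tail, "findings": findings}


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (status, type, start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed sample data (not real boot code, not a real disk).
DISK_SECTORS = 156_301_488                      # a 512-byte-sector disk of about 80 GB
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 1000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Simulated infection: different boot code, and 20480 sectors at the end of
# the disk left outside any partition.
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 20,
                         [(0x80, 0x07, 63, DISK_SECTORS - 63 - 20480)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        report = check_mbr(mbr, DISK_SECTORS, BASELINE_SHA256)
        print(f"{name}: boot sha256={report['boot_code_sha256'][:16]}... "
              f"tail={report['tail_sectors']} findings={report['findings'] or 'none'}")
```

On a live Windows system the 512 bytes would be read from \\.\PhysicalDrive0 with administrator rights, and a hash mismatch against the baseline is the strongest of the signals here; the partition-table and tail-space checks mainly tell you where a scanner should look next. A rootkit that hooks the disk driver can of course lie to a user-mode reader, which is why the dedicated tools read below the filter stack and why this script is a teaching aid rather than a replacement for them.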

#7 ntoolate (Topic Starter)

Posted 23 May 2013 - 08:12 PM

Here's the report.txt from the TDSSKiller.exe scan.

 

I assume it says the same as what I saw on the screen: Clean! or No threats found. I started to suggest a conclusion; I guess I'd better leave that to you. As I said in the first post, I did run a rootkit scanner again, a second time, after my first post here. The second time, it appeared to be gone, but I wanted confirmation that it was not "hiding".




#8 m0le

Posted 24 May 2013 - 08:38 PM

Yes, all variants of Pihar get picked up by TDSSKiller, so you look clear. Just need an ESET scan to make sure there are no remnants left over.

 

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.



#9 ntoolate (Topic Starter)

Posted 26 May 2013 - 09:01 PM

m0le, I don't know if I am allowed to ask questions, but... that is me, I like to ask questions.

 

I have run Malwarebytes, SuperAntiSpyware, Norton Power Eraser, TDSSKiller and the normal NIS security which is installed on my computer. Plus, I created DDS logs and aswMBR logs.

 

Would you mind telling me what ESET will do that the others cannot or fail to do? What additional facet or functionality does ESET provide? I have already run it on two other computers. So this question is not about my reluctance to run it; it is simply a clinical question regarding its capabilities vs. these other providers and tools.

 

BTW, when I accessed ESET the way you asked in your post, by pressing the Control key, the tabs turned green in colour. On the two other computers on which I have already run ESET, I don't think there were green tabs. Do you know what that may mean? I am running XP on this computer.

 

Thank you.



#10 m0le

Posted 27 May 2013 - 06:27 PM

You can certainly ask questions.
 

Would you mind telling me what ESET will do that the others cannot or fail to do?.  What additional facet or functionality does ESET provide?

ESET targets malware remnants and also looks for copies of malware in places that other tools don't look in, in malware hidey-holes like System Restore and Java cache folders, for instance. Some of these seemingly innocuous files can, if not removed, regenerate the malware after a reboot or can continue to affect the PC's performance.
 

when I accessed ESET the way you asked in your post by pressing the control key, the tabs turned green in color.  Do you know what that may mean.

I'm running Windows 7 so I can't really test that. The tab stayed non-green for me. I don't think it's anything to be concerned by.

#11 ntoolate (Topic Starter)

Posted 27 May 2013 - 06:49 PM

Thanks. Going to run the scan now. BTW, I mentioned that I ran ESET on two computers already.

One was my laptop, which was clean!! I usually keep my computers cleaned up.

 

The other was a friend's that was "stuck". I booted up in safe mode and ran ESET. It identified almost a dozen adware-type programs and add-ons that had the computer clogged/stuck. They were removed by ESET and all additional scans were clean.

 

The computer I am going to run it on now is my oldest tower. It has seen a lot of use over the last decade. I will not be surprised to see some stuff that it wants to remove, although I usually keep it clean and updated. Interestingly, I had just recently gotten slack on updates and scans when I got this boot.pihar.

 

Thanks.



#12 ntoolate (Topic Starter)

Posted 28 May 2013 - 06:30 AM

Somewhat surprised. Clean. No threats found, so no threat file was generated. I did not run it in safe mode and I did not disable Norton Internet Security. Would that make a difference? The scan took over 4 hours.

#13 m0le

Posted 28 May 2013 - 08:14 PM

That looks to be fairly conclusive then :)

Any issues that are still worrying you?

#14 ntoolate (Topic Starter)

Posted 28 May 2013 - 09:02 PM

Not at this time. Thanks for the assistance. Unless you want to give me your opinion on removing questionable services like ALCXMNTR.exe (sp?) or jusched.exe. Since these are planted by reputable programs, I'm just wondering if removal is driven by being overly cautious, paranoia, or smart!

 

But that is a different discussion. Thanks again. The battle continues.



#15 m0le

Posted 29 May 2013 - 06:08 PM

I suggest you take our advice in the Startup list with regard to these types of files:

http://www.bleepingcomputer.com/startups/

Cheers :)