Help me check if my Win Xp PC have Torpig


#1 Asle, posted 27 September 2013 - 04:19 AM

Hi

I have a computer that has Linux Mint and Win XP running in dual boot.

The PC was running only WinXP before, but since my ISP informed me that I had Torpig, I decided to install Linux Mint to be on the safe side.

But I would love to check if WinXP has Torpig or not and get it removed.

 

Asle

 

 



#2 boopme (Global Moderator), posted 27 September 2013 - 02:39 PM



Hello Asle, Let's take a look.

Please download aswMBR.exe and save it to your Desktop.
  • Double click on aswMBR.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button and save it to your Desktop.
  • Do not select any Fix options at this time.
  • Copy and paste the contents of that log in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Asle (Topic Starter), posted 28 September 2013 - 04:11 AM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-28 10:25:18
-----------------------------
10:25:18.390    OS Version: Windows 5.1.2600 Service Pack 3
10:25:18.390    Number of processors: 2 586 0x2B01
10:25:18.390    ComputerName: GAMING-SERVER  UserName: Asle
10:25:19.218    Initialize success
10:31:29.609    AVAST engine defs: 13092800
10:32:33.234    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000070
10:32:33.234    Disk 0 Vendor: ST3320620AS 3.AAJ Size: 305244MB BusType: 3
10:32:33.328    Disk 0 MBR read successfully
10:32:33.328    Disk 0 MBR scan
10:32:33.328    Disk 0 Win32:MBRoot-J [Trj]
10:32:33.328    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       166893 MB offset 63
10:32:33.343    Disk 0 Partition - 00     05     Extended            138350 MB offset 341798910
10:32:33.359    Disk 0 Partition 2 00     82   Linux swap              4836 MB offset 341798912
10:32:33.359    Disk 0 Partition - 00     05     Extended            133514 MB offset 351703040
10:32:33.375    Disk 0 MBR [Win32:MBRoot]  **ROOTKIT**
10:32:33.406    Disk 0 scanning C:\WINDOWS\system32\drivers
10:32:46.234    Service scanning
10:33:01.859    Modules scanning
10:33:05.718    Disk 0 trace - called modules:
10:33:05.750    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys 
10:33:05.750    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adcaab8]
10:33:05.750    3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000071[0x8ae0fe10]
10:33:05.750    5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\00000070[0x8adca030]
10:33:06.062    AVAST engine scan C:\WINDOWS
10:33:21.906    AVAST engine scan C:\WINDOWS\system32
10:36:46.031    AVAST engine scan C:\WINDOWS\system32\drivers
10:37:02.343    AVAST engine scan C:\Documents and Settings\Asle
10:47:00.343    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\MBR.dat"
10:47:00.359    The log file has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\aswMBR.txt"
10:56:45.703    AVAST engine scan C:\Documents and Settings\All Users
11:00:46.359    Scan finished successfully
11:04:47.281    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\MBR.dat"
11:04:47.296    The log file has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\aswMBR.txt"
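The log above carries the whole story in three kinds of line: the partition table ("Disk 0 Partition ..."), the engine hit on the boot sector ("Win32:MBRoot-J [Trj]") and the verdict line ("Disk 0 MBR [Win32:MBRoot]  **ROOTKIT**"). When you collect several of these logs (before and after a fix, or from several machines) it helps to condense them mechanically rather than eyeball them. The parser below is an added example, not aswMBR's own code and not part of this thread; it assumes the line layout visible in the logs posted here ("HH:MM:SS.mmm    Disk N ...") and the sample logs embedded in it are trimmed copies of the ones in this thread.

```python
"""Condense aswMBR text logs (the kind posted in this thread) into a triage verdict.

Added example: this is not aswMBR's own code and not part of the thread. It assumes the
line layout visible in the logs above ("HH:MM:SS.mmm    Disk N ..."); other aswMBR builds
may format lines differently.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: trimmed copies of the logs posted in the thread, before the fix and
# after the MBR fix plus GRUB reinstall.
LOG_BEFORE_FIX = """\
Run date: 2013-09-28 10:25:18
10:32:33.328    Disk 0 Win32:MBRoot-J [Trj]
10:32:33.328    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       166893 MB offset 63
10:32:33.343    Disk 0 Partition - 00     05     Extended            138350 MB offset 341798910
10:32:33.359    Disk 0 Partition 2 00     82   Linux swap              4836 MB offset 341798912
10:32:33.359    Disk 0 Partition - 00     05     Extended            133514 MB offset 351703040
10:32:33.375    Disk 0 MBR [Win32:MBRoot]  **ROOTKIT**
11:00:46.359    Scan finished successfully
"""
LOG_AFTER_GRUB = """\
Run date: 2013-10-07 11:16:15
11:29:33.920    Disk 0 unknown MBR code
11:29:33.936    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       166893 MB offset 63
11:29:33.936    Disk 0 Partition - 00     05     Extended            138350 MB offset 341798910
11:29:33.951    Disk 0 Partition 2 00     82   Linux swap              4836 MB offset 341798912
11:29:33.967    Disk 0 Partition - 00     05     Extended            133514 MB offset 351703040
11:58:24.138    Scan finished successfully
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
PART = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\S+) (?P<boot>[0-9A-F]{2})\s+(?:\(A\)\s+)?"
    r"(?P<type>[0-9A-F]{2})\s+(?P<desc>.+?)\s+(?P<mb>\d+) MB offset (?P<offset>\d+)$")
DETECT = re.compile(r"Disk (?P<disk>\d+) (?P<name>\S+) \[Trj\]$")
ROOTKIT = re.compile(r"Disk (?P<disk>\d+) MBR \[(?P<name>[^\]]+)\]\s+\*\*ROOTKIT\*\*$")


@dataclass
class Partition:
    num: str
    bootable: bool
    type_id: int
    desc: str
    size_mb: int
    offset_lba: int


@dataclass
class AswReport:
    run_date: Optional[str] = None
    partitions: List[Partition] = field(default_factory=list)
    detections: List[str] = field(default_factory=list)   # "... [Trj]" engine hits
    mbr_rootkit: Optional[str] = None                     # name from the **ROOTKIT** line
    unknown_mbr_code: bool = False
    mbr_fixed: bool = False
    scan_finished: bool = False


def parse_aswmbr_log(text: str) -> AswReport:
    rep = AswReport()
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())          # drop the leading timestamp
        if line.startswith("Run date:"):
            rep.run_date = line.split(":", 1)[1].strip()
        elif (m := PART.search(line)):
            rep.partitions.append(Partition(
                m["num"], m["boot"] == "80", int(m["type"], 16),
                m["desc"].strip(), int(m["mb"]), int(m["offset"])))
        elif (m := ROOTKIT.search(line)):
            rep.mbr_rootkit = m["name"]
        elif (m := DETECT.search(line)):
            rep.detections.append(m["name"])
        elif "unknown MBR code" in line:
            rep.unknown_mbr_code = True
        elif "MBR fixed successfully" in line:
            rep.mbr_fixed = True
        elif line == "Scan finished successfully":
            rep.scan_finished = True
    return rep


def verdict(rep: AswReport) -> str:
    """aswMBR's own wording is the authority; this only condenses it for a quick read."""
    if rep.mbr_rootkit:
        return f"MBR infected: {rep.mbr_rootkit}" + (" (fixed this run)" if rep.mbr_fixed else "")
    if rep.unknown_mbr_code:
        return "MBR code not recognised: expected for GRUB or other non-Windows boot code, verify manually"
    return "no MBR detection"


def partition_tables_match(a: AswReport, b: AswReport) -> bool:
    """An MBR-code-only fix should change the boot code and leave the table alone."""
    layout = lambda r: [(p.type_id, p.offset_lba, p.size_mb) for p in r.partitions]
    return layout(a) == layout(b)
```

`partition_tables_match` is the check worth keeping: a fix that only rewrites boot code must leave every partition type and LBA offset identical between runs, and if it does not, the "fix" touched more than the code area and the logs deserve a closer look before rebooting.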


#4 boopme (Global Moderator), posted 01 October 2013 - 09:14 AM

Hello, sorry, we had an emergency. Did that scan offer for you to click the FIX or FIXMBR button?



#5 Asle (Topic Starter), posted 02 October 2013 - 07:30 PM

I think so, but I did not click it since you told me not to do so.



#6 boopme (Global Moderator), posted 02 October 2013 - 07:34 PM

Then please run it again and click it.

Re-Run aswMBR
  • Click Scan
  • On completion of the scan, click the FIXMBR or FIX button
  • There is a slight pause after clicking the FIXMBR or FIX button.
  • Wait for the tool to report 'Infection fixed successfully', then reboot the machine.
  • Rebooting the machine prematurely, before seeing this line, will result in an incomplete fix.

Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect of the fix. All will be well after the reboot.

  • Save the log as before and post it in your next reply.

Edited by boopme, 02 October 2013 - 07:36 PM.


#7 Asle (Topic Starter), posted 03 October 2013 - 05:22 AM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-03 09:11:46
-----------------------------
09:11:46.878    OS Version: Windows 5.1.2600 Service Pack 3
09:11:46.878    Number of processors: 2 586 0x2B01
09:11:46.878    ComputerName: GAMING-SERVER  UserName: Asle
09:11:47.597    Initialize success
09:16:40.554    AVAST engine defs: 13100201
09:17:01.895    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000070
09:17:01.910    Disk 0 Vendor: ST3320620AS 3.AAJ Size: 305244MB BusType: 3
09:17:01.988    Disk 0 MBR read successfully
09:17:01.988    Disk 0 MBR scan
09:17:01.988    Disk 0 Win32:MBRoot-J [Trj]
09:17:02.004    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       166893 MB offset 63
09:17:02.004    Disk 0 Partition - 00     05     Extended            138350 MB offset 341798910
09:17:02.020    Disk 0 Partition 2 00     82   Linux swap              4836 MB offset 341798912
09:17:02.020    Disk 0 Partition - 00     05     Extended            133514 MB offset 351703040
09:17:02.035    Disk 0 MBR [Win32:MBRoot]  **ROOTKIT**
09:17:02.051    Disk 0 scanning C:\WINDOWS\system32\drivers
09:17:14.611    Service scanning
09:17:30.312    Modules scanning
09:17:33.859    Disk 0 trace - called modules:
09:17:33.874    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys 
09:17:33.890    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adcaab8]
09:17:33.890    3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000071[0x8ae0fe10]
09:17:33.890    5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\00000070[0x8adca030]
09:17:34.202    AVAST engine scan C:\WINDOWS
09:17:49.981    AVAST engine scan C:\WINDOWS\system32
09:21:14.639    AVAST engine scan C:\WINDOWS\system32\drivers
09:21:30.090    AVAST engine scan C:\Documents and Settings\Asle
09:41:25.529    AVAST engine scan C:\Documents and Settings\All Users
09:45:52.982    Scan finished successfully
12:16:00.287    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\MBR.dat"
12:16:00.287    The log file has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\aswMBR2.txt"
12:16:42.801    Verifying
12:16:52.801    Disk 0 Windows 501 MBR fixed successfully
12:18:18.675    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\MBR.dat"
12:18:18.690    The log file has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\aswMBR2.txt"


#8 boopme (Global Moderator), posted 03 October 2013 - 04:14 PM

Ok, no good, we need to use stronger tools to find and kill the rootkit.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.

#9 Asle (Topic Starter), posted 07 October 2013 - 05:06 AM

I had to reinstall the boot loader for dual booting Linux and Win XP after fixing the MBR.

This is how the aswMBR log looks now; if you still think there is a virus, I will go on with following the Prep Guide as you posted above.
 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-07 11:16:15
-----------------------------
11:16:15.562    OS Version: Windows 5.1.2600 Service Pack 3
11:16:15.562    Number of processors: 2 586 0x2B01
11:16:15.562    ComputerName: GAMING-SERVER  UserName: Asle
11:16:21.109    Initialize success
11:23:21.293    AVAST engine defs: 13100700
11:29:33.779    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000070
11:29:33.779    Disk 0 Vendor: ST3320620AS 3.AAJ Size: 305244MB BusType: 3
11:29:33.889    Disk 0 MBR read successfully
11:29:33.889    Disk 0 MBR scan
11:29:33.920    Disk 0 unknown MBR code
11:29:33.936    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       166893 MB offset 63
11:29:33.936    Disk 0 Partition - 00     05     Extended            138350 MB offset 341798910
11:29:33.951    Disk 0 Partition 2 00     82   Linux swap              4836 MB offset 341798912
11:29:33.967    Disk 0 Partition - 00     05     Extended            133514 MB offset 351703040
11:29:33.982    Disk 0 scanning sectors +625139712
11:29:34.029    Disk 0 scanning C:\WINDOWS\system32\drivers
11:29:47.559    Service scanning
11:30:03.932    Modules scanning
11:30:07.760    Disk 0 trace - called modules:
11:30:07.775    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys 
11:30:07.791    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adcaab8]
11:30:07.791    3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\00000071[0x8ae0fe10]
11:30:07.791    5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\00000070[0x8adca030]
11:30:08.072    AVAST engine scan C:\WINDOWS
11:30:23.945    AVAST engine scan C:\WINDOWS\system32
11:33:52.967    AVAST engine scan C:\WINDOWS\system32\drivers
11:34:10.887    AVAST engine scan C:\Documents and Settings\Asle
11:53:53.895    AVAST engine scan C:\Documents and Settings\All Users
11:58:24.138    Scan finished successfully
12:00:07.395    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\MBR.dat"
12:00:07.395    The log file has been saved successfully to "C:\Documents and Settings\Asle\Desktop\Logs\aswMBR3.txt"
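Two things changed between this log and the earlier ones: the "Win32:MBRoot" verdict is gone, and the MBR scan now says "unknown MBR code". The second is what you expect once GRUB has been reinstalled over the sector, because aswMBR is matching the stock Windows boot code and GRUB's boot.img is not that. The way to turn "unknown" into something you can stand behind is to look at the sector itself: the log shows aswMBR saving "Disk 0 MBR" to Desktop\Logs\MBR.dat on every run, so you have a before and an after copy. The script below is an added example (not from aswMBR, GRUB or this thread). It assumes MBR.dat is the raw 512-byte sector, which I have not verified for this tool version, and it identifies the boot-code family by the error strings the stock Windows NT 5.x MBR and GRUB 2's boot.img carry; the two sample sectors are constructed, with the two primary entries copied from the logs above (the Linux swap line and the second "Extended" line in the log come from the EBR chain, not from the primary table).

```python
"""Inspect a raw 512-byte MBR image such as the MBR.dat that aswMBR saves beside its log.

Added example; not from aswMBR, GRUB or the thread. Boot-code families are recognised by
error strings carried in the stock Windows NT 5.x MBR and in GRUB 2's boot.img. The two
sample MBRs are constructed; their primary partition entries copy the logs in the thread.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0-439 hold bootstrap code; the disk signature starts at 440
TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"

KNOWN_STRINGS = {
    "windows-nt5": [b"Invalid partition table", b"Error loading operating system",
                    b"Missing operating system"],
    "grub2": [b"GRUB", b"Geom", b"Hard Disk", b"Read"],
}


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Return the non-empty primary entries (logical partitions live in the EBR chain)."""
    if len(mbr) != SECTOR or mbr[510:] != SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 55AA")
    entries = []
    for i in range(4):
        e = mbr[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba, sectors = struct.unpack_from("<II", e, 8)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba": lba, "sectors": sectors, "size_mb": sectors // 2048})
    return entries


def classify_boot_code(mbr: bytes) -> str:
    """Family of the code area by its strings; 'unknown' mirrors aswMBR's wording."""
    code = mbr[:BOOT_CODE_LEN]
    for family, needles in KNOWN_STRINGS.items():
        if all(n in code for n in needles):
            return family
    return "unknown"


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the code area only, so repartitioning does not move the baseline but
    any change to the boot code does."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_changed(mbr: bytes, baseline: str) -> bool:
    return boot_code_hash(mbr) != baseline


# --- constructed samples ---------------------------------------------------------------
PRIMARY_ENTRIES = [  # (status, type, first LBA, sector count), from the aswMBR logs above
    (0x80, 0x07, 63, 341798847),         # NTFS, active; 341798847 // 2048 == 166893 MB
    (0x00, 0x05, 341798910, 283340800),  # extended container, 138350 MB
]


def build_sample_mbr(strings: List[bytes]) -> bytes:
    code = bytearray(BOOT_CODE_LEN)
    code[0:3] = b"\x33\xc0\x8e"          # placeholder opcode bytes, not real boot code
    pos = 0x100
    for s in strings:                     # plant the family's strings as a real MBR would
        code[pos:pos + len(s)] = s
        pos += len(s) + 1
    sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # fake disk signature + reserved
    table = bytearray(64)
    for i, (status, ptype, lba, sectors) in enumerate(PRIMARY_ENTRIES):
        # CHS fields set to FE FF FF (LBA-only convention)
        struct.pack_into("<B3sB3sII", table, 16 * i, status, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", lba, sectors)
    return bytes(code) + sig + bytes(table) + SIGNATURE


SAMPLE_WINDOWS_MBR = build_sample_mbr(KNOWN_STRINGS["windows-nt5"])
SAMPLE_GRUB_MBR = build_sample_mbr(KNOWN_STRINGS["grub2"])
```

Against a real MBR.dat you would call `parse_partition_table(open(path, "rb").read())` and check that the offsets agree with the aswMBR log, then record `boot_code_hash` right after you install GRUB and compare against it on later runs. The string match only says which family the code resembles; a bootkit that keeps the original strings would still pass it, which is why the hash against your own known-good copy is the check that carries weight.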


#10 boopme (Global Moderator), posted 07 October 2013 - 08:57 AM

Good, looks good.

Let's just run RKill, it's quick.

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.


#11 Asle (Topic Starter), posted 20 December 2013 - 07:33 PM

Sorry for the long time no see.

I have run RKill; then it told me to download hosts-perm.bat, so I did and ran it.

Asle



#12 boopme (Global Moderator), posted 21 December 2013 - 09:00 PM

Cool, so all is good now.



