Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Virus returns after secure erase, reformats and windows reinstalls

  • This topic is locked This topic is locked
3 replies to this topic

#1 Avolate


  • Members
  • 11 posts
  • Local time:08:03 PM

Posted 05 November 2013 - 03:59 AM

I have horrible virus I cannot get rid off. I've been trying to remove it for about a month.

And I'm about to throw my computer in the trash !

I reinstalled windows about eight freaking times.

And every single time the hacker returns. He is logging onto my origin account and I'm aware every time he logs in, Origin tells me he logged on from another computer.

I don't understand where this virus is hiding that it can return after I secure erased my SSD drive.

I also tried to unplug my SSD and instead tried to use a 1 tb hard drive but the virus still returned.

I've tried flashing my bios but that also did not help.

It's not possible that I am re infecting myself because I am doing a complete and total refresh from start with none of my saved data. Not using a USB.

I've been reformatting windows over and over to try and remove the virus. Let me explain my last reformat, and re install.

I saw that the hacker logged onto my origin account, so I turned off my PC. I unplugged it from the internet. I opened it up and unplugged my 1 tb HDD, then I loaded up parted magic though bios and used it to secure erase my SSD. I left my HDD totally disconnected this time but it was also formatted with dban.

I installed windows on my secure erased SSD with the PC disconnected from the Internet. Then I used the CD from the manufacturer to install my local area network. I plugged in the PC to the Internet and started doing windows updates.

The only programs I installed were my graphics drivers from Nvdia, Firefox, winrar, AVG and Origin.

I used origin to change my password. Then went to bed.

I've just woken up and the hacker is already on my origin account.

Please tell how this is even possible or I will have to buy a new computer.

BC AdBot (Login to Remove)


#2 Avolate

  • Topic Starter

  • Members
  • 11 posts
  • Local time:08:03 PM

Posted 05 November 2013 - 05:07 AM

 I just did a scan with GMER just after logging onto origin and this is what it showed.


 GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-05 05:06:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 M4-CT128M4SSD2 rev.000F 119.24GB
Running: p36j21dm.exe; Driver: C:\Users\Avolate\AppData\Local\Temp\ugdiqfod.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowPos               00000000763f8e4e 5 bytes JMP 000000016e663340
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!ShowWindow                 0000000076400dfb 5 bytes JMP 000000016e6632d0
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!SetFocus                   0000000076402175 5 bytes JMP 000000016e663320
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!SetActiveWindow            0000000076403208 5 bytes JMP 000000016e663390
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!BringWindowToTop           0000000076407b3b 5 bytes JMP 000000016e663230
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!SetForegroundWindow        000000007641f170 5 bytes JMP 000000016e663200
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow         00000000764390fc 5 bytes JMP 000000016e663260
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\USER32.dll!ShowWindowAsync            0000000076457d97 5 bytes JMP 000000016e663280
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\ole32.dll!DoDragDrop                  00000000766fa827 5 bytes JMP 000000016e6631e0
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076391465 2 bytes [39, 76]
.text  C:\Program Files (x86)\Origin\Origin.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000763914bb 2 bytes [39, 76]
.text  ...                                                                                                      * 2

---- EOF - GMER 2.1 ----




 A scan with aswmbr showed nothing.


 This is its log:


aswMBR version Copyright© 2011 AVAST Software
Run date: 2013-11-05 05:11:43
05:11:43.424    OS Version: Windows x64 6.1.7601 Service Pack 1
05:11:43.424    Number of processors: 4 586 0x2A07
05:11:43.425    ComputerName: AVOLATE-PC  UserName: Avolate
05:11:43.568    Initialize success
05:11:55.254    AVAST engine defs: 13110403
05:12:01.316    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
05:12:01.317    Disk 0 Vendor: M4-CT128M4SSD2 000F Size: 122104MB BusType: 11
05:12:01.334    Disk 0 MBR read successfully
05:12:01.336    Disk 0 MBR scan
05:12:01.338    Disk 0 Windows 7 default MBR code
05:12:01.339    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
05:12:01.341    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       122002 MB offset 206848
05:12:01.376    Disk 0 scanning C:\Windows\system32\drivers
05:12:03.456    Service scanning
05:12:08.546    Modules scanning
05:12:08.553    Disk 0 trace - called modules:
05:12:08.559    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
05:12:08.563    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800721e060]
05:12:08.892    3 CLASSPNP.SYS[fffff880018aa43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa8007009550]
05:12:09.009    AVAST engine scan C:\Windows
05:12:09.363    AVAST engine scan C:\Windows\system32
05:13:07.884    AVAST engine scan C:\Windows\system32\drivers
05:13:10.184    AVAST engine scan C:\Users\Avolate
05:13:12.627    AVAST engine scan C:\ProgramData
05:13:13.787    Scan finished successfully
05:13:20.490    Disk 0 MBR has been saved successfully to "C:\Users\Avolate\Desktop\MBR.dat"
05:13:20.492    The log file has been saved successfully to "C:\Users\Avolate\Desktop\aswMBR.txt"




 Also tdss killer found nothing.

Edited by Avolate, 05 November 2013 - 05:15 AM.

#3 nasdaq


  • Malware Response Team
  • 40,749 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:03 PM

Posted 08 November 2013 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this if fixed.

How to : Disable Anti-virus and Firewall...

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Third party programs if not up to date can be the cause of infiltration an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#4 nasdaq


  • Malware Response Team
  • 40,749 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:03 PM

Posted 14 November 2013 - 09:33 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users