bcd symbolic link remote hack virus pagefile swapfile


48 replies to this topic

#1 malyousef

malyousef

  • Members
  • 31 posts

Posted 17 November 2013 - 07:17 AM

hi

 

thank you

 

I need your help with a very stubborn rootkit/boot sector/mbr pagefile swapfile

 

I am sure what it is called; however, I have been struggling with it for the last 6 months, and even with a full format and hard drive change it is still there...

 

I am not sure what to do and thought I'll try with you guys, the expert volunteers; maybe we get lucky.

 

thank you





#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 17 November 2013 - 07:42 AM

What exactly is the issue?

If you are concerned about the pagefile.sys file, it should be in the root of drive C:; in any other place it would be considered malicious.

Please download TDSSKiller exe version to your desktop.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.

  • Click on Change Parameters and tick Detect TDLFS File System.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not an option, Skip instead; do not choose Delete unless instructed.
  • A TDSSKiller text file will be saved in Local Disk C.
  • Copy and paste the contents of that file in your next reply.


ADW Cleaner


Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
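The reply above states the rule of thumb that pagefile.sys belongs in the root of the system drive and is suspect anywhere else. The following PowerShell script is an added example (not posted by cryptodan or anyone in this thread) that turns that rule into a check: it reads the paging files Windows has registered (via Win32_PageFileUsage and the PagingFiles registry value), searches the fixed drives for every pagefile.sys and swapfile.sys actually present, and reports any that sit outside a drive root or are not registered with the OS. The function name Get-PagingFileReport is my own; it assumes an elevated PowerShell 5.1 or later on Windows.

```powershell
# Added example, not from the thread: verify that every paging file on the
# machine is where Windows expects it (the root of a fixed drive) and that
# Windows itself knows about it. Run from an elevated PowerShell session.
# Note: the full-drive search can take several minutes on large disks.

function Get-PagingFileReport {
    [CmdletBinding()]
    param(
        # Drives to search; default is every fixed local disk (DriveType 3).
        [string[]] $Drives = @(
            Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
                Select-Object -ExpandProperty DeviceID
        )
    )

    # 1. Paging files the OS currently has in use, e.g. "C:\pagefile.sys".
    $inUse = @(
        Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
    )

    # 2. Paging files configured in the registry. Entries look like
    #    "C:\pagefile.sys 0 0"; "?:\pagefile.sys" means automatic management
    #    on every drive, so we keep only the path token of each entry.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $configured = @(
        (Get-ItemProperty -Path $mm -Name PagingFiles -ErrorAction SilentlyContinue).PagingFiles |
            ForEach-Object { ($_ -split '\s+')[0] } |
            Where-Object { $_ }
    )

    # 3. Files actually present on disk. Both names are hidden+system files,
    #    so -Force is required for Get-ChildItem to return them.
    $onDisk = foreach ($d in $Drives) {
        Get-ChildItem -Path "$d\" -Include 'pagefile.sys', 'swapfile.sys' `
            -File -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($f in $onDisk) {
        # The parent of a drive-root directory is $null.
        $inRoot = ($null -eq $f.Directory.Parent)

        # Registered if the OS reports it, or the registry names it directly,
        # or the registry uses the "?:" wildcard for this file name.
        $wildcard = '?' + $f.FullName.Substring(1)
        $registered = ($inUse -contains $f.FullName) -or
                      ($configured -contains $f.FullName) -or
                      ($configured -contains $wildcard)

        if (-not $inRoot) {
            $verdict = 'SUSPICIOUS: paging-file name outside a drive root'
        } elseif (-not $registered -and $f.Name -ieq 'pagefile.sys') {
            # swapfile.sys is never listed in PagingFiles, so only pagefile.sys
            # is expected to be registered.
            $verdict = 'CHECK: pagefile.sys in a root but not registered with Windows'
        } else {
            $verdict = 'Expected'
        }

        [pscustomobject]@{
            Path        = $f.FullName
            SizeMB      = [math]::Round($f.Length / 1MB)
            InDriveRoot = $inRoot
            Registered  = $registered
            Verdict     = $verdict
        }
    }
}

# Usage: print the report as a table.
Get-PagingFileReport | Format-Table -AutoSize
```

On a healthy machine the report shows one pagefile.sys (and, on Windows 8 or later, one swapfile.sys) per drive root, all marked Expected. A file with the paging-file name in any subdirectory is not something Windows creates and is worth submitting for analysis rather than deleting outright; a root pagefile.sys that Windows does not list can simply be a stale file from a previous installation, so treat that verdict as a prompt to look, not as proof of infection.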


#3 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 17 November 2013 - 09:09 AM

OK, will do. Well, it seems like a webkit downloading modules and hackers logging in remotely... maybe through Active Directory and EAPHost. Just to give you a heads up; I'll send the report as advised. Thank you.

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 17 November 2013 - 09:14 AM

Active Directory is only in use in small businesses and major enterprises as a means to authenticate users and to grant system-level permissions to people. So if you are not in a business, then you are not using Active Directory.

EAP deals with wireless networks http://technet.microsoft.com/en-us/magazine/2007.05.cableguy.aspx

#5 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 17 November 2013 - 09:17 AM

Removed unsolicited HJT log...this and similar logs are not worked in this forum.  Please supply requested information, do not improvise since this may result in just worsening your computer situation - Hamluis.


Edited by hamluis, 17 November 2013 - 09:45 AM.


#6 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 17 November 2013 - 09:17 AM

Please remove the HijackThis log file, as I did not request it. Please perform the scans I have listed above.

#7 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 17 November 2013 - 09:17 AM

I think it is @%systemroot% maybe that is the name of this beast...

#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 17 November 2013 - 09:18 AM

Please remove the HijackThis logs and post the logs in a readable format.

#9 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 17 November 2013 - 09:19 AM

thisisudax.org. I'll try to get it from the net; let me search.

#10 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 17 November 2013 - 09:27 AM

Also, %systemroot% is a way to let programmers program that into system code to reference C:\Windows, so that it is easier to do so across different Windows versions.

It is no indication of any infection.

#11 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 17 November 2013 - 12:35 PM

Thank you sir.
You are correct.

@%systemroot%

Is the alias.

OK. It's an infected EFI partition, hidden. And in Secure Boot in the BIOS I think it managed to lock the keys, and the path in EFI boot can't be changed.

So a sword of both sharp edges. 1. If you boot, it took control, and if you are in the system you just are wasting time, as when you reboot, boom, back again.

That's what I've been doing for a while, as I didn't know the source.

Anyhow, please help and assist if possible, as I can't flash the BIOS and I'm not sure what's the trick. I have another iMac and it got infected too.

Thanks

#12 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 17 November 2013 - 01:05 PM

Well I just found out today. It's an ego infection.

So with AdwCleaner and HijackThis and Malwarebytes and malware rootkit and Trend security and stscleaner from Trend Micro and ZoneAlarm all together, in an hour or so that volume from the BIOS or virtual EFI got mounted off.

So I flashed the BIOS from Windows, and it didn't help as the keys couldn't be erased.

So I changed the hard disk, disabled Secure Boot, used diskpart clean all, and reinstalled.

Let's see

#13 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 18 November 2013 - 03:41 PM

well still here

 

any ideas



#14 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 18 November 2013 - 06:12 PM

The %systemroot% is no infection, and nothing shall be done. Regardless of what you or I do, or anyone for that matter, %systemroot% cannot be removed.

What other issues are you having?

#15 malyousef

malyousef
  • Topic Starter

  • Members
  • 31 posts

Posted 18 November 2013 - 06:18 PM

Well, can you please help me remove a BIOS virus?
How can I flash from DOS on an Asus G75VX?

Any ideas?

I'll try to reflash just in case I have it.
Then put a password on the BIOS.
Then see this MBR virus.

Can you help? Thanks



