
Possible Rootkit Infection?!?!

10 replies to this topic

#1 jjjonesee


Posted 16 May 2006 - 11:27 AM

I have an eMachine T1842, running Windows XP Home Edition, Version 2002, Service Pack 2.
I am changing internet providers, so I was copying and burning what I wanted to keep so I could re-install win xp for the new provider, besides the computer is pretty bogged down with useless junk.
In the process of doing this, I remembered an advert for spybot. I downloaded and installed and rebooted per instructions, and then did a scan. Something like 25 items were found, so I had spybot remove them. I then attempted to finish burning what I wanted to keep, but neither my cd burner or cdrom were/are being recognized.
So I thought that something I removed was somehow attached to the drives. So before I recovered any one of them I pulled up mozilla and did a search for each one, and they all came up as some sort of spyware or adware or some other malicious software. But nothing seemed to point out that it would attach itself to those drives. So one by one, I recovered and rebooted my machine until I put all 25 items back on my system, and I STILL don't have my drives back.
So I was asked to go to start, run, regedit.
Then system, currentcontrolset, enum, ide.
I see both drives here.
I was then asked to check for upperfilters and lowerfilters. There are only upperfilters.
Then asked for the values for the upperfilters. Not exactly sure what that is; if it's what is listed under the data column, then they are redbook.
OK, this is where I am at and really would appreciate some help.
Thank you for your time.

-Jeff

Edited by jjjonesee, 16 May 2006 - 01:15 PM.
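The registry check described in the post above (UpperFilters/LowerFilters on the CD-ROM devices) can be scripted. The following is an added example, not something posted in this thread: it lists the filter drivers registered for the CD-ROM device class and for each device instance under Enum\IDE, then checks that every filter service resolves to a driver file on disk. It assumes PowerShell on a Windows host, run from an elevated prompt (the Enum keys are otherwise not readable); the class GUID is the standard CD-ROM setup class.

```powershell
# Added example (not from the thread): enumerate CD-ROM filter drivers and
# verify each one has a driver file on disk. Run elevated.
# {4D36E965-E325-11CE-BFC1-08002BE10318} is the CD-ROM device setup class GUID.
$cdromClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$ideEnum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\IDE'

function Get-FilterEntries {
    param([string]$KeyPath)
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($slot in 'UpperFilters', 'LowerFilters') {
        if ($null -ne $key -and $null -ne $key.$slot) {
            # REG_MULTI_SZ comes back as a string array; one entry per service name
            foreach ($svc in @($key.$slot)) {
                if ($svc) { [pscustomobject]@{ Key = $KeyPath; Slot = $slot; Service = $svc } }
            }
        }
    }
}

# Class-wide filters (where redbook normally lives) plus per-device keys under Enum\IDE
$entries = @(Get-FilterEntries $cdromClass)
Get-ChildItem -Path $ideEnum -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $entries += Get-FilterEntries $_.PSPath }

foreach ($e in $entries) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($e.Service)"
    $svc    = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    # No ImagePath means the loader defaults to system32\drivers\<service>.sys
    $image  = if ($svc -and $svc.ImagePath) { $svc.ImagePath } else { "system32\drivers\$($e.Service).sys" }
    # ImagePath may be relative to the Windows directory or prefixed with \SystemRoot\ or \??\
    $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    $hasService = $null -ne $svc
    $hasFile    = Test-Path -Path $path
    '{0,-12} {1,-16} service={2,-5} file={3,-5} {4}' -f $e.Slot, $e.Service, $hasService, $hasFile, $e.Key
}
```

A filter entry whose service key or driver file is missing (for example one left behind by a removed program) is enough to stop the CD drives from starting, which is why the filter values are the first thing to inspect; an unfamiliar name sitting beside redbook is worth identifying before anything else.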



#2 Albert Frankenstein


Posted 16 May 2006 - 02:46 PM

So I was asked

By whom? Who has been talking you through this issue? And did they come to any conclusion?

Several ideas come to mind. One is to try a system restore, restoring the computer to a date previous to when this started happening. Start > All Programs > Accessories > System Tools > System Restore.

So, you are planning on wiping this drive anyway, right? Do you have a second computer? If so you could always remove the hard drive and install it in another computer as a 'slave' drive. The working computer should still boot up from the 'good' Master hard drive, and then you will be able to navigate (Start > My Computer) to the slave drive and recover your data. More info on how to install a second drive can be found HERE.

That ought to get you started!

Geez, I almost forgot: Welcome to BC! :thumbsup:

Edited by Albert Frankenstein, 16 May 2006 - 02:47 PM.

ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#3 jjjonesee


Posted 16 May 2006 - 03:58 PM

Prior to finding this site I posted this same query at a very similar site. I posted the original in the operating systems section of the forum and was asked to post in a malware removal, HijackThis logs forum with the same heading I have here. And it has been sitting there for a while with no response.
I still run the risk of re-infecting my computer with what-ever if I install these files and folders I have been burning, after I re-install win xp, yes?
I do have other computers in the house but have distributed throughout the family, so no "spares".
And thank-you for the welcome.

-Jeff

#4 jjjonesee


Posted 16 May 2006 - 04:37 PM

OK just tried to go to a restore point. So besides learning a valuable lesson, evidently I never created a restore point with the exception of yesterday and today, which doesn't help because I lost my drives last Thursday.
And without the drives I can't even re-install XP.
I am sorry for being so anxious just want the horror to end. lol


-Jeff

#5 Albert Frankenstein


Posted 16 May 2006 - 05:59 PM

And it has been sitting there for a while with no response.

That is quite common. Sometimes the logs pile up here at Bleeping Computer, too, and people wait for more than a week on occasion.

still run the risk of re-infecting my computer with what-ever if I install these files and folders I have been burning, after I re-install win xp, yes?

Absolutely, if your data contains the infection.

I do have other computers in the house

So, you can recover your data in the manner I have already described.

And without the drives I can't even re-install XP.

Have you tried to boot the computer with the XP disk in the drive yet? It should boot to the CD if the BIOS is set up to boot to the CD drives first, and the hard drive second. If it boots to the CD, then your drives work, and you probably have a software issue that will be taken care of by reinstalling Windows.

Personally, I recommend you wait until you get help with your HJT log. If it were me, I would want to know what I am infected with.

Also, be aware that some infections can survive a reformatting and reinstall of XP.

Good luck with whatever you decide. And if you do decide to reformat, please tell them at the other site that you have done so, so they won't waste time responding to your log.


#6 jjjonesee


Posted 17 May 2006 - 08:53 AM

I know that I am not the only one out here who needs help and I know that sometimes the answers I am looking for won't always be just a click away. As far as that other site, I haven't been asked to post a hijackthis log, not that I even know how to do that.
I did put the XP disk in and rebooted, nothing happened.
And if I were to put this hard drive into another computer as a slave drive, don't I run the chance of infecting the other computer if I am indeed infected with a virus?
Oh and when I did reboot I noticed that the windows update icon was in the taskbar, place cursor over icon and it displays "downloading updates 0%". It doesn't change, and after a couple of minutes waved the cursor over it again and it disappears.
And if I click on my computer and then c: some of the folder names are in blue instead of black. I have never seen anything like this before.
Also, I found this program called "CDgone" I installed that and rebooted, per instructions and that didn't help either.

And thank you for at least taking the time to explain things to me.

-Jeff

Edited by jjjonesee, 17 May 2006 - 11:45 AM.


#7 Albert Frankenstein


Posted 17 May 2006 - 12:19 PM

And if I were to put this hard drive into another computer as a slave drive, don't I run the chance of infecting the other computer if I am indeed infected with a virus?

Not if the computer boots to the OTHER hard drive. Your hard drive may contain viruses, but they won't be running. Thereby in this situation they should be harmless to your working computer. Get your data backed up to CDs (don't copy your data to your working computer, because then you might be importing a virus).

I did put the XP disk in and rebooted, nothing happened.

One thing that will be helpful is if you are very explicit in your explanations. I don't know what the above quote means and it does not help me. "Nothing Happened"? No lights? No sounds? Did the computer boot normally? Error messages? Anything at all on the screen? If you could explain in more detail it would save us both time. :thumbsup:

You may have a bad CD drive, or perhaps your BIOS isn't set up to boot to the CD first. I don't know which yet. You could always remove a CD drive from your working computer and insert it into your other computer. It only takes 2 or maybe 4 screws, a data cable and a power cable, typically.


#8 jjjonesee


Posted 17 May 2006 - 12:47 PM

I apologize, I am not trying to waste anyone's time here and will try to be more detailed in the future.
The cd burner does not do a thing. The lights in the front do not blink, or go on at all, and the door will not open.
The cdrom's door will open and does not have any lights, but I do hear it. The only way I can explain it is, it sounds like it is trying to read the disk, maybe a 3-4 sec hum, then stops.
And if you couldn't already tell I am very hesitant about placing anything from this computer into another without at least trying to find out what is wrong first.
Why would all of a sudden I have a bad cd drive? I was using the burner not more than 1/2 hour prior to scanning and removing items with spybot. It was after that things went kaput.
What if I were to power down, unplug burner, power up and then down again and re-install the burner? Is it possible that it might get recognized that way?
If I am asking too much too quick just tell me where I need to focus. Usually I am right on top of all the updates, at least twice a week I am checking. I am just beside myself with frustration.

-Jeff

#9 Albert Frankenstein


Posted 17 May 2006 - 01:27 PM

And if you couldn't already tell I am very hesitant about placing anything from this computer into another without at least trying to find out what is wrong first.

and rightfully so! I am just trying to get you to your stated goal of reinstalling Windows. When we get to reinstalling Windows your data will be destroyed, so getting it backed up is the first thing on the list.

Why would all of a sudden I have a bad cd drive? I was using the burner not more than 1/2 hour prior to scanning and removing items with spybot. It was after that things went kaput.

The timing is curious to say the least. It is hard to believe that the two are not related, but this theory can be tested by installing a different CD drive and seeing if the different drive works or not.

What if I were to power down, unplug burner, power up and then down again and re-install the burner? Is it possible that it might get recognized that way?

That usually would make no difference, but I don't know for sure as I am not looking at your computer. It is possible that a cable came loose, especially if the side of your computer is off. Again, I don't know as I can't see it. Try turning off the computer, unplugging the cables to the CD drive, plugging them back in, and then unplugging and plugging in the other end of the ribbon data cable from the CD drive at the motherboard. Reboot and see if all is well. If not, replace the drive and test.

If I am asking too much too quick just tell me where I need to focus. Usually I am right on top of all the updates, at least twice a week I am checking. I am just beside myself with frustration.

You are doing fine! Computers are real frustrating when they don't work right! Just read my posts carefully, do all of the steps contained within, and report back accurately. Then we can go to the next step. :thumbsup:


#10 jjjonesee


Posted 17 May 2006 - 05:23 PM

What in the world.....?????
I had to step away from the computer and play my guitar, I was getting a bit stressed. I came back and the computer was off. I am not using any power scheme, so unless I shut things down, they stay on. Powered back up, and pulled up some music to play along with, from my hd and not the net. While I was switching songs I accidentally closed my music file. So as I was pulling the file back up I glanced over and both my drives are there. I checked with a game and a music cd, in both, and they are both working.
I am no expert, by any stretch of the imagination, but I am definitely infected with something, right?

-Jeff

#11 Albert Frankenstein


Posted 18 May 2006 - 07:14 AM

Back up your data, RIGHT NOW!

Then I would like to refer you to the HiJack This (HJT) forum here at BleepingComputer.com:

First: Read the Preparation Guide found HERE. It is very important that you follow ALL of the instructions found within. (There are many important steps in this guide that may clean your computer.)

Second: Post your system information along with a brief description of the problems you are having, and your HJT log in the HJT forum found HERE.

NOTE: Please, after you post your HJT log DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post there will be 1 reply. The team member glancing over the replies might think someone is already helping you out and will not respond. So, just make your post and let it sit there until a team member responds. The volunteers who work that forum are very busy, so please be patient and wait. It can sometimes take a few days for a response. If after 5 days you still have gotten no response, then post a link to your HJT log HERE.

Third: If, after finishing your work with the folks at the HJT forum you have issues with Windows related to the removal of the infection, then come to the other forums and let us help you get your computer back to normal.

You are in good hands! Good luck!