rootkit removal pc hijack


11 replies to this topic

#1 Tacohouse


Posted 11 October 2016 - 05:33 PM

Hi, I'm new here. I really need help with fixing my desktops. I tried fresh installs, and what I believe to be a rootkit just continues to reinstall itself after wiping partitions. I put the OS disk in and the command prompt opens and closes very quickly, and when the OS install is complete, when I make changes the rootkit or whatever it is changes everything back. I can't run anything as administrator, and the rootkit has already taken full control. I haven't plugged the router into the desktops, but I fear my network could possibly be at risk. Please help.


Edited by Chris Cosgrove, 11 October 2016 - 05:38 PM.
Moved from Win 10 to 'Am I infected?'



#2 TsVk!


Posted 11 October 2016 - 06:04 PM

Hi Tacohouse,

 

Let's get you cleaned and reinstalled then.

 

First thing to do is make sure you have your re-installation media ready. Please locate your Windows disk. If you do not have a disk, follow the instructions on this link to download an image to burn to disk. You will require your Windows key to download the disk image. You can locate this by running ProduKey. Please print or write down the key carefully and double check it.

 

When the Windows download is complete burn the ISO image to disk.

 

Please go to the SeaTools for DOS page.

 

Follow the instructions to create a CD.

  • Boot from the disk
  • Select the graphical version
  • Click "I accept" to proceed
  • Select "Erase Track ZERO" from the "Advanced Features"
  • Then, from the same menu, do a "Timed Erase" for 10 seconds


  • Follow the prompts
  • When completed remove the CD, insert your Windows disk and reboot to disk.

 

Then...

 

Install Windows normally. When the installer looks for a drive to install to it will see your drive as unformatted and will prompt you to format it, agree to this.

 

When your machine is back up you will need to install drivers. If you don't have a machine specific OEM disk or need help locating and installing the drivers please let me know.

 

Next, reattach to network and install Windows updates. This will take a long time and you will need to restart several times.

 

Whilst that is going on you can install an anti-virus solution. Good free solutions include BitDefender Free, Avira and AVG. When that's done you may like to install a more secure browser like Chrome or Firefox.

 

If you have any problems please let me know.

 

TsVk!



#3 Tacohouse


Posted 12 October 2016 - 10:46 PM

It didn't work. I tried to run SeaTools for DOS, but it had 2 "invalid opcode" errors, and I tried another program called HDDErase, recommended by the manufacturer, but it said "aborted", something to do with write protection.

#4 TsVk!


Posted 12 October 2016 - 11:06 PM

Please download Parted Magic and burn the image to disk. (CD is fine)

 

Boot from the disk

 

Click on the monitor with a black screen in the taskbar to bring up a terminal

 

Now to remove the problem....

 

For x = device you're targeting, use the following HDPARM command to show if you have an HPA enabled. (probably sda if you have only one hard drive attached to the machine)

# hdparm -N /dev/sdx

It will spit back something like the following if you have an HPA defined:

/dev/sdx:
max sectors   = 78125000/78165360, HPA is enabled

If HPA is not enabled you can skip down to using GParted.

 

To remove the HPA and expand the visible area out to the full size of the drive use the denominator in the above report (visible area/max sectors):

# hdparm -N p78165360 /dev/sdx

It will spit back a report that the visible area is equal to the max sectors and that the HPA is disabled.

/dev/sdx:
setting max visible sectors to 78165360 (permanent)
max sectors   = 78165360/78165360, HPA is disabled

Then use GParted inside Parted Magic to delete all existing partitions, and then execute the action.

 

Reboot to your Windows install media and install Windows as normal. Windows will detect the HDD as blank and ask you to format it, follow the prompts.

 

How did you go?

 

TsVk!
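As an added example (not part of this thread, and not a tool from hdparm's authors): a POSIX shell script that parses the `hdparm -N` report format shown in the post above, tells you whether an HPA is present and how many sectors it hides, and prints the exact `hdparm -N p<max sectors>` command that would expand the visible area, so the denominator is never copied by hand. The two sample reports are constructed from the figures in the post; only `hpa_report` touches a real device, and it assumes hdparm is installed and the script is run as root from the Parted Magic terminal.

```shell
#!/bin/sh
# Helpers for reading the "max sectors = visible/max, HPA is enabled" line
# that `hdparm -N /dev/sdX` prints, and for deriving the clearing command.
# The two reports below are CONSTRUCTED samples using the numbers from the
# forum post; they were not captured from a real drive.

SAMPLE_ENABLED='/dev/sdx:
 max sectors   = 78125000/78165360, HPA is enabled'

SAMPLE_DISABLED='/dev/sdx:
 max sectors   = 78165360/78165360, HPA is disabled'

# hpa_status REPORT -> prints "enabled" or "disabled"
hpa_status() {
    printf '%s\n' "$1" | sed -n 's/.*HPA is \([a-z]*\).*/\1/p'
}

# hpa_visible REPORT -> the numerator (sectors currently visible to the OS)
hpa_visible() {
    printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\1/p'
}

# hpa_max REPORT -> the denominator (native capacity of the drive)
hpa_max() {
    printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\2/p'
}

# hpa_hidden_sectors REPORT -> how many sectors the HPA is hiding
hpa_hidden_sectors() {
    echo $(( $(hpa_max "$1") - $(hpa_visible "$1") ))
}

# hpa_fix_command DEVICE REPORT -> prints the hdparm invocation that sets the
# visible area to the native maximum (the "p" prefix makes it permanent, as
# in the post); prints nothing when no HPA is defined.
hpa_fix_command() {
    dev=$1
    out=$2
    if [ "$(hpa_status "$out")" = enabled ]; then
        printf 'hdparm -N p%s %s\n' "$(hpa_max "$out")" "$dev"
    fi
}

# hpa_report DEVICE -> runs hdparm on a real device and summarises the result.
# Assumption: hdparm is installed and this runs as root. Nothing is changed;
# the clearing command is only printed for you to review and run yourself
# (some hdparm versions require an extra confirmation flag for the permanent
# form; check `man hdparm` on your live CD).
hpa_report() {
    out=$(hdparm -N "$1") || return 1
    printf '%s\n' "$out"
    if [ "$(hpa_status "$out")" = enabled ]; then
        echo "HPA hides $(hpa_hidden_sectors "$out") sectors; to clear it run:"
        hpa_fix_command "$1" "$out"
    else
        echo "No HPA on $1; go straight to GParted."
    fi
}

# Demonstration on the constructed samples (no device access):
hpa_fix_command /dev/sdx "$SAMPLE_ENABLED"
hpa_fix_command /dev/sdx "$SAMPLE_DISABLED"
```

Run as `. ./hpa.sh; hpa_report /dev/sda` from the Parted Magic terminal to get the report and the ready-made clearing command for the real drive; on the constructed sample the enabled report yields `hdparm -N p78165360 /dev/sdx` and shows 40360 hidden sectors, while the disabled report yields nothing.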

 

 



#5 Tacohouse


Posted 13 October 2016 - 01:59 AM

Alright, I wiped the drive, but once I put the Windows disk in, when the license terms of Windows Setup showed, I saw the command prompt open and close real fast, so I'm not sure if it worked or not. But even though it's an actual Windows disk, not a burnt copy, could it have gotten infected? I'm pretty sure I did the Parted Magic process right. I removed the RAM and reset CMOS before the OS install to wipe the extra cache.

#6 TsVk!


Posted 13 October 2016 - 03:55 AM

No, your optical disk could not have got infected; it is a closed disk and cannot be written to.

 

Did the hdparm command detect HPA?

 

With what you have done there is no logical way that the system can still be infected. If the infection occurs again you will have to start looking at the rest of the network, starting with your router.

 

It is also of the greatest importance that you put in place anti-virus software immediately and update Windows fully.

 

TsVk!



#7 Tacohouse


Posted 13 October 2016 - 07:19 AM

When I entered the HPA command and hit enter, all that popped up was a list of commands A-Z and a few others. Also, I only had the internet plugged into the PC long enough to download the programs I needed, then I unplugged it before running Parted Magic and didn't plug it back in until after the OS install. I have a Ubee router; the only thing I've done is get into the web interface and make a user name and password. Any recommendations as to how to set up the options in the router interface? There is no downloadable software for it; I'm pretty sure they take care of the updates themselves.

#8 Tacohouse


Posted 13 October 2016 - 10:03 PM

Tried to set up, but the wifi driver was disabled. USB won't pick up devices other than mouse and keyboard. As soon as I started updates for antivirus and activation, before they could finish, the wifi was disabled. The safe mode msconfig boot option still keeps changing the settings; I need to do a diagnostic boot, so I must assume I'm still infected. Maybe I didn't run Parted Magic right, and/or needed to reset the network back to default, I guess, or maybe the BIOS is infected?

#9 TsVk!


Posted 13 October 2016 - 10:14 PM

There's also a possibility that your router is infected.

 

At this stage I recommend you look for specialized help in our malware removal forum.

 

Follow the steps from step 6 on this page. 

 

Please mention or link this thread for reference.

 

TsVk!



#10 Tacohouse


Posted 13 October 2016 - 10:40 PM

I opened command prompt and ran attrib, and there are a shiz load of exe and other random file types.

#11 TsVk!


Posted 13 October 2016 - 11:10 PM

Yes, perhaps something went wrong when you re-formatted or something on your network is re-infecting you.

 

I highly recommend you seek help in the forum I linked earlier. There we can run applications we don't run here.


Edited by TsVk!, 13 October 2016 - 11:11 PM.


#12 Tacohouse


Posted 14 October 2016 - 08:12 PM

All drivers, internet and disk drive are disabled. I can't access the net from either PC I have, so it's hard to get the driver I need to do the steps you provided.
