
Thread: Malware and/or infected It's bad.

  1. #11 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    We will get two more downloads to run: aswMBR and TDSSKiller.

    Please download aswmbr.exe to your desktop.

    Download aswMBR to your desktop.
    Double Right click the aswMBR.exe icon and select "run as Admin".
    For the question "Would you like to download latest Avast! virus definitions?" click YES to download the additional files, then
    click the "Scan" button to start the scan.
    Once the scan is done, click "Save log", save it to your desktop and post it in your next reply.

    Next:
    Download TDSSKiller.exe to your desktop.

    Right click on TDSSKiller.exe and choose "run as admin", then click on Change parameters.
    Put a checkmark beside the "Loaded modules" box.
    A reboot will be needed to apply the changes. Please reboot at the prompt to apply the change.

    TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    Then click on Change parameters in TDSSKiller.
    Check all boxes, then click OK.
    Click the Start Scan button.
    The scan should take no longer than 2 minutes.
    If a suspicious object is detected, the default action will be Skip; click on Continue.

    If malicious objects are found, they will show in the Scan results.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
    More than one report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

  2. #12 Member (Join Date: Jul 2007, Posts: 39)

    Okay, I've pasted the two log files below. It did get stuck when rebooting after the TDSSKiller scan. It just kept saying "shutting down" for about 10 minutes, so I just forced the shutdown and then rebooted.

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-07-13 10:28:20
    -----------------------------
    10:28:20.181 OS Version: Windows x64 6.1.7601 Service Pack 1
    10:28:20.181 Number of processors: 4 586 0x2A07
    10:28:20.181 ComputerName: DEC-PC UserName: Dec
    10:28:43.159 Initialize success
    10:35:13.395 AVAST engine defs: 13071300
    10:36:05.311 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    10:36:05.311 Disk 0 Vendor: ST950032 D005 Size: 476940MB BusType: 3
    10:36:05.327 Device \Driver\iaStor -> MajorFunction fffffa8007de35e8
    10:36:05.327 Disk 0 MBR read successfully
    10:36:05.327 Disk 0 MBR scan
    10:36:05.343 Disk 0 Windows 7 default MBR code
    10:36:05.358 Disk 0 Partition 1 00 DE Dell Utility DELL 8.0 100 MB offset 2048
    10:36:05.358 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848
    10:36:05.389 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461838 MB offset 30926848
    10:36:05.452 Disk 0 scanning C:\windows\system32\drivers
    10:36:19.897 Service scanning
    10:36:46.620 Modules scanning
    10:36:46.636 Disk 0 trace - called modules:
    10:36:46.651 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8007de35e8]<<
    10:36:46.651 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005bce060]
    10:36:46.651 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa8005906e40]
    10:36:46.651 5 ACPI.sys[fffff88000f7b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800590a050]
    10:36:46.667 \Driver\iaStor[0xfffffa8005ad9e70] -> IRP_MJ_CREATE -> 0xfffffa8007de35e8
    10:36:48.789 AVAST engine scan C:\windows
    10:36:53.469 AVAST engine scan C:\windows\system32
    10:40:13.461 AVAST engine scan C:\windows\system32\drivers
    10:40:29.326 AVAST engine scan C:\Users\Dec
    10:42:19.416 Disk 0 MBR has been saved successfully to "C:\Users\Dec\Desktop\MBR.dat"
    10:42:19.431 The log file has been saved successfully to "C:\Users\Dec\Desktop\aswMBR.txt"
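In the aswMBR log above, the call trace ends in a `>>UNKNOWN [0xfffffa8007de35e8]<<` entry, and that is the same address the `\Driver\iaStor` MajorFunction line and its `IRP_MJ_CREATE` handler point to. As an added example (not code from the thread or from the aswMBR tool), the script below parses a constructed excerpt of that log and cross-references every address aswMBR could not attribute to a loaded module with the driver dispatch entries that reference it, so a reviewer sees the connection without reading the trace by eye. The regexes and function names are my own assumptions about the log format, based only on the lines posted.

```python
import re

# Constructed excerpt modelled on the aswMBR log posted above (trace lines
# shortened, same addresses and driver names).
ASWMBR_LOG = """\
10:36:05.327 Device \\Driver\\iaStor -> MajorFunction fffffa8007de35e8
10:36:05.327 Disk 0 MBR read successfully
10:36:05.343 Disk 0 Windows 7 default MBR code
10:36:46.636 Disk 0 trace - called modules:
10:36:46.651 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8007de35e8]<<
10:36:46.651 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0xfffffa8005bce060]
10:36:46.667 \\Driver\\iaStor[0xfffffa8005ad9e70] -> IRP_MJ_CREATE -> 0xfffffa8007de35e8
"""

# "Device <driver> -> MajorFunction <addr>": where the driver's dispatch table points
MAJOR_RE = re.compile(r"Device (\\Driver\\\S+) -> MajorFunction ([0-9a-fA-F]+)")
# ">>UNKNOWN [0x<addr>]<<": a module in the call trace that matched nothing loaded
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
# "<driver>[0x..] -> IRP_MJ_X -> 0x<addr>": a specific IRP handler address
IRP_RE = re.compile(r"(\\Driver\\\S+?)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> 0x([0-9a-fA-F]+)")


def find_unknown_hooks(log):
    """Return one finding per >>UNKNOWN<< address, cross-referenced with the
    driver dispatch entries (MajorFunction / IRP_MJ_*) that point at it."""
    majors = {}    # address -> driver whose MajorFunction table points there
    irps = {}      # address -> [(driver, IRP_MJ_*)] handlers pointing there
    unknown = []   # addresses aswMBR could not attribute to any loaded module
    for line in log.splitlines():
        if m := MAJOR_RE.search(line):
            majors[m.group(2).lower()] = m.group(1)
        if m := UNKNOWN_RE.search(line):
            unknown.append(m.group(1).lower())
        if m := IRP_RE.search(line):
            irps.setdefault(m.group(3).lower(), []).append((m.group(1), m.group(2)))
    return [
        {"address": addr,
         "major_function_of": majors.get(addr),   # None if no driver points there
         "irp_handlers": irps.get(addr, [])}
        for addr in unknown
    ]


if __name__ == "__main__":
    for finding in find_unknown_hooks(ASWMBR_LOG):
        print(f"unknown code at 0x{finding['address']}: "
              f"MajorFunction of {finding['major_function_of']}, "
              f"handlers {finding['irp_handlers']}")
```

A finding whose unknown address is also a driver's dispatch target is the item to hand to the helper for review; an unknown address nothing points at is still worth noting but carries less weight.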

  3. #13 Member (Join Date: Jul 2007, Posts: 39)

    I'm having trouble uploading the TDSSKiller log. It keeps saying too many characters or too big a file.

  4. #14 Member (Join Date: Jul 2007, Posts: 39)

    Okay, I think I got it to upload as a zip file. Hopefully you can see it.

  5. #15 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    OK, thanks for the info. These items are at the very end of the TDSSKiller log you posted:

    10:53:05.0707 6632 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
    10:53:05.0707 6632 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    10:53:05.0707 6632 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

    Rerun TDSSKiller like you did before, and this time change the options from Skip to Cure or Delete.
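The point of the post above is that TDSSKiller records, per detection, the action the user finally chose, and a detection left at Skip is still on the disk. As an added example (not code from the thread or from TDSSKiller), the script below reads result lines in the shape of the three quoted above and lists the detections whose last recorded action was Skip, so the re-run can target exactly those. The sample log is constructed from the quoted lines, and the regex and function names are my own assumptions about the format.

```python
import re

# Constructed sample, modelled on the three TDSSKiller lines quoted above
# (same object, same detections, same recorded actions).
TDSS_LOG = """\
10:53:05.0707 6632 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
10:53:05.0707 6632 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
10:53:05.0707 6632 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
"""

# <time> <pid> <object> ( <detection> ) - <outcome>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<obj>\S+)\s+"
    r"\( (?P<detection>.+?) \) - (?P<outcome>.+?)\s*$"
)


def normalize_outcome(outcome):
    """Map the wording TDSSKiller uses for an outcome to a single action word."""
    if outcome.startswith("User select action:"):
        return outcome.split(":", 1)[1].strip()   # Cure / Skip / Delete
    if outcome.startswith("skipped"):
        return "Skip"
    return outcome


def parse_actions(log):
    """Return {(object, detection): last recorded action}. A detection may be
    logged more than once ("skipped by user", then the chosen action); the
    last line wins, which is the action the user finally selected."""
    actions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # progress lines without a detection are ignored
        key = (m.group("obj"), m.group("detection"))
        actions[key] = normalize_outcome(m.group("outcome"))
    return actions


def unresolved(actions):
    """Detections still in place: anything whose final action was Skip."""
    return sorted(key for key, action in actions.items() if action == "Skip")


if __name__ == "__main__":
    for obj, detection in unresolved(parse_actions(TDSS_LOG)):
        print(f"still skipped: {detection} on {obj}")
```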

  6. #16 Member (Join Date: Jul 2007, Posts: 39)

    Okay, I re-ran it, and when it finished it only showed two of the three files you noted above, so I told it to delete the TDSS File System and Cure the Rootkit.Boot.Pihar.c. It then asked me to reboot and I did, and TDSSKiller started to run again on restart, so I did and this time there was one more TDSS File System, so I told it to delete.

    I've attached both logs.

    Also, on reboot right now it keeps prompting me to allow Microsoft Windows Malicious Software Removal to run; should I allow this?

    Thanks!

  7. #17 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    Go ahead and run it. You can also start it by Start > Run > mrt.exe.

    Now for the bad news. You had a rootkit. Really, you can assume somebody has been all over the machine. Passwords, personal data and financial data could have been compromised. TDSSKiller has removed it. You should also consider reformatting the HD and reinstalling Windows.
    Just for good measure, run TDSSKiller once more like you did. The references should be gone. You can also update and run your AV and Malwarebytes.