Mags (ASKER) asked:
Remove Bootkit.TDSS

I am unable to update newly installed Malwarebytes and Hitman Pro was unable to delete Bootkit.TDSS due to firewall setting.  See attached screenshot.  Found this info to manually remove - http://www.2-spyware.com/remove-rootkit-tdss.html  I would appreciate assistance in this situation.  Thank you!!
ASKER CERTIFIED SOLUTION by meko72 (members only; not shown on this page)

SOLUTION (members only; not shown on this page)
Mags (ASKER):
Thanks guys!
Unable to perform system restore.
After reviews I decided to run TDSSKiller, which removed the Bootkit.TDSS.  Ran Hitman Pro...gone...it found another virus and would activate.  I will continue to do my thing...will let you know what else I find.
Mags (ASKER):
I want to run sfc /scannow but have read -  You may need your Windows XP CD so have it ready.
If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don't have one. I have an XP disk and both SPs on disk...will this cause a problem should I need the CD?

Also Windows update is not working...researching the error code now.  Error 0x80070424
SOLUTION (members only; not shown on this page)
Mags (ASKER):
It's asking for Windows XP Professional Service Pack 3 CD...she has Windows XP Media Center Edition running, not Professional.  Can I simply quit sfc /scannow and run combofix?
Mags (ASKER):
Running Combofix now.
Mags (ASKER):
Get message PEV.cfxxe has encountered a problem and needs to close?????  Should I say don't send??  This happened during Stage 2 of Combofix.  Thanks
Mags (ASKER):
closed message...Combofix continuing
Mags (ASKER):
Here is the Combofix log
Combofix-log.txt
Mags (ASKER):
Still having issues.
Hapexamendios:

Hi Mags,

The situation with XP Media Centre Edition - is it 2005 version?
I have this running still on an old PC, and face the same issue on most occasions where OS fix-up is necessary.

The Media Centre Edition 2005 operating system comes on two disks. The first disk contains the operating system, the second contains the Media Centre app and its gubbins.

So when it asks for Windows XP SP3 disk, you want to use disk 1. HOWEVER, if that disk doesn't include SP3 then sfc may reject it.

Is that what's happening - you tried disk 1 and got nowhere?

Thanks,
Mags (ASKER):
yes...it rejected every disk I tried...no XP disk has SP3 that I know of...is there a work around??

Can anyone figure out the combofix files (see above)...still having issues.
SOLUTION (members only; not shown on this page)
Mags (ASKER):
Ran combofix in normal mode, then again in safe mode...attached is new log
Combofix-log-2.txt
Mags (ASKER):
Already ran Kaspersky yesterday before combofix...found viruses
The reason you were having problems running combofix in regular mode is because of Microsoft Security Essentials.

Since you ran combofix in safe mode, are you still having problems?
Mags (ASKER):
yes....still have the message
Windows Automatic updates are turned off.  Security Center shows they are off but Automatic updates show they are on.

Does anyone know anything about Norton Power Eraser?  Norton wants to charge me $99 to resolve my issue.  Contacted them with a question about Norton Ghost which my client has.
SOLUTION (members only; not shown on this page)

SOLUTION (members only; not shown on this page)
Hi MagsMcKinley14,

It sounds like a bit of a 'mare :)

If you are still getting nowhere with the main problem of removing the malware despite the advice of those who have already posted, then try this:

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

I have had some success with this - the other specific anti-TDSS tools are very useful, but (apart from ComboFix) are unlikely to handle a "blended" threat well, which might be what you're seeing here.

To my knowledge the only way to get past this issue with sfc would be to use something like Microsoft Deployment Toolkit 2010 to "slipstream" the Service Pack needed. However it cannot be done with Windows MCE Edition 2005...  at all, according to Microsoft. :(

There are so many inter-dependencies in MCE 2005 that it is in practice an unreliable OS IMHO - I spent more time reinstalling the system running it than I did using it, sadly,  mostly due to MS updates for .Net and MSXML parsers whose dependencies were either not set correctly, or whose initial revision was broken and subsequently borked the entire system during install (the Media Centre app is very dependent on .Net).

Your best bet - and it's never entirely satisfactory - is to clean up this malware and confirm it is gone, then perform a "reinstall" (over the top) of the existing Windows install. That will retain user accounts and settings (including Media Center channel listings etc.) but you will lose all patches to the OS, and need to re-do them (I suggest directly installing SP3 at this stage if you go this route).

If I can help further please post back.
Mags (ASKER):
Should these scans be run in safemode?
I also wanted to let you know that in the past I have had to uninstall all .Net framework and reinstall to get rid of some bad infections.

Mags (ASKER):
meko72:

Known issue with Dial-a-fix:

If you have a Documents folder in your C:\ drive (as C:\Documents) this folder and anything inside (such as C:\Documents\Reports) will be deleted due to a critical, unpatched bug. XP has C:\Documents and Settings...Should that all be backed up?
Yes, back those items up to be on the safe side.  I have used this utility for the last 2 yrs without any problems.
[MODERATOR: Could you please remove the previous multiple duplicate posts attributed to me on this question? I believe our proxy server causes this, but we have never found the root cause. My apologies to anyone trying to follow the topic]

Hi MagsMacKinley14,

The advice is to run Sophos Anti-Rootkit in normal mode - it will find more if all Windows services are up and running, including those "boot-start" kernel-mode drivers which are responsible for "sentinel" operations on a rootkit.

Look forward to hearing how it goes...
Mags (ASKER):
Hapexamendios:

Sophos is running now...in normal mode

meko72:

I will backup those files should Sophos not resolve the issue.

Thanks Guys!!
Not a problem, let us know of the outcome !

Happy to be of help, Mags - fingers crossed :)
Mags (ASKER):
OK...sophos is finished...how can I tell what I should check.  Attached are screen shots for Sophos, as well as SuperAnti Spyware and TDSKiller.  Drive L is my Flash Drive.

My fingers are sooooo crossed!
Sophos-Scan-Results.bmp
SuperAnti-Spyware.bmp
TDSKiller-scan.bmp
Stating the obvious but I reckon you have to go with that last screenshot.

Will the software above allow you to remove the item it has detected, or does it ask for payment before doing so?
The Kaspersky utility that she used should not ask for a Fee.
Mags (ASKER):
SuperAnti Spyware and Kaspersky were free and already dealt with what they could...just wanted to show you what they found.

Hapexamendios:  What do I do with what Sophos showed...what do I check to have it clean up?  I need to resolve that before I can backup her Document file and possibly run Dial-a-fix.

Thanks again guys!!
Hi Mags,

The output from Sophos Anti-Rootkit looks OK to me - the listing of files you see is its "err towards paranoia" approach to detection. Most of this looks like SAR doesn't like those files' hidden status. However we'd need to manually checksum each one individually against a known good, current version to be certain of its integrity.

I'd get rid of the setup_av_free.exe in the "_Downloads-Save" folder - whilst it's possibly AVAST! its location in a non-standard folder is what makes me suspicious.
Also the multiple copies of the MS Message Queuing binary all pulling the same trigger - mqtgsvc.exe - is suspicious.

I'm gently urging you towards a rebuild Mags, as it's going to be difficult to verify the health of this machine to reasonable satisfaction. Assuming you want to continue though, and wish to verify each of these files, try this:

http://www.sunbeltsecurity.com/sandbox/

The above link is to SunBelt Labs Software's CWSandbox, which does malware profiling. You submit a sample of e.g. mqtgsvc.exe to the site, and it will send you a report of the processes, threads and registry entries created by the malware (if it is malware). You can then check for those processes/registry keys to see if the file is part of your infection.

Recommendation: when you come to use Dial-A-Fix, do your backup of Documents and Settings using another operating system if at all possible. This limits the chance of your backup media getting infected if the TDSS malware variant present includes worm-like behaviour.

Keep asking if you think I can still help!
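Hapexamendios's advice above boils down to two checks: hash each flagged file against a known-good copy, and treat the same binary name (mqtgsvc.exe) turning up in several folders as a red flag. The following is an added example, not code from this thread: it walks a directory tree, compares files against a known-good table (name, expected directory, SHA-256) and reports hash mismatches, unexpected locations and duplicate names. The sample tree, the "known-good" bytes and the _Downloads-Save copy are constructed stand-ins; real reference hashes would come from trusted install media or a vendor catalogue.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root: str, known_good: dict) -> list:
    """Walk `root`; for every file whose name is in `known_good`, check that it
    sits in the expected directory and has the expected hash. Also flag any
    file name that appears in more than one directory (the mqtgsvc.exe case).
    Returns sorted (kind, path-relative-to-root) tuples."""
    findings = []
    seen = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            key = name.lower()                      # Windows names are case-insensitive
            seen[key].append(rel)
            ref = known_good.get(key)
            if ref is None:
                continue                            # not a file we have a reference for
            if os.path.dirname(rel).lower() != ref["dir"]:
                findings.append(("unexpected-location", rel))
            if sha256_file(full) != ref["sha256"]:
                findings.append(("hash-mismatch", rel))
    for key, paths in seen.items():
        if len(paths) > 1:
            findings.extend(("duplicate-name", p) for p in sorted(paths))
    return sorted(findings)


# Constructed stand-in for the genuine binary; a real table would hold vendor hashes.
LEGIT_MQTGSVC = b"MZ constructed stand-in for the real mqtgsvc.exe bytes"
KNOWN_GOOD = {
    "mqtgsvc.exe": {"dir": "windows/system32",
                    "sha256": hashlib.sha256(LEGIT_MQTGSVC).hexdigest()},
}


def build_sample_tree(root: str) -> None:
    """Constructed layout mirroring the thread: one legitimate copy in system32,
    one stray copy in a download folder, plus an unrelated user file."""
    layout = {
        "windows/system32/mqtgsvc.exe": LEGIT_MQTGSVC,
        "_Downloads-Save/mqtgsvc.exe": b"MZ different bytes, constructed stray copy",
        "Documents and Settings/user/notes.txt": b"harmless user data",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_demo() -> list:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root, KNOWN_GOOD)


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:20s} {path}")
```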
Mags (ASKER):
Thanks Hapexamendios: for your advice.  I ran Sophos on a couple of files that had Malware written all over them after researching them, the 2 WildTangents and got rid of the ones in "My Documents", manually deleted the Advast.exe then backed up her files to an external drive after I scanned it.  Is there a way to test it again to verify no virus or should I pull the drive and make another backup?

Also she has the primary drive mirrored but I would assume it would bring over the virus as well.  I see no real advantage to mirroring a drive if it continues to update and you get a virus...would you agree?

She has a backup on an external drive that I will check for viruses now.

I am starting to agree with you about a rebuild or she may want to upgrade her computer as it is getting old.

Let me know about the backup I did and then I'll run Dial-A-Fix.

Do you know anything about Norton Power Eraser?
I confess not to knowing much about Norton Power Eraser - however I'm very wary of utilities that automate the deletion of things, especially registry entries (I believe it does these things?)

You're right about the RAID mirroring - undoubtedly a great facility, but adds an extra layer of complexity where a virus that utilises raw commands to access disks is involved...!

I'm thinking that scanning her backup (and any USB flash/pen drives she might have used with this system prior to your support work starting) is a must - do this either using a completely separate computer with up-to-date AV -OR- boot her computer into another non-Windows OS (which can't be infected by Win32 PE code). Once you've verified those items are clean, you could optionally retain one of the disks from the mirror set (just for ultra-caution against some obscure piece of data you haven't yet backed up) and then you're in place to start again.

You mentioned maybe upgrading the PC - I'd say if nothing else, please oh please ensure new HDDs are used! If you ever need to access the old disk with the mirror on it, again slave it to another machine or use another OS when accessing it.

How's this sounding so far Mags - have I missed any of the questions you asked?
I would suggest using RAID 1 (mirroring) because it provides redundancy. If one drive goes bad just pop out the bad drive and install a new one and let the RAID controller rebuild the array.
meko72:
I would suggest using RAID 1 (mirroring) because it provides redundancy. If one drive goes bad just pop out the bad drive and install a new one and let the RAID controller rebuild the array.

which would include any malware that was within the logical volumes in the mirror set... You see the difficulty? I wasn't "dissing" RAID 1 or 1+0 - it's brilliant - but not helpful here as it adds yet another thing to scan, and you can't easily slave said disk to another machine for scanning (though I know it's not impossible, just an extra hassle).
Mags (ASKER):
Hapexamendios: and meko72: are you here...I'm really nervous about running Dial-A-Fix.
I am here!  what do you need?
SOLUTION (members only; not shown on this page)
Mags (ASKER):
Thanks meko72:
I backed up her Document folder but not all her app data...will that all go away?  Should I backup the entire Documents and Settings...I've pulled the drive so it would be easy.
Hapexamendios: Once the user cleans the hard drive, both hard drives (mirrors) are clean.
SOLUTION (members only; not shown on this page)
Mags (ASKER):
Things are looking good, Dial-a-fix did a ton.  More scans to do to double check, autoupdate working...didn't lose Document folder...Yeah!!  You all are awesome!!!!!!!!!!!!!!!!!
Mags (ASKER):
MSE did find an axxxxx (don't remember the actual name...I'm exhausted)  virus, UGGGGGHHH!  It says it has removed before?  The machine is running sooooooo much better, I'll look again with fresh eyes in the early morning (MST).  Thanks again for all your help.

Any suggestions?  I will look at upon waking...suggested scans??? Or is this the beginning of the end??  I hate to give up!!!!!!!!!!!!!!!!  Dial-a-fix was amazing!!

I just ran Rogue Killer on another machine...what do you think for this situation?
SOLUTION (members only; not shown on this page)

@meko72:

Let's not spoil a good effort by arguing; I accept what you say at face value, but I think you might be underestimating the complexity of modern rootkits. They use kernel-mode, often undocumented API calls and other techniques to directly create a little portion of disk space especially for themselves on the physical disk. This is achieved by talking directly to the disk controller, lopping a tiny amount (1MB or less) off the free space on a disk.

It wouldn't take much to do this on "x" disks, where "x" is the number of disks, and adjust the array's byte count of each drive so that the volume(s) are never seen. Do you see what I mean? In effect the data involved is therefore not part of the mirroring. These tiny 1MB partitions are how this stuff survives a reboot - and when the computer comes up, the code removes the volume and all files on disks, heading into memory reserved for kernel-mode, and stealthing itself by constantly copying itself to new memory regions on a pseudo-random basis.

That's my understanding anyway, and makes me less likely to offer advice that it should be OK. And of course none of what I've said here applies to stuff that IS visible on your disks and in your partitions; that would of course work exactly as you have described it.

Peace... :)
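Hapexamendios describes the bootkit keeping a small store on the physical disk outside any visible partition, which is why a mirror can carry it along. An added example, not code from this thread: it parses the MBR partition table of a raw disk image and measures the unallocated space after the last partition, the region where TDSS/TDL-style bootkits kept their hidden file system. The two MBRs and the disk size below are constructed; for a real case, image sector 0 while booted into another OS, as the thread advises, and treat a large trailing gap as a lead to dump and inspect rather than a verdict.

```python
import struct

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xAA"
PART_TABLE_OFFSET = 446
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    parts = []
    for slot in range(4):
        offset = PART_TABLE_OFFSET + PART_ENTRY.size * slot
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(mbr, offset)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "start": lba, "end": lba + count})  # end is exclusive
    return parts


def trailing_unallocated(mbr: bytes, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    parts = parse_partitions(mbr)
    if not parts:
        return disk_sectors
    return disk_sectors - max(p["end"] for p in parts)


def suspicious_trailing_space(mbr: bytes, disk_sectors: int, threshold: int = 2048) -> bool:
    """True when the trailing gap exceeds `threshold` sectors (default 1 MiB).
    A few sectors of alignment slack are normal; a gap of a megabyte or more
    is worth dumping and inspecting from a clean OS."""
    return trailing_unallocated(mbr, disk_sectors) > threshold


def read_mbr(image_path: str) -> bytes:
    """Read sector 0 from a raw image of the disk (taken while booted elsewhere)."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_BYTES)


def build_mbr(entries) -> bytes:
    """Constructed sample MBR from (status, type, lba_start, sector_count) tuples."""
    table = b"".join(PART_ENTRY.pack(s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries)
    return bytes(PART_TABLE_OFFSET) + table.ljust(64, b"\0") + MBR_SIGNATURE


# Constructed 80 GB disk (156,301,488 sectors) with one bootable NTFS (0x07) partition at LBA 63.
DISK_SECTORS = 156_301_488
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, DISK_SECTORS - 63)])          # partition runs to the end
HIDDEN_MBR = build_mbr([(0x80, 0x07, 63, DISK_SECTORS - 63 - 4096)])  # 2 MiB left unallocated

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("hidden", HIDDEN_MBR)):
        gap = trailing_unallocated(mbr, DISK_SECTORS)
        print(f"{label}: {gap} trailing sectors, "
              f"suspicious={suspicious_trailing_space(mbr, DISK_SECTORS)}")
```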
Mags

In the past I have had to uninstall all of the .Net Framework and reboot to get a virus off of a machine.
I would go ahead and run SuperAnti Spyware and Malwarebytes..

There is another utility called Rkill. When you run it, it will find any backdoors, malware, Trojans and rootkits that might be running and kill them.
I use this application after I have cleaned a machine just to make sure.  The link is Below.
http://www.bleepingcomputer.com/forums/topic308364.html
Mags (ASKER):
meko72:  Will uninstalling .Net Framework interfere with the running of any programs...I assume I would reinstall afterward.
@Mags

Removing .Net from an MCE 2005 Edition computer will sadly trash it completely. If others can say different I bow to their expertise and wait for their advice eagerly.

My MCE 2k5 machine is still offline after two years because I got tired of issues with .Net framework patches!

I'm curious as to why uninstalling it might be needed, though. I guess some of these things are .Net based naturally?

Not good in this specific case though :(

What's current status, Mags? Is MSE or other generating fresh alerts?
Mags (ASKER):
No...things are running well.  I got a blue screen error related to a driver issue...with HPProductAssistant needing a disk????? I uninstalled and reinstalled the new printer software they just recently added.

They needed the computer back so I will run a couple more scans remotely.  I should have things completed by tomorrow…then will close the event.

They are still considering a clean reinstall or a new computer as a safety precaution.
Sounds good - accept what is a low risk in the short term, and maybe, for similar features, go up to Win 7?

wait to hear what comes, then.

Cheers,
If the machine is running fine, then I wouldn't uninstall / reinstall .Net Framework if you don't have to.
I have cleaned a handful of infected machines in the past and the final step for me towards success was to uninstall and reinstall .Net Framework.
Mags (ASKER):
SSharma:  in your post on 3/21 ID: 35183210 you sent instructions to run Windows Recovery Console.  When I ran Combofix did that do the same thing?
When you first run Combofix if the recovery console is not installed it will prompt you to install it.

Is the machine running better, when you run scans are they coming up clean??
Mags (ASKER):
As far as I know...I wanted to rerun a couple scans but I will need to do that remotely...have not heard when that will be convenient.  Thanks everyone...I feel like I have been to Virus Removal Bootcamp!
Mags (ASKER):
After running further scans everything is coming up clean, computer is running well and printer is reinstalled!
Thank you so much for all your assistance!!!  It is greatly appreciated!
Warm regards,
Mags