
magliery
  1. Sorry, yes, I did the fixmbr and then installed Win 7. I'm building the system now. I completely re-partitioned and formatted the drive. The only thing I'm still concerned about is what will happen when I restore the data from back-up. I have MSE and MBAM up and running, and I will probably change MSE to ESET (my parents have a subscription through 9/2013), so it should be as well protected as possible. What do you recommend I do to check it out after I restore the data (besides a full MBAM and ESET scan)? I guess we can cross that bridge when I get to it. I'll let you know when I do. I do appreciate your help, and I am getting MBAM Pro for all my computers... Thanks, Tom
  2. Hi, OK, just to be clear: 1. Those directions will clean any infection from the MBR and boot sector? 2. I take it after I do that, I should use a Win 7 disk to format and install, right? 3. I didn't understand what you said before. Will it be safe to leave the DATA partition alone, install the system, install ESET and MBAM, and then access any data on the DATA drive? Or are you saying I should format the WHOLE drive and put the data back from the external backup? 4. How do I know if the external backup is OK? How can I check? 5. Is my USB drive that I just used for the above OK? How can I check? Thanks a lot, Tom
  3. Looks like this is how it got in: 2012-08-04 20:48 - 2010-09-25 17:30 - 00000732 ____A C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk That's the day ESET found the infection.
  4. Hi, this laptop is running WinXP Pro SP3, so there are no System Recovery Options. For some reason I had created a BartPE CD before, so I used that to boot and ran FRST. The log is attached. Two notes. (1) I am behind a Linksys router firewall, so I assume these brief online sessions are not too dangerous. (2) Is this USB stick now garbage, or is there some way for me to know it hasn't been infected? I'm worried its MBR could also be infected (if that's a thing that happens to USB sticks...?). Thanks, Tom FRST.txt
  5. Hi Maniac, Thanks for the reply. Yes, my parents do use this PC for electronic banking and other purposes with sensitive personal data. I am totally fine with re-formatting and reinstalling. My questions would be these: 1. Do we have to remove the infection first from the MBR so that it doesn't re-infect the PC? If so, how do I do this? Is it possible to be sure about this, or should I consider replacing the HDD ($60 is pretty cheap for this kind of peace of mind)? What would you do? 2. The physical drive is partitioned into Programs and Data drives. If we can clean the MBR, would it be OK to wipe only the C: Programs drive, or is it likely that there would still be an infection buried in the D: drive somewhere? ESET does not detect any infected files, only operating memory, but that seems impossible (it must be executing code from somewhere?). 3. ESET first detected the infection on Aug. 4 at 6:46 pm. However, there are also DNS cache poisonings on May 30 and July 25; I don't know if they are related. The last backup to an external drive (using Genie Backup Manager) was July 22-24 (for some reason it took 38 hours?). Is that data likely to be trojan-free? Is that external drive likely to be infected (for example, in its MBR)? What should I do with it? The bottom line is that I do need to be able to get to the data somehow, so I probably need to clean it to the extent necessary to make that safe. Yes, I have a USB flash drive. I am working from another PC now; the laptop is offline and I'm keeping it off in between times I've tried to work on it. It was also off from the 4th to the 11th. I was out of town, and when my parents told me about the ESET detection, I told them to turn it off until I could look at it. Hopefully we minimized the damage. Thanks, Tom
  6. My parents' laptop seems to have a nasty trojan infection and I'm in over my head on fixing it. It's a Lenovo 3000 N100 running Win XP Pro SP3. ESET detected two trojans in memory, Win32/Olmasco.O associated with a svchost.exe process and Win32/Olmarik.TDL4 which is not associated with anything. Neither can be cleaned. I could kill the process, which eliminated the Olmasco.O detection. I found a suspicious entry to start Messenger in the HKCU Run area, and deleting it eliminated the Olmasco.O on startup (although I guess that means that file has been hijacked?). Here's what ESET sees now (memory and boot sector scan):

     Scan Log
     Version of virus signature database: 7377 (20120811)
     Date: 8/11/2012 Time: 5:27:39 PM
     Scanned disks, folders and files: Operating memory;C:\Boot sector;E:\Boot sector
     Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean
     Number of scanned objects: 655
     Number of threats found: 1
     Number of cleaned objects: 0
     Time of completion: 5:28:22 PM
     Total scanning time: 43 sec (00:00:43)

     A bunch of ugly things happened from the infection: the computer is slow, saving files takes forever, all of the icons disappeared from the Start Menu and Desktop, etc. I'm not even sure what all I did not, but I think some combination of Malwarebytes Anti-Malware and ERARemover recovered the Desktop and Start Menu. The other symptoms remain. Most of the anti-rootkit stuff has been ineffective. TDSSKiller and aswMBR just won't run even if I rename them.

     GMER gives a LoadDriver error in kglyypod.sys (0xC000010E) when it starts (something about a stable subkey) and can only do some of its scans (Services, Registry, Files):

     GMER 1.0.15.15641 - http://www.gmer.net
     Rootkit scan 2012-08-11 17:12:09
     Windows 5.1.2600 Service Pack 3
     Running: 7pbixleu.exe; Driver: C:\DOCUME~1\Frank\LOCALS~1\Temp\kglyypod.sys
     ---- Registry - GMER 1.0.15 ----
     Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cef1e350
     Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016cef1e350 (not active ControlSet)
     Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
     Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
     Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
     Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
     Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
     Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
     ---- EOF - GMER 1.0.15 ----

     Panda Anti-Rootkit found nothing. MBRCheck says that the MBR is faked. I backed it up and let it over-write, but it said the same thing when I restarted. I'm not sure this really worked, though, since the Lenovo recovery screen still came up. I also tried to run Combofix, but it crashes after about 5 min. into the part that it says will take 10 min, and you have to re-start. No log file gets produced. It did install the recovery console. Sadly, DDS.com also will not run. It goes through many ##'s, gives an error about js.prefs, and then a few #'s later the computer crashes. Has to be restarted, no logs. So the best I can figure out to send is the HiJackThis log, which follows at the end of this.

     I am not averse to formatting the drive and starting over (might as well put Win7 on I guess), but my understanding is that if the MBR is infected, it will just immediately re-infect when I install again. So I guess I need help with that. Suggestions? Thanks a lot. I forgot to mention that the service running inside the svchost.exe that was infected was Dnscache, in case that helps. Tom

     mbam-log-2012-08-11 (13-57-27).txt MBRCheck_08.11.12_19.10.00.txt hijackthis.log ESET.log gmer.log
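The posts above turn on two points: whether an MBR bootkit survives a reformat and reinstall, and MBRCheck reporting the MBR as "faked" even after the backup was written back. As an added, defender-side illustration that is not from this thread or from any of the tools named in it, the following Python reads a raw 512-byte MBR image, checks its boot signature and partition table for the kind of inconsistencies a bootkit leaves behind, and compares the boot-code hash with a trusted backup such as the one MBRCheck saved. The sample MBR bytes, the two-partition layout (a C: system and D: data partition, mirroring the thread) and the "known good" hash are all constructed here.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # must sit at bytes 510..511

def parse_partitions(mbr: bytes):
    """Return the four partition table entries of a raw MBR as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return entries

def check_mbr(mbr: bytes, known_good_boot_sha256: str):
    """Sanity-check an MBR image and compare its boot code with a trusted backup hash.
    Returns a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    # Overlapping entries are a classic sign of a table edited to hide an unlisted area.
    spans = sorted((p["lba"], p["lba"] + p["count"]) for p in parts)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partition overlap at LBA {start2}")
    # Reinstalling Windows rewrites the partitions, not necessarily these 440 bytes.
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != known_good_boot_sha256:
        findings.append("boot code differs from the trusted backup")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR with a C: system and D: data partition (not a real dump)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 40_000_000)
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 40_000_063, 100_000_000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

# Constructed "known good" boot code standing in for the backup MBRCheck took before cleaning.
GOOD_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
GOOD_BOOT_SHA256 = hashlib.sha256(GOOD_BOOT).hexdigest()
# Constructed tampered copy: same layout, but the first bytes of the boot code were replaced.
TAMPERED_BOOT = b"\xe9\x00\x01" + GOOD_BOOT[3:]
```

Run `check_mbr` on a sector dump taken with a raw disk reader from a clean boot medium, never from the suspect OS itself, since a running bootkit can hide its changes from reads made through the infected system.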