Rootkit, infected with Rootkit.TDSS

Hi there. I don't often have to seek help from forums like this, and can usually manage removing whatever run of the mill stuff, but this time I've gotten kinda stuck trying to remove a rootkit from my girlfriend's computer, and I feel it'd be best to ask for some experienced help. I remember I once got some help from a similar tech support forum for my own computer, so now I feel that I should ask for similar help for my girlfriend's system here.

First, some backstory. A couple of days ago, we first noticed some malicious software, and ran AVG and Malwarebytes to try to get rid of it. For a day or two, things seemed better, but today it looks like it's still got something. When I run MBAM, it catches a few things and removes them, but then after a while the stuff comes back. I was trying to follow along with a similar post I saw on this forum, where someone else got Rootkit.TDSS, and downloaded that Kaspersky TDSSkiller, but it still seems to have come back. And when I tried to run ComboFix, it didn't want to run because of AVG, but for some reason AVG didn't let me uninstall it. I might have to try that again.

Anyway, so now I've run a quick scan on MBAM again, and have a recent log where it caught one instance of the Rootkit.TDSS. I also ran DDS and GMER, and I've got the logs here.

First, the MBAM log...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5185

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/24/2010 10:21:02 PM

mbam-log-2010-11-24 (22-21-02).txt

Scan type: Quick scan

Objects scanned: 154332

Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDJ5F413\dm4[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

And here's the DDS log...

DDS (Ver_10-11-10.01) - NTFSx86

Run by user at 22:24:32.00 on Wed 11/24/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2560 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\vsnp2uvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:50370

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim] "c:\program files


I will request this topic to be closed.

Oh, wait, I'd like one of these three copies of this thread to stay open.

Also, I've noticed that apparently all three copies of my forum thread had the bottom of the post cut off, so they are missing some of the second logfile. I guess I might as well post the rest of the log here. Or I could start a new thread or something, if this one gets closed, perhaps.

Anyway, here was the rest of that DDS logfile.

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=127.0.0.1:50370

uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [snp2uvc] c:\windows\vsnp2uvc.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

...

(The forums don't seem to like me posting these lines in the middle here.)

...

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\o6h1scsz.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-4 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-4 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-4 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-2 1684736]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]

S3 nenum13E;nenum13E;\??\c:\docume~1\user\locals~1\temp\nenum13e.sys --> c:\docume~1\user\locals~1\temp\nenum13E.sys [?]

=============== Created Last 30 ================

2010-11-20 20:19:38 -------- d-sh--w- c:\documents and settings\user\IETldCache

2010-11-20 20:06:07 -------- d-----w- c:\program files\MSXML 4.0

2010-11-20 20:05:13 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-11-20 20:05:00 -------- d-----w- c:\windows\ie8updates

2010-11-20 20:04:55 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-20 20:04:55 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-11-20 20:04:55 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-11-20 20:04:55 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-11-20 20:04:55 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-11-20 20:04:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-11-20 20:04:55 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-11-20 20:03:39 -------- dc-h--w- c:\windows\ie8

2010-11-20 19:46:48 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-11-20 19:44:53 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-11-20 19:44:52 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-11-20 19:44:51 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-11-20 19:40:57 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-11-20 19:40:57 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-11-20 19:39:00 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-11-20 19:29:33 -------- d-----w- c:\windows\system32\PreInstall

2010-11-20 19:29:29 -------- d--h--w- c:\windows\$hf_mig$

2010-11-20 19:27:44 -------- d-----w- c:\windows\system32\SoftwareDistribution

2010-11-20 19:27:23 -------- d-s---w- c:\documents and settings\user\UserData

2010-11-07 03:14:50 -------- d-----w- c:\program files\The Guild 2 - Renaissance

==================== Find3M ====================

2010-09-20 00:55:51 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-09 14:16:29 81920 ------w- c:\windows\system32\ieencode.dll

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ------w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD6400AAKS-75A7B0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ABFF446]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac05504]; MOV EAX, [0x8ac05580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC2BAB8]

3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000060[0x8AC6DF18]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC30940]

\Driver\atapi[0x8ACD2730] -> IRP_MJ_CREATE -> 0x8ABFF446

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD6400AAKS-75A7B0___________________01.03B01#5&291da68b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8ABFF292

user != kernel MBR !!!

sectors 1250263726 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 22:26:08.87 ===============

It seems to not let me post a few lines in the middle there. Weird. Anyway, I won't be available really for much of this weekend, as I'll be out of town for the holidays, but I wanted to get a thread started at least so someone could get a look at it. I'll be back by Sunday the 28th.

If all three of my threads are too screwy, I can post a new one or something. I think it was just screwing up because of some of the lines in the middle of that DDS log for some reason.
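As an added example (not code from this thread, from DDS, or from the Malwarebytes staff), a small Python triage script that applies two of the checks a helper makes by eye on a DDS log like the one above: a browser proxy pointed at 127.0.0.1 (here `http=127.0.0.1:50370`), and a service or driver registered from a temp directory or whose file is missing (here `nenum13E` under `locals~1\temp` marked `[?]`). The sample lines are constructed from the log posted in this thread; the rule names and severities are my own.

```python
import re

# Constructed sample input, modelled on lines from the DDS log in this thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-4 243024]
S3 nenum13E;nenum13E;\??\c:\docume~1\user\locals~1\temp\nenum13e.sys --> c:\docume~1\user\locals~1\temp\nenum13E.sys [?]
"""

# Directories a legitimate driver or autostart entry should not be loaded from.
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)
# A proxy on the loopback interface means something on this machine sits in the
# browser's traffic path (the classic TDSS search/click hijack setup).
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# DDS line shapes: "R1 name;description;path [date size]" / "[S3 ...] ... [?]"
SERVICE_RE = re.compile(r"^(R\d|S\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[(.*)\])?$")
RUN_RE = re.compile(r"^[um]Run:\s+\[([^\]]+)\]\s+(.+)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")


def triage_dds(text):
    """Return (severity, rule, line) findings for the DDS log text given."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if LOOPBACK_RE.search(m.group(1)):
                findings.append(("high", "loopback-proxy", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            path, tail = m.group(4), m.group(5) or ""
            if TEMP_DIR_RE.search(path):
                findings.append(("high", "driver-in-temp", line))
            if tail.strip() == "?":
                # DDS prints [?] when it cannot find the file the service points at
                findings.append(("medium", "driver-file-missing", line))
            continue
        m = RUN_RE.match(line)
        if m and TEMP_DIR_RE.search(m.group(2)):
            findings.append(("medium", "autorun-in-temp", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage_dds(SAMPLE_DDS):
        print(f"[{severity}] {rule}: {line}")
```

Run it against a full DDS log by reading the file into `triage_dds`; the other sections of the log (Running Processes, Created Last 30) are passed through untouched because no rule matches them.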


Sorry, my apologies, I intended to have two topics closed and reply to this one, but it looks like I didn't pay attention. -_-

Looks like you may have a rootkit infection preventing you from posting the logs.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


It's alright, thanks for the help. I've mentioned the issue to my girlfriend, and we'll think about what to do next. Since we're out of town now, I won't be able to do anything with the computer until Sunday or so anyway.

We think we might choose to wipe it and reinstall the OS, but that kinda depends on being able to find the reinstall disc. She's currently got XP, and we can find the reinstall disc for Vista, but we must have an XP disc around somewhere. But maybe we'll decide to try to clean it instead, I'm not sure yet. We'll figure it out by Sunday. I'll post again with what we decide to do.

Thanks again! Boy, I didn't realize this one would be so serious. I had noticed that the computer seemed to reset itself while using it a couple of times, and that was worrying, but we'll see what we do.

...Computers can't be turned ON remotely, can they? I can't imagine a backdoor would be fancy enough to allow a computer to be turned on remotely, but we didn't unplug the computer before leaving, it's just off. Hopefully it can't be turned on while we're gone, hah.


Okay, take your time. ;) In case you can't find the reinstall disk yet, you can always opt for the cleanup and reformat later.

The computer should stay turned off (if it doesn't have auto-power-on enabled, of course). Malware cannot turn it on remotely.

Alright, we decided to format the hard drives and install Windows Vista fresh now. Sadly she will no longer have Windows XP, but, well, Vista's newer at least. Maybe less malware can affect it.

Anyway, with the Vista install disc, we formatted the hard drive (and a second, smaller partition, which I guess had system restore info on it or something) and we're installing AVG and such now.

Thanks for the advice. A shame it had the backdoor thing going on... but, well, she didn't have very much of importance on the computer, and was pretty willing to go ahead and clean it. So I guess we won't need to worry about running ComboFix and so forth.

Thanks again! Any other advice you might offer would be appreciated, but since the hard drives have been formatted, I guess this issue is resolved now, anyway.


I'm glad to hear things are okay now. :) Find below some general prevention information.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:
