#81
Run MS Standalone System Sweeper from CD or flashstick, plus Malwarebytes from Safe Mode if necessary.
Replace AVG with MSE or Avast 6.
Sweeper is running... but AVG detected 29 rootkits alone (in the MBR). The main one was "Rootkit.TDSS.TDL4" and the rest were named after their exploit of choice in win32 - i.e. file lock, driver change, etc... I grabbed a screenshot but there's no way I'm signing on to send it now.
So I'm guessing that this is the c:\ci.dll corruptor in the boot area, and when I found a way around the lockout by using a mode that doesn't allow/need ci.dll, it let me in, but then I guess it went nuclear since they all ran at bootup (malware) w/ startup.exe names.
Sound close?
greg
Oh, and I can't get into Safe Mode because ci.dll is utilized (the only exceptions are the driver signature ignore mode and the kernel debugger mode), so I guess Malwarebytes should just be run from one of those two modes.
Last edited by rubyrubyroo; 08 Oct 2011 at 15:40.
I would offload my files to strict quarantine DVD/flash stick for repeat disinfection using all known rootkit killers. Our Security forum can help you with that.
Then I would wipe the HD with Diskpart Clean All command to overwrite all code, especially in the boot sector: SSD - HDD Optimize for Windows Reinstallation
Then I would clean reinstall following these exact steps to get a perfect baseline reinstall: Reinstalling Windows 7
Then hope that the BIOS was not infected, which can be a fatal infection to the mobo.
greg,
all that, while you're paddling on a board?!?!
But seriously, I know you're right: the only true 100% certain malware removal is a complete wipe and reinstall with no cleaned files carried over, but I prefer your 98.4% odds to keep these files!
I hate to do it but I just might.... I'm on the fence about this one, being day 5 or 6 with nearly 10 clients waiting for me to look at their computers. It's a tough call, but maybe it isn't....
thanks
mike
The only question to me is whether you should reimport those files even after repeat disinfection. I'd ask in Security forum for the odds on doing so.
You may risk infecting the BIOS if you try to juggle such a badly infected system. The experts there will know this with certainty.
Suggest you keep the briefing for Security experts as brief as possible as they are very busy and not to be trifled with.
greg,
To put it lightly, I have to put the files back - I'll use radiation if I have to. They belong to a very good friend of mine who only trusts me to even touch these files! I am no longer feeling so special by now!
Every client file is on that computer (a peer network "server"). I have sold him probably 2 ext HDDs every year or two, but he agrees to back up and has never done so, and I cannot find a single backed-up file in his office on any media for the 36 years he has been practicing law. His office is literally closed this week waiting for me; that's a big financial loss for him, and he could get disbarred and/or go to fed prison if the files are considered neglected. But he is truly the nicest man I know, and I'd do this for him for free to be honest.
I obviously advocate his interests, but is it that, feeding the family, or staying out of trouble? Probably the latter, but it adds a layer of complexity and several of Pepto to my stomach!
I tend to agree w/ you and will probably take that path.
thanks again!
mike
System Sweeper finished a full scan and located 2 high-risk "lvl 2" potentially harmful software items:
1.) Trojan: win32/Alureon.DX, and
2.) Trojan: DOS/Alureon.A
where #1 is a file in the win\sys32 dir and #2 is located at boot//./PHYSICALDRIVE0\(MBR)
I went ahead and asked it to remove them both, and they were both removed successfully according to the sweeper prog. I am rerunning another full scan, and for fun I'll check what AVG has to say about new scan results; finally I'll touch base with the Security forum for additional steps I should take, or be told I shouldn't have done that! Then maybe Malwarebytes and change out my AVG, probably with Avast... but I probably also need to re-repair that ci.dll file so Windows will boot - maybe 3 rounds of Startup Repair.