Author Topic: Infected PC please help.  (Read 2138 times)
EricJH (Global Moderator)
« Reply #15 on: October 18, 2009, 07:36:37 PM »

Does anybody know if Dr. Web's Live CD is capable of removing an MBR rootkit?

Triple boot: XP SP3, Vista Ultimate 32 SP2 and Win7 RTM (default) , Always the latest CIS or CIS Beta (too lazy to update my sig) Athlon XP 2600 1 GB RAM. Opera Browser always using the latest snapshots; Opera 10.10 as of now
SiberLynx
« Reply #16 on: October 19, 2009, 01:06:08 AM »

Quote
Does anybody know if Dr. Web's Live CD is capable of removing an MBR rootkit?

Hi EricJH,

As far as I know Dr. Web CureIt! is capable of fighting and removing MBR rootkits (so can Gmer).

Have a look at their site/forum - that would be the best place to ask.
Here is the English forum: http://forum.drweb.com/index.php?showforum=27
I know that there is a "Live CD" section in the Russian section: http://forum.drweb.com/
(if there are any questions with translation I can help)

At the same time there is no way to guarantee anything unless all required information is provided and a certified professional reviews and analyzes that information.

I am very surprised that this is not the first time users are posting HijackThis reports and they are not stopped from doing that.

It is a big mistake to consider that HijackThis (HJT) is a malware removal tool.
No, by all means. It does what it does and basically is used for identifying browser hijackers... no more than that. It can show some presence of malware, which is different from the above, but you cannot fight it with HJT alone.

The respective site for removal of the suspected infection has to be visited and the user has to supply all needed preliminary reports. HJT or HiJackFree by a-squared log files may be just a part of the investigation.

But again, answering your question - yes - Dr. Web can help with MBR rootkits.

My regards
« Last Edit: October 19, 2009, 10:02:40 AM by SiberLynx »

admin; XP Pro, SP3 (32); CIS 3.13.121240.574 (firewall only; Proactive with Defense+); Vengine 2.7.0.33 ; AVG free; Mamutu Behavioural Blocker
comoder
« Reply #17 on: October 20, 2009, 11:08:10 AM »

====================================================
comoder - This is not for you, but for another expert about your computer problem

If reformatting the computer with a new reinstall fails, I was thinking maybe an MBR rootkit is a possibility. What do you think of an MBR repair kit, like the one from here?
http://www.free-av.com/en/tools/9/avira_boot_sector_repair_tool.html

I was also thinking a-squared free from download.com: install, then change one of the options to add beta updates, then update, then run in safe mode?
============================================================

Thanks J, I'd tried that tool and it found no rootkit infections. I'll explain more in my next post.
comoder
« Reply #18 on: October 20, 2009, 11:29:20 AM »

Hi people, sorry for not keeping up. I got a bit busy.
I have quite a little story about the problem I'd mentioned.

That day I booted the computer again from the Avira rescue disk and scanned for malware with the rename option on. It found hundreds of viruses and one Trojan horse which had created/downloaded all the viruses. I scanned with HouseCall after boot; I did this several times alternately to get the system free from that malware. The system was found to be infected with the Windows Sality virus. More than 350 executables were corrupt. All applications had the virus code, even CIS. However, during this process of deleting the virus my CIS died. cmdagent was not running.

I thought going to safe mode might give me some insight and options, and I tried to boot in safe mode, but it showed the same problem; it won't boot in safe mode. Then I opened the msconfig tool and selected the computer to boot in safe mode. I restarted but the system wouldn't boot; it said Windows can't run in safe mode and would take me back to the OS choice menu. The bad part is that no matter what option I selected I'd be returned to that page again and again. The system wouldn't boot in any mode. Maybe my mistake was to force the safe boot.

I inserted the Windows XP disk and did a Windows installation repair, but it was no use. It didn't work and Windows wouldn't start. So I reformatted (Windows partition only); I didn't have much to lose so I did it... Now I'm reinstalling everything again and the nightmare seems to have ended (fingers crossed). However I'm still running a HouseCall online scan just to make sure no malware escaped hidden in any other drives.

I think it's a good idea to keep your Windows installation in a small partition; it could limit the growth of malware and would prevent massive data loss in case you got into a situation with no way out but formatting.

The 2 things that really helped me were the Avira AntiVir Rescue System (burned on a CD) (thanks to omelet guy) and Trend Micro's HouseCall; both work great.
These are a couple of very powerful tools to get a sick PC up and working again.

However *sigh*, what I feel bad about in the whole thing is that CIS missed the virus. Sality isn't a very new virus. The realtime scanner didn't catch the malware when it got transferred to my PC from the phone I'd connected it to. It makes me wonder whether I would still have had to go through this pain had I been using Avira.

I thank everyone who reviewed my posts, and once again I'm impressed with the forum's prompt response system and the nice helping guys who hang here.

Sincere regards for your time and help.
Jose_Lisbon
« Reply #19 on: October 20, 2009, 01:15:31 PM »

Glad you solved it.

Just out of curiosity, was your CIS in Proactive Security Configuration? And was it the latest 3.12xxxxx560?


Jose.
comoder
« Reply #20 on: October 20, 2009, 10:13:16 PM »

Yes Jose, the CIS installation was the latest version (3.12.111745.560) and so were its definitions. I guess Sality tampered with CIS and disabled the antivirus. I think a reinstallation would have solved the problem.
The Comodo antivirus is overall very impressive; however, it still does need some more work.
I'm installing CIS again but would prefer Avira over Comodo antivirus for now.

Thank you.
comoder
« Reply #21 on: October 20, 2009, 10:28:37 PM »

The antivirus was set to on access and was in proactive updated mode.
D+ helped a lot by checking the spreading of the virus and alerting every time a new (unknown) application ran.
SiberLynx
« Reply #22 on: October 21, 2009, 12:54:13 AM »

Quote
The antivirus was set to on access and was in proactive updated mode.
D+ helped a lot by checking the spreading of the virus and alerting every time a new (unknown) application ran.

Hi Guys,

Hi comoder,

That was actually a bit strange that you were infected after all if you were in Proactive Mode having those alerts. Probably you did not answer appropriately.

Mainly, leaving AV behind - Sality is not new, as you said.
On the contrary - it is very old.
Sure, it does have variants (those could be a "bit newer").

It modifies a huge range of registry entries. It attempts to disable processes and services & so on... So, basically, what I am trying to say is the AV (any) can miss the variant (who cares about AV?).

But Defence+ should've acted appropriately.

It seems either it did not or you were allowing a lot of stuff.

Then, you would definitely have more alerts in case you have any Behavioural Blocker (BB). Are you using such? If not, please consider choosing & installing a BB.

My regards

Jose_Lisbon
« Reply #23 on: October 21, 2009, 09:18:42 AM »

Quote
That was actually a bit strange that you were infected after all if you were in Proactive Mode having those alerts. Probably you did not answer appropriately.

yeap...
comoder
« Reply #24 on: October 22, 2009, 06:57:18 AM »

Yes, maybe I did allow something I shouldn't have.
Isn't D+ a BB or something like that? If not, then I don't have a Behavioral Blocker; could you suggest a good one for XP?
Does it take up many system resources, as mine are not high?
Sorry for my ignorance about this.
comoder
« Reply #25 on: October 22, 2009, 07:03:03 AM »

Hi guys,
I have a little question. Is there a virus/malware that can wipe off your file system? Just curious.
Regards.
Jose_Lisbon
« Reply #26 on: October 22, 2009, 07:51:29 AM »

D+ is a HIPS. It's similar to a BB but not exactly the same (google around and check).
If you have your CIS in Proactive Security Configuration, the FW in Safe Mode and D+ in Clean PC Mode, you have no need for anything else. It can be a little difficult to work with. Watch the following video.

http://www.youtube.com/watch?v=P-Nw2ySRVQs

It's too bad that you didn't post right after the scan with the Avira rescue CD (with rename option).
Because I think that if, at that point, we had configured CIS for maximum performance (FW at Block All Mode and D+ at Paranoid Mode), we would have managed to have the PC booting in safe mode.

Jose.
comoder
« Reply #27 on: October 22, 2009, 08:04:17 AM »

Maybe that would have worked. I had no plans to reinstall Windows. I didn't know forcing Windows to boot in safe mode would render the PC useless. It was the last option for me, as I couldn't get Windows to boot in any mode after forcing safe mode.

Thanks for posting the video, but I already have CIS installed and configured relevantly: CIS - Comodo Proactive Security, D+ - Safe Mode, firewall - Safe Mode.
I guess this is the worst virus infection I've had to face in 8 years of using computers. Though this didn't cause much loss, it was still a pain.
Jose_Lisbon
« Reply #28 on: October 22, 2009, 08:28:53 AM »

Quote
Though this didn't cause much loss, it was still a pain.

I know what you mean. I once had my PC unable to boot (because of a stupid mistake of mine). I had to go for a system recovery from the partition disk. That was part of the reason I moved to CIS. At least something good came out of it.

Jose.