> Rootkit.Boot.Pihar.b Keeps Coming Back
TZR916
post 9.03.2012 20:29
Post #1


Newbie

Group: Members
Posts: 4
Joined: 9.03.2012




Safe mode Kaspersky TDSS rootkit removing tool


19:00:03.0725 7768 Detected object count: 1
19:00:03.0725 7768 Actual detected object count: 1
19:00:23.0634 7768 \Device\Harddisk0\DR0\# - copied to quarantine
19:00:23.0636 7768 \Device\Harddisk0\DR0 - copied to quarantine
19:00:23.0701 7768 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
19:00:23.0719 7768 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
19:00:23.0723 7768 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
19:00:23.0730 7768 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
19:00:23.0737 7768 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
19:00:23.0752 7768 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
19:00:23.0766 7768 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
19:00:23.0770 7768 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
19:00:23.0773 7768 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
19:00:23.0778 7768 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
19:00:23.0783 7768 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
19:00:23.0788 7768 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
19:00:23.0923 7768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
19:00:23.0924 7768 \Device\Harddisk0\DR0 - ok
19:00:24.0388 7768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure


24 hours later it returns; I clean it in safe mode, and it comes back again. I've done this 4 times. How do I keep it from coming back?


Also:

Malwarebytes:
Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
Files Detected: 1
C:\Users\Hammerdown\Local Settings\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.


AVG popped up and caught this:
"3/7/2012, 2:47:18 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process CSRDISP.EXE was quarantined."
"3/7/2012, 2:46:57 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QMKOEUCUOL.EXE was quarantined."
"3/7/2012, 2:46:54 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QMKOEUCUOL.EXE was detected."
"3/7/2012, 2:46:54 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QROCWMOEUIGIELKITHIYVWVEV.EXE was quarantined."
"3/7/2012, 2:46:51 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QROCWMOEUIGIELKITHIYVWVEV.EXE was detected."
"3/7/2012, 2:46:49 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process CSRDISP.EXE was detected."
"3/7/2012, 2:46:48 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process PHKVGLMBLQJKJCGF.EXE was quarantined."
"3/7/2012, 2:46:46 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process PHKVGLMBLQJKJCGF.EXE was detected."
"3/7/2012, 2:46:46 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process WFBEHXAEONXJZBGXOR.EXE was quarantined."
"3/7/2012, 2:46:27 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process WFBEHXAEONXJZBGXOR.EXE was detected."
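As an added example (not from the thread), the following Python parses the two log formats quoted in the post above, TDSSKiller object lines and AVG IDP CSV lines, and pulls out what a responder triages first: which files sat in the hidden TDLFS store, which object is pending a cure on reboot, and how tightly the SYSTEM-level process detections cluster. The sample lines are constructed in the shape of those above, and the 60-second burst threshold is my own assumption.

```python
import re
from datetime import datetime

# Constructed sample lines, shaped like the TDSSKiller and AVG IDP output quoted in the thread.
TDSS_LOG = r"""
19:00:23.0634 7768 \Device\Harddisk0\DR0 - copied to quarantine
19:00:23.0719 7768 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
19:00:23.0730 7768 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
19:00:23.0923 7768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
"""
AVG_LOG = r"""
"3/7/2012, 2:47:18 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process CSRDISP.EXE was quarantined."
"3/7/2012, 2:46:57 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QMKOEUCUOL.EXE was quarantined."
"3/7/2012, 2:46:54 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QMKOEUCUOL.EXE was detected."
"3/7/2012, 2:46:49 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process CSRDISP.EXE was detected."
"3/7/2012, 2:46:46 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process PHKVGLMBLQJKJCGF.EXE was detected."
"""

# "<time> <pid> <object> [( <detection> )] - <action>"
TDSS_RE = re.compile(r"^\S+ \d+ (?P<obj>\\\S+)(?: \( (?P<det>[^)]+) \))? - (?P<action>.+)$")
# "<timestamp>";"<account>";"<module>";"Process <name> was detected|quarantined."
AVG_RE = re.compile(r'^"(?P<ts>[^"]+)";"(?P<acct>[^"]+)";"(?P<mod>[^"]+)";'
                    r'"Process (?P<proc>\S+) was (?P<event>detected|quarantined)\."$')


def summarize_tdss(text):
    """Separate files inside the hidden TDLFS store from objects still pending a cure on reboot."""
    recs = [m.groupdict() for m in map(TDSS_RE.match, text.splitlines()) if m]
    hidden = sorted(r["obj"].split("\\TDLFS\\", 1)[1] for r in recs if "\\TDLFS\\" in r["obj"])
    pending = {r["obj"]: r["det"] for r in recs if r["action"].startswith("will be cured")}
    return {"tdlfs_files": hidden, "cure_on_reboot": pending}


def system_process_burst(text, window_s=60):
    """Group AVG IDP events by process for SYSTEM-level hits; flag a tight cluster of several processes.

    Assumed heuristic: three or more distinct processes within window_s seconds counts as one burst."""
    events = []
    for m in filter(None, map(AVG_RE.match, text.splitlines())):
        if m["acct"].upper().endswith("\\SYSTEM"):
            ts = datetime.strptime(m["ts"], "%m/%d/%Y, %I:%M:%S %p")
            events.append((ts, m["proc"].upper(), m["event"]))
    events.sort()  # the log above is newest-first; order by time for the span calculation
    procs = {}
    for _, proc, event in events:
        procs.setdefault(proc, set()).add(event)
    span = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {"processes": {p: sorted(e) for p, e in procs.items()},
            "span_seconds": span, "burst": len(procs) >= 3 and span <= window_s}


if __name__ == "__main__":
    print(summarize_tdss(TDSS_LOG))
    print(system_process_burst(AVG_LOG))
```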
richbuff
post 10.03.2012 03:06
Post #2


Oldtimer

Group: Moderators
Posts: 48597
Joined: 14.06.2007




Welcome. Please see the first Important topic. There, you will find instructions for the two preliminary logs.


Please see the small print that is located at the bottom of this message.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
TZR916
post 10.03.2012 07:05
Post #3


Newbie

Group: Members
Posts: 4
Joined: 9.03.2012




Thanks. See Attached
Attached File(s):
virusinfo_cure.zip ( 22bytes )
GetSystemInfo_HAMMERVAIO_Hammerdown_2012_03_09_18_37_21.zip ( 263.23K )
 
richbuff
post 10.03.2012 07:32
Post #4


Oldtimer

Group: Moderators
Posts: 48597
Joined: 14.06.2007




You're welcome. Vista Business SP1? Where is Service Pack 2?

Also, I noticed that you don't have Kaspersky installed. After you fix your Vista....

...If you don't have Kaspersky installed, please feel free to use the AVP Tool. It is linked in the first Important topic.
Attach its sysinfo.zip. Located at Desktop\Virus Removal Tool\LOG\avptool_sysinfo.zip


TZR916
post 10.03.2012 07:43
Post #5


Newbie

Group: Members
Posts: 4
Joined: 9.03.2012




Free AVP Tool version 10/11 download buttons do not work (tried from IE8 & Firefox10)

http://www.kaspersky.com/antivirus-removal-tool?form=1#



SP2 is over-rated (if the OS ain't broke, don't fix it)
richbuff
post 10.03.2012 08:18
Post #6


Oldtimer

Group: Moderators
Posts: 48597
Joined: 14.06.2007




Please try this link: http://devbuilds.kaspersky-labs.com/devbui...03_09_09_09.exe

The current Service Pack contains reliability updates and functionality updates and critical security updates. Let me guess: you do not have Windows updates that come out on Patch Tuesday?

The surface of this planet is crammed to the rafters with security experts who lie awake sleepless all night, trying to figure out how to get people to install the current Service Pack and all Windows updates. But I am not going to spend more than two minutes on this effort at this juncture. If your next log does not show up-to-date Windows, then you can see if another moderator would like to continue with this topic.


TZR916
post 10.03.2012 09:52
Post #7


Newbie

Group: Members
Posts: 4
Joined: 9.03.2012




I run Windows update every few days manually and take all security updates. I purposely have not installed SP2 because of incompatibilities with my laptop (VAIO) hardware. Going on three years after SP2 was released and not had a single problem running SP1. I won't be installing SP2 until I solve this rootkit and I do a Ghost of my clean system.