Unknown, persistent malware (3rd System)


pallino

Since I'll be travelling till next Tuesday I upload also the logs of my first laptop (I hope it helps; if not, please forgive me if I already started AVZ), the one that alarmed me at the beginning....HitmanPro.Alert told me Firefox is compromised, the DISM command gave error 87, sfc /scannow gave errors, e.g. beep.sys, TDSSKiller found first unsigned files, then no more...a proxy appeared in the configs......slow at boot, mostly after the password is entered....

 

I'm really concerned and I'm sorry if it's just "paranoia".....I really appreciate your help, patience and time!!!

 

thank you!!!

a2scan_150102-112944.txt

Addition.txt

FRST.txt

virusinfo_syscheck.zip


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: H - H:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {0d7ecc8e-0add-11e2-9521-20107a274802} - G:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {29dd296d-1521-11e2-94ea-001e101f8aaa} - G:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {c80cc177-0a40-11e2-9cfc-20107a274802} - G:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {cb932e8e-1699-11e2-aa63-001e101f8924} - H:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {e4025b9a-098b-11e2-9761-082e5f866291} - G:\AutoRun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKU\S-1-5-21-1094131024-318668930-3021465862-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = 
Toolbar: HKU\S-1-5-21-1094131024-318668930-3021465862-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-1094131024-318668930-3021465862-1000 -> No Name - {9C65D12D-CF9D-454D-8049-61965D8C6FFF} -  No File
C:\Users\Guest\AppData\Local\Temp\vlc-2.1.5-win32.exe
AlternateDataStreams: C:\Users\andrea\Downloads\2012 Paid Holidays for U.S. TIers.eml:OECustomProperty
AlternateDataStreams: C:\Users\andrea\Downloads\ashampoo_winoptimizer_2014_1.0.0_16444.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\ashampoo_winoptimizer_free_1.0.0_sm.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\download-ninja.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\herdProtectScan_Setup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\leaktest.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\mbae-setup-1.03.1.1220.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\MBRCheck.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\MicrosoftFixit.dvd.MATSKB.Run.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\OCCleanupTool.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\okayfreedomintdle11.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\revosetup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\RevoUninProSetup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\ScanNowUPnP.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\SD1.4.0.519_Setup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\SecurityKISSsetup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\SetupAnyDVD7490.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\sp63258.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\strap.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\VMware-workstation-full-10.0.2-1744117.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\wlsetup-web.exe:BDU
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the below code in to the text box in the program

    Note: When you run the script, your PC will be restarted

  • Click Run
  • Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the below code in to the text box in the program

    Note: When you run the script, your PC will be restarted

    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
     DeleteService('vhjrap');
     DeleteService('icquni');
     DeleteFile('icquni.sys','32');
     DeleteFile('vhjrap.sys','32');
    ExecuteSysClean;
    RebootWindows(true);
    end.
  • Click Run
  • Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Hello Kevin,

 

I attached the new AVZ report.

What did you/AVZ find before? What were the icquni and the vhjrap?

 

I think it starts a little bit faster, but still not as "before".

Today when I restarted the laptop, before running the script, I got a message that asked me if I wanted to change a startup entry (apparently ccleaner).

Since I didn't install anything in the last days (I was travelling) I denied. At the next reboot, the laptop started with an Explorer window open at c:/program files/............./"AutorunsDisabled".....

 

Thank you again for your help!

virusinfo_syscheck.zip

Addition.txt

FRST.txt


AutoRuns is by default in all Windows systems since XP SP3. So, there is no need to do anything special to disable AutoRuns.

Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the below code in to the text box in the program

    Note: When you run the script, your PC will be restarted

    begin
     DelBHO('AutorunsDisabled');
    ExecuteSysClean;
    end.
  • Click Run
  • Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Windows now starts with an Explorer window open at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled (snapshot attached)...don't know why...

Tried to update Windows: since 31-12 only Defender definitions have been available. During the download the Windows Update page froze.

Did I get a rootkit or what did you find?

Thank you

 

post-34031-0-43479400-1420764972_thumb.png

Addition.txt

FRST.txt

virusinfo_syscheck.zip


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Handler: AutorunsDisabled - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: AutorunsDisabled - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Filter: AutorunsDisabled - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
Filter-x32: AutorunsDisabled - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
AlternateDataStreams: C:\Users\andrea\Downloads\2012 Paid Holidays for U.S. TIers.eml:OECustomProperty
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


I forgot one question...

Is the AVZ info below, from the scan report, normal?

 

1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtAllocateVirtualMemory (198) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
Function ntdll.dll:NtFreeVirtualMemory (311) intercepted, method - APICodeHijack.JmpTo[74A18E96]
Function ntdll.dll:NtProtectVirtualMemory (396) intercepted, method - APICodeHijack.JmpTo[74A18D76]
Function ntdll.dll:ZwAllocateVirtualMemory (1450) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
Function ntdll.dll:ZwFreeVirtualMemory (1562) intercepted, method - APICodeHijack.JmpTo[74A18E96]
Function ntdll.dll:ZwProtectVirtualMemory (1646) intercepted, method - APICodeHijack.JmpTo[74A18D76]
 

Thank you!

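The hook lines quoted above are the kind of output a responder triages before answering "is this normal?". The following is an added example, not code from the thread or from AVZ: it parses those six lines and applies two sanity checks. First, an Nt* name and its Zw* twin are the same ntdll export, so a hook on one must report the same JmpTo target on the other. Second, all targets are attributed to a loaded-module range; the module map here is a constructed placeholder, because the thread never identifies which module owns the 74A18xxx addresses.

```python
import re
from collections import defaultdict

# Constructed sample input: the hook section quoted in the post above, verbatim.
AVZ_LOG = """\
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtAllocateVirtualMemory (198) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
Function ntdll.dll:NtFreeVirtualMemory (311) intercepted, method - APICodeHijack.JmpTo[74A18E96]
Function ntdll.dll:NtProtectVirtualMemory (396) intercepted, method - APICodeHijack.JmpTo[74A18D76]
Function ntdll.dll:ZwAllocateVirtualMemory (1450) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
Function ntdll.dll:ZwFreeVirtualMemory (1562) intercepted, method - APICodeHijack.JmpTo[74A18E96]
Function ntdll.dll:ZwProtectVirtualMemory (1646) intercepted, method - APICodeHijack.JmpTo[74A18D76]
"""

# Hypothetical loaded-module map: name -> (base, size). The thread does not say
# which module owns 0x74A1xxxx, so this range is a constructed placeholder that a
# responder would replace with values from a real module listing.
MODULE_MAP = {"hypothetical_hooking_module.dll": (0x74A10000, 0x20000)}

# Matches one AVZ "intercepted" line and captures its parts.
HOOK_RE = re.compile(
    r"^Function (?P<module>[\w.]+):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method - (?P<method>[\w.]+)\[(?P<target>[0-9A-Fa-f]+)\]$"
)


def parse_hooks(text):
    """Return one dict per 'intercepted' line; all other AVZ lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["ordinal"] = int(h["ordinal"])
            h["target"] = int(h["target"], 16)
            hooks.append(h)
    return hooks


def pair_mismatches(hooks):
    """Nt* and Zw* are the same ntdll export, so a hook on one must show the same
    JmpTo target on the other. Each differing pair is returned for a closer look."""
    by_name = {(h["module"], h["func"]): h["target"] for h in hooks}
    bad = []
    for (mod, func), target in by_name.items():
        if func.startswith("Nt"):
            zw_target = by_name.get((mod, "Zw" + func[2:]))
            if zw_target is not None and zw_target != target:
                bad.append((func, target, zw_target))
    return bad


def owner_of(addr, module_map):
    """Name of the mapped module containing addr, or None if no range matches."""
    for name, (base, size) in module_map.items():
        if base <= addr < base + size:
            return name
    return None


def summarize(hooks, module_map):
    """Group hooks by jump target, attribute targets to modules, run the pair check."""
    by_target = defaultdict(list)
    for h in hooks:
        by_target[h["target"]].append(h["func"])
    targets = sorted(by_target)
    owners = {t: owner_of(t, module_map) for t in targets}
    return {
        "hook_count": len(hooks),
        "distinct_targets": len(targets),
        # A tight span means every jump lands in one small code region.
        "target_span": (targets[-1] - targets[0]) if targets else 0,
        "owners": sorted({o for o in owners.values() if o is not None}),
        "unattributed": [f"{t:08X}" for t, o in owners.items() if o is None],
        "pair_mismatches": pair_mismatches(hooks),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_hooks(AVZ_LOG), MODULE_MAP).items():
        print(f"{key}: {value}")
```

For the quoted lines the report shows three distinct targets within 432 bytes of each other, no Nt/Zw disagreement and every target inside the one mapped range; a target that falls outside every known module is the case that deserves a follow-up question.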

System is running better but still not "smooth", sometimes it is slow to respond (e.g to close a window)....

What were the Service('vhjrap') and Service('icquni'), and the files ('icquni.sys','32') and ('vhjrap.sys','32') you deleted before?

 

Can I use this laptop again for online banking or is it still not safe/risky?

What can I do now?

thank you


yes, please.....

Now it's too late to upload the file for analysis, correct?

Would have liked to know the name of the trojan that passed "all the defences" I had on my laptop....and managed to stay hidden from all the tools/AV I used and know.....Do you know what kind of trojan it was? Could it infect other devices on the same network? Or the router?

What should i do now?

 

thank you!


Trojans open backdoors to the computer that allow unfettered access to the system. They are not infectors themselves, but can be used to download an infector.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

    tdss1.png

  • Click Change parameters

    settings20121003115955.png

  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

    tdss3.png

  • Click on the Start Scan button to begin the scan and wait for it to finish.

    NOTE: Do not use the computer during the scan!

  • During the scan it will look similar to the image below:

    tdss4.jpg

  • When it finishes, you will either see a report that no threats were found like below:

    tdss5.jpg

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.

  • If any infection or suspected items are found, you will see a window similar to below:

    tdss7.jpg

    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:

    tdss6.jpg

    Reboot immediately if TDSSKiller states that one is needed.

  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.

Hello Kevin,

 

some info/summary that I hope might help........my doubts started mid-September 2014 when Bitdefender IS 2015 told me a virus was found in a file in the Emsisoft folder on this laptop....I scanned the laptop with all I had and knew I could use (Bitdefender, Emsisoft EK, Malwarebytes, HitmanPro, Norton Power Eraser, TDSSKiller, aswMBR, Malwarebytes Anti-Rootkit, Emsisoft's MBRCheck beta, ESET online scan...I also scanned with some AV boot CDs created with another laptop)....nothing was found....online I found it was/could have been a false alarm of Bitdefender.

.....I kept on scanning but no AV ever found/alerted about the Service('vhjrap') and Service('icquni'), or the files ('icquni.sys','32') and ('vhjrap.sys','32') you found last week.....

 

 

I still have the first TDsskiller reports from that time, does it help if I upload them? To save time I upload the first ones....

 

thank you!

TDSSKiller.3.0.0.42_13.01.2015_17.40.27_log.txt

TDSSKiller.3.0.0.40_14.09.2014_14.30.01_log.txt

TDSSKiller.3.0.0.40_14.09.2014_14.16.57_log.txt

TDSSKiller.3.0.0.40_13.09.2014_00.16.38_log.txt


The TDSSKiller log looks fine.

Changing tools.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

!!! IMPORTANT !!! Save ComboFix to your Desktop

NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in its quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc. were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    See HERE for help

  • Double click on Combo-Fix & follow the prompts.
When finished, ComboFix will produce a log.

NOTE:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion" restart your computer.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

I'll check with combofix asap....thank you!

Yesterday I was thinking that at the moment you found something associated with a trojan horse but we don't know what it was.

I was thinking about my other PCs and laptops, about my backups created before today, and about how I/we can figure out what trojan it was and whether the other HDs are infected too, since AV and anti-rootkits didn't find these trojans until now.

I remembered that I created a backup with windows, with Macrium reflect and with paragon backup free.....I have to check if I created the backups before the cleaning or after...I think it was before...

How and where can I look for the deleted trojan files? I would like to upload them so that you can analyze them and add detection in Emsisoft....

With what tool/program can I check the usb HDs for this infection (I wouldn't like to reinfect the laptop again)?

 

thank you as usual for your help!


I have good and bad news..

The good news is that the backups were created on the 19th and 20th of November....the "bad" is that EMSI IS (paranoia mode, custom scan with direct access) doesn't find anything suspicious or infected.

Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be?

 

I ran ComboFix, please find attached the new report.

How does it look?

What do we do now?

thank you!

 

 

 

 

ComboFix.txt


As soon as I restarted Kaspersky on this laptop I got alerted that a new program  c:\newtool\pv.3exe wanted to connect to internet...I cannot see it nor the folder in explorer and I blocked it.... :o:(

Checked the report and other files were blocked or added to restricted..

That is part of ComboFix.

You have significant system damage to critical system files.


Very very strange..this would be the 3rd system with damaged or corrupted files in 6 months..and this laptop is 2 years old!!!!...was it like this in the previous logs?

Can't it be malware not discovered yet?

What about the files deleted by ComboFix in C: and in the Windows folder?

What do we do now? What can I scan with now????

I don't think we had any signs of corrupted files before...........Windows was working fine till now, no alerts from any AV, the Windows scannow command reported only a problem with beep.sys.......very strange and worrying situation.....

Please, let me know what I can scan with over the weekend!!!

thank you


After running ComboFix and restarting the laptop, after all the alerts from KIS I ran AVZ. I might have restarted the system one more time before running AVZ. First it stopped working with "rich edit line insert error", then with "out of memory while expanding memory stream"...then one log was created (attached log 15-1-15)

Today  I could run it .... I attached  the log.

 

Thank you!

 

 

virusinfo_syscheck 15-1-15.zip

virusinfo_syscheck.zip


Close all windows then double click on AVZ.exe

  • Click File > Custom scripts
  • Copy & paste the below code in to the text box in the program

    Note: When you run the script, your PC will be restarted

    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
     DelBHO('AutorunsDisabled');
     DeleteService('GDKBFlt');
     DeleteService('GDKBBlocker');
     BC_DeleteFile('c:\program files (x86)\g data\usb keyboard guard\gd2ndkbb.exe');
     DeleteFile('C:\Windows\system32\drivers\GDKBBlocker64.sys','32');
     DeleteFile('C:\Windows\system32\drivers\GDKBFlt64.sys','32');
     DeleteFile('C:\Program Files (x86)\G DATA\USB KEYBOARD GUARD\GD2NDKBB.exe','32');
     DeleteFile('C:\Program Files (x86)\G Data\InternetSecurity\AVK\AVKWCtlX64.exe','32');
     DeleteFile('C:\Program Files (x86)\G Data\InternetSecurity\Firewall\GDFwSvcx64.exe','32');
     RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','GDataUsbProtection');
     DeleteFile('C:\Users\andrea\Downloads\programmi\antivirus\gdata','32');
     DeleteFile('C:\Windows\system32\Tasks\{FFC0F1DA-D755-4C90-AF81-5AF9159BF37C}','64');
     DeleteFile('C:\Users\andrea\Downloads\programmi\antivirus\gdata\INT_R_FUL_2015_IS.exe','32');
    ExecuteSysClean;
    RebootWindows(true);
    end.
  • Click Run
  • Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Hello Kevin,

 

Is this program not a legit one, G Data's USB Keyboard Guard?

Is this a false positive?

 

https://www.gdatasof...-keyboard-guard

 

Just to be sure before I delete it... :)

 

I checked the backups I have but I cannot find the older 2 deleted files, neither in windows/system32/drivers, nor in system32, nor in windows...Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be?

 

Would they get copied by a backup program? What program could I use to see them if they are hidden from Windows Explorer?

 

Thank you


Thank you!

What can we scan the laptop with now?

What can we use as a 2nd or 3rd opinion software?

 

What can we do now?

 

I checked the backups I have but I cannot find the older 2 deleted files, neither in windows/system32/drivers, nor in system32, nor in windows...Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be?

 

Would they get copied by a backup program? What program could I use to see them if they are hidden from Windows Explorer?

 

 

 

thank you!


I checked the backups I have but I cannot find the older 2 deleted files, neither in windows/system32/drivers, nor in system32, nor in windows...Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be?

Both of those should be in the AVZ backup folder.

We have not run RogueKiller yet.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
    • The highest number of [X] is the most recent Scan

Hello Kevin,

 

thank you!

I checked the AVZ infected and quarantined folders (File > Open infected, quarantined files) but both were empty.....Is this normal?

Did AVZ find and delete them, or were these random names that "disappeared"?

 

How/where can I find them?

 

What do we do now?

 

Thank you!

Addition.txt

FRST.txt

RKreport_SCN_01212015_003641.log

virusinfo_syscheck.zip


This might be the best solution but I'm still concerned since we don't know what I had, since I cannot find the 2 files, and the fact that suddenly corrupted files or 0 byte files appeared is very very very very strange.

It would be helpful to find the 2 files and to give the malware a name and to know how to detect it in other devices if present there too , eg external usb backup drives.

Can we do this before reinstalling windows?

thank you


This laptop didn't have system problems till a few days ago (it is almost 3 years old now) and I didn't do anything apart from scanning and updating....and after the file problems only chkdsk and sfc /scannow...

 

Can't it be that there is still some undetected malware/rootkit??  :mad:  :(  Can we (keep)check(ing) this if possible ? thank you!

Please let me know what to do now.

 

thank you


Before I start, any other tool/program/beta/ "experimental" tool you want to (we can)  test on this laptop?

 

Is it worth trying a rescue disk? If yes, which one do you recommend?

 

 

I have a Macrium Reflect backup, a Paragon backup and a Windows backup..any preference which one to use?

 

Why would this help to find a still unknown malware?

 

Thank you! :)


We can try the KAV Rescue CD.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:

Download Kaspersky Rescue Disk 10

How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?

How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Summarizing:

  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.
Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:

  • Restart your computer and put the disk in the drive while booting.
  • Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
  • Select the required interface language using the arrow-keys on your keyboard.
  • Press the Enter key on the keyboard.
  • In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
  • Click Enter.
  • Click 'A' to accept the agreement.
  • Select operating system from dropdown menu (select Windows whatever)
  • Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
  • Click My Update Center and update if any available
  • Back to other tab and click Start Object Scan. (This could take several hours to finish)
  • When scan has completed save a report:
    • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
    • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
    • On the upper right hand corner of the Detailed report window, click on the Save button.
    • After clicking Detailed Report and 'SAVE', a browse window opens.
    • Double-click on the \
    • Click 'disks'.
    • All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
    • Click on the Save button.
    • The report has been saved to the file.
  • Remove the disk from the drive (or disconnect USB) and reboot normally.

I'm scanning with KIS...the definition update from 11.11.14 took 26 min...too long, or?...

I have a Macrium Reflect backup, a Paragon backup and a Windows backup..any preference which one to use?

 

Why would this help to find a still unknown malware?

Thank you


Update after the router question above.

I cannot complete the scan with Kaspersky rescue disk...when I check after some time the window with the scan "disappeared"....I cannot start a new scan, nor kaspersky rescue, nor exit linux..I double click but nothing happens....but I can use the file manager.....

What do you think?

What do we do? Do we try another rescue disk or restore windows to November 2014?

Pls let me also know what you think about the router, thank you!
