Rootkit.Boot.Pihar.c


M1918A1

Report looks as it should. The vast majority are things we've already taken care of... but the infected files dated 2/2 are potentially problematic.

Can you run ESET online now?

If you cannot... then please do the following:

Download SalityKiller to your desktop

 

Unzip it and then run SalityKiller.exe to run.

 

If it finds anything... run it a second time.

 

Then please try ESET again.

Edited by Tomk_

Do me a favor. Run it before you go to bed tonight. Just let it run even if it appears to not be responding. Hopefully it will have completed by morning. I've seen it "hang" for an hour or so before.

 

Both Pihar and Sality block access to ESET. I'm not seeing any signs of them currently in your logs... but I would sure like to see that program run.


You were right. It took quite a while but it finally did install.

 

ESETSmartInstaller@High as CAB hook log:


Great. :tup:

 

Active infections appear to be removed. What ESET found were infected downloads... many of which appear to be pirated. I can tell you that it is just a fact... if you download pirated programs you will get infected. It isn't a question of "will I". No security program can protect you from yourself.

 

The Java version you have is version 7 update 5. Current is version 7 update 13. If you need Java (most people don't), you need to get it updated. I don't run Java and many of my colleagues haven't run Java for years and haven't needed it. There have been a whole series of zero-day exploits of Java since November that you might have heard about in the news. It is a real vulnerability to your system. Here is a good program to help you remove all traces... and you can also download the current version if you need it.

 

Please download JavaRa (http://singularlabs.com/software/javara/javara-download/) to your desktop.

  • Click the Download button next to Version 2.1 to download JavaRA-2.1.zip and save it to the desktop.
  • Close the Browser and all open windows.
  • Right click the JavaRA-2.1.zip file and click Extract All and unzip it to its own folder on the desktop.
  • Open the Java-2.1 folder
  • Open the JavaRA folder
  • Double click on the JavaRa.exe file to run the program. You will see a console like the one below:
  • Click the Update JavaRa Definitions and update the definitions.
  • Click download
  • After download is complete - click back.
  • Click Remove Java Runtime

Step 1 will run Java's built in installers (See the image below):
  • JavaRa will automatically detect the available JRE uninstallers. The Run Uninstaller button will begin the removal process, which should be performed on all listed versions of the Java Runtime Environment. In some situations, Windows security features may interfere with this process, causing the Run Uninstaller button to do nothing. You will need to use the Add Or Remove Programs function in Windows if this occurs.


Then Step 2 will run. (See image below)

Step 2 will run the JRE Removal Routine


 

If you are going to try operating without Java... you can now "next" your way out and exit the program. Or, to install current:

Step 3 is Download New Version. Please don't click on Download. Instead, click on Java Manual Download at the top. This will take you to Java.com where you can download the current version.

You can go ahead and Next your way through JavaRa and close it.

Install the new Java program you downloaded.

 

With that done... How does your system seem to be running now?


It does seem to be running ok now. Couldn't open Microsoft Word documents before and they open fine now. It killed my antivirus though. I think I will still reformat at least the C drive. Never know if something is still in hiding. Got to go through and get rid of all the grandkid crap too. They all have internet at home now so I won't have to worry about them adding any more crap.

I already reformatted the other computer that got the same thing. At least I didn't lose anything on that one because I got lazy and let it sit for a year and never bothered installing anything. Probably still won't bother to install anything on it until I get a game that won't run on a single core CPU.

 

Thanks ever so much for the help. It's been so long since I gave up doing much work on computers that I just plain lost my touch. Never would have got it fixed without you. Thanks again.


We need to do a little housekeeping before you go.

 

 

  • Click START then RUN.
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.

The above procedure will:

  • Implement some cleanup procedures.
  • Reset System Restore.

 

 

Note: If you don't have combofix anymore... then please download a new copy and run the uninstall routine.

 

Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it.
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

 

 

Anything left on there can be deleted.

Please re-enable any security that was disabled.

 


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.
