Botnet infection
I believe I have 2 hard drives infected with a Botnet Trojan.
Symptoms:
PC fan kicks into overdrive when computer is idle, and when in use. 100% CPU usage at all times.
PC takes a long time to shut down, or won’t shut down properly.
All programs are running very slowly, and Internet Explorer unstable and cannot download antivirus software updates / visit vendors’ websites.
Internet access slows to a crawl.
Cannot download operating system updates.
Windows Task Manager shows programs with very cryptic names or descriptions, and multiple "international restricted" connections.
This is what ACTIVE KILL DISK revealed about a hidden sector on my hard drive that it was unable to wipe:
Floppy Disk 0
NO NAME (A:)
NAME:
VERSION:
SERIAL:
DEVICE GEOMETRY:
MODE LBA: NO
CYLINDERS: 80
TRACKS PER CYLINDER: 2
SECTORS PER TRACK: 36
TOTAL SECTORS: 5760
BYTES PER SECTOR: 512
TOTAL SIZE: 2.813 MB (2949120 bytes)
Writing Block (00)
CANNOT OVERWRITE
ERROR WRITING SECTORS 1 - 5760
ON FLOPPY DISK 0
Below is Image view of Floppy Disk 0:
Folder tree pane:
-<<ROOT>>
  $Extend
  +$Recycle.bin
  System Volume Inf
  +!!! Extra Deleted

File pane, <<ROOT>>:
+$EXTEND                .HS...  (Hidden, system, MFT)
+$RECYCLE.BIN           .HS...  (Hidden, system)
+$SYSTEM~1              .HS...  (Hidden, system, resident)
+$EXTRA.!!!                     (Found)
$mft        262144      .HS...  (Hidden, system, MFT)
$mftmirr    4096        .HS...  (Hidden, system, MFT)
$logfile    4194304     .HS...  (Hidden, system, MFT)
$volume     0           .HS...  (Hidden, system, resident)
$attrdef    2560        .HS...  (Hidden, system, MFT)
$bitmap     1976752     .HS...  (Hidden, system, MFT)
$boot       8192        .HS...  (Hidden, system, MFT)
$badclus    0           .HS...  (Hidden, system, resident)
$Secure     0           .HS...  (Hidden, system, MFT)
$upcase     131072      .HS...  (Hidden, system, MFT)

File pane, $Extend:
$quota                  .HSA..  (Archive, hidden, system, resident)
$objid                  .HSA..  (Archive, hidden, system, resident)
$reparse                .HSA..  (Archive, hidden, system, resident)

File pane, $RECYCLE.BIN:
+S-1-5-~1               .hs...
+S-1-5-~2               .hs...
+S-1-5-~3               .hs...

File pane, SYSTEM VOLUME INF:
Tracking.log            .HSA..  (Archive, hidden, system)

File pane, !!! EXTRA DELETED:
+Folder 29                      (Found)
I believe this is the HIDDEN virus that has replaced the original MBR on my operating systems.
I have not been able to wipe this with multiple operating system reinstalls, or low level formatting.
I have tried multiple detection tools to no avail.
Can anyone provide some insight on how (if it is possible) to remove, or at least cripple, this nasty Trojan?
Thanks!!
January 20th, 2012 11:11am
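The two things the post above is reasoning from (cryptic processes holding outbound connections, and a suspicion that the MBR has been replaced) can both be checked with built-in tooling before anything is wiped. The script below is an added example and not code from the original post or from any of the replies. It assumes PowerShell 2.0 or later (shipped with Windows 7) run from an elevated prompt, which is needed to read every process's image path and to open `\\.\PhysicalDrive0`; the "Suspect" heuristic (an unsigned binary talking to a non-private address) is this example's own choice, and the disk device name is an assumption for a single-disk machine.

```powershell
# Added triage example; not code from the original thread. Requires an
# elevated PowerShell 2.0+ prompt on Windows 7 or later.
Set-StrictMode -Version 2

function Test-PrivateAddress {
    param([string]$Address)
    # Loopback, unspecified, link-local and RFC 1918 ranges count as local.
    if ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|0\.0\.0\.0$)') { return $true }
    if ($Address -match '^172\.(1[6-9]|2[0-9]|3[01])\.')                  { return $true }
    if ($Address -match '^(::1?$|fe80:|\*$)')                              { return $true }
    return $false
}

function Get-EstablishedConnections {
    # Parses "netstat -ano" (present on every Windows version) and joins each
    # ESTABLISHED TCP connection to its owning process, image path and
    # Authenticode status, so a process with a cryptic name can be judged by
    # what it is talking to and whether its binary is signed.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') {
            $remote   = $matches[2]
            $ownerPid = [int]$matches[3]
            # Foreign address is "host:port"; IPv6 is written "[addr]:port".
            $cut        = $remote.LastIndexOf(':')
            $remoteHost = $remote.Substring(0, $cut).Trim('[', ']')
            $remotePort = $remote.Substring($cut + 1)

            $path   = $null
            $signed = 'unknown'          # e.g. a protected system process we cannot open
            if ($procs.ContainsKey($ownerPid) -and $procs[$ownerPid].Path) {
                $path   = $procs[$ownerPid].Path
                $signed = [string](Get-AuthenticodeSignature -FilePath $path).Status
            }
            $name = if ($procs.ContainsKey($ownerPid)) { $procs[$ownerPid].ProcessName } else { '?' }
            $external = -not (Test-PrivateAddress $remoteHost)

            New-Object PSObject -Property @{
                PID      = $ownerPid
                Process  = $name
                Path     = $path
                Signed   = $signed
                Remote   = "${remoteHost}:${remotePort}"
                External = $external
                Suspect  = $external -and ($signed -ne 'Valid')
            }
        }
    }
}

function Get-BootSectorInfo {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumption: first physical disk
    # Reads sector 0 raw. Bytes 0-439 hold the boot code, 440-443 the disk
    # signature, 446-509 the partition table and 510-511 the 55 AA marker.
    # Hashing only the code area gives a value that stays constant on a clean
    # machine and can be compared with the MBR a fresh install writes.
    $fs = New-Object System.IO.FileStream($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
    } finally { $fs.Close() }
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash([byte[]]$buf[0..439])
    New-Object PSObject -Property @{
        Device         = $Device
        BytesRead      = $read
        HasBootMarker  = ($buf[510] -eq 0x55 -and $buf[511] -eq 0xAA)
        BootCodeSHA256 = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
    }
}

# Usage: list connections to non-private addresses with unsigned owners first,
# then record the MBR hash so it can be compared again after a reinstall.
Get-EstablishedConnections | Where-Object { $_.External } |
    Sort-Object Suspect -Descending | Format-Table PID, Process, Signed, Remote, Path -AutoSize
Get-BootSectorInfo | Format-List
```

A process that shows up as Suspect is not proof of anything (plenty of legitimate software ships unsigned), but it narrows the list to a handful of paths worth looking at. The boot-code hash is the more useful number here: take it before the reinstall, take it again from the freshly installed system, and once more after a reboot. A hash that silently changes between the last two is the kind of evidence the post is looking for; identical hashes point away from the MBR as the hiding place.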
Have you tried running MalwareBytes on it? Since you can't download software on the infected computer, then you should use a flash drive to transfer the files over. Then update MBAM manually using their posted Rules.ref files if you can.
You'll find that information on the site. After that, run a full scan and ensure that all drives are selected. Then post the log that appears. MBAM should detect something.
January 21st, 2012 7:05am
Since you are looking to do an OS reinstall, boot with a Windows 7 DVD. At the first screen hit <SHIFT>+<F10> to open an elevated command prompt. Assuming you have only a single HD in your computer, type the following:
diskpart
select disk 0
clean
Once disk is "cleaned," install as normal.
January 23rd, 2012 11:06pm
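The diskpart procedure in the reply above, as an added example rather than the reply's own text. One caveat matters for a suspected boot-sector infection: on an MBR disk, `clean` only overwrites the partitioning information (the MBR and hidden sectors), whereas `clean all` writes zeros to every sector of the disk. The script wraps the same steps with `clean all` and then reads sector 0 back to confirm nothing of the old boot code survived. It assumes PowerShell is available (the installed OS with the suspect disk attached as a second drive, or a WinPE that includes PowerShell; the Windows 7 DVD prompt in the reply does not have it, but the diskpart script text can be saved to a file and run there with `diskpart /s`). Disk 0 is the reply's assumption; the file name and the delay are this example's own.

```powershell
# Added example, not the reply's own commands. Zeroes EVERY sector of the
# chosen disk, so check "list disk" in diskpart first and be sure of the number.
param([int]$DiskNumber = 0)   # assumption: single disk, as in the reply

# diskpart script; "clean all" zeroes the whole disk, "clean" would only
# overwrite the partition table / MBR area.
$diskpartScript = @"
select disk $DiskNumber
detail disk
clean all
exit
"@
$scriptPath = Join-Path $env:TEMP "wipe-disk-$DiskNumber.txt"   # hypothetical file name
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII

Write-Host "Zeroing EVERY sector of disk $DiskNumber in 15 seconds; press Ctrl+C to abort."
Start-Sleep -Seconds 15
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

function Test-SectorZeroWiped {
    param([string]$Device)
    # Reads sector 0 raw; after "clean all" it must contain no non-zero byte,
    # in particular no 55 AA boot marker and no boot code.
    $fs = New-Object System.IO.FileStream($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read)
    try { $buf = New-Object byte[] 512; [void]$fs.Read($buf, 0, 512) } finally { $fs.Close() }
    return (@($buf | Where-Object { $_ -ne 0 }).Count -eq 0)
}

if (Test-SectorZeroWiped "\\.\PhysicalDrive$DiskNumber") {
    Write-Host "Sector 0 of disk $DiskNumber reads back as all zeros; install as normal."
} else {
    throw "Sector 0 of disk $DiskNumber still holds data; the disk was not wiped."
}
```

`clean all` takes hours on a large 2012-era drive, which is the price of not leaving the rest of the disk as it was. If the wipe succeeds but the symptoms return on a freshly installed system with nothing else attached, the disk is no longer the most likely place to look.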
Hi,
Please boot in Safe Mode, end the processes which occupy the CPU and memory from Task Manager. Then use the antivirus program or removal tool to scan for viruses. You can transfer the program or tool via flash drive.
Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/en-us/default.aspx
If the viruses cannot be removed completely, I suggest contacting PCSafety support for help.
For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
Niki Han
TechNet Community Support
January 25th, 2012 5:36am
Hi,
Please boot in Safe Mode, end the processes which occupy the CPU and memory from Task Manager. Then use the antivirus program or removal tool to scan for viruses.
You can transfer the program or tool via flash drive.
Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/en-us/default.aspx
For information about Security updates, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates.
Niki Han
TechNet Community Support
January 25th, 2012 5:36am