Help, Will DOS Solve My Problem, And How?

Discussion in 'Software' started by yosemitest, Feb 22, 2010.

  1. yosemitest

    yosemitest Private E-2

    I'm new, so please forgive my lack of knowledge.

    From a previous thread (my first) http://forums.majorgeeks.com/showthread.php?t=209509&page=2 I asked for help, getting rid of a suspected virus or hi-jack.

There are files reported as "Invisible to the Windows API!" about a third of the way down the "RootRepeal Log", that I want to get rid of, and block the source that put them on my computer.

    How can I do this?

    Attached: my RootRepeal Log
     
  2. yosemitest

    yosemitest Private E-2

    Here's the attached RootRepeal Log.
     


  3. brandypeppy

    brandypeppy MajorGeek

    Not sure what your question is. If you followed the Read and Run Me First in the malware section, you will have downloaded cCleaner. Running that will get rid of temp and other unnecessary files. I run it daily.

    Does that solve your issue?:wave
     
  4. yosemitest

    yosemitest Private E-2


    I have files reported on my external drive that Windows XP SP2 cannot see.
I want to delete them, and block them from coming back.

    Will DOS commands allow me to view, delete and block these unwanted files?

    I have read and run the malware section, (see my first post to this thread with the link). If Windows cannot see these files, windows can't delete or block them.
     
  5. brandypeppy

    brandypeppy MajorGeek

    Okay, I see all those files on it.

    If in Explorer, you right click on it, drive E, then open, then go to Tools, folder options, view, then select to show hidden files and show system files. Can you see them now?

    You can also format the drive when you right click on E. That would also get rid of those files.
     
  6. satrow

    satrow Major Geek Extraordinaire

    Could you tell us the make and model of your "E" drive (if it isn't just another partition on your main hard drive)?

    Is it internal or an external box, if it's external, did it come with any software ready loaded?

    Can you post an up to date RR log for us please?
     
  7. yosemitest

    yosemitest Private E-2

    Clicking on tools and changing the view DIDN'T make those files visible.

    I don't know how to make the y symbol with the two dots over it. It's probably in the alternate keyboards. I think that DOS commands will allow me to view those directories or files, but I'd have to buy a book on DOS and learn how to use it.

That external drive is my backup drive with my Norton Ghost 12 program, and I really don't want to re-format it. Too, I'm concerned that those files are on a hidden partition.

    I'm really concerned and scared that I can't get rid of them without wiping out my backup.
     
  8. yosemitest

    yosemitest Private E-2

  9. yosemitest

    yosemitest Private E-2

    The Western Digital software was preloaded.
     
  10. yosemitest

    yosemitest Private E-2

    Here's the up to date RootRepeal Log.
     


  11. yosemitest

    yosemitest Private E-2

  12. yosemitest

    yosemitest Private E-2

  13. Tux_Rules

    Tux_Rules Corporal

My first guess is malware is still present, as evidenced by the MBR Rootkit entry:

It would explain why you are not able to see files, as all the info on the disc is basically contained in the MBR on the E:\ drive (all the index pointers). My first try would be to try and replace the MBR with a good one:

    http://technet.microsoft.com/en-us/library/bb457122.aspx#EFAA
    http://technet.microsoft.com/en-us/library/bb457122.aspx#EEAA

    http://www.prevx.com/blog/84/MBR-Rootkit-new-tricks-added.html
    http://www.f-secure.com/weblog/archives/00001393.html
     
  14. yosemitest

    yosemitest Private E-2

    Thanks. I'm going to have to read this and get some rest. I'll go through this tomorrow.
     
  15. yosemitest

    yosemitest Private E-2


    I just don't know how to do that. I think I have a lot to learn.:-o
     
  16. satrow

    satrow Major Geek Extraordinaire

    It could be malware but I'm wondering if there's any encryption involved here ... ?
    If this is correct then resetting the MBR may cause all data to be lost?

    Does anyone know how the WD Sync or Smartware works?
     
  17. yosemitest

    yosemitest Private E-2

Online Armor++ AV scan found today the following infected file, that wasn't found in yesterday's scan.

    Status: Ask
    File Name: C:|\WINDOWS\$NtUinstallKB826939$\hh.exe
    Detection: Infected
    Infection: Trojan.Win32.Genome.ctto!A2

Should I try to find an uninfected copy of this file at the Microsoft Windows Online Site, and paste it over the one that's infected?

    Or should I just delete the infected file?
    That's the only choice that Online Armor++ gives me.
     
  18. yosemitest

    yosemitest Private E-2

    Under "E" Drive "Properties", if I run "Tools","Error Checking" and "Defragment Now", will that help?
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    @Tux_Rules: external drives will always come up with false positive of an MBR infection.
     
  20. satrow

    satrow Major Geek Extraordinaire

    Judging by the file location, I'm guessing that is likely to be a false positive; can you upload that hh.exe to www.virustotal.com to examine and give us a link to the results page please? NB., if you see a popup saying that the file has been tested before, opt to rescan the file please.
    Error checking may help but if encryption is involved and there is a disk error, you may make things worse not better.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would be very leery about removing some of those files. Some are files needed to run your external drive. But if you are just wanting to know, then here is the procedure:

     
  22. yosemitest

    yosemitest Private E-2

    Here is the RootRepeal File Log I had to "Force Delete", since "Wipe" Option wasn't allowed.

I don't understand. I couldn't insert any drivers to that link.

    I disconnected the external "E" drive. Then right after I "Force Deleted" those files in Safe Mode, I hit the power button to do a shut down and then turned it back on.

    Should I run RootRepeal again?:confused
     


  23. yosemitest

    yosemitest Private E-2


I tried to upload the file both in "Normal Mode" and in "Safe Mode", but even as the Administrator in Safe mode, the computer told me that I was NOT ALLOWED ACCESS to do that.

    What do I do?
     
  24. satrow

    satrow Major Geek Extraordinaire

    Hmm, OA is locking it, try to allow access to it using the Online Armor software, just restoring it from the Quarantine might work.

If that failed, I'd turn off all of the Online Armor software temporarily using MSconfig, reboot and try the upload again. If it works, copy the resulting page URL to a .txt file on your Desktop, close your browser, re-enable OA and reboot normally, then upload the link back here for confirmation (or not) of infection.
     
  25. yosemitest

    yosemitest Private E-2

  26. yosemitest

    yosemitest Private E-2

    The link didn't work, but here's what it said.

     
  27. satrow

    satrow Major Geek Extraordinaire

    Ok, as it's a backup of a previously installed Windows Update, it should be safe to ignore it - I regularly delete those $UpdateBackups anyway ;).

    Does Ghost still see your backup ok on the external drive?
     
  28. yosemitest

    yosemitest Private E-2

I reran RootRepeal again and here's the log. Here's the content.


    Should I try to unlock the "hiberfil.sys" file?
    Or should I just leave it alone?
     


  29. yosemitest

    yosemitest Private E-2

    Norton Ghost 12.0 sees the Recovery Point Sets under "Manage Backup Destination" Option, after I plugged "E" drive back into the USB port.
     
  30. yosemitest

    yosemitest Private E-2

    Here is the latest RootRepeal Log.

    Can I "Force Delete" the folder
    in the RootRepeal Files?

    Do you think that action would rid "E" Drive of these problems?:confused
     


  31. satrow

    satrow Major Geek Extraordinaire

    Hiberfile.sys, you can remove that simply by telling Windows not to use Hibernation (usually Display properties > Power), set it off, reboot and no hiberfil.sys until you re-enable Hibernation, when it will be created as an empty file ready for the contents of your RAM to be dumped there when you next choose to hibernate the PC.
     
  32. yosemitest

    yosemitest Private E-2

  33. satrow

    satrow Major Geek Extraordinaire

These "problems" may be the result of the inbuilt software; mounting a virtual CD on connection allows Explorer to "see" the files contained in the (encrypted?) backup. RR scans the drive, sees the backup and other "real" files, then checks with Explorer and finds it reporting virtual files.

    Spend some time looking over the WD site for how their software works, try here for some info and here for some interesting comments.

    I wouldn't delete anything until I'd copied my backup to a safe place and tested my disaster recovery plans first.
     
  34. Tux_Rules

    Tux_Rules Corporal

    Just curious as to why that would be??
     
  35. yosemitest

    yosemitest Private E-2

    I tried to "Force Delete" the folder, and it locked up.
    I tried to "Force Delete" it again, and it disappeared, but came back as "E:\ÿÿ" folder.
    I wiped that folder out and it disappeared.
    I rebooted and the original "E:\ÿÿÿÿMy.***" folder came back.

    I suspect the

I don't know how to solve this problem without reformatting the whole "E" drive.
    If I reformat "E" drive, I might not be able to use it since the WD software is on it.

    I am currently doing a Disk Defragmentation of that drive after I Error-Checked it and found no errors.

    I still feel instinctively that, if I knew how to use DOS I could get rid of this folder and solve the sector mismatch. But I don't know DOS and I might be wrong.

    What to do ... what to do...?:confused
     
  36. yosemitest

    yosemitest Private E-2

  37. yosemitest

    yosemitest Private E-2

    I Defragmented my external drive in "Safe Mode with Networking" and then ran RootRepeal again.

    Here is that log.
    Should I try to "WIPE" or "Force Delete" these problems in Safe Mode?
My instincts tell me that the "Bm" folder might stand for Bootmaster.:confused
     


  38. satrow

    satrow Major Geek Extraordinaire

Your "problems" look like they are an expected effect of the software installed on the external drive; there is no sign of any infection.
     
  39. yosemitest

    yosemitest Private E-2

    I need help. Something keeps changing my "Hosts" list, that I've deleted several times.
    It keeps unprotecting many profiles on "Spybot, Search and Destroy."

    I believe I have a "MBR Rootkit" and, from what I've read, DOS won't get rid of it.
     
  40. satrow

    satrow Major Geek Extraordinaire

    Zip and attach your hosts file, please.

    List ALL 'security' software installed.

    There's no evidence that you have any MBR or rootkit infection.
     
  41. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As stated earlier, any external drive or even a thumb drive, will show a false report of an MBR infection. Your external does not have that!! There is no MBR on the external drive, ergo the report.
     
  42. yosemitest

    yosemitest Private E-2

    Satrow,
    Sorry for the delay. I've lost internet service twice in 24 hours, due to something changing my IP address for internet service.

    Here are the requested files, first the "localhosts only" file, and then the one right after I made the change and rebooted that loaded all the "Global hosts" without my permission.

    In my "Spybot, Search and Destroy", I can "Immunize" my computer, and then run "check again", and I get 13124 unprotected hosts.

May I refer you to some information that "Online Armor++" just e-mailed me to check out.

    Check out
    at http://www.rootkit.com/newsread.php?newsid=902.

    Their link took me to "RapidShare.com" and I don't know anything about them at http://rapidshare.com/files/136965760/RkU3.8.341.552.rar.html. I'll probably download their free version, a one month trial, after I think about it.

I called a local computer specialist company, and they said they were experiencing a lot of virus problems and were familiar with MBR Rootkit problems, and offered a "cleaning" for $75.00 to $100.00.

As ATT was helping me get back online, they said that most of the MBR Rootkit problems they had seen were requiring a complete re-load of data from the original factory disk to solve.

My Norton Ghost backups are on my external hard drive, and RootRepeal is detecting a MBR Rootkit and files and folders Windows cannot see, also attached.

    P.S. HELP! I don't know HOW to ZIP a file?:confused
     
  43. satrow

    satrow Major Geek Extraordinaire

    RootRepeal is NOT detecting any rootkit or MBR problem, it's detecting the software methods used by the built-in WD application that mounts your data as a virtual CD/DVD drive. Virtual file = seen by Windows API but not on disk ...

    Hosts file, right click it and choose the Send to > compressed (zip) folder option.
     
  44. yosemitest

    yosemitest Private E-2

    TimW,
I think I understand how a self-loading folder to operate the external drive would have a Master Boot Record (MBR) Rootkit.

    But a MBR rootkit that generates folders named "Bm" and "ÿÿÿÿMy.*ss" with encrypted file names, I just don't trust. Especially when I read

    Don't you see the problem?
     
  45. yosemitest

    yosemitest Private E-2

Here are the zipped files using WinZip (Evaluation Version).:confused
     


  46. satrow

    satrow Major Geek Extraordinaire

    RootRepeal and other anti-rootkit logs have no bearing on this, read the earlier posts.

    These are not the full contents of any hosts file that I recall from any Windows PC, the tail end of, yes - please attach the correct file.

Reread earlier posts; I'd like full details of ALL security software installed on your PC, now and historically, to ascertain why the hosts file appears to be reset on reboot or changes to it are denied.
     
  47. yosemitest

    yosemitest Private E-2

    I'm sorry if I gave you the wrong files.
Here's the current "Hosts" file. I renamed the file after I pasted it to Notepad from "C:\WINDOWS\system32\drivers\etc". I can use "Hostman" and delete all and then add just one localhost, but these hosts keep reappearing.

    My current security software is "Online Armor++".
    I also have "SUPERAntiSpyware Free Edition" and "Malwarebytes' Anti-Malware"

    Before the problem was noticed, in December I was using "SpyWare Terminator" with a "real time" firewall. I was also using the paid version of "Advanced SystemCare Pro 3.5.0" until it expired, and I couldn't afford to renew it until after Feb 1st. Other programs I filtered my computer with were "SpywareBlaster" and "Spybot, Search and Destroy". I sometimes used "CC Cleaner". I have "All In One Cleaner" loaded on my computer, but I don't use it.
     


  48. yosemitest

    yosemitest Private E-2

    Do you have any recommendations for a free "file zip and decompression program"?
     
  49. yosemitest

    yosemitest Private E-2

  50. yosemitest

    yosemitest Private E-2

    Here's the current Microsoft Windows program to fight rootkits.
    Microsoft® Windows® Malicious Software Removal Tool (KB890830)

     
