• 0

New HP laptop with infected Svchost file..


Question

A friend of mine brought over his new HP laptop and wanted me to fix his virus issue. So after a few attempts, with different programs finding more and more crap even after it had all been removed, I decided to just run the pre-install image and restore the machine. He didn't have anything on it anyway.

So I did that, loaded up AVG, and left it doing Windows updates on my bench. When I came back in to look at it the thing was already infected.

AVG as well as Microsoft's own utility found infections. Nothing else is installed other than Firefox.

[screenshots: 4.jpg, hpimagevirus2.jpg]

I am redoing it all just to make sure. But what gives? What do you all make of that?

And check out some of the file names in this screen capture.

[screenshot: hpimagevirus.jpg]


  • 0

The ISOs that I linked to above will allow for a full wipe and reinstall.

I don't think anyone disagreed with you in the past few posts. That's a great link but IMO a waste of time when a simple one-minute scan would suffice.


  • 0

Put it in a sandbox or into a Linux or Mac box and do a low-level format and/or zero-write. Probably something in the boot sector or partition table. BIOS viruses, while rare, are also a possibility. Try updating the BIOS from USB/FDD. Might lose the recovery partition... oh well.


  • 0

Put it in a sandbox or into a Linux or Mac box and do a low-level format and/or zero-write. Probably something in the boot sector or partition table. BIOS viruses, while rare, are also a possibility. Try updating the BIOS from USB/FDD. Might lose the recovery partition... oh well.

Sounds quite a bit like the recovery partition isn't worth a whole lot anyway... If the boot sector is burned, the recovery partition most likely is also.


  • 0

I am clearly capable of wiping the drives and installing Windows 7 from scratch, but I did want to avoid that if at all possible.

The computer is still under warranty from where they bought it. They want to charge them $200 just to look at it and told them it would take several weeks to get it back. I will try the scan posted above and if that doesn't do it I will redo the entire thing from scratch with my Windows 7 disc.

Thanks for the advice, guys.


  • 0

Even though your USB stick showed up clean, I would HIGHLY recommend you buy yourself a USB stick with a write-protection switch and have that stick set to read-only when it is inserted into any machine other than your own.

As far as reformatting goes, the computer will run so much better on a clean install minus all the crapware. If you are reinstalling from a regular Windows 7 disc I would recommend removing all partitions from the drive, even the recovery partition.


  • 0

Right now I have the ESET online scanner running and it is finding something. But, like AVG, it continues to find stuff, and I don't know if it will remove it for good or not. This is definitely coming from the HP restore partition. I have never had this happen before. When I confronted the owner with the possibility of their worthless extended warranty being voided if I really format the drive and install Win7 for real, they didn't want that to happen.

SO.. they will be coming to pick it up the way it is this evening. She needs it for her school assignment and then she will have it done correctly later. This is all for a family friend so I am not charging them anything for the work.

If it were mine I would have erased it out of the box and installed it the correct way from day 1.

If this ESET finishes quickly enough I will run the anti-rootkit utility TDSSKiller as well. Or maybe I'll stop this and run that anyway.. It doesn't really matter anymore.


  • 0

I ran TDSSKiller and it found a couple of things. I rebooted, ran it twice more, and now it does not find anything.

Now I am running ESET again just for kicks.

Malwarebytes and Spybot are also on the machine and have been run. If I have time before it gets picked up I will run them as well.

We will see what happens..


  • 0

This thing is hopeless..

So far ESET has found 16 threats and it is at 46%, and this is after running TDSSKiller twice and rebooting. And it is on a clean network. That much I know for sure.

win64/Olmarik.X trojan

win64/Olmarik.X trojan AWO trojan

win64/Olmarik.X trojan AF trojan

win32 rootkit.kryptik.kb.trojan

and many more like this, and still going.


  • 0

Hello,

Winxx/Olmarik is ESET's name for a rootkit known variously as Alureon, TDL3, TDL4, TDSS and so forth. ESET has a standalone remover for it that you can download from this page on their knowledgebase web site: ESET KB #2372: Stand-alone malware removal tools. Their tech support should be able to help you with removing the rootkit. You can give them a call toll-free at +1 (866) 343-3738.

Regards,

Aryeh Goretsky

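The earlier suggestion that the infection sits in the boot sector or partition table, and the identification above of Olmarik as the Alureon/TDL family, both point at the MBR as the thing to inspect after each cleanup attempt. The following is an added example, not code from this thread or from ESET: a small Python check that parses a captured 512-byte MBR, compares its boot code against a SHA-256 taken from a known-clean image, and sanity-checks the partition entries. The partition layout, disk size and boot-code bytes are constructed for the example.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446                 # x86 boot code precedes the 4 x 16-byte partition table
ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, four partition entries and the signature."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "count": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts, "signature": sector[510:512]}


def audit_mbr(sector: bytes, baseline_sha256: str, disk_sectors: int) -> list:
    """Compare a captured MBR against a known-good boot-code hash and sanity-check the table."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")   # the bytes a bootkit replaces
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] == 0:
            continue                                          # empty slot
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["lba"] + p["count"] > disk_sectors:
            findings.append(f"entry {i}: extends past end of disk")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    # Assemble a test MBR; the layout is constructed for this example, not read from a real disk.
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba, count in entries:
        sector += struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector += b"\x00" * (16 * (4 - len(entries))) + b"\x55\xaa"
    return bytes(sector)


# Constructed layout: an OS partition plus a vendor recovery partition on a 500M-sector disk.
LAYOUT = [(0x80, 0x07, 2048, 400_000_000), (0x00, 0x07, 400_002_048, 30_000_000)]
DISK_SECTORS = 500_000_000
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0" + b"\x90" * 8, LAYOUT)       # placeholder boot code
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Same disk after the boot code is replaced and an entry pointing past the disk end is added.
TAMPERED_MBR = build_mbr(b"\xcc" * 12, LAYOUT + [(0x00, 0x17, 499_000_000, 5_000_000)])
```

On the Linux box suggested earlier, the real sector can be captured with `dd if=/dev/sdX bs=512 count=1 of=mbr.bin` and fed to `audit_mbr`, with the baseline hash taken from a known-clean image of the same laptop model.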

  • 0

Ugh. Alureon. That's the worst of the worst right there. That puts the owner in a difficult bind.


  • 0

Second, if you connect to the internet you can get instantly infected by simply going to a site that has been hacked or a site that has malicious code. It takes all of 15 seconds to get infected.

With some viruses like Blaster, Sasser and MyDoom, there is no need to access a website to get infected. As soon as the internet is accessed, they get into a computer in about 15 s. Then they display a message saying they are going to shut down the computer. Before you can download a virus scanner the computer is off. They appear to search IP numbers to find an unprotected computer. Installing XP SP3, for example, appears to stop them until Windows Update can be run.

I ran TDSS Killer and found Rootkit.Boot.Sinowal.b

Time to reboot.


  • 0

Tell them to buy an external hard drive and image the hard drive in its original factory state, partitions and all. Then format the bitch and reinstall Windows. Then if it has to get returned, pull the drive, back up the data, put the original partition back and send it in. :)


  • 0

With some viruses like Blaster, Sasser and MyDoom, there is no need to access a website to get infected. As soon as the internet is accessed, they get into a computer in about 15 s. Then they display a message saying they are going to shut down the computer. Before you can download a virus scanner the computer is off. They appear to search IP numbers to find an unprotected computer. Installing XP SP3, for example, appears to stop them until Windows Update can be run.

I ran TDSS Killer and found Rootkit.Boot.Sinowal.b

Time to reboot.

Correct, however when is it common to hook directly to the internet? In most cases people are behind a NAT router, which will block that from occurring.

There are other rootkit tools as well.

http://www.sophos.co...ti-rootkit.aspx

GMER (which is part of what is in ComboFix and the only anti-rootkit in ComboFix)

http://www.gmer.net/

If you think you are good you can try DDS and OTL and see if you can find anything in the log files yourself.

http://download.blee...om/sUBs/dds.scr

http://www.geekstogo...timers-list-it/ (download and run the quick scan)


  • 0

Dude, honestly I pointed this out many posts ago but your ego is getting in the way. For someone who has 20 years' exp., please just format the drive and freaking reinstall Windows. Either use a Windows 7 ISO or create the recovery media, nuke the drive completely and reinstall using discs.


  • 0

Use the MVPS hosts file before you do anything online; it blocks tons of malicious sites at a stronger level than ABP.


  • 0

I did what I could, running the various tools I already had and some of what y'all suggested. It remained the same. If it were mine, as I said, I would have just formatted it in the first place and installed my own copy of 7.

The owner had a school thing to finish and then was going to send it in to have her extended warranty deal with it. I'm sure I will see it again when she gets it back and it's still infected.

Thanks for the suggestions.


This topic is now closed to further replies.