Page 1 of 3
#110661 04/05/11 03:07 AM
Off-Topic
OP
a little off topic I know, but we're talking about my music studio PC so I hope that covers me.

My desktop PC appears to be infected with some form of rootkit virus.
System:
OS: Windows XP SP3
Protection: BitDefender IS 2009

Symptoms:
- frequent redirects to highly suspicious looking web sites (not only from Google searches but also from Bing and Yahoo searches)
- Google Chrome browser: all pages unresponsive, including settings
- application tdsskiller.exe (widely recommended as a tool for removing rootkits) does not run

Solutions attempted so far
- scans in normal and safe mode using Spyware Doctor, Malwarebytes, Spybot S&D, Emsisoft

Having considered my options, they seem to boil down to the following:
1 Opt straight away for a clean Windows installation

2 Attempt to rid myself of the virus (by using one of the log-posting fora where 'approved' moderators offer assistance)

3 Mount an image backup I made a few months ago using Macrium Reflect (although I have made regular image backups, I have never attempted to mount one)

My data is backed up on an external HD.

I’d be particularly grateful for the thoughts of highly experienced Windows users/installers and, of course, IT professionals.

Thanks,

Marc

mglinert #110662 04/05/11 05:51 AM
G'day Marc,
try this root kit killer from Sophos. My staff have had good success with it and it's free:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Another thing we regularly do is mount the drive in a clean machine and scan from there. Finally, there are quite a number of linux Live CD's that have AV software specifically for cleaning up infected PC's.

Last edited by Lawrie; 04/05/11 05:53 AM.

--=-- My credo: If it's worth doing, it's worth overdoing - just ask my missus, she'll tell ya laugh --=--
You're only paranoid if you're wrong!
Lawrie #110663 04/05/11 06:11 AM
As far as I'm concerned the only way is via a Linux live CD or mount the drive elsewhere as Lawrie says. Anything else is a crap shoot. You can reformat of course. It's a good chance to get a nice fresh install.


John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php

OP
Many thanks for that Lawrie and John.
Will try Sophos.
I know nothing whatsoever about Linux. Would you have any specific recommendations as to which CD to use?

On the same issue, is it normal to have iexplore.exe running (I have two instances of it in Task Manager) if there is no active Internet Explorer session?

mglinert #110665 04/05/11 09:17 AM
In Win 7, Task manager shows 2 instances of IE running when it is open. Previous Windows versions showed one listing.

If IE is closed, you should not see those in Task Manager.


Make your sound your own!
.. I do not work here, but the benefits are still awesome
mglinert #110666 04/05/11 09:46 AM
Marc, you may want to try Security Tango. It solved my issues in Win XP.

forgot to include link: http://securitytango.com/

MarioD suggested this to me and it got my bacon out of the fire more than once. It is time-consuming and must be followed exactly, but it beats re-formatting your hard drive.

Last edited by Don Gaynor; 04/05/11 09:57 AM.
mglinert #110667 04/05/11 10:10 AM
If you have no previous experience with Linux and a live CD, think it over carefully. Success requires that you understand the fundamentals of your specific Windows release, plus a working knowledge of Linux and Live CDs - for instance, how to do an md5sum integrity confirmation of your download.

Another option (and I would only recommend this to someone who does not intend to learn open-source software tools) - AVG and some open-source developers have come up with this; basically a "live CD for dummies"...
http://www.avg.com/us-en/avg-rescue-cd

I use software that is pure open-source Linux, so have no experience with this tool, but it should be the most accessible solution to your problems. If you need assistance with deploying it, send me a PM.


just looking for clues...
Oren.
http://www.masteringmatters.com
You can also DL the Kaspersky tool that is Linux based, so when you deploy it Windows doesn't start. Real easy. Don't need any Linux experience at all. Kaspersky Rescue Disc

Last edited by silvertones; 04/05/11 10:51 AM.

John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php
So you understand, a lot of the difficulty with these infections is the fact that the infected program runs at startup in Windows. This makes it difficult for some antivirus programs to fix. If the program is already running, it is difficult to get a hold of, and then many, when told to close, will clone themselves to start again on startup, so even what appears to be a successful removal really wasn't.

That's the idea of starting in safe mode; so fewer things start up and there is a better chance of getting truly cleaned.

By using a Linux CD, windows does not boot at all, so the files are much easier to remove because the program is not running, and windows commands, such as cloning itself when closed or deleted, will often not work in the Linux environment (unless the coder specifically thought of that, which is unlikely since it would clash with windows when running).
The Live CD's are not too difficult to grasp, as they act like windows for the most part, unless you start looking for specific files, then the file system is different.
John's suggested Kaspersky version may be a good one for you to start with, since it is designed for this purpose, and has a nice selection of instructions right there on the download page. I strongly suggest reading that, as there is a slight chance of file system corruption if not started correctly. (If Kaspersky asks to restart or continue, select restart for safer operation.)

Last edited by rharv; 04/05/11 12:41 PM.

Make your sound your own!
.. I do not work here, but the benefits are still awesome
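The offline approach Lawrie and rharv describe above (mount the drive in a clean machine, or boot a Linux live CD so Windows and whatever it starts never run) is the point at which the infected files become ordinary files. The script below is an added example and is not code from the thread, from Sophos, Kaspersky or any other tool named in it. It assumes GNU findutils/coreutils as found on typical Linux live CDs, the Windows XP directory layout (WINDOWS\system32\drivers, Documents and Settings\<user>\Local Settings\Temp), and that the NTFS volume has been mounted read-only; the mount point /mnt/win, the device /dev/sda1 and the demo file tree are assumptions constructed for the example.

```bash
#!/bin/bash
# Added example, not code from the thread or from any tool named in it.
# Offline triage of a Windows XP volume from a Linux live CD or a clean
# machine: the infected system is never booted, so nothing on it can hide,
# respawn or block the scanner. Assumes GNU findutils/coreutils and that the
# NTFS volume is mounted read-only, e.g. (assumed device and mount point):
#     mkdir -p /mnt/win && mount -t ntfs-3g -o ro /dev/sda1 /mnt/win

# recent_drivers ROOT DAYS
# Print SHA-256 and path of every *.sys under ROOT/WINDOWS/system32/drivers
# modified within the last DAYS days. A fresh timestamp on a driver you did
# not update yourself is worth checking against a known-good copy.
recent_drivers() {
    local root="$1" days="$2" dir
    dir="$root/WINDOWS/system32/drivers"
    [ -d "$dir" ] || { echo "recent_drivers: no driver directory under $root" >&2; return 2; }
    find "$dir" -type f -iname '*.sys' -mtime "-$days" -exec sha256sum {} +
}

# temp_executables ROOT
# List executables sitting in Temp directories (the system one and each
# user's Local Settings\Temp) with mtime and size. Scanners commonly flag
# hidden files here; from the live CD they are plain files you can copy off
# for analysis or delete.
temp_executables() {
    local root="$1" d
    for d in "$root/WINDOWS/Temp" "$root/Documents and Settings"; do
        [ -d "$d" ] || continue
        find "$d" -type f -ipath '*/temp/*' \
            \( -iname '*.exe' -o -iname '*.dll' -o -iname '*.sys' -o -iname '*.scr' \) \
            -printf '%TY-%Tm-%Td %TH:%TM %9s %p\n'
    done
}

# make_demo_tree
# Constructed stand-in for a mounted XP volume so the functions above can be
# exercised without a real disk: one old driver, one freshly dropped driver,
# two executables in Temp directories and one harmless text file. Prints the
# root path; the caller removes it.
make_demo_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/WINDOWS/system32/drivers" "$root/WINDOWS/Temp" \
             "$root/Documents and Settings/user/Local Settings/Temp"
    printf 'legit driver' > "$root/WINDOWS/system32/drivers/atapi.sys"
    touch -t 200901010000 "$root/WINDOWS/system32/drivers/atapi.sys"
    printf 'dropped driver' > "$root/WINDOWS/system32/drivers/dropped.sys"
    printf 'dropper' > "$root/WINDOWS/Temp/setup.exe"
    printf 'dropper' > "$root/Documents and Settings/user/Local Settings/Temp/svc.dll"
    printf 'not an executable' > "$root/WINDOWS/Temp/readme.txt"
    echo "$root"
}

# Run against a real mount if WINROOT is set, otherwise against the demo tree.
if [ -n "${WINROOT:-}" ]; then
    echo "== drivers modified in the last 30 days under $WINROOT"
    recent_drivers "$WINROOT" 30
    echo "== executables in Temp directories"
    temp_executables "$WINROOT"
else
    demo=$(make_demo_tree)
    echo "== demo: drivers modified in the last 7 days"
    recent_drivers "$demo" 7      # lists dropped.sys only
    echo "== demo: executables in Temp directories"
    temp_executables "$demo"      # lists setup.exe and svc.dll, not readme.txt
    rm -rf "$demo"
fi
```

Usage from a live CD after mounting the disk read-only: WINROOT=/mnt/win bash triage.sh. The read-only mount matters twice over: it keeps you from altering evidence before you have decided what to do, and it avoids the NTFS write issues rharv warns about when the volume was not shut down cleanly.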
rharv #110670 04/06/11 02:23 AM
Quote:

In Win 7, Task Manager shows 2 instances of IE running when it is open. Previous Windows versions showed one listing.

If IE is closed, you should not see those in Task Manager.

Thanks for this Bob. One small point is that I believe the difference (one or two instances of iexplore.exe running) is due to the version of IE and not to the change in OS.


OP
Quote:

Marc, you may want to try Security Tango. It solved my issues in Win XP.

Many thanks Don.
I would just question the recommendation to disable Windows Restore.

This may be sound advice, but if I had taken it I would still be looking at the rogue malware 'WindowsRepair' which confronted me at the beginning of this infection.

By using System restore, I was at least able to get back to a point where I could use the PC.

Lawrie #110672 04/06/11 03:03 AM
Quote:

G'day Marc,
try this root kit killer from Sophos. My staff have had good success with it and it's free:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

G'day Lawrie,
Many thanks for your post.

I downloaded and ran Sophos yesterday.
In normal mode:
- the tool found 6 or 7 hidden files (most in temp folders) but did not recommend cleaning them

[“Files tagged as Removable: Yes (but clean up not recommended for this file)”]

I followed this advice and then scanned in safe mode.
This was more interesting.
First of all, a warning and yellow triangle informing me :
Error: Could not initialize kernel driver memsweep.sys.
The tool did however continue with its scan!

In addition to the hidden files it found in normal mode, it also returned a number of locked registry keys which it could not remove.

This time I cleaned up the files tagged as Removable and rebooted to normal mode.

For some reason, I did not get the promised log:
“Once you have restarted your computer, a dialog box displays the files you selected for removal and the action taken.”

No time then to properly test the effects of this operation, but I did note that:
- apparently the unexplained instances of iexplore.exe when IE is closed are not starting up
- there were no web site redirects (but I only tried one or two searches, all using the Opera/Google combination)
- the strongly recommended Kaspersky rootkit removal app. which could not be executed (tdsskiller.exe) would still not run, even if renamed and with BitDefender AV disabled.

mglinert #110673 04/06/11 04:30 AM
G'day Marc,
sounds like a good start. I find it a little disturbing that the log did not show up AND that the Kaspersky app still would not run.

The locked registry keys may be of concern depending on what they are. If you noted them it would be worth looking into them, if you did not, a re-run of the rootkit killer is in order as it will probably find them again...


--=-- My credo: If it's worth doing, it's worth overdoing - just ask my missus, she'll tell ya laugh --=--
You're only paranoid if you're wrong!
Lawrie #110674 04/06/11 04:45 AM
Marc,
Did you DL and run the Kaspersky Rescue Disc? You're not going to get this thing with Windows running. If you do, I wouldn't be confident. The only way is you've got to get it when Windows is down.


John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php

OP
Quote:

Marc,
Did you DL and run the Kaspersky Rescue Disc? You're not going to get this thing with Windows running. If you do, I wouldn't be confident. The only way is you've got to get it when Windows is down.

Not yet John. Thanks for the advice. The thing is I'm not confident at all using an alternative OS so my plan is to try everything possible in an environment I'm familiar with before I go to the live CD option.

I also have an image backup -made with Reflect- which I could attempt to mount.

Lawrie #110676 04/06/11 05:44 AM
Quote:

G'day Marc,
sounds like a good start. ...

Yes, Lawrie, we're not winning yet but we're probably not losing either.
Will have a good look this eve and note down those registry keys.

Assuming - and it is a big assumption - that the web site redirect problem and the unsolicited iexplore.exes no longer occur, it will be hard to know whether I still have the infection (or traces of it) or just a series of unrelated anomalies (all pages nonresponsive in Google Chrome, tdsskiller.exe failing to run...).

Anyway many thanks mate...

mglinert #110677 04/06/11 05:57 AM
I've never done it for a virus, but I've restored my disk from a Norton Ghost image when installing buggy try-out software, and it's easy and works like a charm.

If your imaging software makes a true disk image, I see it as the easy way to get rid of the malware.

Whichever way you choose, good luck!

Notes ♫


Bob "Notes" Norton smile Norton Music
https://www.nortonmusic.com

100% MIDI Super-Styles recorded by live, pro, studio musicians for a live groove
& Fake Disks for MIDI and/or RealTracks
Quote:

If your imaging software makes a true disk image, I see it as the easy way to get rid of the malware.

Agreed, Bob.

Macrium Reflect (by the way) is a first-rate imaging program, as good as any available. Like others, it will restore this machine's boot image in 18 minutes total. I used it yesterday solely to get rid of video drivers that did not work out. Nothing else is so certain, nor really any faster at getting back to Square One. This should not be a last resort.


Larry
______
mglinert #110679 04/06/11 08:08 AM
Quote:

Quote:

Marc,
Did you DL and run the Kaspersky Rescue Disc? You're not going to get this thing with Windows running. If you do, I wouldn't be confident. The only way is you've got to get it when Windows is down.

Not yet John. Thanks for the advice. The thing is I'm not confident at all using an alternative OS so my plan is to try everything possible in an environment I'm familiar with before I go to the live CD option.

I also have an image backup -made with Reflect- which I could attempt to mount.

Marc,
It's a specific tool and although it is Linux based you won't even know it. The instructions are very simple.
1.Just download the program
2. Burn an iso image to a CD
3. In the BIOS set the first boot device to CD
4. Insert the CD into the drive
5. Reboot the computer.
The computer will now boot with the Kaspersky CD and Windows will not load.
6. Follow the instructions on the screens.


John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php
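John's steps above, together with Oren's earlier point about doing an md5sum integrity confirmation of the download, as an added example that is not from the thread or from Kaspersky: check the rescue ISO against the checksum the vendor publishes next to the download, and only write it to the disc or USB stick if the hash matches. It assumes GNU coreutils (md5sum, sha256sum, dd) and wodim on the Linux host used for burning; the device paths /dev/sr0 and /dev/sdb, the file rescue.iso and the checksum files in the demo are constructed for the example.

```bash
#!/bin/bash
# Added example, not code from the thread or from Kaspersky. Verify a
# rescue-CD ISO against its published checksum before writing it, and refuse
# to write on mismatch: a corrupted or tampered image is the last thing you
# want to boot on a machine you are trying to clean. Assumes GNU coreutils
# (md5sum, sha256sum, dd) and wodim. Device paths, file names and hashes in
# the demo are constructed.

# verify_iso ISO CHECKSUM_FILE
# CHECKSUM_FILE holds "<hex>  <name>" lines as written by md5sum/sha256sum
# (a leading '*' before the name marks binary mode and is accepted). The
# algorithm is taken from the hash length: 32 hex chars = MD5, 64 = SHA-256.
# Returns 0 only when the file on disk hashes to the published value.
verify_iso() {
    local iso="$1" sums="$2" name expected tool actual
    [ -f "$iso" ] && [ -f "$sums" ] || { echo "verify_iso: missing file" >&2; return 2; }
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print tolower($1); exit }' "$sums")
    case "${#expected}" in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "verify_iso: no MD5/SHA-256 entry for $name in $sums" >&2; return 2 ;;
    esac
    actual=$("$tool" "$iso" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tool of $name matches $(basename "$sums")"
        return 0
    fi
    echo "MISMATCH: $name ($tool) expected $expected, got $actual; do not write this image" >&2
    return 1
}

# write_iso ISO CHECKSUM_FILE DEVICE
# Writes the image only after verify_iso succeeds. DEVICE is the optical
# drive (/dev/sr0, written with wodim) or the whole USB stick (/dev/sdb,
# not a partition, written with dd). Needs root; not run by the demo.
write_iso() {
    local iso="$1" sums="$2" dev="$3"
    verify_iso "$iso" "$sums" || return 1
    [ -b "$dev" ] || { echo "write_iso: $dev is not a block device" >&2; return 2; }
    case "$dev" in
        /dev/sr*) wodim -v dev="$dev" "$iso" ;;
        *)        dd if="$iso" of="$dev" bs=4M conv=fsync status=progress ;;
    esac
}

# make_demo
# Constructed download directory: a fake 64 KiB ISO plus the checksum files
# a vendor would publish for it, in both formats. Prints the directory.
make_demo() {
    local d
    d=$(mktemp -d)
    head -c 65536 /dev/urandom > "$d/rescue.iso"
    ( cd "$d" && sha256sum rescue.iso > rescue.iso.sha256 && md5sum rescue.iso > rescue.iso.md5 )
    echo "$d"
}

d=$(make_demo)
verify_iso "$d/rescue.iso" "$d/rescue.iso.sha256"   # OK
verify_iso "$d/rescue.iso" "$d/rescue.iso.md5"      # OK
printf 'x' >> "$d/rescue.iso"                       # simulate a truncated or tampered download
verify_iso "$d/rescue.iso" "$d/rescue.iso.sha256" || echo "refusing to write"
rm -rf "$d"
```

Real use is write_iso rescue.iso rescue.iso.sha256 /dev/sr0 as root, after which John's BIOS step (CD first in the boot order) applies unchanged. Prefer the SHA-256 value where the vendor publishes one; MD5 still catches a corrupted download, but it is no longer a defence against a deliberately substituted file.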
What I worry about is that most of these types of viruses do not go away with simple methods, and even restoring to an earlier point will many times not erase them. They are very elusive. I had this on a computer at work, and the tech at the shop that fixed it said sometimes even a reformat will not fix it, and that there are a couple of these that embed into the hard drive and a format goes around them, and they resurface when you least expect it. My last problem prompted me to go full Linux on my internet computer, due to it kept coming back, even after two formats and four different AV assaults.

Darned viruses they just suck the fun out of it sometimes!


Lenovo Win 10 16 gig ram, Mac mini with 16 gig of ram, BiaB 2022, Realband, Harrison Mixbus 32c version 9.1324, Melodyne 5 editor, Presonus Audiobox 1818VSL, Presonus control app, Komplete 49 key controller.