Expert (OP) | Joined: Jul 2007 | Posts: 996
a little off topic I know, but we're talking about my music studio PC so I hope that covers me.
My desktop PC appears to be infected with some form of rootkit virus.
System:
- OS: Windows XP SP3
- Protection: BitDefender IS 2009
Symptoms:
- frequent redirects to highly suspicious looking web sites (not only from Google searches but also from Bing and Yahoo searches)
- Google Chrome browser: all pages unresponsive, including settings
- application tdsskiller.exe (widely recommended as a tool for removing rootkits) does not run
Solutions attempted so far:
- scans in normal and safe mode using Spyware Doctor, Malware Bytes, Spybot S&D, Emsisoft
Having considered my options, they seem to boil down to the following:
1. Opt straight away for a clean Windows installation
2. Attempt to rid myself of the virus (by using one of the log-posting fora where 'approved' moderators offer assistance)
3. Mount an image backup I made a few months ago using Macrium Reflect (although I have made regular image backups, I have never attempted to mount one)
My data is backed up on an external HD.
I’d be particularly grateful for the thoughts of highly experienced Windows users/installers and, of course, IT professionals.
Thanks,
Marc
Expert | Joined: Dec 2007 | Posts: 1,439
G'day Marc, try this root kit killer from Sophos. My staff have had good success with it and it's free: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Another thing we regularly do is mount the drive in a clean machine and scan from there. Finally, there are quite a number of linux Live CD's that have AV software specifically for cleaning up infected PC's.
Last edited by Lawrie; 04/05/11 05:53 AM.
--=-- My credo: If it's worth doing, it's worth overdoing - just ask my missus, she'll tell ya --=-- You're only paranoid if you're wrong!
Veteran | Joined: May 2003 | Posts: 8,021
As far as I'm concerned the only way is via a Linux live CD or mount the drive elsewhere as Lawrie says. Anything else is a crap shoot. You can reformat of course. It's a good chance to get a nice fresh install.
Expert (OP) | Joined: Jul 2007 | Posts: 996
Many thanks for that Lawrie and John. Will try Sophos. I know nothing whatsoever about Linux. Would you have any specific recommendations as to which CD to use?
On the same issue, is it normal to have iexplore.exe running (I have two instances of it in Task Manager) if there is no active Internet Explorer session?
Veteran | Joined: May 2000 | Posts: 22,540
In Win 7, Task Manager shows 2 instances of IE running when it is open. Previous Windows versions showed one listing.
If IE is closed, you should not see those in Task Manager.
I do not work here, but the benefits are still awesome. Make your sound your own!
Veteran | Joined: Dec 2003 | Posts: 8,987
marc, you may want to try security tango. it solved my issues in win xp. forgot to include link: http://securitytango.com/
mariod suggested this to me and it got my bacon out of the fire more than once. it is time-consuming and must be followed exactly but it beats re-formatting your hard drive.
Last edited by Don Gaynor; 04/05/11 09:57 AM.
Expert | Joined: Jul 2006 | Posts: 1,126
If you have no previous experience with Linux and a live CD, think it over carefully. Success requires that you understand the fundamentals of your specific Windows release, plus a working knowledge of Linux and Live CDs - for instance, how to do an md5sum integrity confirmation of your download. Another option (and I would only recommend this to someone who does not intend to learn open-source software tools) - AVG and some open-source developers have come up with this; basically a "live CD for dummies"... - http://www.avg.com/us-en/avg-rescue-cd - I use software that is pure open-source Linux, so have no experience with this tool, but it should be the most accessible solution to your problems. If you need assistance with deploying it, send me a PM.
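The md5sum integrity check mentioned above, as an added Python example that is not part of this thread or of any tool named in it: it parses a checksum file in the md5sum/sha256sum output format, hashes the downloaded image in chunks, and compares digests in constant time. The file name rescue.iso, its contents and the checksum lines are constructed stand-ins; a real ISO and its published checksum would come from the vendor's download page.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm, covering md5sum, sha1sum and sha256sum output.
_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_file(text):
    """Parse lines of the form '<hexdigest>  <filename>' (or ' *<filename>' for -b mode)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a checksum line; ignore
        digest, name = parts
        name = name.lstrip("*")  # binary-mode marker emitted by md5sum -b
        algo = _ALGO_BY_LENGTH.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length for {name}: {len(digest)}")
        expected[name] = (algo, digest.lower())
    return expected


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-hundred-MB ISO is never read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """True only if the file's digest matches the checksum-file entry for its basename."""
    entries = parse_checksum_file(checksum_text)
    name = os.path.basename(path)
    if name not in entries:
        return False  # no published checksum for this file: treat as unverified
    algo, expected = entries[name]
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a stand-in 'rescue.iso' with a matching and a tampered checksum file."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "rescue.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n" * 1000)
        good = f"{file_digest(iso, 'sha256')}  rescue.iso\n"
        bad = "0" * 64 + "  rescue.iso\n"  # constructed mismatch, as a corrupted download would give
        return verify_download(iso, good), verify_download(iso, bad)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

To use it on a real download, call verify_download() with the path of the image and the checksum line copied from the vendor page; a False result means the image should be fetched again, not burned. The check proves only that the download matches what the vendor published, which is exactly what the md5sum step in the post above is for.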
Veteran | Joined: May 2003 | Posts: 8,021
You can also DL the Kaspersky tool that is Linux based so when you deploy it windows doesn't start. Real easy. Don't need any Linux experience at all. Kaspersky Rescue Disc
Last edited by silvertones; 04/05/11 10:51 AM.
Veteran | Joined: May 2000 | Posts: 22,540
So you understand, a lot of the difficulty with these infections is the fact that the infected program runs at startup in windows. This makes it difficult for some antivirus programs to fix. If the program is already running, it is difficult to get a hold of, and then many, when told to close, will clone themselves to start again on startup, so even what appears to be a successful removal really wasn't.
That's the idea of starting in safe mode; so fewer things start up and there is a better chance of getting truly cleaned.
By using a Linux CD, windows does not boot at all, so the files are much easier to remove because the program is not running, and windows commands, such as cloning itself when closed or deleted, will often not work in the Linux environment (unless the coder specifically thought of that, which is unlikely since it would clash with windows when running). The Live CD's are not too difficult to grasp, as they act like windows for the most part, unless you start looking for specific files, then the file system is different. John's suggested Kaspersky version may be a good one for you to start with, since it is designed for this purpose, and has a nice selection of instructions right there on the download page. I strongly suggest reading that, as there is a slight chance of file system corruption if not started correctly. (If Kaspersky asks to restart or continue, select restart for safer operation)
Last edited by rharv; 04/05/11 12:41 PM.
I do not work here, but the benefits are still awesome. Make your sound your own!
Expert (OP) | Joined: Jul 2007 | Posts: 996
Quote:
In Win 7, Task manager shows 2 instances of IE running when it is open. Previous Windows versions showed one listing.
If IE is closed, you should not see those in task manager..
Thanks for this Bob. One small point is that I believe the difference (one or two instances of iexplore.exe running) is due to the version of IE and not to the change in OS.
Expert (OP) | Joined: Jul 2007 | Posts: 996
Quote:
marc, you may want to try security tango. it solved my issues in win xp.
Many thanks Don. I would just question the recommendation to disable Windows Restore.
This may be sound advice, but if I had taken it I would still be looking at the rogue malware 'WindowsRepair' which confronted me at the beginning of this infection.
By using System restore, I was at least able to get back to a point where I could use the PC.
Expert (OP) | Joined: Jul 2007 | Posts: 996
Quote:
G'day Marc, try this root kit killer from Sophos. My staff have had good success with it and it's free: http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
G'day Lawrie, Many thanks for your post.
I downloaded and ran Sophos yesterday.
In normal mode:
- the tool found 6 or 7 hidden files (most in temp folders) but did not recommend cleaning them ["Files tagged as Removable: Yes (but clean up not recommended for this file)"]
I followed this advice and then scanned in safe mode. This was more interesting. First of all, a warning and yellow triangle informing me: Error: Could not initialize kernel driver memsweep.sys. The tool did however continue with its scan!
In addition to the hidden files it found in normal mode, it also returned a number of locked registry keys which it could not remove.
This time I cleaned up the files tagged as Removable and rebooted to normal mode.
For some reason, I did not get the promised log: "Once you have restarted your computer, a dialog box displays the files you selected for removal and the action taken."
No time then to properly test the effects of this operation, but I did note that:
- apparently the unexplained instances of iexplore.exe when IE is closed are not starting up
- there were no web site redirects (but I only tried one or two searches, all using the Opera/Google combination)
- the strongly recommended Kaspersky rootkit removal app. which could not be executed (tdsskiller.exe) would still not run, even if renamed and with BitDefender AV disabled.
Expert | Joined: Dec 2007 | Posts: 1,439
G'day Marc, sounds like a good start. I find it a little disturbing that the log did not show up AND that the Kaspersky app still would not run.
The locked registry keys may be of concern depending on what they are. If you noted them it would be worth looking into them, if you did not, a re-run of the rootkit killer is in order as it will probably find them again...
--=-- My credo: If it's worth doing, it's worth overdoing - just ask my missus, she'll tell ya --=-- You're only paranoid if you're wrong!
Veteran | Joined: May 2003 | Posts: 8,021
Marc, Did you DL and run the Kaspersky Rescue Disc? You're not going to get this thing with Windows running. If you do I wouldn't be confident. The only way is you've got to get it when Windows is down.
Expert (OP) | Joined: Jul 2007 | Posts: 996
Quote:
Marc, Did you DL and run the Kaspersky Rescue Disc? You're not going to get this thing with Windows running.If you do I wouldn't be confident. The only way is you've got to get it when Windows is down.
Not yet John. Thanks for the advice. The thing is I'm not confident at all using an alternative OS so my plan is to try everything possible in an environment I'm familiar with before I go to the live CD option.
I also have an image backup -made with Reflect- which I could attempt to mount.
Expert (OP) | Joined: Jul 2007 | Posts: 996
Quote:
G'day Marc, sounds like a good start. ...
Yes, Lawrie, we're not winning yet but we're probably not losing either. Will have a good look this eve and note down those registry keys.
Assuming - and it is a big assumption - that the web site redirect problem and the unsolicited iexplore.exes no longer occur, it will be hard to know whether I still have the infection (or traces of it) or just a series of unrelated anomalies (all pages nonresponsive in Google Chrome, tdsskiller.exe failing to run...).
Anyway many thanks mate...
Veteran | Joined: Jul 2000 | Posts: 6,493
I've never done it for a virus, but I've restored my disk from a Norton Ghost image when installing buggy try-out software, and it's easy and works like a charm.
If your imaging software makes a true disk image, I see it as the easy way to get rid of the malware.
Whichever way you choose, good luck!
Notes ♫
Bob "Notes" Norton Norton Music https://www.nortonmusic.com
100% MIDI Super-Styles recorded by live, pro, studio musicians for a live groove & Fake Disks for MIDI and/or RealTracks
Journeyman | Joined: Dec 2004 | Posts: 603
Quote:
If your imaging software makes a true disk image, I see it as the easy way to get rid of the malware.
Agreed, Bob.
Macrium Reflect (by the way) is a first-rate imaging program, as good as any available. Like others, it will restore this machine's boot image in 18 minutes total. I used it yesterday solely to get rid of video drivers that did not work out. Nothing else is so certain, nor really any faster at getting back to Square One. This should not be a last resort.
Larry ______
Veteran | Joined: May 2003 | Posts: 8,021
Quote:
Quote:
Marc, Did you DL and run the Kaspersky Rescue Disc? You're not going to get this thing with Windows running.If you do I wouldn't be confident. The only way is you've got to get it when Windows is down.
Not yet John. Thanks for the advice. The thing is I'm not confident at all using an alternative OS so my plan is to try everything possible in an environment I'm familiar with before I go to the live CD option.
I also have an image backup -made with Reflect- which I could attempt to mount.
Marc, It's a specific tool and although it is Linux based you won't even know it. The instructions are very simple.
1. Just download the program
2. Burn an iso image to a CD
3. In the BIOS set the first boot device to CD
4. Insert the CD into the drive
5. Reboot the computer. The computer will now boot with the Kaspersky CD and Windows will not load.
6. Follow the instructions on the screens.
Veteran | Joined: Aug 2006 | Posts: 8,730
What I worry about is that most of these type viruses do not go away with simple methods, and even restore to an earlier point will many times not erase them. They are very elusive. I had this on a computer at work, and the tech at the shop that fixed it said sometimes even reformat will not fix it, and that there are a couple of these that embed into the hard drive and a format goes around them, and they resurface when you least expect it. My last problem prompted me to go full Linux on my internet computer, due to it kept coming back, even after two formats and four different AV assaults.
Darned viruses they just suck the fun out of it sometimes!
HP Win 11 12 gig ram, Mac mini Sonoma with 16 gig of ram, BiaB/RB 2026, Reaper 7, Harrison Mixbus 11 , Presonus Audiobox USB96