Help
This is a bit embarrassing because I'm an information security consultant. While connecting to a hotel wireless spot using my laptop I believe my session was hijacked. I noticed in the next few days considerable slowdowns. I started watching ports through netstat and saw some strange ports. I watched traffic on another machine with wireshark and found that the infected laptop was remapping ports and connecting to blacklisted sites.
I tried using serveral rootkit discovery tools without much luck (MS, Rootkitbuster) and when I try to use GMER the laptop crashes. I've tracked the problem application to jqs.exe (Java Quick Starter). It's process ID is the one that starts all the trouble. Some other symptoms: dumprep is running alot but I disabled it quite a while ago and all local security alerts have been cleared with no new ones even though the service is running.
I'm running XP sp3 fully patched with norton AV.
Any suggestions on how to procede without being able to run GMER?
Thanks.
Page 1 of 1
Infected with rootkit; GMER crashes the machine
Back to top
#2
- OBleepin Investigator
-
- Group: Moderator
- Posts: 29,825
- Joined: 14-July 06
- Gender:Not Telling
- Location:Bloomington, IN
Posted 15 November 2010 - 07:28 PM
Hello,
See if you can disable Java QuickStart. You should be able to. I find that process totally unnecessary.
Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Orange Blossom
See if you can disable Java QuickStart. You should be able to. I find that process totally unnecessary.
Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.
Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
#3
- New Member
-
- Group: Members
- Posts: 2
- Joined: 15-November 10
Posted 15 November 2010 - 11:11 PM
I'm sorry, I should of explained myself better. I've done the preperation steps up to the point where GMER crashes my machine. When it crashes it is a freeze that forces a reboot. No error logs are available.
I'm unable to disable Java Quick Start as it shows it is already disabled. During the boot process, there are a few minutes where I can do nothing and the CPU and hardrvie are pegged. Several non-standard ports are listinging, if I place the laptop on the internet, connections are established to black-listed IP's and several more ports are opened. MS Applications such as outlook and groove get remapped to non-standard ports and my CPU and memory peg with over 90% resources showing idle.
I'm positive the machine is comprimised. I'm looking for a tools to expose the hack.
Should I still make a new post and if I do, what information would you need outside of the DDS logs? I have already listed some of the tools that I've tried.
Thanks for the advice before I start another topic.
I'm unable to disable Java Quick Start as it shows it is already disabled. During the boot process, there are a few minutes where I can do nothing and the CPU and hardrvie are pegged. Several non-standard ports are listinging, if I place the laptop on the internet, connections are established to black-listed IP's and several more ports are opened. MS Applications such as outlook and groove get remapped to non-standard ports and my CPU and memory peg with over 90% resources showing idle.
I'm positive the machine is comprimised. I'm looking for a tools to expose the hack.
Should I still make a new post and if I do, what information would you need outside of the DDS logs? I have already listed some of the tools that I've tried.
Thanks for the advice before I start another topic.
#4
- To Insanity and Beyond
-
- Group: Global Moderator
- Posts: 48,761
- Joined: 10-September 04
- Gender:Male
- Location:NJ USA
Posted 16 November 2010 - 05:10 PM
I would just post the DDS log now and skip GMer.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
#5
- OBleepin Investigator
-
- Group: Moderator
- Posts: 29,825
- Joined: 14-July 06
- Gender:Not Telling
- Location:Bloomington, IN
Posted 16 November 2010 - 08:55 PM
Hello,
The new topic should include: a description of your computer issues and what you have done to resolve them and a description of what happens when you try to run GMER as well as the DDS logs. I know you posted a lot of that in this topic, but it needs to be in the new topic as well.
~ OB
The new topic should include: a description of your computer issues and what you have done to resolve them and a description of what happens when you try to run GMER as well as the DDS logs. I know you posted a lot of that in this topic, but it needs to be in the new topic as well.
~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.
Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
Share this topic:
Page 1 of 1