BleepingComputer.com: Probable Rootkit infection

Hello,

I'm following the instructions in the Bleeping manual, after my daughter downloaded an infected streaming video on my machine a week ago.


I have downloaded the necessary tools, have run Defogger, but I am having a problem running dds.scr. When I click on it, I get a momentary flash as if a box is appearing on the screen (gone too fast to read, almost to fast to register). I am running Nod32, but that shouldn't (I believe) interfere with running a script. Is it possible that the infection is interfering with it? Suggestions would be appreciated.

Per instructions, I am posting the GMER log, which shows (I think) a rootkit

I wanted to list most of the issues of which I am aware

1. Periodic intense bursts of Internet activity, Comodo recording up to 1000 outbound connections.

2. A few times a day, several times when there has been no browser or similar software going (and when it has), NOD32 will note that it has disconnected a dangerous connection. Also, the log shows several trojans caught yesterday and today:

5/1/2011 7:26:21 PM HTTP filter file http://torpeda.cx.cc/fgdtshjdkyfhxtgstre.jar multiple threats connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
5/1/2011 7:26:20 PM HTTP filter file http://torpeda.cx.cc/fgdtshjdkyfhxtgstre.jar multiple threats connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
5/1/2011 7:26:18 PM HTTP filter archive http://execvp.ipq.co/QQkFBg0MBAEDAAABEkcJBQcEAAYADAANBQ== JS/Exploit.Agent.NCQ trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
5/1/2011 7:26:08 PM HTTP filter archive http://execvp.ipq.co/QQkFBg0MBAEDAAABEkcJBQcEAAYADAANBQ== JS/Exploit.Agent.NCQ trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
5/1/2011 11:11:57 AM HTTP filter archive http://vwpassccmsrk.in/QQkFBg0NBgYDDAABEkcJBQcEBw0CAQQGDQ== JS/Exploit.Agent.NCQ trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.

3. Windows Update and Internet Explorer are not working; AV programs (like Spybot) that "call home" cannot connect (as noted, in consequence I cannot run that scan).

4. A curiosity; when this happened, several programs vanished from my hard drive. One was Acrobat Pro 8.2.6. Now, when I delete a file, instead the install procedure for that programs starts, though I can delete the file I want once I have cancelled out of the install.

5. I have kept a stable XP system, carefully maintained, for five or six years, until my daughter ran the infected stream.

6. A local computer repair person ran a decontamination scanner on Saturday night (the infection was Friday AM). He found much malware but clearly his scanners (which included malwarebytes and others run from a bootable CD) did not catch one or more infections.

7. The computer has (touch wood) continued to be usable. I am very reluctant to reformat. I would lose much that I do not wish to lose, and I strongly suspect that the malware can be rooted out, though it is beyond my ability.

I have downloaded the tools, run Defogger, but I am having a problem running dds.scr. When I click on it, I get a momentary flash as if a box is appearing on the screen (gone too fast to read, almost to fast to register). I am running Nod32, but that shouldn't (I believe) interfere with running a script. Is it possible that the infection is interfering with it? Suggestions would be appreciated.

Per instructions, I am posting the GMER log, which shows a rootkit.

Thanks so much.

Edward

P.S. In the note above, I mention Comodo as my firewall. After a connectivity problem (which may have been more virus than Comodo), I had to remove it, and am using ZoneAlarm Free instead.

Hello Edward ,



Let's see if the easiest works first.

Download TDSSKiller.zip

• Extract it to your desktop
  
• Double click TDSSKiller.exe
  
• Press Start Scan
  
  • If Malicious objects are found then ensure Cure is selected
    
  • Then click Continue > Reboot now
  
  
• Copy and paste the log in your next reply
  
  • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

Thank you, tea. Speedy response.

TDSSKiller did run (I haven't been unable to get it to to so before, yay). I attach the log.

I had to force a reboot after.

On reboot Nod32 popped up an alarm that it had found win32/olmarik.AJL trojan in (I think) Boot sector 0. When I tried to clean it I got an "error while cleaning; operation unavailable.


Thanks for the help so far. What next?

Best,

Edward

HI there,

You're most welcome.

I'm not worried about Nod32 really....it could very well be finding it, but within a restore point, etc......does that make sense?

Please see if you can run DDS now, and let's see what gmer has to say with another run. Post the reports in your reply. How is it running now?

tea

Hello again,

The system's running quieter (the fan had kept coming in, a function of a large number of outgoing connections, I believe--before I had to remoce Comodo, it was showing at times 1000). Yech.

DDS will still not run.

Next GMER run coming up as soon as it completes.

Regards,

Edward

Good to know it's better. Not really worried about DDS.....every once in a while it does this. Out of curiosity, did you try a fresh download this time, or the same one you had already? I'd like to see if there's anything else going on here without running anything intrusive. DDS is the best way to do this.

Post when you're ready.

I used the same download from earlier this evening. I'll try a fresh one. GMER is still rolling along. I may run out of steam shortly. It's been a long week (I commute about five hours a day).

I like your "error reading poptart: delete kids y/n" sig, given that it was my elder daughter who was responsible for this mess. I've told her many, many times not to download from "non-official" sites.

She has been very apologetic, poor kid, so I'm not rubbing it in.

Get some sleep if you need to. I understand. My Dad used to leave for Dallas at 3 am and not get back home until 4 pm......for 30 years.

The sig is....appropriate. I have 6 kids and have seen about everything. From m&ms in the ears, beads up the nose, to digging out CDs because a football accidentally smashed into the drive.

I've had parents here that were so mad that they made the responsible kiddo stand there every step of the way while we were fixing it, and then some. Most of the time they just don't understand until they learn the hard way, and they are very sorry. Most of the time it's enough. I hope she understands how lucky you were this time to get off so light. Some folks are hit so hard they lose everything and have to start over.

I'll be notified of any replies you make, when you make them, so just post when you're ready.

I'm up at 5 and back at 8, so not far off your Dad's record! It's worth it--I do something I enjoy, though high stress.

The GMER scan's still running (much longer run this time, so maybe it got hung up on malware the first time around), so I am heading up to bed. Goodnight and thank you.

Edward

Night night......you're welcome.

Good morning,

Rested and up, 9AM EST.

Here's the current GMER scan. Still no DDS joy.

Thanks!

Edward

Hello there,

Glad you got some sleep.

The gmer log looks good.....no sign of the rootkit in this one. How is it running today?

See if you can get this from Trend Micro. It's not quite as thorough, but I'll have a better idea of what and where to check to be sure you're okay now : http://free.antivirus.com/hijackthis/

Download the version 2.0.4, not the beta. Choose to run a scan and save a log. No fixing necessary right now.

Thanks,
tea

Good morning!

Still a few aberrations, but the system's running much better. Since the Windows Security Center had been down but is now up again, it did download and install a number of updates. I've noticed a tendency for the Windows Firewall to keep getting set to off, but that could be from ZoneAlarm--not sure if they "play nice." I ran a full Nod32 Scan (which I do once a week anyhow) and that shows nothing, but then it didn't show anything even with the system infection. Nod32 did stop a couple of nasties, so there may still be something on the system calling to them.

Attached is the scan you request

This post has been edited by erduggan: 07 May 2011 - 12:38 PM

Hello hello

Glad so much is better.......still some things to clean up :

Run HijackThis and choose run a system scan only.

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\acrobat\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll
O24 - Desktop Component MRI_DISABLED: (no name) - (no file)

Click on Fix Checked when finished and exit HijackThis.

Delete the following folder : C:\Program Files\Dealio

Please download Malwarebytes Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Not sure about the firewall issue. It's quite possible that ZA is disabling the default Windows firewall.

Let me know how it's running.

Thanks,
tea