SENEKA Rootkit and repeated blue screens


This topic is locked
34 replies to this topic

#1 Teach2reach (Members, 53 posts)

Posted 25 January 2009 - 12:28 PM

At Orange Blossom's request, I ran the diagnostic tool and am posting my logs for your review. I am also posting a link to the issues I have been having as well as what I have done with Chewy's help to fix them up to this point. Here is the link to the original thread:
http://www.bleepingcomputer.com/forums/t/197626/repeated-blue-screen-of-death/

To give a shortened version, I have had repeated blue screens since Tuesday of this past week. I have run Malware and the Super scans and my updated virus, and the only issue remaining is that I cannot run a complete Super scan in Safe Mode, the system sends a NT System Error shut down message and then reboots. There has been one instance of freezing as well, but no blue screens since I ran the quick scan of the Super and the Malware.

Any help you can give would be greatly appreciated.

Thank you.

Attached Files





#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 January 2009 - 04:03 PM

Hello. :thumbup2:

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I have taken a look at the Am I infected forum and it seems you have a very nasty infection here. I believe you do not want to reinstall or format since you posted a topic over here? Let's begin. Please understand I am very busy this week so there WILL be some delays in my response. I hope you can understand.

Next time you get the BSOD, please give me the error code message. More information on BSOD can be found over here.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-GMER log
-BSOD error code/message once you get one.


Tell me how it goes and if there were any problems.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 04:57 PM

Thank you so much for getting back to me. Yes, I am still having the problem, though I did not have it at all yesterday or the day before. I came home this afternoon to the same BS error code of driver issues. I am actually on my way out to class right now, but when I come home, I will give you the exact code wording and also run the scans you requested. I really hope we can get this off of my system enough for me to continue to use it, so welcome any and all help you can give.

I will check back in tonight around 9.

Karen

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 January 2009 - 05:03 PM

Hello.

Thanks for letting me know. Post back the results whenever you are ready. I need to leave soon as well so see you when you get back :thumbup2:

With Regards,
Extremeboy

#5 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 09:21 PM

Extreme,
Quick question before I begin. I installed Combo in November. Do I need to reinstall it or just update it? (I was a bad teacher who did not follow directions and ran it myself, fortunately with no issues, but know now that it should have been done under close supervision by someone from here.)

#6 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 09:48 PM

Extreme,
I am in the Event Viewer and have looked everywhere and cannot find anything that looks like the error message I am getting. The only thing that is coming up is application hangs, nothing in security.
I did a search for .dmp files and there are records of all of them since this started last week, but it will not allow me to open them at all.
Please let me know what to do, as well as the ComboFix installation question.

Thanks so much,
Karen

#7 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 January 2009 - 09:56 PM

Hello.

I'll reply before going to bed. :thumbup2:

Forget about the BSOD for now; I will explain that in more detail later on. Just note that once you do get a BSOD, please write down the error code and everything on paper and post it back to me so I can take a look at it.

Regarding the Combofix. Please delete Combofix.exe you have on your desktop. Then re-download it and run it as instructed. Follow any prompts.

Once it's complete it will give you the Combofix log. Please post that one to me and the GMER log.

Thanks.

With Regards,
Extremeboy

#8 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 09:57 PM

Doing it now. Thanks for getting back to me.

#9 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 10:26 PM

Extreme,
Here is the ComboFix log. I also had an error code come up at the end of the log post:
"The file or directory c:/windows/temp/perflib_perfdata_620.dat is corrupt and unreadable. Please run the CHKDSK utility."

Attached Files



#10 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 11:49 PM

Here is the GMER log. The only issue I had was it did crash the computer the first time, but I have to say, the second time around, and ever since, things have been running on here faster than ever, and I do not know if anything was even fixed yet.

Here is that log.

I will be at work all day tomorrow and will be back on tomorrow after 5, so I will check back with you then.
Thanks so incredibly much for everything you are doing for me.

#11 Teach2reach (Topic Starter, Members, 53 posts)

Posted 26 January 2009 - 11:50 PM

Oops, did not attach, sorry about that. :thumbup2:

Attached Files

  • Attached File  gmer.txt   21.77KB   27 downloads


#12 extremeboy (Malware Response Team, 12,975 posts)

Posted 27 January 2009 - 04:14 PM

Hello again.

Looks good, still some work to do. The rootkit keys and files were removed. :thumbup2:

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    c:\program files\Common Files\lenibod.dl
    c:\windows\ukofydigi.exe
    c:\documents and settings\All Users\Application Data\qocykap.pif
    c:\windows\system32\sani.reg
    c:\documents and settings\All Users\Application Data\nizugydy.dat
    c:\documents and settings\JEFF\Application Data\nosobo.reg
    c:\documents and settings\JEFF\Application Data\vire.scr
    c:\windows\system32\AA23C27F5B.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Just because I am curious, I want to see what happened when you previously ran ComboFix. Navigate to the folder C:\Qoobox.

In that folder you should see a text file called ComboFix2.txt. Post the contents of this in your next reply, as well as the new ComboFix.txt you ran with CFScript.

Download and run MalwareBytes Anti-Malware(Full Scan)

Please download Malwarebytes Anti-Malware and save it to your desktop if you lost your copy and need to install it, otherwise skip the installation step and continue with the Full Scan.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run ChkDsk using the Command Prompt

Please run Chkdsk using the CMD method.

Information on running ChkDsk using the Command Prompt/CMD can be found in this article.

Restart your computer afterwards.

Post back with:
-Combofix.txt
-Combofix2.txt
-MBAM log
-New DDS log


I won't be able to reply on Friday until I come back in the afternoon on Saturday due to an exam.

With Regards,
Extremeboy
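As an added illustration (not part of this thread and not ComboFix's own code), here is a small Python parser for the File::/Registry:: CFScript format used in the post above. It reads the script exactly as posted, checks that both Security Center *DisableNotify values are being reset to 0 (so warnings are no longer suppressed), and reports any targeted file that still shows up in a post-cleanup directory listing; the `present` set in main() is a constructed stand-in for such a listing.

```python
"""Parse a ComboFix CFScript (File:: / Registry:: sections) and check what it
asks for.  Added example; not ComboFix code."""
import re
from typing import Dict, List, Set, Tuple

# The CFScript posted in this thread, embedded verbatim as sample input.
CFSCRIPT = r"""File::
c:\program files\Common Files\lenibod.dl
c:\windows\ukofydigi.exe
c:\documents and settings\All Users\Application Data\qocykap.pif
c:\windows\system32\sani.reg
c:\documents and settings\All Users\Application Data\nizugydy.dat
c:\documents and settings\JEFF\Application Data\nosobo.reg
c:\documents and settings\JEFF\Application Data\vire.scr
c:\windows\system32\AA23C27F5B.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"""

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\software\microsoft\security center"
RegEntry = Tuple[str, str, object]  # (key, value name, value)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into sections keyed by their 'Name::' header line."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_registry(lines: List[str]) -> List[RegEntry]:
    """Turn a Registry:: section (.reg-style syntax) into (key, name, value)."""
    entries: List[RegEntry] = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if m and key is not None:
            name, dword, string = m.groups()
            entries.append((key, name, int(dword, 16) if dword else string))
    return entries


def security_center_notifications_restored(entries: List[RegEntry]) -> bool:
    """True when both *DisableNotify values are set to 0 (warnings enabled)."""
    found = {n: v for k, n, v in entries if k.lower() == SECURITY_CENTER.lower()}
    return all(found.get(n) == 0 for n in
               ("AntiVirusDisableNotify", "UpdatesDisableNotify"))


def leftover_files(targets: List[str], present: Set[str]) -> List[str]:
    """Targeted paths still found in a (case-insensitive) directory listing."""
    present_lc = {p.lower() for p in present}
    return [p for p in targets if p.lower() in present_lc]


def main() -> None:
    sections = parse_cfscript(CFSCRIPT)
    reg = parse_registry(sections.get("Registry", []))
    print(len(sections["File"]), "files targeted")
    print("notifications restored:", security_center_notifications_restored(reg))
    present = {r"C:\Windows\ukofydigi.exe"}  # constructed post-cleanup listing
    print("still present:", leftover_files(sections["File"], present))


if __name__ == "__main__":
    main()
```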

#13 Teach2reach (Topic Starter, Members, 53 posts)

Posted 27 January 2009 - 07:29 PM

extremeboy,

Here are the logs, only I am having one issue. I am not able to get a complete chkdsk scan. The last info I received after a scan said that it found errors and cannot proceed in read-only mode. I am not sure what you want me to do now; do you want me to repair errors or ??

Other than that, here are the requested logs.

Attached Files


Edited by Teach2reach, 27 January 2009 - 07:32 PM.


#14 Teach2reach (Topic Starter, Members, 53 posts)

Posted 27 January 2009 - 07:31 PM

Forgot another log.

Attached Files



#15 extremeboy (Malware Response Team, 12,975 posts)

Posted 28 January 2009 - 03:49 PM

Hello.

You didn't run ComboFix using the CFScript, or you didn't post back with the correct ComboFix log. From what I see, the ComboFix log you provided was run from your desktop: c:\documents and settings\JEFF\Desktop\ComboFix.exe

Did you drag CFScript.txt onto ComboFix.exe? I don't think you did. If you did, then it should be in C:\ComboFix.txt. If this is the same one you attached, then you probably didn't use the CFScript. Please refer back to my previous post.

If you did not run ComboFix with CFScript, please do so now and post back with the ComboFix log once it's complete. Also post back with a new DDS log. You didn't provide this in your last responses.

Also, don't attach logs unless I specified you to attach it. If I say Post, please post it for me. Thanks.

With Regards,
Extremeboy



