
Removal of rootkit and possibly other malware
5 replies to this topic

#1 AllisonPJ (Members, 18 posts)

Posted 16 February 2009 - 06:11 PM

Hello,

Yesterday, my computer seems to have been walloped with something nasty. I can't remember now what first alerted me to it, but at one point I realized my IE kept resetting its options and turning off images. Annoying, so I started searching for what would do that. Then I realized that I had a redirect that was sending most Google link clicks to windowsclicks.com, and making other searches not work at all (blank results screens). I looked that up and found a solution here: http://www.myantispyware.com/2009/01/24/ho...uacdsys-trojan/

I tried the Avenger step and got an error message. But I was able to install malwarebytes and did a scan. It found over 20 things, removed/cleaned them, and I rebooted. All I remember now was that Vundo/Virtumonde was in there. I recognized it because I've been hit with that one before. The others I just don't remember. I thought it had saved a log, but now I can't find it. Argh. I wasn't expecting to need to ask for help, otherwise I would have paid closer attention to the details.

At some point (again, I'm foggy now on what happened when. Sorry!) Windows XP (Media Center SP2) started asking for my password when it would start up. Instead of the usual full-screen startup, it would give me a smaller classic login window (I've always had it set to autologon, so this was strange). I hit enter, since I have no password, and would then get a Data Execution Prevention Error on the logon. I closed that, could hear my computer finishing the rest of its startup sequence (scanner comes on, etc.), but never got anything but my desktop wallpaper. No taskbar, no icons, nothing. And if I tried to ctrl-alt-del, I got the same DEP for taskmanager. All I could do is force it to shut down.

Again, at some point in the middle of this, McAfee popped up a warning about a Win32 trojan. I ended up finally getting into safe mode to run the scan, and it found over 400 infected files. It quarantined then and removed the viruses and trojans. Some were backdoors, others were trojans or viruses. Again, I wish now I'd paid more attention to what they were called.

I rebooted back into safe mode again and did another scan to make sure everything was gone. This time, it found 130 infected files in the restore folder (stupid me, I forgot to disable system restore first, and now I'm hesitant to do so because it will delete all my old restore points, and I'm not sure if I'll need them or not) and 4 in the memory. I had a new name now for it: Generic!dxrootkit.

After work today, I tried booting up again. Windows worked. It still asked for my password, which is annoying, but it let me in. I suspected it still wasn't gone, since my searching came up with quite a few mentions of how nasty and persistent it is. Following other instructions I found about that specific rootkit, I downloaded SDFix and installed it, then went back into safe mode as instructed, but couldn't run it. It just kept saying it couldn't find the file, even though it's right there, and I can see it. And now, I'm having the same old problems with XP not letting me in again. DEP errors every time unless I'm in safe mode. I got the login prompt to go away by doing CONTROL USERPASSWORD2, but the DEP is still t I haven't done another scan yet. I was going to run malwarebytes, but when I try to open it, it says it can't find the file. I don't know what happened to it. I'll run McAfee's for now, but it takes forever, so I figured I'd post my problem here in the meantime. Maybe by the time my scan is done, someone will be around to help.

Also, I just noticed a new folder on my C drive that I'm pretty sure wasn't there before: C:\32788R22FWJFW I'm not deleting it yet just in case it's important, but I suspect it's bad. I also have Viewpoint in my Add/Remove Programs. I thought I'd uninstalled it in the past, but maybe I have a program now that needs it? I don't know. I'm erring on the side of caution for now and leaving it alone.

Hopefully someone will be able to help me fix this. I'd really rather avoid having to do a reinstall/recovery. I have so much on here, even if I backed everything up to an external drive, I'm sure there are programs and things I'll miss, or won't be able to reinstall. I will if I have to, obviously, but would like to leave that as an absolute last resort! (Plus, I don't trust that my HP CDs or D: drive will even work properly, and then I'll end up with nothing.)

Thanks in advance for your help, and sorry if I was too long-winded. I wanted to be thorough!
Allison

PS: Spyware Doctor happened to be doing its daily autoscan while I typed this. In the results, it lists Trojan-SpyFlux, RogueAntiSpyware.WinSpyWareProtect, Trojan-DownloaderAgent.OGP, and Trojan-DownloaderAgent.SY. I'm going to tell it to remove them, then do the McAfee scan.

#2 boopme (Global Moderator)

Posted 17 February 2009 - 12:09 AM

It appears that some tools were run improperly and there is damage to the system. There are two comments I feel are important to pass along here.
First:
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Second: If you decide to clean....
We need to run HJT.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK!
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 AllisonPJ (Topic Starter)

Posted 17 February 2009 - 09:44 AM

Thank you for your help. I had seen a similar answer to someone else's question the other day and had hoped that wouldn't be me. I actually did unplug my computer from the Internet for a while, but unfortunately, I plugged it back in later so I could do some more searching.

What worries me the most is that I did my taxes online (at H&R Block) earlier in the day, before any warnings started popping up in McAfee. I don't know how long these things hang around before making themselves known, so I'm definitely putting fraud alerts on my accounts. Thanks for the link about that.

I was able to see my credit report after filing the fraud alert with Experian, and so far it looks like there hasn't been any activity there, so that's good. But I don't want to take any chances. I'll go buy an external hard drive after work, unplug my computer from the Internet, and back up all my files so I can do a system recovery. I'm curious about that, though: if my computer is infected, is it possible for the backdoor to travel in my regular files when I back them up? I really can't stand to lose all that information (I'm a graphic designer, and all my work is there - all my fonts and graphics). I have a lot of music files (all purchased from Rhapsody - I don't use peer sharing or other free sites for that) and writing files and such, and want to keep all the saved mail in my Outlook, etc. Am I taking a risk by doing that, or is the backdoor only in the Windows stuff now?

I'll also be getting a better Security program, because clearly the free McAfee one I had from AOL wasn't working!

I may have some other questions about the reformatting/recovery process when the time comes, but thank you for your help so far! I'm freaked out, but I'm glad I know and can now take the necessary steps to protect myself!

#4 boopme (Global Moderator)

Posted 17 February 2009 - 11:14 AM

To have more confidence in what you back up, and to have them give you a report on the state of the PC after they have thoroughly inspected it, refer to the HJT instructions above and let them look.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their own extension after the existing extension of a file, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

Edited by boopme, 17 February 2009 - 11:16 AM.

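As an added illustration of the backup advice in this reply (example code written for this page, not a tool from the thread or from BleepingComputer): a small Python script that audits a list of file names before they go onto the external drive, leaving out executables and autorun files and flagging the double-extension disguise the post describes (a data extension followed by a hidden executable one, optionally padded with spaces). The extension lists, the function names and the sample paths are all assumptions constructed for the example.

```python
"""Audit a backup file list before copying it off a suspect Windows machine.

Constructed example: the paths below are made up and the extension sets are
illustrative assumptions, not a complete catalogue of Windows file types.
"""
import ntpath  # handles Windows-style paths on any platform

# File types Windows will execute directly; the reply advises leaving these out.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "hta", "cpl", "dll", "msi", "lnk",
}
# Types a user expects to be inert data. An executable extension appended
# behind one of these is the disguise the reply warns about (photo.jpg.exe).
DATA_EXTS = {
    "jpg", "jpeg", "png", "gif", "psd", "ai", "ttf", "otf", "doc", "xls",
    "pdf", "txt", "rtf", "mp3", "wma", "pst",
}
AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}


def explorer_display_name(name):
    """How Explorer shows a file with 'Hide extensions for known file types' on.

    Only the final extension is dropped, so 'photo.jpg.exe' is displayed as
    'photo.jpg'. That is why the reply says to look at the full name.
    """
    base, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DATA_EXTS:
        return base
    return name


def classify(path):
    """Return (decision, reason) for one path: 'copy' or 'skip'."""
    name = ntpath.basename(path)
    lower = name.lower()
    if lower in AUTORUN_NAMES:
        return "skip", "autorun file"
    base, dot, ext = lower.rpartition(".")
    if not dot:
        return "copy", "no extension"
    if ext not in EXECUTABLE_EXTS:
        return "copy", f"data file (.{ext})"
    # Executable: check whether it is dressed up as a data file.
    inner = base.rstrip()          # strip padding spaces before the real extension
    padded = inner != base
    inner_ext = inner.rpartition(".")[2]
    if inner_ext in DATA_EXTS:
        how = "double extension"
        if padded:
            how += " with whitespace padding"
        return "skip", f"{how}: looks like .{inner_ext} but is .{ext}"
    return "skip", f"executable (.{ext})"


def audit_backup(paths):
    """Split a file list into what to copy and what to leave behind."""
    report = {"copy": [], "skip": []}
    for path in paths:
        decision, reason = classify(path)
        report[decision].append((path, reason))
    return report


# Constructed sample listing, modelled on the kinds of files the poster mentions.
SAMPLE_PATHS = [
    r"D:\Work\logo_final.ai",
    r"D:\Work\fonts\Garamond.ttf",
    r"D:\Music\track01.mp3",
    r"D:\Mail\outlook.pst",
    r"D:\Photos\beach.jpg.exe",
    r"D:\Photos\invoice.pdf                    .scr",
    r"D:\Downloads\setup.exe",
    r"E:\autorun.inf",
    r"D:\Notes\README",
]

if __name__ == "__main__":
    result = audit_backup(SAMPLE_PATHS)
    for decision in ("skip", "copy"):
        print(decision.upper())
        for path, reason in result[decision]:
            print(f"  {path:<50} {reason}")
```

The script only inspects names, which is all a listing gives you; it does not replace the step the reply ends with, scanning the copied files with an anti-virus after the reinstall and before moving them back.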

#5 AllisonPJ (Topic Starter)

Posted 17 February 2009 - 04:10 PM

Thank you again for your help.

I'm definitely going to reformat and reinstall. I don't trust just trying to clean it at this point. So I'll back up all my files (not .exes) to an external hard drive and just hope I don't lose too much!

I have some questions about this, so I'll take your advice and start a new post over in the XP forum.

Thanks again!

#6 boopme (Global Moderator)

Posted 17 February 2009 - 05:06 PM

You're very welcome and I feel you made the right choice. I'd have done that had it been me. We are nearing completion of a comprehensive tutorial on this and if it is completed today or tomorrow I will alert you to it.