
I have 4 rootkits!!! help


11 replies to this topic

#1 pharcyde503

  • Members
  • 7 posts

Posted 13 May 2009 - 01:22 PM

Yes, I have 4. AVG will not fix them. I downloaded Malwarebytes. I had to copy the exe file and rename it just to access the scan.
Now I get about 2 min into the scan before it freezes and will not respond. PLEASE HELP ME!!!! I know I'm so close.

Sorry if this is in the wrong section. PLEASE HELP


#2 pharcyde503

  • Topic Starter
  • Members
  • 7 posts

Posted 13 May 2009 - 01:40 PM

Let me explain better. AVG scan detected 4 rootkits, but it can't delete them. I googled a bit and came across Malwarebytes.
I downloaded it but I couldn't get it to run. I finally copied the exe file and renamed it; apparently this bleeper knew the Malwarebytes file name and wouldn't let me run it. I tricked it, but now it has the last laugh. About two min into the scan, the Malwarebytes scan freezes and will not respond. I've rebooted like 7 times and tried scanning again. Same result: it freezes and won't respond. I gotta fix this before my wife gets home and finds out I bleeped up her laptop. She will skin me alive.


PLEASE HELP ME I AM SOOOO STUCK


EDIT: Almost forgot. This rootkit does this. Every time I open IE, I get a pop-up that Windows can't run globalroot\systemroot\system32\qcvccrntflocxcxxasubg, or it has been installed wrong.


I picked this up downloading a DVD rip. AVG didn't detect anything wrong with the file, or else I would have never downloaded it.

Edited by pharcyde503, 13 May 2009 - 02:12 PM.


#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 13 May 2009 - 01:54 PM

Moved from the VISTA forum to the more appropriate forum.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 pharcyde503

  • Topic Starter
  • Members
  • 7 posts

Posted 13 May 2009 - 02:05 PM

Sorry for posting in the wrong place; thanks for moving it. Maybe I will get some help now.

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,288 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 May 2009 - 02:22 PM

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode" after running ATF-Cleaner.
-- Post the log in your next reply.

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. If you cannot use or complete a scan in normal mode, then try performing a Quick Scan in "safe mode". After reboot, click the Logs tab and copy/paste the contents of the new report in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 pharcyde503

  • Topic Starter
  • Members
  • 7 posts

Posted 13 May 2009 - 02:54 PM

In the middle of the Dr.Web scan. I seem to be stuck at only 30 files scanned. It says "process in memory". How does this help Malwarebytes work?

#7 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 13 May 2009 - 02:59 PM

Here is the problem. You can never be sure that you have completely removed a rootkit. Ever. Even tools that claim to be able to remove rootkits can in no way guarantee that all traces of a rootkit have been removed. As a developer, it is trivial for me to alter a rootkit slightly in order to prevent automated tools from working.

Regardless of how much stuff on your system you can't afford to lose, reformat. Especially if you use your system for online banking, or making purchases, or even logging in to use a website. Once you reformat, change all of your passwords, because somebody else has them.

#8 pharcyde503

  • Topic Starter
  • Members
  • 7 posts

Posted 13 May 2009 - 03:11 PM

Damn, that sucks. This laptop is brand new; we don't bank or shop online at all. I just really want to get rid of the bleeping window that pops up every time I open IE. How come everything I download fails while scanning? How do I get Malwarebytes to scan without freezing?

#9 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 13 May 2009 - 03:16 PM

Quote: "How do I get Malwarebytes to scan without freezing?"

If there is a rootkit on there that is preventing it from running, the answer would be: you don't.

#10 pharcyde503

  • Topic Starter
  • Members
  • 7 posts

Posted 13 May 2009 - 03:26 PM

I think that's what I have, 'cuz like I said, I had to change the name of the exe file just so I could run Malwarebytes. So this thing is smart. Ouch.........

#11 pharcyde503

  • Topic Starter
  • Members
  • 7 posts

Posted 13 May 2009 - 04:18 PM

Any other ideas besides reformatting?

#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,288 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 May 2009 - 09:34 PM

I have to agree with groovicus.

I like to see confirmation of reported rootkits. I didn't notice you edited your second reply a half hour later to mention the issue with globalroot\systemroot\system32\qcvccrntflocxcxxasubg, which is a sure sign of a nasty variant of the TDSSSERV rootkit.

Dr.Web CureIt sometimes is able to remove just enough of the infected files so that MBAM will run, but it's not guaranteed to work.

To expand on what groovicus said: rootkits, backdoor Trojans, botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
