
Infected by a Rootkit [Moved]


2 replies to this topic

#1 Enternal
Posted 27 July 2009 - 08:15 PM

I have been trying to get rid of a bunch of stuff for the last 24 hours, and this and a couple of other small malware are the only things left. I let my guard down while visiting some site using a beta version of Opera to test it and apparently was hit by a bomber. Not only that, I also disabled UAC to test out one of my other apps.

Anyway, I tried to use Spybot, Sysinternals Autoruns, GMER, Malwarebytes, and many other tools for viruses, rootkits, and malware, and they were all shut down by the rootkit. GMER actually worked a bit, but after letting it scan for some time it was forcefully shut down, so GMER only works if you don't scan, so the registry, modules, etcetera still work. The only ones that worked were SuperAntispyware and AVG, so I used those and removed many spyware and malware that I was hit with, including quite a few viruses. I then proceeded to use SIW (System Information for Windows), since it's one of those apps that was not affected by the rootkit, and it seems that all of the apps so far that have been shut down all had a library file located at \\?\globalroot\device\__max++>\*random8characters*.x86.dll attached to them. It is also the only one whose name changed whenever I tried to mess around with it using Avenger2 scripts, but Avenger2 does not seem to work with UNC paths because it returns "an object cannot have this name". Now I no longer know what I need to do and would really like a way to get access to that UNC directory or something to remove it. I am also not sure where its loading point is. Thank you.

Sadly, I can't really post the DDS log because it seems that the rootkit blocks it as well. Instead, I will post logs made using SIW (System Information for Windows) that show only the loaded DLLs, as well as a full log of my computer if asked. I actually have a log from GMER as well, but that was made by scanning part by part, because that's the only way which prevents GMER from being killed by the rootkit.

What is interesting about this rootkit is that if you run any of the security software or rootkit revealers, it will forcefully close that application and then hide the application executable from the system. Therefore, if it's in the program folder, you won't find the executable anymore unless you use GMER to show the hidden file or use an Ubuntu live CD. If it's on the desktop already, then you can still see it but can't access it; it displays an error about not finding the file or something about no permission to access the file. When I first started fighting the rootkit, I had many executables on my desktop that were no longer usable, as they were all forcefully closed and hidden, so I had to use Ubuntu, Avenger2, or a ComboFix script to remove them and clear up some space. I now use a flash drive which has a read-only switch on it to prevent the rootkit from hiding the file, although it still forcefully closes the program when run, even after I renamed it randomly on a different computer.

Edited by Enternal, 28 July 2009 - 02:23 PM.
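An added example, not part of this thread: a PowerShell check that does what the poster did by hand in SIW, walking every running process's loaded modules and flagging any whose path matches the \\?\globalroot\device\__max++>\...\.x86.dll pattern quoted above. The regex is built from that quoted path and is an assumption about the only form the path takes; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread): enumerate every module loaded into every
# running process and report the ones whose path matches the globalroot\device
# pattern the original poster saw attached to the killed security tools.
function Find-SuspiciousModules {
    param(
        # Regex for the module path. Default is built from the path quoted in the
        # post (assumption: the random 8-character name always ends in .x86.dll).
        [string]$PathPattern = '^\\\\\?\\globalroot\\device\\__max\+\+>\\[^\\]+\.x86\.dll$'
    )
    foreach ($proc in Get-Process) {
        try {
            # Module enumeration throws for protected processes or ones of a
            # different bitness; turn that into a catchable terminating error.
            $ErrorActionPreference = 'Stop'
            $modules = $proc.Modules
        } catch {
            # Record the refusal rather than silently skipping the process:
            # a process that cannot be inspected still needs a second look.
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = '<access denied>'
                Path    = $_.Exception.Message
            }
            continue
        }
        foreach ($m in $modules) {
            if ($m.FileName -match $PathPattern) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $m.FileName
                }
            }
        }
    }
}

# Print a table of processes carrying a module from the hidden device path,
# plus any process that refused inspection.
Find-SuspiciousModules | Format-Table -AutoSize
```

The process names and PIDs in the output tell you which programs were hooked, which is the list of victims the poster had to assemble one tool at a time; the script itself may be terminated in the same way the poster describes, so a result with no rows and an abruptly closed window is not a clean result.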

#2 Orange Blossom
Posted 27 July 2009 - 11:27 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


#3 garmanma

Posted 28 July 2009 - 07:58 PM

Try RootRepeal. They just released an updated version.
Please download it HERE, and save RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-Zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again, and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark