
Rootkit, Malware, Tapi.nfo, Google Redirect, Can't open anit-malware


This topic is locked
38 replies to this topic

#1 yuukanna

yuukanna

  • Members
  • 27 posts

Posted 27 August 2009 - 04:57 PM

I recently got a new client who needed help with his computer. It was silly of me to think it would be simple. I was up all night working on it.

His initial problem was that Windows would hang on "Loading personal preferences" and would only boot in safe mode. It wasn't the page file, or any of the usual things... though I did start to notice that normal Windows functions didn't work properly, from MsPaint to IExplorer. I tried to run Autoruns.exe and HijackThis and they shut down as soon as they were opened. IExplorer wouldn't load pages and Firefox would pop up and load the pages instead.

I thought I should just repair Windows, which I tried to do and accidentally installed a second copy of Windows on the same partition... I then deleted the second Windows installation (windows.0), but after that Windows would boot fine without safe mode. That was only the beginning though. I found the Google redirect on there, a bunch of old adware and a mess of a disorganized computer.

The system also booted and gave a tapi.nfo error. I searched for this and got nowhere, so I went to regedit and deleted the line causing it. It doesn't pop up anymore, but that didn't solve anything.

I looked further into the situation and found that many others are having trouble with rootkit malware that shuts down anti-malware software.

I tried loading Malwarebytes, etc., and even renaming the files and the extensions. It still all shuts down immediately when it's loaded.

Since IE wasn't working I downloaded a new copy of IE8 and transferred it from my computer to the client's computer and installed it. IE8 worked fine but it of course didn't solve anything. I continued using my personal computer to transfer programs and utilities like Malwarebytes to the client computer.

Today my personal computer started acting up... I'm guessing that the malware traveled on my flash drive?

I can't give you any log files, because I can't load a program to generate one. Any thoughts?

Oh, and wiping it clean isn't really an option for the client... he's got no backups and he has a lot of sensitive work-related data. Nor does he have a copy of Windows or the software that came with his computer... I'm not sure what to tell him.

#2 doctorphibes

doctorphibes

  • Members
  • 81 posts

Posted 27 August 2009 - 07:07 PM

Have you tried Root Repeal? It sounds to me like you've read that post.

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UACxpqhxbvttn.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean post the final log.

This isn't my post so I can't take credit for it, but apparently it works.
Good luck either way. The entire post is called AntiSpy Protector 2009; you should check it out before trying this. Good luck.
I am enough of the artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world. Albert Einstein

#3 yuukanna

yuukanna
  • Topic Starter

  • Members
  • 27 posts

Posted 27 August 2009 - 08:38 PM

DDS won't run, it shuts down as soon as it opens. Root Repeal will work somewhat. I cannot do a full scan for a full report (shuts down same as anything else), but I may be able to save the reports a piece at a time, as I can scan "drivers" and save a report there... haven't tried the other tabs yet.

#4 yuukanna

yuukanna
  • Topic Starter

  • Members
  • 27 posts

Posted 27 August 2009 - 08:42 PM

I tried scanning in all tabs; the only scan I can't do in RootRepeal is the scan in the "files" tab.

Should I post these reports individually excluding the files report?

#5 doctorphibes

doctorphibes

  • Members
  • 81 posts

Posted 27 August 2009 - 08:43 PM

Are you able to get online at all?

#6 yuukanna

yuukanna
  • Topic Starter

  • Members
  • 27 posts

Posted 27 August 2009 - 08:45 PM

It seems to be able to connect at the moment... I don't know what would make it different from before though.

#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 August 2009 - 08:45 PM

Hello yuukanna and :thumbsup: to BleepingComputer.

Please post the drivers and hidden services logs from RootRepeal.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 27 August 2009 - 08:47 PM

Even without a RootRepeal log it's fairly certain that this infection will require expert assistance in the HJT forum, which has a huge backlog of posters waiting for help.

Many or most security forums frown on helping a professional clean a client's computer, some refuse to.

I would have extracted the guy's data and reloaded with a generic disk. Many infections are incurable or so damage Windows that a clean install is best, not to mention that any computer infected with backdoor trojans and rootkits cannot be trusted for sensitive use.
Chewy

No. Try not. Do... or do not. There is no try.

#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 August 2009 - 08:48 PM

Also... this should be done immediately on your personal computer and flash drives to protect yourself.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

~Blade

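The post above relies on a folder named autorun.inf occupying the name so that an autorun file cannot be dropped at the drive root. As an added illustration (not part of the thread, and not Flash_Disinfector's own code), the following Python check classifies what sits at a drive root: nothing, the protective folder, or a real autorun.inf file, in which case it lists the launch entries the file would trigger. The sample drive roots and the autorun.inf contents are constructed in a temporary directory.

```python
import configparser
import os
import tempfile

# [autorun] keys that launch a program when the drive is mounted or opened;
# these are what a placeholder folder at the drive root is meant to block.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def inspect_autorun(drive_root):
    """Classify autorun.inf at drive_root.

    Returns {"status": "absent" | "protected" | "file", "commands": [...]}.
    "protected" means a folder (Flash_Disinfector-style placeholder) holds the
    name; "file" means a real autorun.inf exists and commands lists its launch
    entries as key=value strings.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.exists(path):
        return {"status": "absent", "commands": []}
    if os.path.isdir(path):
        return {"status": "protected", "commands": []}
    parser = configparser.RawConfigParser(allow_no_value=True, strict=False)
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error:
        return {"status": "file", "commands": ["<unparseable autorun.inf>"]}
    commands = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys are lower-cased by configparser
            if key in LAUNCH_KEYS and value:
                commands.append(f"{key}={value}")
    return {"status": "file", "commands": commands}


def demo():
    """Constructed sample roots: an autorun.inf file, a placeholder folder, nothing."""
    root = tempfile.mkdtemp()
    infected = os.path.join(root, "infected")
    os.makedirs(infected)
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:  # constructed content
        fh.write("[autorun]\nopen=RECYCLER\\example.exe\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
                 "shell\\open\\command=RECYCLER\\example.exe\n")
    protected = os.path.join(root, "protected")
    os.makedirs(os.path.join(protected, "autorun.inf"))  # the placeholder folder
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    return {name: inspect_autorun(p) for name, p in
            (("infected", infected), ("protected", protected), ("clean", clean))}
```

Run demo() to see the three outcomes; on a real machine, call inspect_autorun on each removable drive root instead.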


#10 doctorphibes

doctorphibes

  • Members
  • 81 posts

Posted 27 August 2009 - 08:53 PM

Try dr.web.com, make sure you get "theirs", and download CureIt. It's free, but I've had good success with it. It will give you a quick scan at first (about 5 min), then offer a full scan. Do the full scan, if it will let you; you might be surprised at the outcome. It's a Russian company that puts out pretty good stuff. It's saved me a lot of times... here's the link, work fast

http://www.freedrweb.com/cureit/

#11 yuukanna

yuukanna
  • Topic Starter

  • Members
  • 27 posts

Posted 27 August 2009 - 08:54 PM

Thank you, will do... gotta log in on the other computer. Do you want the logs as attachments or a dump?

I'll have to close my own virus scanner to download the flash disinfector... it doesn't like it.

#12 doctorphibes

doctorphibes

  • Members
  • 81 posts

Posted 27 August 2009 - 08:56 PM

Sorry for the typos, it's dark in here.

#13 doctorphibes

doctorphibes

  • Members
  • 81 posts

Posted 27 August 2009 - 08:58 PM

Do what it takes, bro. Good luck.

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 August 2009 - 09:02 PM

Just copy/paste the logs into a reply, please do not attach them.

~Blade



#15 doctorphibes

doctorphibes

  • Members
  • 81 posts

Posted 27 August 2009 - 09:02 PM

CureIt won't save logs, won't even let you copy and paste, but if you find the culprit just type it in the forum.
