
Rootkit in my system, weird Trojans keep popping in and out.


This topic is locked
70 replies to this topic

#1 zhoos (Member, 46 posts)

Posted 08 October 2009 - 02:39 AM

Hello all,

I am having some serious problems with my comp. I previously posted in another thread about a suspicious file called tgzuuf.exe in my system processes, that keeps appearing all the time. After posting my problems and following some diagnostic steps, I was referred to come over to here.

Previous thread: http://www.bleepingcomputer.com/forums/t/261677/help-weird-things-are-happening/

So now I ran DDS.scr and here are my two logs.

Attached files: Attach.txt (8.1KB), DDS.txt (22.55KB)

Problem now comes when I run Root Repeal, I left it running for over 2 days (!) and it seems to be stuck! I cannot seem to move past the Windows directory, and nothing happens. I cannot seem to generate a log.

I also tried GMER, but after the first initial scan, when I tried complete scan it scans for a short while then the application hangs.
This is the log from the initial scan. Attached file: GMER.log (1.06KB)

Some weird symptoms with my computer now:
1. AVG SOMETIMES randomly detects a Trojan infection (trojan horse generic 14.bueo), but can't seem to get rid of it. It only happens sometimes, and sometimes doesn't.
2. Sometimes I can't seem to launch anything after a reboot or start-up. All I get is the circle loading icon. Even Task Manager cannot open... I press CTRL-ALT-DEL and when I press Task Manager, the application cannot open.

Please help - I have no idea what to do next.

Edited by zhoos, 08 October 2009 - 02:42 AM.



#2 Farbar (Security Developer, The Netherlands)

Posted 08 October 2009 - 03:30 AM

Hi zhoos,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Open your Malwarebytes' Anti-Malware.
    • First update it: under the Update tab press "Check for Updates".
    • Under the Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a/s "%systemdrive%\tgzuuf.*" >log.txt&log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

  • We need to run GMER with the following settings:
    Delete your GMER.exe and download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#3 zhoos (Topic Starter)

Posted 08 October 2009 - 04:14 AM

Thanks Farbar! I really appreciate the help!

I'm gonna be posting the results one by one, because my previous foray with MAM resulted in crashes.

Here's step 1, after MAM's Quick Scan.

Malwarebytes' Anti-Malware 1.41
Database version: 2922
Windows 6.0.6001 Service Pack 1

10/8/2009 5:12:34 PM
mbam-log-2009-10-08 (17-12-34).txt

Scan type: Quick Scan
Objects scanned: 92839
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by zhoos, 08 October 2009 - 04:18 AM.


#4 zhoos (Topic Starter)

Posted 08 October 2009 - 04:18 AM

I'm having problems running Step 2.

I cannot seem to get a command box to stay open if I copy the entire line. It opens a quick box and immediately closes. No log files are generated.

I can get a command box to open if I type in <cmd>. BUT if I type in <cmd /c> a box opens and immediately closes. No log files are found.

What should I do as a work around?

-------------------

Okay, I typed in CMD and then typed in the entire line. It scanned for a while, but this is what happens:

FILE NOT FOUND

Volume in drive C is Marsk Harddisk1
Volume Serial Number is ECF1-072C

Edited by zhoos, 08 October 2009 - 04:29 AM.


#5 Farbar

Posted 08 October 2009 - 04:30 AM

Okay open the command window by typing cmd then copy and paste the following and press Enter:

dir /a/s "%systemdrive%\tgzuuf.*" >log.txt&log.txt
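For anyone reading this later: the search above is a one-off "dir /a/s" for the file name reported in this thread. An added example, not Farbar's instruction and not a BleepingComputer tool, is the PowerShell version below. It does the same recursive search of the system drive (hidden and system files included), but keeps going past directories it is not allowed to read, lists those as blind spots in the report, and records size, timestamps and a SHA-256 hash for each hit so the file can be looked up at a scanning service without uploading it. The default pattern is the name from this thread; the report path on the Desktop is an assumption you can change.

```powershell
# Added example (not from the thread): PowerShell equivalent of
#   dir /a/s "%systemdrive%\tgzuuf.*"
# that survives access-denied directories and records hashes for each hit.
param(
    [string]$Pattern = 'tgzuuf.*',                                # name from this thread
    [string]$Root    = "$env:SystemDrive\",                        # same root as %systemdrive%
    [string]$Report  = (Join-Path $env:USERPROFILE 'Desktop\file-search.txt')  # assumed output path
)

# -Force lists hidden and system files (what dir /a does). Each directory that
# cannot be read produces a non-terminating error; -ErrorVariable collects them
# instead of stopping the search, so the report can say where the search was blind.
$hits = Get-ChildItem -Path $Root -Filter $Pattern -Recurse -Force -File `
                      -ErrorAction SilentlyContinue -ErrorVariable searchErrors

$rows = foreach ($f in $hits) {
    # A locked or protected file may not be hashable; note that rather than abort.
    $h = Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    $hash = 'UNREADABLE'
    if ($h) { $hash = $h.Hash }
    [pscustomobject]@{
        Path       = $f.FullName
        SizeBytes  = $f.Length
        CreatedUtc = $f.CreationTimeUtc.ToString('u')
        WrittenUtc = $f.LastWriteTimeUtc.ToString('u')
        Attributes = $f.Attributes.ToString()
        SHA256     = $hash
    }
}

# Build the report: summary, one block per hit, then the paths that could not be read.
$lines = @("Search root: $Root", "Pattern: $Pattern", "Matches: $(@($rows).Count)", '')
$lines += ($rows | Format-List | Out-String)
$lines += "Paths skipped (access denied or other error): $(@($searchErrors).Count)"
$lines += ($searchErrors | ForEach-Object { "  $($_.TargetObject)" })

$lines | Set-Content -Path $Report
Get-Content -Path $Report
```

Run it from a PowerShell window as the same user you would run the dir command as; a file that only appears when run elevated, or a long list of skipped paths under directories that should be readable, is itself worth mentioning to the helper, because it tells them where the search could not see.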

#6 Farbar

Posted 08 October 2009 - 04:46 AM

I saw your edit by chance. If I hadn't seen it you would have waited for days for a reply from me. Please avoid editing the post. When you post a new reply I am notified by email, but if you edit the post I get no notification, and since I have already posted a reply I wait until the next notification.

#7 zhoos (Topic Starter)

Posted 08 October 2009 - 09:37 AM

Hello again

I did the above steps for GMER, and unchecked the things you told me to. Then I ran a scan, and in a few short seconds GMER crashes and shows a "gmer.exe has stopped working" window.

:(

What can I do next?

#8 Farbar

Posted 08 October 2009 - 10:04 AM

I saw you had run ComboFix. Combofix is a powerful tool and it is not recommended to run it without the supervision of a trained helper.
Let's take a look at the Combofix log:

Please go to start -> Run. Copy and paste the bold line in the run-box and click OK:

C:\ComboFix.txt

If a text file opens up, copy and paste the content to your reply.

#9 zhoos (Topic Starter)

Posted 08 October 2009 - 10:19 AM

Hi

I tried doing that but there isn't a ComboFix.txt...

There is however, in my C: a file called ComboFix but there is no extension. Clicking on it hangs my explorer window...

#10 Farbar

Posted 08 October 2009 - 10:22 AM

I need to see the ComboFix.txt from the first run. Please copy/paste the log of the first run, located at C:\Qoobox\combofixX.txt where X is a number. Please post the log with the highest number.

#11 zhoos (Topic Starter)

Posted 08 October 2009 - 10:25 AM

I went to the directory, but there aren't any TXT files inside.

I remembered when I tried running ComboFix the program actually crashed, and hence no log file was generated.

#12 Farbar

Posted 08 October 2009 - 10:43 AM

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, Options.
  • Scroll down the list of options to select "Real-time Protection Options."
  • Uncheck "Use Real-Time Protection (Recommended)".
  • After you uncheck this, click on the Save button and close Windows Defender.

    Note: After all of the fixes are complete and I give you the clean sign, you can enable Real-time Protection again.

Download and run Win32kDiag:

#13 Farbar

Posted 08 October 2009 - 10:45 AM

Sorry the instruction was for XP.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Go to Start > Control Panel > Windows Defender.
  • Open Windows Defender.
  • Click on Tools, Options.
  • At the bottom of the Windows Defender page, under Administrator Options uncheck "Use Windows Defender" and then Save.
  • Click Close.
Note: When everything is done and your log is clean again, you can enable it again.

Edited by farbar, 08 October 2009 - 10:46 AM.


#14 zhoos (Topic Starter)

Posted 08 October 2009 - 11:03 AM

I'm not sure if the below is a good thing, but here is the stuff:

------------------

Running from: C:\Users\Marsk\Desktop\Win32kDiag.exe
Log file at : C:\Users\Marsk\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\bthservsdp.dat
[1] 2009-10-08 04:26:06 12 C:\Windows\bthservsdp.dat ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-10-08 23:17:02 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-10-08 14:37:24 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-10-08 23:16:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-10-08 23:16:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\winsxs\Temp\PendingRenames\e517b536b540ca01f605000098068407.PresentationFontCache.cat
[1] 2009-09-29 11:30:38 7307 C:\Windows\winsxs\Temp\PendingRenames\e517b536b540ca01f605000098068407.PresentationFontCache.cat ()

Cannot access: C:\Windows\winsxs\Temp\PendingRenames\ff121d28b540ca01f505000098068407.GlobalUserInterface.CompositeFont
[1] 2009-09-29 11:30:13 37665 C:\Windows\winsxs\Temp\PendingRenames\ff121d28b540ca01f505000098068407.GlobalUserInterface.CompositeFont ()

Finished!

#15 Farbar

Posted 08 October 2009 - 11:18 AM

  • Click on this link--> virustotal

    Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

    C:\Windows\System32\alg.exe

    If the file has been analysed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  • Please download mbr.exe from the following link and save it to your desktop: http://www2.gmer.net/mbr/mbr.exe
  • Double click mbr.exe to run it. You will see a brief flash of a "dos" box, which then disappears. This is normal.
  • The tool creates a log (mbr.log) on your desktop. Copy and paste the content of that log to your reply.




