
Help please. Rootkit max++?


  • This topic is locked
5 replies to this topic

#1 FrogmanMickey

  • Members
  • 45 posts

Posted 04 November 2009 - 11:34 PM

Hi

Based on what I have read on this forum and Major Geeks, I believe my wife's computer may have a Rootkit infection, perhaps max ++? The effects are that anti-virus programs such as Spybot and Malwarebytes are disabled and return an error message: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item" and Internet Explorer browser re-directs when trying to access various web sites via Google (although it hasn't hijacked the home page). I was able to run Ad-aware, but it did not find anything.

Since the installed virus scanners would not work, I used my "clean" laptop to download some rootkit scanners to a flash drive and ran them on the wife's computer. Norman scanner is updated daily and claims to find and eradicate rootkit infections, but it didn't find anything. However, there were a number of "access denied" entries in the log it generated. fseasyclean just crashed. Sophos Anti-Rootkit found 360 hidden files, but for every one of them it said "clean up not recommended for this file", so I took no action. Helios Lite wouldn't run. RegRun Reanimator identified a max ++ infection and I followed the instructions to get rid of it, but after going through the routine and reboot, the way the computer behaves did not change. If anything, it was worse. Not only were Malwarebytes and Spybot still disabled, so was Reanimator! And Google links still re-direct. So it seems that there is no simple fix to this like "download and run this utility and your problem will be solved".

For past problems, I have typically been able to apply advice given to others on forums like this one to cure them myself. But for this one, it seems that each person who has inquired has had to be led through a step-by-step series of actions to finally eliminate this infection. So I am writing to ask if you can please lead me on this journey also. I am contacting you on my own clean computer so as not to risk interference from the virus. The steps you advise I will apply to the wife's computer. She is running Windows Vista 32-bit OS. It is an HP laptop and has a partition containing HP_RECOVERY, if anything in there might be of value.

To avoid interference from virus protection software, I have removed all of them from her computer except AVG (free version). I have read the instructions on temporarily disabling AVG, and will do so when you advise.

Based on advice I have already read on this forum, Major Geeks and Spybot forum, I have downloaded the following programs to a flash drive using my clean computer and can deploy them if, when and how you advise.

Win32kDiag.exe
peek.bat
erunt-setup.exe
SystemLook.exe
Inherit.exe
Combofix.exe (fake named C2OkMuByO2FcIrXs)
GMER (fake named G2MkEuRy6b3s.exe)
avenger.exe
junction.exe
dds.scr
mbam-clean.exe
ATF-Cleaner.exe
OTC.exe
rkill.exe
RootkitBuster.exe
DarkSpy_EN.exe
Helios Lite.exe
PAVARK.exe
Rootkit_Detective.exe

I am not particularly looking forward to this expedition but I appreciate your guidance in successfully navigating it. Shall we begin?

To expedite matters, based on other posts I read, I ran Win32kDiag.exe on the infected computer and generated a log. I attempted to copy and paste the log here to give you something to work with, but I got an error message saying that the post was too long. So you will have to advise how I can get the log into your hands without exceeding the post size limitation.

Cheers.
Frogman Mickey


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,567 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 November 2009 - 11:47 PM

Hello, take that log.

Next, please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.
Use multiple posts if needed.

Let me know how that went.

#3 neilmac

  • Members
  • 38 posts

Posted 05 November 2009 - 03:47 PM

Personally, when I run into these types of problems where all else fails, I first try booting into safe mode with networking and downloading Avira AntiVir at www.avira.com. They have the best I've ever seen in free antivirus that doesn't hog all your resources, and it has an excellent detection rate; it finds viruses that all others fail to find. Better than AVG by far. By booting into safe mode you stop a virus from running itself and its effects; it runs Windows with the bare minimum of drivers needed. To boot into safe mode, either press F8 repeatedly as soon as the computer switches on, or when you see the Windows loading splash screen switch off the computer; because Windows fails to load, you get the extended boot menu. If this doesn't work, then I attach a drive to the infected computer and back up all the files I want to save. Clickfree at www.goclickfree.com offers a reliable, easy-to-use backup drive and software for backing up everything but the operating system, unless you want it to. Then, once you have that done, reinstall from scratch, first finding out if you need to have a recovery disc created to use the partition or if you need to press certain keys at boot-up to activate the partition. Get a copy of your network, modem, etc. drivers on a USB stick; if they are in RAR or ZIP format, then download WinRAR or 7-Zip etc. too and put that onto the USB stick too. Once you have reinstalled the operating system and gotten the internet to work, and before you do any other installing of software or copying the backed-up items onto the system, install Avira and run a full update and system scan. Then scan the backup drive you have your backed-up files on. Then you can reinstall all of your programs etc.
Once you have this done, you can, if you wish, download a copy of Clonezilla and then clone to a spare HDD that fits into your system like a primary drive, cloning your drive in its entirety, or one that is big enough to store an image file of your HDD that can then be restored to your primary drive in the event of the same thing going down in the future. The plus to the image or complete cloning is that in the event of having to start from scratch you won't have to reinstall all your programs as well, which takes forever from experience. I have had to do what you have to before as well. If you use Firefox, get the WOT (Web of Trust) add-on; it lets you know about the sites you're visiting and how reputable they are. Also Adblock Plus is good, and get KeyScrambler too so your keystrokes are encrypted, stopping keyloggers from getting hold of your passwords. Also, if you have many sites you are subscribed to, get LastPass; it saves all your logins and auto-logins you to your subscribed sites, manages passwords, form fills, etc. It's great, and you don't lose everything by reinstalling as it's remotely saved; all you do is install the add-on and log in with your master password and all your sites are back up. I hope this has been a help; let me know if it has @ neilmaclennan555@gmail.com

#4 neilmac

  • Members
  • 38 posts

Posted 06 November 2009 - 12:14 AM

I just reread what I wrote for you; sorry for all the bad grammar. I hope it didn't confuse you. Post a reply if you need clarification on anything. I will keep coming back to check on your topic.

#5 FrogmanMickey
  • Topic Starter

  • Members
  • 45 posts

Posted 06 November 2009 - 02:24 AM

To Moderator Boopme: You will find the log in the forum topic you advised. Its title is the same as this one: Help, please. Rootkit max++?

To neilmac: Thanks for taking the time to impart all of that good advice. I am going to print it out and study it to see what I can do to implement it. It sounds like an excellent way for a person to provide a way to recover from nasty messes like this one. I hate to contemplate wiping the hard drive and starting over from scratch, but if it turns out there is no other choice, you have provided some good guidance as to the steps to take. I will let the BleepingComputer folks try to help me eradicate the virus without wiping the drive. Hopefully it can be done. Then I will see about implementing your suggestions for having a backup. The infected computer is a laptop, so there is no way to install another drive. But large external hard drives are easy enough to come by these days. I do have a small one already that we use for backing up our digital photos. I would have to get another that is as large as the hard drive in the computer, but they are not all that costly, considering what is at stake.

Cheers, all
Frogman Mickey

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,567 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 November 2009 - 03:59 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.