
rootkit attack


33 replies to this topic

#1 Dave Supon

Dave Supon

  • Members
  • 22 posts
  • Location:western NY

Posted 11 November 2009 - 04:11 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/269635/malware-infected/ ~ OB

Pasting in additional information from other topic. ~ OB

I keep getting warnings that my files are corrupted and cannot be read. Most of the time it involves AppData\roaming files. The message usually says to run chkdsk, which I have done several times at startup with Task Scheduler. No effect. My email will not connect. I can use Explorer but it will not connect to websites that require a password and sometimes others as well. An IT person says I have a malware issue. I have downloaded ComboFix and have saved the text report for someone who is willing to help me.

End of added information. ~ OB

here is my text file result:

Attached File  Win32kDiag.txt   1.6KB   12 downloads

Edited by Orange Blossom, 11 November 2009 - 10:10 PM.



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,772 posts
  • Gender:Female
  • Location:At home

Posted 20 November 2009 - 05:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

Since you already ran it, I would like to see the log from it, to see what happened on your PC.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 Dave Supon


Posted 20 November 2009 - 01:08 PM

I have to download the files on another laptop and transfer them to the computer that is not working. When I start my computer I get a message that my logonUI.exe file is corrupt and to run chkdsk. I enter my password and Windows does start up. I then switch on my wireless internet connection and I get the message that the file sprtcmd.exe is corrupt. I have no way to use the internet or email as they will not connect. The wait-while-I'm-busy circle just keeps spinning and the programs do not respond. Outlook will not accept either of my two email accounts' passwords.

Your email responses are going to my other computer email so I can stay in touch with you. So far the transferring of files to my broken machine is working ok.

I ran the OTL file and here are the results.

Thank you for taking the time to help!

Attached Files



#4 myrti


Posted 22 November 2009 - 11:25 AM

Hi,

I see you have run Combofix on your system.
ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

Please check if C:\combofix.txt is present on your PC, if so, please post the content of the file in your next reply.

Have you run chkdsk on your system as indicated by the error message? If not please try to do so now and let me know if that fixes (some of) your problems. Could you provide a log?


Please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



#5 Dave Supon


Posted 24 November 2009 - 11:06 AM

Hi Myrti,

I have used chkdsk repeatedly as a start up task with no error or other messages. I do not observe any positive changes as a result.

I'm attaching the text reports from running the gmer and combofix programs.

Incidentally, scans by both PC-Cillin and Windows Defender show no signs of an attack.

Thanks.

Attached Files



#6 myrti


Posted 24 November 2009 - 03:49 PM

Hi,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files you mentioned before:

logonUI.exe
sprtcmd.exe

then click Submit. You will only be able to have one file scanned at a time.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Do you have your Windows-CD handy, we might need it?

regards myrti



#7 Dave Supon


Posted 24 November 2009 - 05:40 PM

Myrti,

I've changed the view to show hidden files. I've tried both programs but I can't get a scan. I receive a message saying the file is not accessible.

I do have my Windows CD.

Dave

#8 myrti


Posted 24 November 2009 - 05:48 PM

Can you please try to copy the file from its location onto your desktop, rename it to file.ext and upload it once more?

regards myrti



#9 Dave Supon


Posted 24 November 2009 - 05:59 PM

myrti, I can't get to the file logonUI.exe because "tabletextservice is corrupt and unreadable". I can't get to the file sprtcmd.exe because "the file or directory is corrupt and unreadable".

#10 myrti


Posted 24 November 2009 - 06:13 PM

Hi,

ok, we are going to try to run a system file integrity check, for which you may need your CD. This should fix all corrupt or broken files.

Please run a system file check.

Click Start > All Programs > Accessories then right-click Command Prompt and then click Run as Administrator. Then type in this command

sfc /scannow

Make sure to include the space between the first "c" and the "/".

This will run the System File checker and it will scan for corrupt or missing files. It may prompt you to insert the CD if it needs to obtain files.

Please post back when it has finished letting me know what it has reported.

regards myrti



#11 Dave Supon


Posted 24 November 2009 - 06:46 PM

myrti,

under start > all programs > accessories I do not have Command Prompt. I also do not have Notepad, Blue Tooth File Transfer Wizard, or Run. Maybe others!

Can I get to a cmd prompt another way?

#12 myrti


Posted 24 November 2009 - 06:54 PM

Hi,

can you please press the Windows key and R and tell me if this brings up the run command?

Otherwise please try to show the run command in your start menu using the following instructions:
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.

Honestly speaking though, I think your best option here is a repair install. This will replace all system files and leave your data and programs alone. It should be the quickest and easiest solution, because there seems to be something very wrong with most of your operating system.

regards myrti



#13 Dave Supon


Posted 24 November 2009 - 07:10 PM

Myrti,

Pressing the Windows key and R does bring up the run command window. I typed in sfc /scannow and for a split second the command prompt window came on but then vanished immediately. I know because of the black background in the box. I tried several times with the same result each time.

I did place the run command in the start menu.

What now?

#14 myrti


Posted 24 November 2009 - 07:18 PM

Hi,

sorry I forgot about the need of elevated rights. This is the reason it is not working.

Do you still have the search option in windows start menu? If so please type cmd.exe into it. You should get the cmd.exe listed as a result, if so please right-click it and select run as administrator.

Once you have the elevated command prompt, please type in sfc /scannow once more, this should now work.

regards myrti

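The checks asked for in posts #6 and #10/#14, as an added PowerShell example that is not part of the thread: it tests whether the two named files can actually be read (the "corrupt and unreadable" symptom), records their Authenticode signature status and SHA-256 before anything is uploaded to Jotti or VirusTotal, and then starts the sfc scan from the already elevated session. It assumes PowerShell 4 or later for Get-FileHash and that the prompt was opened with "Run as administrator"; since the thread never gives a path for sprtcmd.exe, the script searches for it rather than assuming one.

```powershell
# Added example, not from the thread. Assumes PowerShell 4+ (Get-FileHash)
# and an elevated session, which sfc needs (the point of post #14).
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal] $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Open PowerShell with "Run as administrator" first.' }

function Test-FileReadable {
    param([string]$Path)
    # A file NTFS reports as "corrupt and unreadable" fails here with an
    # I/O error, which is different from an access-denied error.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $buf = New-Object byte[] 4096
        [void]$fs.Read($buf, 0, $buf.Length)
        $fs.Close()
        return $true
    } catch {
        Write-Warning ("{0}: {1}" -f $Path, $_.Exception.Message)
        return $false
    }
}

# The two files named in the error messages. The thread gives no path for
# sprtcmd.exe, so search under the usual roots rather than assume one.
$names = @('LogonUI.exe', 'sprtcmd.exe')
$report = foreach ($name in $names) {
    $hits = Get-ChildItem -Path $env:SystemRoot, $env:ProgramFiles -Recurse `
        -Filter $name -File -ErrorAction SilentlyContinue
    if (-not $hits) { Write-Warning "$name not found"; continue }
    foreach ($f in $hits) {
        $readable = Test-FileReadable $f.FullName
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path      = $f.FullName
            Readable  = $readable
            # Valid = signed file untouched; HashMismatch = contents changed
            # since signing; NotSigned / UnknownError = look closer.
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = if ($readable) { (Get-FileHash -Algorithm SHA256 $f.FullName).Hash } else { 'n/a' }
        }
    }
}
$report | Format-List
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\file-triage.csv" -NoTypeInformation

# Then the integrity check from post #10, now that the session is elevated.
& "$env:SystemRoot\System32\sfc.exe" /scannow
```

The CSV on the desktop is what you would paste into the reply alongside the sfc output; a HashMismatch on a system file, or a file that is unreadable while the rest of the directory reads fine, is the thing to report.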


#15 Dave Supon


Posted 24 November 2009 - 09:31 PM

myrti,

I was able to do what you suggested and I got the command prompt to work. Here is what it said:

c:\windows\system32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 41% complete.
Windows Resource Protection could not perform the requested operation.

Dave



