
Infected with RootKit?


This topic is locked
35 replies to this topic

#1 LISpeedyG

LISpeedyG

  • Members
  • 22 posts

Posted 21 December 2009 - 09:11 PM

Hi,

First time here..
Unfortunately, I come bearing a problem. My computer goes through a complete start up and then hangs and I am unable to run any programs.

I have included the requested text files (zipped) from DDS and RootRepeal.

Please let me know what actions to take. At the moment I can only use the computer in Safe Mode.

Thank You.
Gus

Attached Files




#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 21 December 2009 - 10:26 PM

Greetings LISpeedyG and Welcome to the Forums,

I've noted that you have Acronis True Image installed and that it schedules backup images for you automatically. It would be wise to disable this software until we finish cleaning your computer...as you yourself have stated, the system does have a rootkit infection.

You should also keep in mind that any images of this system that you have already saved may also contain this rootkit infection and should be removed AFTER we finish with the cleanup.

I should also mention that one or more of the applications you have installed may have come bundled with the ASK Toolbar. I know "Foxit" is one (among many) programs that bundle the ask toolbar with it. That toolbar is spyware and should be uninstalled. Whichever program it was that bundled it will still work just fine without it.

I will also need you to disable your Ad-Watch protection...it is known for causing interference with some malicious software removal efforts. To disable it:
1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: Switches Monitoring On or Off without closing
Automatic: Switches Automatic Blocking On or Off
3. Uncheck (red X) both items.

Remember when we have completed cleaning your machine to turn them back on using the same steps but this time select ONLY Active. Ad-Watch will prompt you to accept those registry changes that were made in the cleanup. They must be accepted.

Next, please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • When the utility opens click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until the instruction is given.

...On your next reply, please include the "Attach.txt" log from your DDS scan and please run a fresh gmer scan and post back THAT log as well. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 21 December 2009 - 11:23 PM

Hi, and thanks 1972Vet..

1. I have included the new files you indicated.. I presumed you wanted me to re-run the RootRepeal tool, i.e., GMER?
2. I have disabled AdAware completely until the repairs are completed.
3. FYI.. I am running all the tasks in Safe Mode w/Networking (I trust that it's ok)
4. I have always uninstalled the ASK tool bars. Are they still active?

Thanks again for your help.

Gus

Attached Files



#4 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 22 December 2009 - 08:41 AM

Hi,

After thinking on what I posted last... I decided to look for GMER on this site and run it also in case my assumption was incorrect (per my last post).

However, every time I try to run GMER it crashes. So, I hope the last attachments were acceptable.

Thanks Again for your help..
Gus

#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 22 December 2009 - 10:31 AM

1. I have included the new files you indicated.. I presumed you wanted me to re-run the RootRepeal tool, i.e., GMER?
Sorry...rootrepeal will do.

...3. FYI.. I am running all the tasks in Safe Mode w/Networking (I trust that it's ok)
No, it's indeed NOT ok. Please perform these steps in your normal windows user mode unless directed otherwise. The reasoning for this is because some malware actually will not run in safe mode...probably not always a real issue, but could be in your case. Normal mode will cause the tools we use to see what is running when you log on to windows.

4. I have always uninstalled the ASK tool bars. Are they still active?
Yes but I'm not surprised. Junkware isn't written by the best programmers so it stands to reason that an uninstall attempt is incomplete.

...After thinking on what I posted last... I decided to look for GMER on this site and run it also in case my assumption was incorrect (per my last post).

However, every time I try to run GMER it crashes. So, I hope the last attachments were acceptable.

You did fine. I am interested in your statement about GMER not running for you since you had indicated you performed all these tasks in safe mode. Please confirm on your next reply, that you did indeed run GMER in safe mode. GMER is one utility that is supposed to run just fine in a safe mode environment while other rootkit scanning tools will not. I will analyze these logs later today and get back to you with more instructions. Thanks!



#6 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 22 December 2009 - 10:57 AM

I have, indeed, been running in safe mode w/Networking.

After your last comment, I rebooted into Safe Mode wo/Networking. And, still GMER crashed as it was scanning. I saved the error message it wanted to send to Microsoft and am including it here.

Please let me know how to proceed.

Thanks,
Gus

Attached Files



#7 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 22 December 2009 - 12:55 PM

Defogger and Rootrepeal look to have interfered...reboot the system and from your normal windows user mode, try running gmer once more. Post back the results.



#8 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 22 December 2009 - 01:00 PM

I don't believe that I will be able to boot normally.. Each time I have tried (before your intervention) the computer freezes. But, I will try now..

#9 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 22 December 2009 - 01:34 PM

Ok.. I managed to startup in Normal Mode after I disabled all network connections.
Unfortunately, GMER still failed. I zipped up the error report here.

Please let me know how to proceed.

Thanks for your help,
Gus

Attached Files



#10 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 22 December 2009 - 02:34 PM

OK, let's just put gmer aside for the time being and deal with what's more pressing currently. The "Attach.txt" log shows software on the system that, in my opinion, is directly responsible for your current issues. These programs below, although they can be used for legitimate purposes, I firmly believe are used most often for illegal purposes...they are:
BitLord 1.1
PeerGuardian 2.0


On occasion I will run into a user who had no idea before I told them that those type programs are both used illegitimately and likely to be the culprit behind 90% of infected systems.

There are however legitimate reasons for having and using them. Can you tell me:
1) Did you install them
2) Do you use them
3) ...and if yes to 1 & 2, then for what purpose

Regardless of your answer though, I will need to have you uninstall them until we finish with this cleanup session. Next, the program SpyHunter is on the SpywareWarrior's list of rogue/suspect anti-spyware applications. Those type programs are most often either loaded with malware when downloaded, or download problems for you after you install them...additionally, that type of malware is written with the intent of taking your computer hostage for ransom. The program would continuously pop up warnings regarding problems it found and usually require that you PAY money before it allegedly fixes those problems. Some of these are uninstallable. Try to locate an uninstall string for your SpyHunter and remove it.

Next, all of these are outdated and exploited:
J2SE Development Kit 5.0 Update 4
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 14
...which means that some web sites you may visit (or be directed to) can take advantage of the exploit and cause more security problems for you when you visit them. Please uninstall them as well. We will install the latest version of Java only AFTER we are convinced that the system is cleaned.

When you finish with all of the above, please run another DDS scan and post back the resulting log along with the "Attach.txt" log. Thanks!



#11 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 22 December 2009 - 04:37 PM

Ok.. I have uninstalled all the programs and their associated files. Also, I have taken the liberty to uninstall several others that might be problematic (one in particular was uTorrent).

This computer was a recycled laptop from a cousin that recently bought a new one and was unable to resolve this machine's problems. It was donated to me since I have been out of work for almost 2 years and am trying to make a go at a consulting business..

I have attached the new files as you asked.

Thanks,
Gus

Attached Files



#12 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 22 December 2009 - 04:50 PM

Thanks for that information LISpeedyG,

Since this was given to you for your personal use now, please take the time needed to go through your Add/Remove programs listing so you can uninstall all of the software that your cousin had installed, which you believe you will not be using. Post back when you finish and run a fresh DDS scan. Post back THAT log now, along with the Attach.txt. Thanks!



#13 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 24 December 2009 - 10:36 PM

Hi Again,

Well, it's taken me days to remove just a few applications. The computer is so slow that it literally took me an entire day just to remove 1 application. And, now it takes me over 40 minutes just to boot up. And once it boots up (if the screen is not blank) it freezes to the point that I need to manually power off the computer and try to restart.. It now feels like the problems are getting worse and not better.

I am just about ready to give up on this. Can you please give me some ideas as to where to go from here? I cannot keep up this endless rebooting and waiting. If you cannot help me with this any further please let me know.

Thanks and have a happy holiday.
Gus

#14 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 25 December 2009 - 06:13 AM

Post back when you finish and run a fresh DDS scan. Post back THAT log now, along with the Attach.txt. Thanks!

I need to see those two logs I requested now to compare with your originals so we can continue. Thanks for your patience and understanding in this matter.



#15 LISpeedyG

LISpeedyG
  • Topic Starter
  • Members
  • 22 posts

Posted 26 December 2009 - 11:17 AM

Thanks.. Attached are the logs. Please let me know if you can help.

Attached Files