
Rootkit?


12 replies to this topic

#1 qElijahq

Posted 02 January 2010 - 12:01 PM

I recently was infected with a nasty virus that caused one of the machines at our office to start spamming like crazy. As a result, our company's IP address has been added to a bunch of RBLs and we can't send email out. I think I've managed to clean everything up, but things came back and I had to battle all over again. I thought I had a rootkit and made a bunch of attempts to clean that up and think it's gone. Except mbr.exe -t is reporting the following:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02E933E00
malicious code @ sector 0x02E933E03 !
PE file found in sector at 0x02E933E19 !


It looks to me like I still have something going on and if I try to run GMER, the machine scans for a little bit then just reboots. Please help me.

Also, I forgot to mention that when I attempted to boot in safe mode, it blue screened. Not sure if that's relevant, but figured I'd mention all of the symptoms I'm having right now.

Edited by qElijahq, 03 January 2010 - 02:29 AM.



#2 qElijahq


Posted 03 January 2010 - 01:46 PM

I hate to sound impatient, but will someone please, please help me? We were put on RBLs and one of them won't take us off of their RBL list for 7 days after this mess is cleaned up, and the others are only giving us 48 hours off before they stick us back on. I have been forced to completely remove the machine from the internet for now to keep us going, but I know I'm gonna hear all kinds of crap come Monday from everyone in our office if I don't get this mess cleaned up sometime soon.

I guess I'm just worried that maybe I put this in the wrong forum or that maybe I didn't follow some proper protocol to get help. Hopefully it's just the fact that it's a weekend (and a holiday weekend at that) and I'm just waiting in a line, and it's not just some stupid mistake on my part. Please, I guess, just let me know if I did something wrong that will keep me from getting help. Thanks.

Edited by qElijahq, 03 January 2010 - 01:54 PM.


#3 trev47


Posted 07 January 2010 - 11:26 PM

qElijahq,
If this is a business PC, I would format it and reload it. Then you know the infection is taken care of. But you can continue to try and remove the malware if you like. There is still something nasty on there. Try the following:

Try downloading rkill to your desktop from one of the following links. Double click the file and a black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. If it does not work try the next file.
try this one http://download.bleepingcomputer.com/grinler/rkill.pif
or this http://download.bleepingcomputer.com/grinler/rkill.scr
or this http://download.bleepingcomputer.com/grinler/rkill.exe
or this http://download.bleepingcomputer.com/grinler/rkill.com

Download atf cleaner from http://www.atribune.org/index.php?option=c...5&Itemid=25
Run it, select all, and empty selected.

Now, download Malwarebytes from http://malwarebytes.org/ update it and run a full scan. Post the results in your next reply.

Next run a scan at http://www.eset.com/onlinescan/ and post those results

Download Dr Web CureIt from http://www.freedrweb.com/cureit/?lng=en and run it

After the above steps try running GMER again or downloading RootRepeal.

When you reply to your topic, people think someone else is helping you.

#4 quietman7


Posted 08 January 2010 - 08:45 AM

Since you say this a work computer, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. We are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. Further, the malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate measures.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 qElijahq


Posted 08 January 2010 - 09:32 AM

This is a work computer. We are a very small company (approx. 25 employees) and I am the IT department. The person that was circumventing our company policies and surfing for porn and other things in our office has been fired and I'm left to clean up this mess. I'd love to just wipe this particular machine and start from scratch, but the owner of the company, who just thinks I should be able to snap my fingers and fix it all without even one second of downtime, is not allowing that. That's why I'm here begging for help. I've been in this industry for over 20 years and have never run into anything quite this persistent. Like I said, the machine seems to be completely clean... No more e-mails going out, no other odd behavior. The only thing that still persists is the report from mbr.exe saying that it finds malicious code. I'm not sure if that truly means there is something there or if it's some sort of false positive, but I am hoping someone here is knowledgeable enough to help me figure that piece of the puzzle out.

#6 qElijahq


Posted 08 January 2010 - 09:59 AM

Thank you trev47 for your response. I am in the process of following all of the things you've recommended. So far, I've gotten through the step of running Malwarebytes (which found nothing) and am in the process of running the ESET online scanner. It's found 6 items so far. Once finished with everything, I will report back. Again... Thank you for helping.

#7 quietman7


Posted 08 January 2010 - 10:24 AM

If this is a client machine, to prevent the malware from spreading to other clients on the network keep this system separated (isolated) from all others and disable network file and printer sharing until fully cleaned. Vista users can refer to these instructions.

If you're not sure about the source of infection, start by disconnecting (isolating) all client machines from the network. Check and disinfect each client individually by performing a full system scan with your anti-virus in Safe Mode to ensure it is clean before reconnecting. After that print out and follow these Instructions for using Malwarebytes Anti-Malware and perform a Quick Scan in normal mode, then reboot the system normally. Failure to reboot will prevent MBAM from removing any malware it found which you selected for removal.

Start with the server, then one at a time, do the same for each client machine until you ensure it is clean and can be reconnected. That is a tedious task, but it ensures each machine gets individual attention and a full system scan of all files and folders. Trying to do things remotely can result in missed detections. If scanning a mapped drive only scans the mapped folders, it may not include all the folders on the remote computer. Further, if a malware file is detected on the mapped drive, the removal may fail if a program on the remote computer uses that file.

How to scan your network

On a network where the domain controller has been infected with a rootkit, you should clean the domain controller before cleaning the remaining computers on the network. See rootkit removal on a network with an infected domain controller.

If you were infected by malware that spreads to network shares or by a password stealing trojan, change the passwords for all important applications and set strong passwords for shared network resources.

The only thing that still persists is the report from mbr.exe saying that it finds malicious code. I'm not sure if that truly means there is something there or if it's some sort of false positive

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


#8 qElijahq


Posted 08 January 2010 - 10:41 AM

Here's the MBAM results.

Malwarebytes' Anti-Malware 1.44
Database version: 3513
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/8/2010 8:34:19 AM
mbam-log-2010-01-08 (08-34-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 361902
Time elapsed: 1 hour(s), 10 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 quietman7


Posted 08 January 2010 - 01:02 PM

The only thing that still persists is the report from mbr.exe saying that it finds malicious code.

Can you provide the results from mbr.log? I meant to include that in my previous comment but left it out. It should be saved to the root of the system drive (usually C:\).

#10 qElijahq


Posted 08 January 2010 - 01:07 PM

Sure... It's the same as what I originally posted, but here it is again. It's the only thing I've found recently that gives me an indication that I may still be infected. There are absolutely no other symptoms that I can find other than the fact that Safe Mode blue screens.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02E933E00
malicious code @ sector 0x02E933E03 !
PE file found in sector at 0x02E933E19 !

Edited by qElijahq, 08 January 2010 - 01:08 PM.


#11 quietman7


Posted 08 January 2010 - 02:29 PM

If the log results say both the user & kernel MBR are OK, it's not considered an MBR infection even if it indicates detected hooks/malicious code. If the output said ...MBR rootkit code detected !...MBR rootkit infection detected ! Use: "mbr.exe -f" to fix., then you would need to be concerned about an infection. The presence of just malicious code and a PE file means that there was an infection but it has been cleaned and the MBR has been restored successfully.

Mebroot overwrites the MBR of the hard disk and uses rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies sectors to include sector 0 (MBR). According to gmer, fixmbr restores only sector 0 (MBR) and as such, mbr.exe will always show all sectors that were related to Mebroot even after the infection is removed.
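An added example, not code from the thread, from GMER or from BleepingComputer: a small Python triage helper that applies quietman7's reading of mbr.exe output above ("user & kernel MBR OK" with leftover "malicious code"/"PE file" sectors means a cleaned remnant; "MBR rootkit infection detected" means an active infection). The line patterns are taken from the log posted in this thread and the strings quietman7 quotes; any other output wording is an assumption, and the active-infection sample is constructed.

```python
import re

# Line patterns taken from the mbr.exe output in this thread and the strings
# quietman7 quotes; any other output format is an assumption.
MBR_OK = "user & kernel MBR OK"
ACTIVE_MARKERS = ("MBR rootkit code detected", "MBR rootkit infection detected")
SECTOR_RE = re.compile(
    r"(copy of MBR|malicious code|PE file found).*?sector(?: at)? (0x[0-9A-Fa-f]+)")


def triage_mbr_log(text):
    """Classify an mbr.exe log as CLEAN, RESIDUAL, ACTIVE or UNKNOWN. RESIDUAL
    means the MBR verifies OK but orphaned Mebroot sectors remain on disk."""
    mbr_ok, active, sectors = False, False, {}
    for line in text.splitlines():
        line = line.strip()
        if line == MBR_OK:
            mbr_ok = True
        if any(marker in line for marker in ACTIVE_MARKERS):
            active = True
        m = SECTOR_RE.search(line)
        if m:
            sectors[m.group(1)] = int(m.group(2), 16)  # sector number as int
    if active:
        verdict = "ACTIVE"        # rootkit still in the MBR: needs mbr.exe -f
    elif mbr_ok and ("malicious code" in sectors or "PE file found" in sectors):
        verdict = "RESIDUAL"      # MBR restored, leftover sectors only
    elif mbr_ok:
        verdict = "CLEAN"
    else:
        verdict = "UNKNOWN"       # e.g. the tool could not read the MBR
    return {"verdict": verdict, "mbr_ok": mbr_ok, "sectors": sectors}


# Sample 1: the relevant lines of the log posted in this thread.
THREAD_LOG = """user & kernel MBR OK
copy of MBR has been found in sector 0x02E933E00
malicious code @ sector 0x02E933E03 !
PE file found in sector at 0x02E933E19 !
"""

# Sample 2: constructed, using the infection strings quietman7 quotes.
ACTIVE_LOG = """kernel: MBR read successfully
MBR rootkit code detected !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

if __name__ == "__main__":
    for name, log in (("thread log", THREAD_LOG), ("constructed log", ACTIVE_LOG)):
        print(name, "->", triage_mbr_log(log)["verdict"])
```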

#12 qElijahq


Posted 08 January 2010 - 02:41 PM

Ok...Thank you very much. Nothing has been going on and I've felt reasonably confident that everything was ok, but that malicious code line scared me a little. I feel reassured now that all is well and am going to put this issue to bed. Again, thank you for your help.

#13 quietman7


Posted 08 January 2010 - 03:04 PM

You're welcome.
