Infected with a Rogue AV, and possibly a rootkit.


17 replies to this topic

#1 esde
  • Members
  • 31 posts
  • Gender: Male
  • Location: Florida

Posted 06 April 2010 - 02:31 PM

The PC is an eMachines E625, Microsoft Windows XP Home Edition SP2. The PC came to me with a Rogue AV and no internet connectivity. I removed the proxy (127.0.0.1:5555), and still could not get an IP. I reset all IE settings, reset winsock, checked for restrictive policies, checked for registry proxy settings, uninstalled the NIC, reinstalled it, attempted to manually set an IP address with correct settings, and it still would not ping the gateway or show any signs of connectivity.

I ran MalwareBytes from the 3-31 rules.ref file and removed all the infections it found; but without connectivity I don't know how to update it manually. I am currently running gmer to check for rootkits and will post with the results once it is completed.

Also, I attempted to run ComboFix and two things happened worth mentioning: there were 2 files it "got stuck" on deleting. One was a .sys file in %WinDir%\system32\drivers and the other was a .exe in %UserProfile%\start menu\programs\start up; both with random file names. Also, when it got to stage 50, it would not go any further. Not for lack of patience...I waited 6 hours. Any help is greatly appreciated.
I do not see why man should not be just as cruel as nature.
-Adolf Hitler

#2 boopme (To Insanity and Beyond)
  • Global Moderator
  • 72,740 posts
  • Gender: Male
  • Location: NJ USA

Posted 06 April 2010 - 03:41 PM

Hello, hold off on ComboFix and post GMER.

Let's also see if there is anything in MBAM.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 esde (Topic Starter)

Posted 06 April 2010 - 03:57 PM

I can't connect to the internet on that pc, but I've heard about updating MBAM manually, will that suffice?

#4 boopme (Global Moderator)

Posted 06 April 2010 - 04:02 PM

Sure it will...


If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

Edited by boopme, 06 April 2010 - 05:18 PM.


#5 esde (Topic Starter)

Posted 06 April 2010 - 04:07 PM

Sweet, I will do this first thing in the morning if not tonight, then report back afterwards. Also, your final line of that template is missing a preceding [color] tag.

#6 boopme (Global Moderator)

Posted 06 April 2010 - 05:19 PM

Edited, thanks. Post 'em when you've got 'em.

#7 esde (Topic Starter)

Posted 06 April 2010 - 06:16 PM

Quick update, MBAM found three infections, one was in the root drive, randomly named exe. The other two were in Program Files\AVSoft, so it's safe to say the infection was Anti-Virus Soft.

#8 boopme (Global Moderator)

Posted 06 April 2010 - 07:08 PM

Very probable..

#9 esde (Topic Starter)

Posted 06 April 2010 - 07:09 PM

I have removed what seem to be all the infected files, but now I need to get the network connectivity restored, and I've tried just about everything I can think of. Ideas?

#10 boopme (Global Moderator)

Posted 06 April 2010 - 07:35 PM

I know you've done some of this, but now that the malware is out....

Try this: open Control, Internet Options, Connections tab, LAN settings, and uncheck the box next to "Use a proxy server...".
OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.

Go Start > Run > type: "cmd". In the window that appears type: "ipconfig /flushdns". Close the command box.

Please go to Start -> Control Panel, and choose Network Connections. Then right-click on your default connection, usually Local Area Connection (or Dial-up Connection if you are using dial-up), and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

#11 esde (Topic Starter)

Posted 06 April 2010 - 07:43 PM

Just did all of the above, and I still can't get an IP.

#12 boopme (Global Moderator)

Posted 06 April 2010 - 08:46 PM

See step 4 here...
http://www.bleepingcomputer.com/virus-remo...-antivirus-soft

#13 esde (Topic Starter)

Posted 06 April 2010 - 09:47 PM

Sorry, maybe I wasn't clear, I cannot get an IP Address. If the 127.0.0.1:5555 proxy was active I would be able to get an IP but not surf the web. Also, as implied and stated in my original post, I removed the proxy, then double checked once I removed the infections. The issue I am having is not being able to obtain an IP address from my DHCP server. I am stuck with the 169.254.XX.XXX IP.

#14 cryptodan (Bleepin Madman)
  • Members
  • 21,868 posts
  • Gender: Male
  • Location: Catonsville, Md

Posted 07 April 2010 - 04:53 AM

Is DHCP Client running?

#15 esde (Topic Starter)

Posted 07 April 2010 - 08:39 AM

Yes, the DHCP Client service is set to Automatic and it is started.
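The checks the thread walks through one by one (the WinINet proxy left behind by the rogue AV, the DHCP Client service state from post #14, whether an adapter is sitting on a 169.254 APIPA address or a static one, and the Winsock catalog that "netsh winsock reset" in post #10 rebuilds) can be gathered in a single read-only pass. The script below is an added example, not code from this thread or from BleepingComputer; it assumes PowerShell 2.0 with WMI (available on XP SP2 and later), and the function name Get-ThreadNetworkIndicators is my own. It changes nothing on the machine; it only reports, so it is safe to run before and after the fixes above to see what each one actually altered.

```powershell
# Added diagnostic for the symptoms in this thread (not code from the thread
# or from BleepingComputer). Read-only: it changes nothing. Assumes
# PowerShell 2.0 with WMI; the function name is hypothetical.

function Get-ThreadNetworkIndicators {
    # 1. WinINet proxy (Internet Options > Connections > LAN settings).
    #    The rogue AV in this thread pointed it at 127.0.0.1:5555; with nothing
    #    listening there the browser fails even when the NIC is fine.
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey
    $loopbackProxy = ($ie.ProxyEnable -eq 1) -and
                     ($ie.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost)(:\d+)?(;|$)')

    # 2. DHCP Client service (cryptodan's question in post #14). If it is
    #    stopped or disabled, no lease can be obtained at all.
    $svc = Get-WmiObject Win32_Service -Filter "Name='Dhcp'"

    # 3. Per-adapter addressing. 169.254.x.x (APIPA) means the DHCP request
    #    went unanswered; DHCPEnabled=False means a static address was left
    #    behind by a manual setting.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
    $adapters = @(foreach ($n in $nics) {
        $ips = @($n.IPAddress)
        New-Object PSObject -Property @{
            Description = $n.Description
            DHCPEnabled = $n.DHCPEnabled
            DHCPServer  = $n.DHCPServer
            IPAddress   = ($ips -join ', ')
            APIPA       = [bool](@($ips | Where-Object { $_ -like '169.254.*' }).Count)
            DNSServers  = (@($n.DNSServerSearchOrder) -join ', ')
        }
    })

    # 4. Winsock catalog, which 'netsh winsock reset' (post #10) rebuilds.
    #    A Layered Service Provider loaded from outside system32 is only a
    #    heuristic flag; legitimate security software installs LSPs too.
    $catalog = netsh winsock show catalog
    $paths = @($catalog | Select-String -Pattern 'Provider Path' |
        ForEach-Object { ($_.Line -split ':', 2)[1].Trim() })
    $nonSystem = @($paths | Where-Object {
        $_ -and ($_ -notmatch '(^%SystemRoot%|\\Windows)\\system32\\')
    })

    New-Object PSObject -Property @{
        ProxyEnable       = $ie.ProxyEnable
        ProxyServer       = $ie.ProxyServer
        LoopbackProxy     = $loopbackProxy
        DhcpServiceState  = $svc.State
        DhcpServiceStart  = $svc.StartMode
        Adapters          = $adapters
        NonSystemLspPaths = $nonSystem
    }
}

$r = Get-ThreadNetworkIndicators
$r | Select-Object ProxyEnable, ProxyServer, LoopbackProxy, DhcpServiceState, DhcpServiceStart | Format-List
$r.Adapters | Format-Table Description, DHCPEnabled, APIPA, IPAddress, DHCPServer, DNSServers -AutoSize

# Plain-language summary of the same findings, matching the thread's steps.
if ($r.LoopbackProxy) {
    Write-Warning 'Loopback proxy still set: clear it under LAN settings.'
}
if ($r.DhcpServiceState -ne 'Running') {
    Write-Warning "DHCP Client service is $($r.DhcpServiceState) (start mode $($r.DhcpServiceStart))."
}
if (@($r.Adapters | Where-Object { $_.APIPA }).Count -gt 0) {
    Write-Warning 'An adapter holds a 169.254 address: the DHCP request got no reply.'
}
if ($r.NonSystemLspPaths.Count -gt 0) {
    Write-Warning ('Winsock LSP outside system32: ' + ($r.NonSystemLspPaths -join '; '))
}
```

Run it from an administrator prompt so the Winsock catalog and WMI service data are complete. An APIPA address with the DHCP Client service running and no proxy set, which is where post #15 leaves this thread, points away from the things the script can see and toward the link itself or a host firewall, so the next things to compare are the adapter's media state and the firewall's outbound rules for port 67/68.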



