firefox hijack + Trojan Rootkit + more: what next?


This topic is locked
5 replies to this topic

#1 try_and_fix_it


Posted 09 April 2010 - 01:27 PM

Hello,

I am dealing with a friend's computer which seems to have a bad case of various malware and possibly rootkit(s). She had some guests over and their 15-year-old was the last person using the computer before the symptoms appeared; he either caught it from some online gaming site or possibly some pr0nsite (can't tell, all history has been wiped).

The original symptoms were that the computer pretty much refused to do anything. She had a friend over to help and they did a full scan with AVG in safe mode, which found and removed a few of the problems but not all:
  • Trojan Horse Downloader Generic.9.BNNG
  • Trojan Horse Crypt.SAF
  • Trojan Horse Cryptic.EA
  • Trojan Horse Rootkit-Agent.DI
Then I got involved, and the obvious symptom now was this:
all searches on Google redirected to spurious other search pages which then redirected again to other pages (usually IP addresses instead of URLs, which seems related to the goored infection) containing malware payloads, some of which were caught/flagged by AVG resident shield.
XP Firewall was disabled and notification turned off in the Security Centre.
Another full scan revealed nothing, but while it was running the resident shield of AVG caught some infected files containing that last Rootkit-Agent in the above list; the file was
C:\windows\system32\drivers\ndis.sys which could not be cleaned as the process involved was svchost.exe from the system32 folder once again.
I restarted from the XP CD and replaced that file with the one from the CD, to no avail; it came up again flagged by the resident shield.

I disabled System Restore, did a cleanup with CCleaner, and installed Malwarebytes, which found and removed even more stuff.

Rescanned with AVG and Malwarebytes once again.

Still no dice: the redirects from Google have now stopped, but Firefox is opening random tabs which, if not closed, redirect to pages with malware payloads.
That ndis.sys file was flagged again, this time as: C:\windows\system32\dllcache\ndis.sys
I downloaded GMER, which flags C:\windows\system32\drivers\atapi.sys as having a suspicious modification, and mousclass.sys in the same folder.
I am keeping her machine off the internet unless I need to download something else to fix the problem.

I am now at a loss as to what the next step should be, so I'll be waiting for instructions on what to do next.
If needed I have GMER and HJT logs ready to post.

The machine is running XP SP2.


#2 try_and_fix_it


Posted 12 April 2010 - 05:36 AM

Hi again,

Sorry for bumping, but my friend is getting quite desperate to get her computer back and I am starting to consider just backing up her data, then formatting and reinstalling from scratch. If no one can help, could someone answer these questions maybe:
1- If I use a Linux live CD to back up her important files (no executables/scriptables), will I be able to see any of the Windows hidden extensions? (I read that some, such as .pif, are never visible within Windows.)
2- Is it likely or unlikely that any ISO images would get infected by malware?

I will wait until later today first to see if anyone has time to help.

#3 trollocks


Posted 12 April 2010 - 08:31 AM

> I downloaded GMER which flags C:\windows\system32\drivers\atapi.sys as having a suspicious modification
> If needed I have a GMER and HJT logs ready to post.

You have a rootkit and you will need to post your logs here.
You seem to be in quite a rush, so bear in mind that you may have to wait a few days for a reply.

#4 try_and_fix_it


Posted 12 April 2010 - 08:43 AM

> I downloaded GMER which flags C:\windows\system32\drivers\atapi.sys as having a suspicious modification
> If needed I have a GMER and HJT logs ready to post.
>
> You have a rootkit and you will need to post your logs here
> You seem to be in quite a rush so bear in mind that you may have to wait a few days for a reply.

Thanks for the reply.
I will post my logs there; the reason for asking here was to see if I needed to do anything else or provide some other scans before actually posting.
It's my friend who is in a hurry; my computer is fine and I am running Linux on there.

#5 try_and_fix_it


Posted 13 April 2010 - 05:34 AM

Hi again,

I have posted my GMER log in the correct forum and am waiting for help there. My friend is getting quite impatient with me, though, so just in case she pushes me to do a full reinstall before I can get help with fixing the problem, I will have to back up her important documents. Can someone tell me whether the following types of files risk having been infected/modified by the rootkit and other malware the machine has had:
.iso
.doc
.pdf
.xls

Also, I read in a post that certain types of extensions used to hide malware do not show in Windows even with the hidden files view enabled in the folder settings (I think it was .pif and .scr). The second question is then:
would these extensions show if viewed on a Linux system?

Thank you all for helping.
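An added example, not written by anyone in this thread: a small Python script that could be run from the Linux live CD before copying anything. Linux shows the full file name, so the script buckets files by what the name actually ends with, reporting program/script files and double-extension names such as invoice.pdf.exe separately from the documents to be kept. The extension lists are my assumptions, not an exhaustive set.

```python
"""Sort a backup tree into documents vs. files that should not be copied."""
import os
from pathlib import Path

# Extensions Windows will run as a program or script (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".lnk", ".dll", ".sys"}
# Document types the poster wants to keep (from the thread).
DOCUMENT_EXTS = {".doc", ".xls", ".pdf", ".iso"}


def classify(name: str) -> str:
    """Return 'executable', 'double-extension', 'document' or 'other'.

    Only the file name is inspected; the check is case-insensitive because
    Windows treats INVOICE.PDF.EXE and invoice.pdf.exe the same way.
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return "other"
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        # 'invoice.pdf.exe' looks like a document in Windows Explorer when
        # known extensions are hidden, but it would be launched as a program.
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            return "double-extension"
        return "executable"
    if last in DOCUMENT_EXTS:
        return "document"
    return "other"


def scan_tree(root: str) -> dict:
    """Walk root and return sorted file paths grouped by classify()."""
    buckets = {"executable": [], "double-extension": [], "document": [], "other": []}
    for dirpath, _, files in os.walk(root):
        for f in files:
            buckets[classify(f)].append(os.path.join(dirpath, f))
    for key in buckets:
        buckets[key].sort()
    return buckets


if __name__ == "__main__":
    import sys
    for kind, paths in scan_tree(sys.argv[1]).items():
        print(f"{kind}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Review the "executable" and "double-extension" lists by hand before deciding what to leave behind; the script only reports, it never deletes or copies anything.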

#6 Orange Blossom


Posted 13 April 2010 - 07:40 PM

Hello,

The answer to that question is dependent on the kind of infection you have. The folks in the Malware Removal Forum are better equipped to answer that.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/309335/rootkit-browser-hijack-maybe-more/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: