Post rootkit problem


11 replies to this topic

#1 dmbfanindy


Posted 19 April 2010 - 02:11 PM

Hello all. I had a nasty rootkit back in January that disabled everything. I worked through that with some stealthy Google searches and ended up being successful using RootRepeal. Now I have a problem with Google searches where sometimes, not all the time, it redirects me to an adwordsearch page; then when I hit refresh and go back to the search page, sometimes all the links' web pages have different names. This does not happen all the time, but it's getting more frequent. I view myself as pretty computer savvy, but can't get this one. I have run MBAM, AVG, HITMAN, TREND MICRO HOUSE CALL, SPYBOT AND ADAWARE, and nothing is finding anything! Below are the MBAM and HijackThis logs. Any help would be more than appreciated!


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4007

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/19/2010 1:53:43 PM
mbam-log-2010-04-19 (13-53-43).txt

Scan type: Quick scan
Objects scanned: 179073
Time elapsed: 22 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:13 PM, on 4/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

EDITED HJT log as they are not to be posted here

Edited by boopme, 19 April 2010 - 03:39 PM.


#2 boopme


Posted 19 April 2010 - 03:41 PM

Hello, the HJT log is to be posted elsewhere. We will if needed. Run these two, please.

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


ESET
Please perform a scan with the Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 dmbfanindy


Posted 20 April 2010 - 09:52 AM

Thanks for your quick response. Here is the information requested. I will await further instructions if needed.


GooredFix log

GooredFix by jpshortstuff (08.01.10.1)
Log created at 10:43 on 20/04/2010 (curtish)
Firefox version [Unable to determine]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:05 06/08/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="c:\program files\real\realplayer\browserrecord\firefox\ext" [19:14 26/01/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:55 10/02/2009]

-=E.O.F=-


Eset online scanner log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=8254162729f4c24c808d5ad8e2146861
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-20 02:33:15
# local_time=2010-04-20 10:33:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 982749 982749 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=139162
# found=2
# cleaned=2
# scan_time=8601
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\9YV8PCM4\oU230d9c2eH9da6364fV0100f070006R82c24785102Td6c39aa3201l0409K09f1e7da317[1].pdf JS/Exploit.Pdfka.ASD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\YM2M4EKO\KAV3[1].htm JS/Exploit.Agent.NBA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#4 boopme


Posted 20 April 2010 - 11:08 AM

I see 2 potential issues.
Which Java is installed?
Go into Control Panel > Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)

HelpAssistant may return; if so, we will have to do something else.

#5 dmbfanindy


Posted 20 April 2010 - 11:15 AM

This is what I could find:

There are 3 listed

Java ™ 6 UPDATE 3
Java ™ 6 UPDATE 7
Java ™ 6 UPDATE 18

I will await further instructions.

Thanks again!

Edit:

Also in the windows task manager there is a jqs.exe running. Is this something that can be turned off via the processes?

Edited by dmbfanindy, 20 April 2010 - 11:19 AM.


#6 boopme


Posted 20 April 2010 - 11:33 AM

Hello, see the note at the bottom on Java Quick Starter (jqs.exe).

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

#7 dmbfanindy


Posted 20 April 2010 - 12:25 PM

Hello. All previous outdated versions of Java have been removed and new version update 20 has been installed. What is the next step in fixing this issue?

Thanks in advance.

#8 boopme


Posted 20 April 2010 - 12:37 PM

You're welcome!!
Now let's see if there's an MBR rootkit active.

To check for and confirm the MBR rootkit,

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#9 dmbfanindy


Posted 20 April 2010 - 01:00 PM

Hello. Not sure if this is the result you were looking for, but I followed your directions to the T. I didn't see a black DOS box pop up quickly like you had said it would. Here you go. Let me know if something else is needed.

Thanks again. You are very very helpful and very direct.



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
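Added illustration (not code from the thread or from Gmer's tool) of what the "user & kernel MBR OK" line above represents: the detector reads sector 0 through the normal user-mode path and again at kernel level, then compares the two; a bootkit that filters disk reads returns a clean sector to user mode while the bytes actually on disk differ. The MBR below is constructed, and the comparison is a simplified model of that check.

```python
import struct
from typing import Dict, List

MBR_SIZE = 512
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
PART_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sectors


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with one bootable NTFS partition (not from the poster's disk)."""
    boot_code = b"\xeb\xfe" + b"\x90" * 438                 # 440 bytes of boot code
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"            # disk signature + 2 reserved bytes
    part1 = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    return boot_code + disk_sig + part1 + b"\x00" * 48 + b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict:
    """Check the 0x55AA boot signature and list the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:] == b"\x55\xaa", "partitions": parts}


def compare_reads(user_read: bytes, kernel_read: bytes) -> List[str]:
    """Report where a user-mode read and a kernel-level read of sector 0 disagree.
    An empty list corresponds to the detector's 'user & kernel MBR OK' verdict."""
    findings = []
    if user_read[:440] != kernel_read[:440]:
        findings.append("boot code differs between user-mode and kernel-mode reads")
    if user_read[440:446] != kernel_read[440:446]:
        findings.append("disk signature differs")
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        if user_read[off:off + 16] != kernel_read[off:off + 16]:
            findings.append(f"partition entry {i} differs")
    if user_read[510:] != kernel_read[510:]:
        findings.append("boot signature differs")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_mbr(clean))
    print("clean disk:", compare_reads(clean, clean) or "user & kernel MBR OK")
    # Simulate a hidden bootkit: the sector actually on disk has replaced boot code,
    # but the filtered user-mode read still hands back the original bytes.
    on_disk = bytearray(clean)
    on_disk[0:4] = b"\x33\xc0\x8e\xd0"
    print("tampered disk:", compare_reads(clean, bytes(on_disk)))
```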

#10 boopme


Posted 20 April 2010 - 03:51 PM

Looks clear, anything else on this machine?

#11 dmbfanindy


Posted 21 April 2010 - 06:03 AM

It seems to run OK. I still have the Google redirect though. I have a workaround for it by not using the toolbar or the main Google search page, but I instead use the advanced search page for Google and it works fine then. Other than that, the only issue I have is the past few days AVG has stalled my PC during its scan, which is at 2am when I'm usually not doing anything on it. Should I contact AVG on this? I can run it manually during the day and it will complete just fine.

The redirect is really my big concern. I would like for it to go away, but can't get rid of it. Do you suggest running anything else to try and catch it? I haven't tried to run SuperAntiSpyware yet. Shall I try that?


Thanks for all your help!

Edited by dmbfanindy, 21 April 2010 - 06:06 AM.


#12 boopme


Posted 21 April 2010 - 12:32 PM

OK, we should get a DDS log.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
