Rootkit - unable to run removers


This topic is locked
21 replies to this topic

#1 Techguy27
  • Members
  • 54 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:00 AM

Posted 26 April 2010 - 02:27 PM

Hello,

The laptop I am currently looking at is a Windows XP SP2 installation that I believe is infected with a rootkit I've seen before. Sadly, I don't have the name, but the symptom is that when you try to run a spyware removal tool it gives you the "Access denied" error. I have seen this multiple times on machines, and thanks to the fine people at BleepingComputer, I was able to remove it by using Avenger to copy logevent.dll to eventlog.dll and then run ComboFix.

In this case, I am not able to copy Avenger to the hard disk without receiving the "access denied" error. Safe mode will not boot without BSOD.
It appears I lack the necessary skill / utility to get Avenger to run combofix or move the logevent.dll file. I certainly would appreciate any help in getting to the next step of removing this rootkit.


History:

The person working on this machine before me decided to try a repair install. I have restored the registry hives via the Recovery Console from the restore point of 4.22.10 and am now able to boot back into Windows. I have also loaded MiniXP from the Hiren's boot CD to gain the ability to copy the latest versions of ComboFix, Malwarebytes, HJT, and Avenger to the HDD.

-Thank you


#2 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,115 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:00 PM

Posted 26 April 2010 - 03:43 PM

I am not sure I understand at this point if you are able or not to boot this computer normally.

However, it makes no sense to use MBAM, Avenger or Combofix on the MiniXP environment; if you get them to work they are likely to do a lot more damage than good that way.

I think you are talking about the Max++ rootkit here; although I would be very surprised if that would be really the case since it hasn't been around for some time.

First of all, let's see if we are indeed dealing with Max++ here.

Download and run Win32kDiag:
  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Techguy27 (Topic Starter)

Posted 26 April 2010 - 04:08 PM

QUOTE
I am not sure I understand at this point if you are able or not to boot this computer normally.

As mentioned above, after restoring the registry hives I was able to get the machine to boot into normal mode. The purpose of the restore was to undo the failed Repair loop that the previous "tech" had started.

QUOTE
However, it makes no sense to use MBAM, Avenger or Combofix on the MiniXP environment; if you get them to work they are likely to do a lot more damage than good that way.

As mentioned above, I only used MiniXP to copy the files to the local HDD. I was not able to get the files off of the CD I burned without the access denied error. The purpose of pointing this out was to bypass any concern that the CDROM is failing or the disc is unreadable.

Win32KDiag -Below

Log file is located at: C:\Documents and Settings\John\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching C:\Windows...

Finished!


-Thanks

Edited by Techguy27, 26 April 2010 - 04:08 PM.


#4 Elise

Posted 27 April 2010 - 03:35 AM

Thanks for explaining that; it makes a lot more sense now.

Since you mentioned you copied Combofix to the HD, could you please run it and post me the resulting log?

regards, Elise




#5 Techguy27 (Topic Starter)

Posted 27 April 2010 - 08:27 AM

No problem.

I tried to run Combofix, but the rootkit kills the process. I have tried running combofix after renaming it, but with no luck.

Edited by Techguy27, 27 April 2010 - 08:42 AM.


#6 Elise

Posted 27 April 2010 - 09:41 AM

Well, then let's see if we can find out what rootkit we are dealing with here and get rid of it manually.

See if you can get GMER to work. If it crashes, try to run the scan with only the Sections option checked.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


In case this gives an error when starting (access denied or the like), we will have to get a scan from a PE. In that case I'll post additional instructions.

regards, Elise




#7 Techguy27 (Topic Starter)

Posted 27 April 2010 - 02:46 PM

Attached is the gmer.log

Attached file: gmer.log (3.16KB, 11 downloads)


#8 Elise

Posted 28 April 2010 - 01:31 AM

Well, whatever it is we are dealing with, it doesn't show up in GMER, so let's try an alternative approach.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise




#9 Techguy27 (Topic Starter)

Posted 28 April 2010 - 09:06 AM

Attached is the requested file.

Attached file: OTL.Txt (96.73KB, 12 downloads)


#10 Elise

Posted 28 April 2010 - 11:57 AM

Hi, I was going to say no rootkits, but when making the fix I noticed some signs of an MBR rootkit. There is also a lot of normal malware hanging around, so let's first clean some malware, then run a rootkit fix.

OTL FIX
------------
We need to run an OTL Fix
  1. Please reopen from the CD.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :otl
    IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
    IE - HKU\.DEFAULT\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
    IE - HKU\Saundra_ON_C\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
    O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
    O2 - BHO: (TBSB02751 Class) - {25875464-7327-417C-8264-902D99CF6FD1} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll File not found
    O2 - BHO: (Gamevance Text) - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll ()
    O2 - BHO: (Ask Toolbar BHO) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Search Enhancer Toolbar) - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll File not found
    O3 - HKU\HelpAssistant.WINTERROWDS_ON_C\..\Toolbar\WebBrowser: (Search Enhancer Toolbar) - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll File not found
    O3 - HKU\HelpAssistant.WINTERROWDS_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
    O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (Search Enhancer Toolbar) - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll File not found
    O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
    4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKU\Saundra_ON_C\..\Toolbar\WebBrowser: (Search Enhancer Toolbar) - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll File not found
    O3 - HKU\Saundra_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Ask.com)
    O4 - HKLM..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe File not found
    O4 - HKLM..\Run: [zojuyikag] C:\WINDOWS\System32\jolujara.DLL ()
    O20 - HKLM Winlogon: Shell - (logon.exe) -  File not found
    O20 - Winlogon\Notify\nnnoMFXO: DllName - nnnoMFXO.dll -  File not found
    O21 - SSODL: bekugujih - {f48b0168-7efe-41c9-be58-40e3200bc81b} - C:\WINDOWS\System32\wavojami.dll File not found
    O21 - SSODL: domuhahiw - {af60a4b3-80ce-4c09-bf08-c8cd1589f19e} - C:\WINDOWS\System32\yewatofe.dll File not found
    O21 - SSODL: fegogegir - {01f4bcbb-d2a4-468a-b51e-3d5560b124df} - C:\WINDOWS\System32\yugutoyi.dll File not found
    O21 - SSODL: jehewilor - {d541a55e-5939-4e1f-82fe-1db59da36535} - C:\WINDOWS\System32\wibotelo.dll File not found
    O21 - SSODL: jumebagin - {2971c144-779f-4f98-b4d4-59a67e153488} - C:\WINDOWS\System32\tufolili.dll File not found
    O21 - SSODL: kabofediz - {e6dc5b89-5f35-4bc5-9918-5725696ae393} - CLSID or File not found.
    O21 - SSODL: kohikowos - {4798b7e3-3dc5-410c-90bf-26e62768a618} - C:\WINDOWS\System32\yugutoyi.dll File not found
    O21 - SSODL: luwitajaf - {1d44da51-052e-4758-a491-1b593c12c7ce} - C:\WINDOWS\System32\zotokohu.dll File not found
    O21 - SSODL: nafalobit - {8d53b365-dd86-4c73-9714-15fa9cd03f6d} - C:\WINDOWS\System32\jukabama.dll File not found
    O21 - SSODL: ruhubaliv - {c34feab5-7675-4320-a622-3bca24bcd1ef} - C:\WINDOWS\System32\wibotelo.dll File not found
    O21 - SSODL: sinuyifik - {810e469e-da05-4fca-bd57-d0f0282fd105} - C:\WINDOWS\System32\wibotelo.dll File not found
    O21 - SSODL: sufobizod - {33842507-640a-4f2c-8e5f-e6a1c78abf58} - C:\WINDOWS\System32\diduvohe.dll File not found
    O21 - SSODL: vewifiguv - {b6f9d2d2-1ff2-43d8-8624-ad8a2820fc2b} - C:\WINDOWS\System32\wibotelo.dll File not found
    O21 - SSODL: veyuzanig - {8dcc472b-a9de-4f6f-a7fe-09bce43bb47b} - C:\WINDOWS\System32\tufolili.dll File not found
    O21 - SSODL: vipatimol - {06335cb7-cee7-4f42-b2a5-18a2ff9fa502} - C:\WINDOWS\system32\jolujara.dll ()
    O21 - SSODL: vosanetoy - {26cd5948-09df-4483-8176-b99691fbf2d8} - C:\WINDOWS\System32\sebasale.dll File not found
    O21 - SSODL: yoweyumob - {7c8ec970-53dd-41cd-a6ee-909de346912d} - C:\WINDOWS\System32\doheyesi.dll File not found
    O21 - SSODL: zokikidud - {c2caab8a-66ca-41cd-96d2-cd94f7ad0b1e} - C:\WINDOWS\System32\bodizeya.dll File not found
    O22 - SharedTaskScheduler: {01f4bcbb-d2a4-468a-b51e-3d5560b124df} - mujuzedij - C:\WINDOWS\System32\yugutoyi.dll File not found
    O22 - SharedTaskScheduler: {06335cb7-cee7-4f42-b2a5-18a2ff9fa502} - gahurihor - C:\WINDOWS\system32\jolujara.dll ()
    O22 - SharedTaskScheduler: {1d44da51-052e-4758-a491-1b593c12c7ce} - kupuhivus - C:\WINDOWS\System32\zotokohu.dll File not found
    O22 - SharedTaskScheduler: {33842507-640a-4f2c-8e5f-e6a1c78abf58} - kupuhivus - C:\WINDOWS\System32\diduvohe.dll File not found
    O22 - SharedTaskScheduler: {4798b7e3-3dc5-410c-90bf-26e62768a618} - jugezatag - C:\WINDOWS\System32\yugutoyi.dll File not found
    O22 - SharedTaskScheduler: {7c8ec970-53dd-41cd-a6ee-909de346912d} - jugezatag - C:\WINDOWS\System32\doheyesi.dll File not found
    O22 - SharedTaskScheduler: {810e469e-da05-4fca-bd57-d0f0282fd105} - gahurihor - C:\WINDOWS\System32\wibotelo.dll File not found
    O22 - SharedTaskScheduler: {8d53b365-dd86-4c73-9714-15fa9cd03f6d} - tokatiluy - C:\WINDOWS\System32\jukabama.dll File not found
    O22 - SharedTaskScheduler: {b6f9d2d2-1ff2-43d8-8624-ad8a2820fc2b} - mujuzedij - C:\WINDOWS\System32\wibotelo.dll File not found
    O22 - SharedTaskScheduler: {c2caab8a-66ca-41cd-96d2-cd94f7ad0b1e} - jugezatag - C:\WINDOWS\System32\bodizeya.dll File not found
    O22 - SharedTaskScheduler: {c34feab5-7675-4320-a622-3bca24bcd1ef} - kupuhivus - C:\WINDOWS\System32\wibotelo.dll File not found
    O22 - SharedTaskScheduler: {d541a55e-5939-4e1f-82fe-1db59da36535} - mujuzedij - C:\WINDOWS\System32\wibotelo.dll File not found
    O22 - SharedTaskScheduler: {f48b0168-7efe-41c9-be58-40e3200bc81b} - mujuzedij - C:\WINDOWS\System32\wavojami.dll File not found
    [2099/01/01 12:00:00 | 000,000,001 | -HS- | M] () -- C:\WINDOWS\System32\wowidezo.dll
    [2099/01/01 12:00:00 | 000,000,001 | -HS- | M] () -- C:\WINDOWS\System32\gugasara.dll
    [2099/01/01 12:00:00 | 000,000,001 | -HS- | M] () -- C:\WINDOWS\System32\gohulayo.dll
    [2010/04/27 15:41:03 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\tewupuve
    [2010/04/27 15:00:07 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\ocoonjbq.job
    [2010/04/27 15:00:03 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\zbvwzbbx.job
    [2010/04/27 15:00:03 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\xsiurcgn.job
    [2010/04/27 15:00:00 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\moulecil.job
    [2010/03/30 08:43:59 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\riyibivo.dll
    [2010/03/29 20:42:54 | 000,008,192 | -HS- | M] () -- C:\WINDOWS\System32\bigitita.exe

    :commands
    [emptytemp]
    [resethosts]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

Now reboot your computer normally.


Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected MBR (the latter not recommended).

regards, Elise




#11 Techguy27 (Topic Starter)

Posted 28 April 2010 - 01:24 PM

The OTL finished running and popped a log up. The entries said the file was moved or that the file was not found. I would post the log, but for some reason I closed it out without thinking and found that there was not a file on the root of C to post for you.

The MBR tool is currently sitting at "This may take a while" so I thought I'd take a moment to ask if you would care to explain how you identified the malware in the OTL log.

When looking at the log I saw it was similar to a HJT log and was able to identify some of the spyware myself, but short of googling every .DLL, how were you able to recognize what needed to be entered in the Custom Scan/Fix for OTL, and more importantly, how there may be an MBR rootkit?

I appreciate the additional information. It certainly helps in fully understanding what the fix was so that I may be more equipped in the future.

-Thank you

#12 Elise

Posted 28 April 2010 - 01:43 PM

Hi, let me first say this: the developers of the tools we use have requested that information about their tools stays in private forums only. I respect that decision, so I can't tell you anything specific. I hope you can understand this.

How I recognized the bad files is pretty easy.
QUOTE
but short of googling every .DLL how were you able to recognize what needed to be entered in the Custom Scan/Fix for OTL,
This is basically what we do; however, with experience you can recognize an infection in an eyeblink. It was not hard for me to spot all the Vundo, and I didn't have to google any of those files.

When you know your malware, you know how it shows (or hides) itself.

As for the MBR rootkit, there was one small give-away as in the example below
QUOTE
O3 - HKU\HelpAssistant.WINTERROWDS_ON_C\..\Toolbar\WebBrowser:
The HelpAssistant account usually is a pretty good indicator of an MBR infection.


Please post me the fix log when done (the one for the MBR rootkit).

regards, Elise


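To make the triage Elise describes above concrete, here is a small OTL-log triage script, added as an example and not part of the thread or of OTL itself. The heuristics it applies (orphaned "File not found" loading points, a HelpAssistant hive as the MBR-rootkit tell, future-dated or hidden+system files in System32, missing company name in version info) are this example's assumptions, run over constructed sample lines that follow the format of the fix script in post #10.

```python
"""Triage helper for OTL-style scan lines.

Added example, not part of the thread and not OTL's own code. The
heuristics below are this example's assumptions, drawn from the fix
script and the HelpAssistant remark in the posts above; not OTL rules.
"""
from __future__ import annotations

import re

# Constructed sample lines following the format of the OTL fix above.
SAMPLE_LOG = r"""
O2 - BHO: (Gamevance Text) - {7370F91F-6994-4595-9949-601FA2261C8D} - C:\Program Files\Gamevance\gvtl.dll ()
O3 - HKU\HelpAssistant.EXAMPLE_ON_C\..\Toolbar\WebBrowser: (Example Toolbar) - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Example Toolbar\enhancer.dll File not found
O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [zojuyikag] C:\WINDOWS\System32\jolujara.DLL ()
O21 - SSODL: bekugujih - {f48b0168-7efe-41c9-be58-40e3200bc81b} - C:\WINDOWS\System32\wavojami.dll File not found
[2099/01/01 12:00:00 | 000,000,001 | -HS- | M] () -- C:\WINDOWS\System32\wowidezo.dll
[2010/04/27 15:00:07 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\ocoonjbq.job
[2010/03/29 20:42:54 | 000,008,192 | -HS- | M] () -- C:\WINDOWS\System32\bigitita.exe
"""

# "Oxx - ..." registry loading points (BHOs, toolbars, Run keys, SSODL, ...).
REG_RE = re.compile(r"^(O\d+) - (.*)$")
# "[date time | size | attrs | M] (company) -- path" file entries.
FILE_RE = re.compile(
    r"^\[(\d{4})/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \| [\d,]+ \| (\S{4}) \| \w\] "
    r"\((.*?)\) -- (.+)$"
)
# Per-user hive of the HelpAssistant account, the tell pointed out in post #12.
HELPASST_RE = re.compile(r"HKU\\HelpAssistant\.[^\\]+", re.IGNORECASE)


def analyse_line(line: str, scan_year: int = 2010) -> list[str]:
    """Return the reasons a single OTL line deserves a closer look."""
    reasons: list[str] = []
    m = FILE_RE.match(line)
    if m:
        year, attrs, path = int(m.group(1)), m.group(2), m.group(4)
        if year > scan_year:                      # a 2099 timestamp is impossible
            reasons.append("future timestamp")
        if "H" in attrs and "S" in attrs and "\\system32\\" in path.lower():
            reasons.append("hidden+system file in System32")
        return reasons
    m = REG_RE.match(line)
    if m:
        if line.endswith("File not found"):       # loading point with no file behind it
            reasons.append("orphaned loading point")
        if HELPASST_RE.search(line):
            reasons.append("HelpAssistant hive present")
        if line.endswith(" ()"):                  # assumption: OTL prints the company name here
            reasons.append("no company name in version info")
    return reasons


def triage(log_text: str, scan_year: int = 2010) -> dict[str, list[str]]:
    """Map every suspicious line of an OTL log to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = analyse_line(line, scan_year)
            if reasons:
                findings[line] = reasons
    return findings


def mbr_rootkit_suspected(log_text: str) -> bool:
    """True when any line references a HelpAssistant.<machine>_ON_C hive."""
    return any("HelpAssistant hive present" in r for r in triage(log_text).values())


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(f"{', '.join(reasons):55} <- {line[:60]}")
    print("MBR rootkit suspected:", mbr_rootkit_suspected(SAMPLE_LOG))
```

The flags are prompts for a human to review, in the spirit of the thread: a Google Toolbar entry with a valid file and company passes untouched, while the orphaned and oddly timestamped entries surface first.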


#13 Techguy27 (Topic Starter)

Posted 28 April 2010 - 02:44 PM

I can understand keeping the source code or background processes private. I was hoping for more information in general on how to use the tool effectively, or forum suggestions/reading material on how to correctly identify spyware files.

Regardless, I appreciate your assistance, and until I master the ability to spot spyware by eye I suppose I will continue to rely on the help of individuals such as you when I get stumped. Thank you again.

__________________

When the system booted back up, I started combo-fix just to see if it would run. I think I can handle it from here, but didn't want to jump the gun so I closed combofix after verifying that it would come up. If there is any other utility you would like me to run before the combofix/malwarebytes sweep I would be more than happy.


#14 Elise

Posted 28 April 2010 - 02:54 PM

The MBR infection is not gone. Please run Combofix and allow it to install the Recovery console.

Post me the log afterwards and also test if you can enter the Recovery Console when booting.

regards, Elise




#15 Elise

Posted 04 May 2010 - 10:47 AM

Hi, are you still there?

regards, Elise






