
Security Guard and rootkit issue


  • This topic is locked
11 replies to this topic

#1 JBurmingham

JBurmingham

  • Members
  • 7 posts

Posted 27 April 2010 - 12:23 PM

It seems I have a computer that is infected by Security Guard and at least 1 rootkit.

I followed the directions for the Malware Removal Tool. Ran the rkill.com and then installed the Malwarebytes' Anti-Malware tool, but it cannot launch. The MBAM.exe file keeps coming up missing.

I decided to go through the process of the data files required. Below you will see the information they found.

Also, GMER reported a rootkit on the 2nd run. The first time I ran GMER it crashed.
GMER msg -> Warning!!!! GMER has found system modification caused by ROOTKIT activity.

The log files were created after I did the rkill and tried to install / run MBAM.
Attached are DDS.txt, Attach.txt and ark.txt.

Thanks,



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2010 - 07:25 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 JBurmingham

JBurmingham
  • Topic Starter

  • Members
  • 7 posts

Posted 01 May 2010 - 08:49 PM

Mole,

Thank you for the reply post. I have been checking daily and avoiding the urge to self bump my post.
I am still here.
I have not done anything with the computer since my post. I turned it off after I gathered the log files.

Let me know if there is anything more I can provide.

Thank you again for looking into this.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 02 May 2010 - 03:55 AM

The Gmer log gives me all the info I need for this. You have the TDL3 rootkit.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 JBurmingham

JBurmingham
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2010 - 08:19 AM

I just ran the comfix.
It did not create a log file.
I had this error pop up on the screen:

Windows - Delayed Write Failed
Windows was unable to save all the data for the file C:\Comfix\mbr.log. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save the file elsewhere.

This pop up showed up three times. I clicked the "OK" each time.

OK, this is the 4th time and I just noticed the file is different. This time it is C:\$Mft.
5th time, file name is C:\WINDOWS\Media.

I assumed this pop up was related to the ComboFix, but am starting to think I screwed up by clicking on them before the blue combo fix window went away.

6th time, file name is C:\WINDOWS\system32.
I am also noticing that this error pop up window is NOT "in focus"; it still has the ComboFix window "in focus".
7th time, file name is C:\$BitMap.

I figure I did something wrong and will have to run combo fix again.
I am waiting for it to finish. I am not clicking on the "OK" any more.

#6 JBurmingham

JBurmingham
  • Topic Starter

  • Members
  • 7 posts

Posted 03 May 2010 - 10:57 AM

Ok, latest information.
I ended up powering off the computer when the comfix wouldn't finish.
I then rebooted.
Check disk (?) ran. Fixed a bunch of files.

Upon reload of windows, I get two DLL errors. Both cannot be found.
hogelopo.dll
c:\windows\system32\razusula.dll (note, that window's folder is NOT in caps)

I re-ran comfix. It took about 30-45 minutes to run this time. Errored before the reboot, but I closed the error and it rebooted.
Upon reboot I still have the missing dll files, and comfix did not relaunch.

It looks good at this time, but I don't know.
I don't know what to do about those dll's either.
I am powering off the computer. I will await further instructions.

Thank you.

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 03 May 2010 - 11:20 AM

Please rerun Gmer so we can check if Combofix did kill the rootkit.

After that we can deal with the error messages - the last two files are part of the Vundo trojan (hogelopo.dll
c:\windows\system32\razusula.dll). Please run OTL to generate a log for this part.
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

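The "cannot be found" errors at logon in this thread (hogelopo.dll, razusula.dll) are the typical leftover of a cleanup that deleted a trojan's DLL but left the registry value that loads it. The script below is an added example, not part of the thread or of any of the tools discussed in it; it lists the common autostart registry locations and reports every entry whose target file no longer exists, so the dangling values can be reviewed and removed deliberately. The set of keys checked and the parsing rules are this example's own assumptions; the sample command lines at the bottom are constructed for illustration.

```powershell
# Added example (not from the thread): report autostart registry entries whose
# target file is missing. Run from an elevated PowerShell prompt. It only reads
# the registry; removing a dangling value stays a manual step.

# Assumed set of autostart locations. Name '*' = every value under the key.
# IsList = the value holds a comma-separated list (AppInit_DLLs, Userinit, Shell)
# rather than a single command line.
$Script:Locations = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = '*';            IsList = $false },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Name = '*';            IsList = $false },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = '*';            IsList = $false },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Name = '*';            IsList = $false },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs'; IsList = $true  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';        IsList = $true  },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';     IsList = $true  }
)

function Get-CommandTarget {
    # Extract the file a command line refers to: handles quoted paths, environment
    # variables, and rundll32 lines, where the DLL argument is the real target.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if (-not $cmd) { return $null }
    if ($cmd.StartsWith('"')) {
        $end  = $cmd.IndexOf('"', 1)
        $exe  = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
        $rest = if ($end -gt 0) { $cmd.Substring($end + 1).Trim() } else { '' }
    } else {
        $parts = $cmd -split '\s+', 2
        $exe   = $parts[0]
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    # rundll32[.exe] <dll>,<entrypoint>: the DLL is what must exist
    if ($exe -match '(?i)(^|\\)rundll32(\.exe)?$' -and $rest) {
        return Get-CommandTarget -CommandLine (($rest -split ',')[0])
    }
    return $exe
}

function Resolve-TargetPath {
    # A bare file name (e.g. hogelopo.dll) is looked up the way the loader would:
    # System32 first, then each PATH directory. If nowhere, report the System32 location.
    param([string]$Target)
    if ([IO.Path]::IsPathRooted($Target)) { return $Target }
    $dirs = @((Join-Path $env:SystemRoot 'System32')) + ($env:Path -split ';' | Where-Object { $_ })
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir $Target
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return (Join-Path $env:SystemRoot "System32\$Target")
}

function Find-DanglingAutostart {
    # One object per autostart entry; Exists = $false marks the dangling ones.
    foreach ($loc in $Script:Locations) {
        if (-not (Test-Path -LiteralPath $loc.Key)) { continue }
        $item  = Get-ItemProperty -LiteralPath $loc.Key
        $names = if ($loc.Name -eq '*') {
            $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name
        } else { @($loc.Name) }
        foreach ($name in $names) {
            $value = [string]$item.$name
            if (-not $value) { continue }
            $entries = if ($loc.IsList) { $value -split ',' } else { @($value) }
            foreach ($entry in $entries) {
                $target = Get-CommandTarget $entry
                if (-not $target) { continue }
                $resolved = Resolve-TargetPath $target
                [pscustomobject]@{
                    Key    = $loc.Key
                    Name   = $name
                    Target = $resolved
                    Exists = Test-Path -LiteralPath $resolved
                }
            }
        }
    }
}

# Parser check on constructed sample values (not read from any machine).
Get-CommandTarget '"C:\Program Files\Example\app.exe" /start'
Get-CommandTarget 'rundll32.exe c:\windows\system32\razusula.dll,a'

# Live run: show only the entries whose file is missing.
Find-DanglingAutostart | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

The script deliberately stops at reporting. A missing target is strong evidence the value is a leftover, but the same symptom appears after a legitimate uninstall, so the usual practice is to export the key (reg export) before deleting any value, and to rerun the scan after a reboot to confirm the logon errors are gone. Locations such as Winlogon Notify subkeys, ShellServiceObjectDelayLoad, and scheduled tasks are not covered by this example and would need to be added to the list.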

#8 JBurmingham

JBurmingham
  • Topic Starter

  • Members
  • 7 posts

Posted 04 May 2010 - 08:07 PM

m0le, thank you for your patience and hard work. This is driving me crazy. I am now to the point where I can't do anything as you can see from this post. BTW, I create my posts from a different computer since the one with this issue is a notebook and not my main system.

As soon as GMER launched (the saved version that was on the computer) AKM Antivirus 2010 Pro popped up with a bunch of splash BS screens. I closed and declined all options.

Control Commander has a shortcut on the desktop now as well as AKM Antivirus 2010 Pro. I know neither of these are things I installed.

Once I went to the web and to my shortcut for bleepingcomputers I received the following.

Security Warning from the toolbar
"There are critical system files on your computer that were modified by malcious program.
It will cause unstable work of your system and permanent data loss.
Clic here to undo performed modifications and remove malicious software (Highly recommended).

And while that was visible, Windows Security Center popped up. This computer does NOT have a Virus software, so I imagine this is a true popup.

While I am going through the thread on bleepingcomputers to navigate to the GMER download another warning popped up from the status bar.

Warning: Infection is Detected
Windows has found spyware infections on your computer!
Click her to update your Windows antivirus software...

svchost.exe "crashed" at this point. Windows 'send error report' window.
I ignored and continued.

I then re-downloaded GMER.zip

When I tried to launch it I received an error message:
Warning!
Running of application is impossible.
The file C:\Documents adn Settings\Administratior\Desktop\Jim for Firuses\Gmer\gmer.exe is infected.
Please activate your antivirus program.

(Yes, I know the instruction say to put everything on the desktop. I just created a folder on the desktop to store everything so I didn't get it confused with any other shortcuts or icons)

At this point GMER will not launch. I re-booted.

Upon reboot and login some program "control center Best PC health components" launched and started to "scan" the computer. This software made me change the settings so it would close. Desktop is not even visible at this time. I got out of control Center and now AKM has launched. Desktop still is not visible.

Finally closed out of AKM.

3 minutes pass and now "Security Center" has popped up. I closed this window, and am still waiting for the desktop.

3 more minutes pass and now the windows crash message for svchost.exe has popped up.
This is how it reads.
svchost.exe
svchost.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
Please tell Microsft about this problem.
We have created an erro rreport that you can send to us. We will treat this report as confidential and anonymous.
To see what data this error report contains, click here.
Debug Send Error Report Fix It (these last three are buttons)
I clicked the X in the top of the window.
AKM nag screen pops up.
Still no desktop at this point.

It has been 5 minutes since the last thing popped on the screen. Still no desktop. I am powering down the notebook to await further instructions.



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 05 May 2010 - 11:35 AM

These fake notices are all part of the malware plan.

First
  • ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. (Instructions)

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.


#10 JBurmingham

JBurmingham
  • Topic Starter

  • Members
  • 7 posts

Posted 06 May 2010 - 07:58 AM

Got the ISO burned.
Rebooted and ran the OTLPE.
But, this "OS" doesn't give me permission to connect a USB or access the internet.
Any suggestions how to get the OTL.txt file?
I even tried booting the notebook into safe mode, but that doesn't work.
There is no floppy drive on this system either.

The only solution I have is to try and physically copy it (look at txt on notebook, and create new on desktop).

Thanks,

#11 JBurmingham

JBurmingham
  • Topic Starter

  • Members
  • 7 posts

Posted 06 May 2010 - 12:06 PM

m0le, I want to thank you for all your help and effort on this issue.

I spoke to my buddy today (whose notebook it is) and he told me to no longer worry about any data on there and to just wipe it clean and re-install the OS.

I am at that step now.

I am sorry for taking up so much time.

Thanks again for all the help.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts

Posted 06 May 2010 - 02:50 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.