
WindowsUpdate Rootkit


3 replies to this topic

#1 MadDog927ca


Posted 14 May 2010 - 09:09 PM

I have a workstation at my office running ESET NOD32 and Windows Defender that managed to get malware and a rootkit installed without detection. I submitted the asam.exe file to ESET who enabled its detection by their next update. I was able to remove the virus by booting the workstation with Mini XP from the Hiren's BootCD on a flash drive, but I don't know how to go after the rootkit. I tried tdsskiller, which kept detecting a trojan in atapi.sys, but couldn't do anything about it after a number of reboots. I tried tdss remover, which located some hidden registry keys that I was able to delete, but that was as far as that one got. GMER detects a rootkit, but doesn't provide a way to remove it. I followed another post and have gotten as far as running ComboFix. The problem isn't fixed, but I'm hopeful the combofix.txt log file will provide the final means to eliminate this thing.

What it's doing is trying to connect to https websites in Russia, Hong Kong and elsewhere. My firewall appliance is preventing Internet access and logging the IP addresses to which it is trying to connect. This rootkit, from what I observed so far, prevents the word 'windowsupdate' from being used in the address bar or the search bar, in both IE 8 and the latest Firefox portable, even in safe mode. As you type w-i-n-d-o-w-s-u-p-d-a-t in the search bar (without the hyphens), search suggestions appear below the box including 'windowsupdate'. As soon as you type in the e at the end of 'windowsupdate', the search suggestions are replaced with 'an error has occurred'. If I navigate to www.microsoft.com and follow the menu items to go to the Microsoft Update site, as soon as the URL appears with the word windowsupdate in it, the page cannot be displayed. I have reset my TCP/IP protocol stack (Windows XP Pro), I just don't know how to go after a rootkit.

These are some of the recent sites the rootkit is trying to connect to:

96.7.204.111:443
61.61.20.132:443
70.37.129.134:80
70.37.129.32:80
112.121.181.26:443
173.223.68.111:443

Here is my ComboFix.txt log:

ComboFix 10-05-14.06 - Administrator 05/14/2010 18:31:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.495.173 [GMT -4:00]
Running from: c:\util\ComboFix\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\herjek.config
c:\windows\system32\geyekrfhmqtpux.dat
c:\windows\system32\geyekrsqhoovjj.dat
c:\windows\system32\tmp.reg

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-14 to 2010-05-14 )))))))))))))))))))))))))))))))
.

2010-05-14 19:17 . 2010-05-14 20:56 52736 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-05-14 15:11 . 2010-05-14 20:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-13 00:51 . 2010-05-13 00:51 -------- d-sh--w- c:\documents and settings\Administrator.XP32\PrivacIE
2010-05-13 00:51 . 2010-05-13 00:51 -------- d-sh--w- c:\documents and settings\Administrator.XP32\IETldCache
2010-05-13 00:20 . 2010-05-13 00:20 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-13 00:20 . 2010-05-13 00:20 -------- d-----w- c:\program files\HiJack
2010-05-12 15:07 . 2010-05-12 15:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Research In Motion
2010-05-11 20:38 . 2010-05-11 20:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2010-05-11 19:28 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-05-11 17:38 . 2010-05-14 22:31 -------- d-----w- c:\windows\system32\CatRoot2
2010-05-11 16:53 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-05-11 16:53 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-05-11 16:53 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-05-11 16:53 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-05-11 16:53 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-05-11 16:53 . 2001-08-18 02:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2010-05-11 16:53 . 2001-08-17 16:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-05-11 16:53 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-05-11 16:53 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-05-11 16:53 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-11 16:51 . 2008-04-13 18:45 26112 ----a-w- c:\windows\system32\dllcache\usbser.sys
2010-05-11 16:50 . 2001-08-18 02:36 53760 ----a-w- c:\windows\system32\dllcache\sw_wheel.dll
2010-05-11 16:49 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-11 16:48 . 2008-04-13 18:41 17664 ----a-w- c:\windows\system32\dllcache\ppa3.sys
2010-05-11 16:47 . 2001-08-17 18:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2010-05-11 16:46 . 2001-08-17 17:52 7424 ----a-w- c:\windows\system32\dllcache\mammoth.sys
2010-05-11 16:45 . 2001-08-17 17:49 26624 ----a-w- c:\windows\system32\dllcache\irstusb.sys
2010-05-11 16:44 . 2001-08-17 17:28 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-05-11 16:43 . 2001-08-17 16:11 11850 ----a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2010-05-11 16:42 . 2001-08-18 02:36 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-05-11 16:41 . 2001-08-17 17:28 714698 ----a-w- c:\windows\system32\dllcache\cbmdmkxx.sys
2010-05-11 16:40 . 2001-08-17 16:49 23552 ----a-w- c:\windows\system32\dllcache\atixbar.sys
2010-05-11 16:39 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-05-11 16:24 . 2010-05-14 18:12 -------- d-----w- C:\UTIL
2010-05-11 15:08 . 2010-05-11 15:08 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-05-11 15:08 . 2010-05-11 15:08 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-11 15:07 . 2010-05-11 15:21 96968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-11 11:44 . 2010-05-11 11:44 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-05-10 16:42 . 2010-05-10 16:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-26 14:13 . 2010-04-26 14:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-22 13:07 . 2010-04-22 13:07 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-21 16:56 . 2010-05-06 14:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-21 16:55 . 2010-04-21 16:55 -------- d-----w- c:\program files\Windows Defender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 22:25 . 2003-03-31 05:00 138496 ----a-w- c:\windows\system32\drivers\AFD.sys
2010-05-14 18:56 . 2004-07-29 06:38 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.old
2010-05-05 17:57 . 2008-07-04 13:08 256 ----a-w- c:\windows\system32\pool.bin
2010-03-24 18:13 . 2008-11-20 14:21 -------- d-----w- c:\program files\FileZilla FTP Client
2010-03-10 06:15 . 2003-03-31 05:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2003-03-31 05:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2003-03-31 05:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-28 18:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-9-11 82026]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-28 12:11 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [09/11/2009 8:23 am 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [09/11/2009 8:26 am 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 10:04 am 735960]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/03/2006 7:19 pm 13592]
R3 FastNIC;SMC EZ Card 10/100 (SMC1244TX V2);c:\windows\system32\drivers\FastNIC.sys [07/29/2004 2:48 am 38528]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [05/14/2010 3:17 pm 52736]
.
Contents of the 'Scheduled Tasks' folder

2010-05-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = [removed for confidentiality]/
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-klmdb.sys
AddRemove-HijackThis - c:\documents and settings\[username]\Desktop\service\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-14 18:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85D84AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76faf28
\Driver\ACPI -> ACPI.sys @ 0xf766dcb8
\Driver\atapi -> atapi.sys @ 0xf75ff852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: SMC EZ Card 10/100 (SMC1244TX V2) -> SendCompleteHandler -> NDIS.sys @ 0xf750db0a
PacketIndicateHandler -> NDIS.sys @ 0xf7518a21
SendHandler -> NDIS.sys @ 0xf750d949
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4205215304-2350471395-3446520642-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,62,55,8d,b3,01,dc,4a,8b,70,59,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,62,55,8d,b3,01,dc,4a,8b,70,59,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,62,55,8d,b3,01,dc,4a,8b,70,59,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,62,55,8d,b3,01,dc,4a,8b,70,59,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,62,55,8d,b3,01,dc,4a,8b,70,59,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(416)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(476)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(756)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Intel\Intel® Active Monitor\imonnt.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-05-14 18:59:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-14 22:59
ComboFix2.txt 2009-07-14 13:50

Pre-Run: 17,983,471,616 bytes free
Post-Run: 17,889,603,584 bytes free

- - End Of File - - CCF59E6967798BD00DA78B131BFD10D6

Edited by MadDog927ca, 14 May 2010 - 09:24 PM.
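One check worth making while the machine is booted from the Hiren's Mini XP the poster already used: compare each boot-path driver on the infected volume against the Windows File Protection copy XP keeps in system32\dllcache (the ComboFix log above lists that folder). The GMER section of the log reports hooks on \Driver\atapi and \Driver\Disk, so reads made from the running system can be filtered by the rootkit; reads from the offline volume cannot. Note also that atapi.sys and atapi.sys.old are both 96512 bytes in the log, so a size comparison tells you nothing and a hash comparison is needed. The script below is an added example and is not code from the original post or from ComboFix, GMER or TDSSKiller. It assumes the dllcache copy is trustworthy (a rootkit that patched both copies would pass this check, so a hash from install media or a known-clean machine is the better reference when available) and it runs against a constructed directory tree that stands in for the mounted XP volume; the drive letter and the list of driver names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Drivers to audit. atapi.sys and afd.sys are the two the ComboFix log above
# reports as infected/replaced; the others are boot-path drivers that appear in
# GMER's "called modules" line. Extending the list is an assumption, not advice
# from the thread.
AUDIT = ["atapi.sys", "afd.sys", "disk.sys", "ndis.sys"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_drivers(windows_dir, names=AUDIT):
    """Compare <windows_dir>\\system32\\drivers\\<name> with the WFP copy in
    <windows_dir>\\system32\\dllcache\\<name>. Returns {name: status}.

    Statuses: ok, modified, modified-same-size, no-cache-copy, missing-driver.
    Run this against the OFFLINE volume (e.g. D:\\WINDOWS under Mini XP); on the
    live system a disk-level hook can return the clean bytes for the live file.
    """
    windows_dir = Path(windows_dir)
    drivers = windows_dir / "system32" / "drivers"
    dllcache = windows_dir / "system32" / "dllcache"
    result = {}
    for name in names:
        live, cached = drivers / name, dllcache / name
        if not live.exists():
            result[name] = "missing-driver"
        elif not cached.exists():
            result[name] = "no-cache-copy"
        elif sha256_file(live) == sha256_file(cached):
            result[name] = "ok"
        else:
            same_size = live.stat().st_size == cached.stat().st_size
            # Same size but different bytes is the in-place patch pattern the
            # log's atapi.sys / atapi.sys.old sizes (both 96512) are consistent with.
            result[name] = "modified-same-size" if same_size else "modified"
    return result


def build_constructed_tree(root):
    """Constructed fixture (not a real XP volume) mimicking the cases above."""
    win = Path(root) / "WINDOWS"
    drivers = win / "system32" / "drivers"
    dllcache = win / "system32" / "dllcache"
    drivers.mkdir(parents=True, exist_ok=True)
    dllcache.mkdir(parents=True, exist_ok=True)

    # atapi.sys: 96512 bytes in both places, but the live copy has a patched region.
    clean_atapi = b"MZ" + b"\x00" * 96510
    patched = bytearray(clean_atapi)
    patched[0x1000:0x1010] = b"\xcc" * 16
    (dllcache / "atapi.sys").write_bytes(clean_atapi)
    (drivers / "atapi.sys").write_bytes(bytes(patched))

    # afd.sys: identical in both places (what you expect after ComboFix restored it).
    afd = b"MZ" + b"\x90" * 2048
    (dllcache / "afd.sys").write_bytes(afd)
    (drivers / "afd.sys").write_bytes(afd)

    # disk.sys: present, but WFP kept no cached copy, so this method cannot judge it.
    (drivers / "disk.sys").write_bytes(b"MZ" + b"\x00" * 512)
    # ndis.sys: deliberately absent from the fixture to show the missing-driver status.
    return win


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_drivers(build_constructed_tree(tmp))


if __name__ == "__main__":
    for driver, status in demo().items():
        print(f"{driver:10} {status}")
```

A "no-cache-copy" result is not a clean bill of health; it only means this particular comparison is unavailable for that driver, and a hash from install media should be used instead. Anything reported as modified should be replaced from a known-good copy while still booted offline, since replacing it on the running system can be undone by the driver that is hooking the disk stack.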


#2 mpascal


Posted 15 May 2010 - 12:56 PM

Hi MadDog927ca,

Welcome to Bleeping Computer.

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.
STEP 1 - Preparation Guide

Please follow the instructions in the Preparation Guide until you have reached step 6. You may stop once you have finished step 6 and continue with the instructions here.

STEP 2 - MBAM

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning
.

STEP 4 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    CODE
    netsvcs
    safebootminimal
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.

STEP 5 - Reply

Please reply with the following logs:
  • MBAM Log
  • GMER Log
  • OTL Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#3 MadDog927ca

  • Topic Starter

Posted 16 May 2010 - 09:24 AM

My concern with the first step is giving the computer Internet access, given that the malware continues to try and contact:

61.61.20.132:443
96.7.204.111:443
112.121.181.26:443

every 15 minutes or so. The latest version on Malwarebytes' site is 1.46 (posted April 30) as of today. If I run this version, do I still require Internet access on the infected workstation?
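The firewall appliance the poster describes in the first post is the most reliable observation point in this thread: it sits outside the compromised kernel, it logs every attempt, and the post above adds that the attempts recur roughly every 15 minutes. That cadence can be pulled out of the log mechanically. The script below is an added example, not the poster's appliance output or anything from the tools named in the thread; the log format is an assumption (the real appliance's format is not shown) and the lines are constructed, with the destination list taken from the two posts above. It groups denied and allowed connections by (source, destination, port), measures the gaps between attempts, and flags tuples whose gaps are nearly constant.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Destinations reported in the posts above (the three port-443 ones are the
# addresses the poster says recur every ~15 minutes).
REPORTED_DESTINATIONS = {
    "61.61.20.132", "96.7.204.111", "112.121.181.26",
    "70.37.129.134", "70.37.129.32", "173.223.68.111",
}

# Constructed log excerpt (assumed layout: "<ISO time> <action> <src> -> <dst>:<port>").
# 10.0.0.25 stands in for the infected workstation; 198.51.100.7 is ordinary browsing.
SAMPLE_LOG = """\
2010-05-16T08:00:04 DENY 10.0.0.25 -> 61.61.20.132:443
2010-05-16T08:03:11 ALLOW 10.0.0.25 -> 198.51.100.7:80
2010-05-16T08:15:02 DENY 10.0.0.25 -> 61.61.20.132:443
2010-05-16T08:15:09 DENY 10.0.0.25 -> 96.7.204.111:443
2010-05-16T08:21:40 ALLOW 10.0.0.25 -> 198.51.100.7:80
2010-05-16T08:30:07 DENY 10.0.0.25 -> 61.61.20.132:443
2010-05-16T08:30:12 DENY 10.0.0.25 -> 96.7.204.111:443
2010-05-16T08:44:58 DENY 10.0.0.25 -> 61.61.20.132:443
2010-05-16T08:45:15 DENY 10.0.0.25 -> 96.7.204.111:443
2010-05-16T08:52:33 ALLOW 10.0.0.25 -> 198.51.100.7:80
2010-05-16T09:00:03 DENY 10.0.0.25 -> 61.61.20.132:443
2010-05-16T09:00:10 DENY 10.0.0.25 -> 96.7.204.111:443
2010-05-16T09:14:59 DENY 10.0.0.25 -> 61.61.20.132:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse(text):
    """Yield (timestamp, action, src, dst, port); silently skip lines in other formats."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        yield datetime.fromisoformat(ts), action, src, dst, int(port)


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Flag (src, dst, port) tuples whose attempts recur at a steady period.

    jitter is (max gap - min gap) / median gap; a timer-driven check-in stays
    well under 0.2 even with a few seconds of scheduling slop, while human
    browsing to the same host does not. Returns dicts sorted by destination.
    """
    seen = defaultdict(list)
    for ts, _action, src, dst, port in parse(text):
        seen[(src, dst, port)].append(ts)

    found = []
    for (src, dst, port), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = (max(gaps) - min(gaps)) / period
        if jitter <= max_jitter:
            found.append({
                "src": src, "dst": dst, "port": port, "hits": len(times),
                "period_s": int(round(period)), "jitter": round(jitter, 3),
                "reported": dst in REPORTED_DESTINATIONS,
            })
    found.sort(key=lambda b: (b["dst"], b["port"]))
    return found


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        flag = "reported in thread" if b["reported"] else "new"
        print(f"{b['src']} -> {b['dst']}:{b['port']}  every {b['period_s']}s "
              f"x{b['hits']} (jitter {b['jitter']})  [{flag}]")
```

A steady period on its own is not proof of infection: legitimate update agents also poll on a timer, so the result is a shortlist of internal hosts to take offline and examine from a clean boot, not a verdict. Matching against the destinations the poster already recorded is what turns "periodic" into "the same thing this workstation is doing".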

#4 mpascal


Posted 16 May 2010 - 09:38 AM

Nope, as long as you can download the most recent version and transfer it to that computer it should be fine.





