
Need rootkit help


4 replies to this topic

#1 cblack1980

  • Members
  • 2 posts

Posted 03 June 2010 - 07:55 AM

First off, hello. I'm new to the forums as a member but have used you guys before as a reference to help track down some bugs. I've got one now that has me a bit stumped, though. Honestly, I thought about just going ahead and wiping the machine, but I'd rather use it as a learning process. So anyway, here goes.

The problem was originally reported as no keyboard function. The mouse worked but not the keyboard. The keyboard works fine in the BIOS and in safe mode. I'll skip all the troubleshooting there because it eventually led me down the path of infection. But one key note is that a lot of necessary services (e.g. Computer Browser, Network Connections) are not running and will not start.

Started out with a Malwarebytes scan in safe mode, which resulted in only a couple of traces found and removed, which didn't help the problem at all. They were minimal threats anyway. Sorry, I don't have the log from that, as I didn't initially have any intention of turning to help.

So that brings us to last night. I ran ComboFix, which stated it found a rootkit and needed to reboot. After the reboot and the rest of the scan I was then able to start my services as normal. Rebooted to test the keyboard and still nothing. Booted back to safe mode and the services are off again and can't be restarted, so I'm obviously missing something.

I went ahead and ran a DDS and GMER scan per your site's request and am posting those logs along with my ComboFix log from last night.

Also of note: I'm only able to function in safe mode at the moment and have no internet access from the machine, so online scanners are currently not an option. I can easily transfer tools and logs to the machine via flash drive, though.

I believe I've covered all of the basics. If you need any further info or scans/logs, please let me know and I'll gladly post them.

Attached Files

  • Logs.zip (41.65 KB)




#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 09:41 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS and GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 cblack1980 (Topic Starter)

  • Members
  • 2 posts

Posted 08 June 2010 - 10:42 AM

My apologies for taking so long to get back. Yes, the system is still infected. The logs I attached to my initial post do represent its current state. The description of its problems also still stands as stated.

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 09 June 2010 - 06:19 PM

Hello.

We're going to run ComboFix again, but please disable your security programs and delete the copy of ComboFix you already had.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT click in ComboFix's window while it is running, because it may cause it to stall.


#5 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 17 June 2010 - 08:38 PM

You still there?



