Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible rootkit


  • Please log in to reply
8 replies to this topic

#1 Giga

Giga

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 07 August 2010 - 03:26 PM

Hi,

I was told by a friend that I have a rootkit virus. My computer is incredibly slow and locks up half the time. I've removed as many programs as I could thinking it might speed everything up, I've defragged, everything I could think of. Half of my programs won't uninstall for one reason or another, and being infected sounds about right from past experiences.

Can a trained professional please guide me in a method to detect if I am indeed infected? I've read the posts about not doing anything until instructed to do so, so here I am, please instruct me.

I've had a rootkit successfully removed here once before, so I very much appreciate your help. Just let me know what you'd like me to do and I'll do it asap.

BC AdBot (Login to Remove)

 


#2 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 10 August 2010 - 09:43 PM

I know you are busy, but my accounts are now becoming compromised. I've lost my Facebook, Twitter and Gmail account. This is the only computer I'm using. I use this computer for banking as well, so this is now a big issue.

Edited by Giga, 10 August 2010 - 09:47 PM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:31 PM

Posted 11 August 2010 - 10:39 AM

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If using Vista or Windows 7, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 12 August 2010 - 09:36 PM

Thank you.

I've already downloaded 3 or 4 malware / antivirus programs and ran them last night before I saw this post. I downloaded them from the BP page suggesting clean programs to use, each of them seemed to find a lot. I first downloaded mbam which found 3-4, and the remaining programs found much more.

I re-downloaded mbam and ran the scan as requested, after using tfc and rebooting. The quick scan didn't find anything, so I ran a full scan.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4422

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18928

8/12/2010 7:36:29 PM
mbam-log-2010-08-12 (19-36-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 298436
Time elapsed: 1 hour(s), 21 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:31 PM

Posted 13 August 2010 - 06:24 AM

Try doing an online scan to see if it finds anything else (i.e. remanants) that the other scans may have missed.

Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 13 August 2010 - 04:27 PM

Nothing was found. Is this a green flag? Or are there other programs I can use to be absolutely positive?

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:31 PM

Posted 13 August 2010 - 05:41 PM

I've already downloaded 3 or 4 malware / antivirus programs and ran them

What specifically did you use?

The scans are not showing anything thus far. I'd be more concerned you were experiencing other signs of infection like strange audio ads, unwanted pop-ups, bogus security alerts, and browser redirects but you are only advising slowness.

There are many reasons for slowness. You may have too many applications loading at startup when Windows boots. Almost all applications you install want to startup when Windows loads. If you allow all these startups, they will compete for and use system resources resulting in poor performance and a slow system. Many of these programs are not needed and disabling them can save resources and improve performance as they can be accessed from Start > Programs or an icon on the desktop if needed. Other reasons for slowness include disk fragmentation, disk errors, corrupt system files, unnecessary services running, too many browser Add-ons/toolbars, failure to clear browser cache, not enough RAM, dirty hardware components, etc.

I know you said you already did some of the above but you may want to look at other suggestions in the Slow Computer/Browser? Check here first; it may not be malware thread.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Giga

Giga
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 14 August 2010 - 12:58 AM

I'm very familiar with fixing a slow computer. I used Avast, Clam AntiVirus, HouseCall, SpyBot S&D, Maleware, and Auslogics Defrag.

There were 2 trojans and a ton of malware that were removed from the above, I just hope there's no remnants left over.

Edited by Giga, 14 August 2010 - 12:59 AM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:31 PM

Posted 14 August 2010 - 08:03 AM

There are many free anti-rootkit (ARK) tools but some require a certain level of expertise and investigative ability to use so they are intended for advanced users or to be used under the guidance of an expert. Arks are powerful tools and using them incorrectly could lead to disastrous problems with your operating system. Most of the more effective ARK tools should only be utilized by advanced users as they generate logs which must be interpreted and investigated before taking any removal action.

Why? Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernal/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both Legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Some files are locked by the operating system or running programs during use for protection, so scanners cannot access them. When the scanner finds such a file, it makes a note and then just skips to the next one. API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer.

In most cases further investigation is required after the initial ARK scan to analyze and identify the files which were detected so they can be removed during a subsequent scan (or with other specialized tools) if found to be malicious.

These are a few of the easier ARKS for novice users:Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.

Before performing an anti-rootkit (ARK) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware and then you can reconnect to the Internet.
If you are using a CD Emulator (Daemon Tools, Alchohol 120%, Astroburn, AnyDVD, etc) be aware that they use rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative or anti-rootkit (ARK) tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode. Since CD Emulators use a hidden driver which can be seen as a rootkit and interfere with providing accurate results or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users