Virus Will Not Go Away


This topic is locked
3 replies to this topic

#1 mr_pickles

mr_pickles

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 29 September 2010 - 03:06 PM

Hi Gang,

I'm having some real trouble here. Recently I was infected with what I believe to be some sort of rootkit. My computer would start crashing because of a generic win32 process. I started to look into it and noticed svchost.exe using lots of memory. So I did a command (cmd): netstat -on
Sure enough, svchost.exe was sending requests to all sorts of IPs.

Started to do some more searching on the Internet, came across all sorts of tools. Some ran well, others did not. When running ComboFix, I would see an entry in my log under the gmer section:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A7c7c76]<<

So I started searching, and found information here on this site.
When I run GMER by itself with all the items ticked as shown in your preparation guide, my computer eventually crashes. I watch all the services running increase in memory usage until the machine just freezes. So I ran them individually. I haven't finished running the Files scan in GMER yet, but wanted to get some input from you guys before I go too much further. I've been trying to clean this for several days now and it just keeps coming back.

I've uninstalled my JRE and even Java updates all together in hopes it would help. It didn't, I'm still infected.

I am running Windows XP SP3.

Any help would be greatly appreciated.

EDIT: I didn't post logs because I saw in a recent post gringo_pr asked the user not to do that. Since it conflicted with the Preparation guide, I decided I better not until someone asks for them.

Thanks for the response Orange Blossom.

Here are the DDS and ComboFix logs.
I haven't had a chance to get a good log from GMER yet.
As soon as I can, I will post that as well.

Thanks again!

Merged posts and removed my reply. ~ OB

Hello,

I have a GMER log now that I ran in Safe Mode.
It does not contain IAT/EAT or Files.
I tried running a separate scan for Files; it looked like it completed, but would not save.
I tried to copy, but couldn't get Notepad to open up and my system just froze.
I was able to scroll through the log, but it only had entries for Visual Studio.NET and Sonic Disc Burning stuff, so I don't think it was complete.

I am still unable to get any Windows Updates or hit the Windows Update site.
I no longer have a mysterious browser window popping up with consumernews24.com though - so I guess that's good.
I downloaded a trial version of Kaspersky Anti-Virus 2011, it didn't find anything.
I've run Malwarebytes, originally it found 2 Trojans, but it no longer finds anything either.
I've checked my LAN settings, no proxy has been setup or anything like that, it looks good.

Any help would be greatly appreciated.
(Sorry if this is a bump, but I wanted to provide the GMER log and give more information)

EDIT: Another post merged ~BP

Attached Files


Edited by Budapest, 02 October 2010 - 03:22 PM.



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,088 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:21 PM

Posted 04 October 2010 - 05:50 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 mr_pickles

mr_pickles
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 05 October 2010 - 09:41 AM

Hello elise025.
Thank you for the response.
I have finally found the issue and it has been resolved.
Basically, I ran so many different scans, I lost track of which of them I ran in Safe Mode and which I ran in Normal Mode.
I ran TDSSKiller again in normal mode and it indeed found:
Rootkit.Win32.TDSS.tdl4
MBR
Name: \HardDisk0\MBR

It fixed the issue, I ran some cleaners again after and now I am back in full working order.

Thanks again!
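The rootkit TDSSKiller reported above lives in the MBR, so as an added example (not from the thread, and not how TDSSKiller works) here is a Python check that compares a disk's first sector against a known-good baseline: boot-code hash, partition table and the 0x55AA signature. The two MBR images are constructed sample data; on a real machine the 512 bytes would be read from the raw disk device with administrative privileges.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 446    # boot code occupies bytes 0..445
TABLE_END = 510   # four 16-byte partition entries occupy bytes 446..509; 0x55AA follows


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, non-empty partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, CODE_END + 16 * i)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[TABLE_END:] == b"\x55\xaa"}


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings as strings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def make_mbr(code: bytes) -> bytes:
    """Build a constructed MBR with one active NTFS (type 0x07) partition; sample data, not a real disk."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 20_000_000)
    return code.ljust(CODE_END, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed known-good image, and a copy whose boot code was overwritten.
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]
TAMPERED_MBR = make_mbr(b"\xeb\x58\x90" + b"\xcc" * 200)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```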

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,088 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:21 PM

Posted 05 October 2010 - 11:11 AM

Thank you for letting me know.

Since this issue is resolved, I will close this topic. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


 

Malware analyst @ Emsisoft
