
rootkit ... ggktpfg .... nrktcvy .... winlogon .... xp problems


5 replies to this topic

#1 Reese_Reese

Reese_Reese

  • Members
  • 8 posts

Posted 01 October 2010 - 11:09 AM

Hello everyone out there,

Hope you all are doing better than me :thumbsup:

Now I will try to tell you in detail what I know, and let's see if anyone can tell me where exactly the problem is.

First of all, I have been running Windows XP SP3 since forever, and I don't want to change to Win7 yet because my current machine won't be able to handle my next favourite, Windows 7, so I am still trying to work with WinXP SP3.

Secondly, my hardware is alright; it is XP and Vista compliant, and other than the slow speed of the optical drive I can't see anything wrong with it. Also I ran umpteen checks on the hard drive and each test passed it as OK, same with the other parts.

My hardware is an Intel T2100 CPU (1.83 GHz), Intel chipset motherboard, 977 FSB, 1 GB RAM, Toshiba 80 GB SATA HD, Intel LAN (it's an IBM-Lenovo ThinkPad).

IN A NUTSHELL: earlier my WinXP SP3 would last about a week maximum, and lately it even refuses to finish the installation.

OK, now to get into the details of the problem. It was all cool and I was never worried much, so I was not updating security or taking preventive measures, and then around 7 or 8 July I was hit by the "ggktpfg.exe" error, which within minutes changed into an "nrktcvy.exe" error, and the computer would boot to an empty desktop. So I would press "Ctrl-Alt-Del" to get the Task Manager, and from the Task Manager I would start a new task, i.e. open the browser and search the web for a solution (and that's probably what made things this bad). At that time only prevx.com was offering a solution to the ggktpfg.exe, but it wasn't a free download; they were selling their thing for like 30 or 40 $, so I went around looking for better options.

Later, not so long after, the computer refused to complete boot, i.e. it stops at the black screen with the Windows logo on it, and no, the 3 blue bars do not scroll across to indicate it's loading up. Note that that screen is very pale. And in Safe Mode it can be seen that files up to mup.sys are loaded and then it all freezes.

And after a routine repartition and format, initially all operating systems (Win XP and 7) refused to be installed onto my hard drive (as if it would be too big an insult to them) {and then Win98 and WinME do not know what the heck SATA is .... lol}

Then I worked around and dug up a few tools (like:
Active@ KillDisk freeware bootable CD
Bart CD [v3 and v3.2]
Hiren CD [v5, v9.4, v10.6 and v11.0]
bootable PQ PartitionMagic 8.0 CD

And soon I unpartitioned my drive and wiped it and then repartitioned it and then installed WinXP SP3. Well, it would work for a week max before I would need to extensively clean the disk for a reinstall .... BUT mind you that then, with my up-to-date Norton Internet Security and up-to-date Spybot installed, these two programs were never able to finish a scan. I mean, when Spybot was like 20% across, the laptop would start to go to sleep or turn off altogether, and same with Norton. And it would keep doing that again and again till I and the program gave up.

Another thing: since I got a Toshiba disk, I tried the Toshiba utility to do a low-level format, but somehow that option was never available to me, and the other option of zero-fill drive I did many times. Maybe that helped a bit, but I yearn to be able to low-level format my HD.

MY QUESTION TO THE EXPERTS: is low-level formatting already a thing of the past?

All this time what I used to do was to delete everything, and especially the MBR and the contents of the "System Volume Information" and the "recycler". I have many times replaced the MBR and PBR using BOOTICE. Well, for some days something there used to work, and then in those days I do not recollect seeing a part of the hard drive that the partitioner would not include in the partitions, AND these days it holds back about 3 MB which some programs show as unallocated whereas others show that the whole disk is used, but I do use KillDisk to wipe that little space too. I think I used to find junk in the System Volume Information folder of about 30 MB, just filenames and no extensions.

In later days I installed Kaspersky Virus Removal Tool and Malwarebytes and then ran checks. First Kaspersky reported an infected java.exe and an infected firefox.exe and an infected opera.exe; that reminded me that my JRE was from 2006, so I installed the newer versions of all three programs in an attempt to avoid the problems that Norton or Spybot could not detect. Then I ran the Malwarebytes check, and that clearly said that an infection of Rootkit.Agent.H was found and removed.

All this while I have been getting various problems from various programs, but none is more persistent than the "winlogon" error, which prevents the computer from booting. At times the computer would boot with errors attributed to Live Messenger, Google Messenger, the ATI CCC, etc. etc. and then shut down due to that fatal error. All this while my computer would sleep or turn off whenever it wants to, and especially if I gave it a virus check.

For a few days I was able to work my machine and try and get a solution, but now that I know that it's probably a rootkit virus plus another host of characters, and I downloaded the necessary "free rootkit downloads", my computer simply refuses to finish the installation, and now I can't run anything.

And right now I am on the net after booting from Hiren 11.1. Thank God for bootable CDs, otherwise we would not be able to look for the cure for what actually ails our computers.

Other than that, I do have a few USB drives that might be contaminated, and maybe it's when I connect those that I get hit. BTW, one of those drives is reporting an error in its NTFS, but since it runs OK and nothing seems able to correct that, what can I do? Some programs show it as damaged NTFS and one even called it an "experimental" NTFS, but I am sure it all was good when I got it.

And I keep seeing a weird cookie <user>@bellcan.adbureau; it seems to be a Bell Canada cookie, but I have not been their customer for the past 4 years and I never go to any of their sites. Also a "yieldmanager" cookie is what I can't understand.

And oh, BTW, I have a fixed IP and I hate that, coz that might be one of the problems. For the first time in 12 years of internet do I have a fixed IP; I prefer a floating IP.

Another question: is there any way to install Windows in Safe Mode or something like it? Coz normal isn't working.




#2 Reese_Reese

Reese_Reese
  • Topic Starter

  • Members
  • 8 posts

Posted 04 October 2010 - 01:42 AM

ADDENDUM

I must also mention that I am frightened by the immense response that I got so far by posting for help at this site *joking*. Anyway, I am going to post some keywords and let's see if I get some replies then. :thumbsup:

And then I must clarify that between each install in the past there was massive hard disk preparation required.

Also, back then I was able to run "GMER" and it would just suddenly disappear/shut down, and "IceSword" would stop some things, but that was not completely effective either.

To all the newbies out there, please let me tell you in complete confidence that no antivirus covers the rootkits; however, almost all have a "free rootkit download". I mean Sophos, McAfee, AVG, Panda, etc. etc. all have anti-rootkits that can be downloaded for free, and then there are other anti-rootkits by other people or organisations. And from what I read on the web already, it seems a person should use at least 4 anti-rootkit applications to catch the one that is plaguing you, and that is because there is no rootkit standard or any anti-rootkit standard. By the way, I have downloaded at least 25 rootkit solutions already, but my computer never boots from the hard drive, so to me it's all useless. And be careful about which rootkit program to run, coz every hacker would love to market a rootkit and call it an anti-rootkit.

Also another fact. A few days ago my Google Mail account informed me that about 2 days ago this account was accessed by someone far, far away from where I was logging in. Like, they kept track of the logins and the places, and then they asked me if that far-away login was also me. That surprised me and I changed the password immediately, but later one day I witnessed a friend send me an email, and I saw it arrive into my mailbox as white (unread mail), and then suddenly I was unable to access the account for 12 hours, and twelve hours later when I entered the account it was no longer a white (unread email) message but a blue (already read) message.

So I can safely conclude that I am in deep, deep bleep.

And I guess anyone that gets rootkit-ed is caught between the devil and the deep blue sea. lol.

Also I must add that I have disabled my laptop's sleep mode. I mean, from the power management tab I had selected "never" as the sleep time, but still it would go to sleep when it pleased or when a scan was running.

Question to the experts: after the install of Windows, what's best to install, the antivirus and the anti-rootkit OR the drivers? Coz the rootkits use the drivers very well too.

Also, if you bought an antivirus, then please do bother to configure it to the tightest security possible that it can do, coz the default settings usually don't do much, so please configure your antivirus to use the maximum heuristics and all that.

Also I would recommend that users use the software to "wipe" or "cleanse" the hard drive in 5 or 6 turns, but remember that after a few turns, power the computer off so as to delete the virus that might be in the memory and waiting to be written again as soon as the wipe or delete command is over.

I have just reinstalled Windows after cleaning the disk with the disk manufacturer's utility, since nothing else was working, and then I installed the usual programs that are saved on the USB key, and among those programmes are Spybot 1.62, Malwarebytes Anti-Malware, Norton 360 and Kaspersky Virus Removal Tool... all these programmes are newer versions and updated, but none of these programs ever completes a scan ... either the computer goes into standby mode (SLEEP) or it just shuts down. And if it goes into sleep mode then it is supposed to wake up if I press "Fn" and "F4" together, but I see that it wakes up just by pressing the "Fn" key .... weird!

Well, later on, soon after I wrote the last paragraph, the computer refuses to boot, and just before that I had just installed and updated SUPERAntiSpyware, and then it shut down and remains so.

No software has been successful in completing the scan; seems whatever it is, it is programmed right to avoid detection. BTW my Norton 360 version 4, which was updated to date, is off and it refuses to turn on. I don't know if it's the Norton account problem or just another doing of the virus or the rootkit I got .... BTW AVG Anti-Rootkit did not find anything. The rest of the anti-rootkits I haven't tried yet.





Keywords: incomplete installation, rootkit, rootkit.agent.h, does not boot, truther, 9/11, evasive virus, winxp problem, winlogon error, various programs errors, USB infection,


#3 Reese_Reese

Reese_Reese
  • Topic Starter

  • Members
  • 8 posts

Posted 11 October 2010 - 10:08 AM

OK, so I have been waiting for replies or hints to my problems, but I got none so far, BUT I guess I'll just keep posting the newer details till some expert can tell me what is going on in my computer and my life these days ..

Anyway, again, so far my Norton 360 v4 refuses to turn on and protect, and all of Norton's things have failed to get it going. So I removed all of Norton and then reinstalled the same, but only this time I set a password to make it tamper-proof. AND I have done the same with Windows, i.e. set up an Administrator password so that sometimes my computer would listen to me instead of some other guy who hasn't even paid for it.... lol

BTW, there is a chance that the computer might not boot, OR there is also the chance that it would boot and then immediately go into "standby", OR later, if forced out of "standby", it might show the blue screen of death. But if it all works fine, then I was able to get Norton to complete a complete scan for the first time in about 3 months, and it was all clear, and now I am trying to get better or more updates that will at least recognize my problem.

Other than that, Malwarebytes Anti-Malware found an incidence of Rootkit.Agent.H in the system32\drivers folder again, this time in a file by the name of 28110911.sys, and then I found about 7 other files with the weird 7- or 8-digit filenames and the .sys extension, and I moved them all to another location. The files all had all-number 8-character names starting with 281, 401, or 791, and all were weird files. But then I put them back so that the computer would boot, but sent samples to the "labs":
C:\windows\system32\drivers\2811091.sys
C:\windows\system32\drivers\28110912.sys
C:\windows\system32\drivers\4014490.sys
C:\windows\system32\drivers\40144901.sys
C:\windows\system32\drivers\40144902.sys
C:\windows\system32\drivers\7910611.sys
C:\windows\system32\drivers\79106111.sys
C:\windows\system32\drivers\79106112.sys

Incidentally, I have a few people who communicate with me about this issue, so I send them the material that I deem suspicious. And so far I am just drudging along ,,,,,,,,,,, sick of repartitioning and formatting and zero-filling the drive etc. etc.

And for once I was able to run Spybot, and it found nothing, but its scan finished far sooner than usual, so unless they tweaked the newer version, then it must have taken a shortcut somewhere down the way..

SUPERAntiSpyware found a Trojan.Gen infection and its 7 registry keys; I think it was all removed too.

Other than that, still my machine is pretty much useless, as I still have to boot from a disc to access the net and all. BUT thank God, and I thank all those people who made these boot disks, that I can still look for a cure, coz these days my computer is like an "angry girlfriend", as it does as it damn well pleases, or at least I can't make any sense of its actions; whether it's connected to the net or not, it pretty much does damn well as it pleases.

AND it's my presumption that since I am booting from a CD and using the net, then maybe the infected part is not being used, or there is no risk of infecting it.

Also, Kaspersky is a good company in my books. Its Kaspersky "Virus Removal Tool" is great, but lately it encounters "malfunctions" and cannot complete its scan, but it solved a few problems before. Another good product is their "bootable antivirus rescue disk"; that too seems a great idea, but unfortunately they both malfunction on my machine. BUT I don't think that other companies have marketed free products that are as effective as these, and my guess is that on a "normal" sick machine they would work fine, but it's my guess that it's just that my machine has been sick for a long time and it's been getting sicker by the day, and so they couldn't do much.



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts

Posted 11 October 2010 - 10:22 AM

Hello, the replies to yourself made it appear that you were being answered... Anyway, looks like you still have a rootkit in some form.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#5 Reese_Reese

Reese_Reese
  • Topic Starter

  • Members
  • 8 posts

Posted 12 October 2010 - 10:48 AM

Hiya boopme, man, am I glad to see you!

Hey all, hey, the first thing I find here is that it's so hard for me to get here. I mean, logging in and then going through the welcome window into another one and then finding the header saying "My Topics" to get to this page of mine, man, it's complicated to get here, unless you just bloody Googled it.

BTW, GMER is one of the applications that has never finished a complete scan; somewhere down the road it just disappears. BUT I'll be doing a DDS soon and let's see what that shows. ... thanks boopme.

Anyway, in my case I do have here a "lion" caged, meaning I think I got it right where I want it. I mean, I can go about my ways using a bootable disk of Hiren and then install Firefox 3.06.10 (or something) with the usual Adobe Flash Player, and I guess then one is good to go just about anywhere, except there is no sound or webcam. BUT I do hear that there is a fully loaded WinXP SP3 bootable CD out there too.

And yes, right now my PC is non-functional, but I can take a few days to play with it and find out where I got this bloody bad disease in my machine.

These days I just boot every few hours and see what the internet's got for the disease, and then disconnect the cable, despite that I got my Norton 360 firewall and all working (but not detecting anything either). BUT SUPERAntiSpyware and Malwarebytes caught the bug twice, and then we found a "Trojan.Gen.X" thing, and I am just saying, if you want a copy of which file, you just let me know your email and I'll probably mail you a zip of whichever you want, if you want a sample of this "ROOTKIT.AGENT.H".

Other than that, I guess I am pretty close to exterminating it, as I think I got it well cut off from the network, but I think I want to know more about it; if you're in it, then let's see who gets to the bottom of this one. I am in a bit of a fix, as I never learnt much about computers till it bloody breaks down, and then I am forced to learn an update. Otherwise I'd have preferred to know nothing of it except which icons I can hit.

The reason I want to kill this is because "I ain't paying for your spying on me", and I think I am mature enough to know better. I want every megahertz (and that's MHz and not GHz, mind you ...) that I paid for. I mean, I WANT every megahertz that I paid for, and I do NOT want to wait for some spy file on me to be prepared first before I can do my bleep.

And then here I am looking at this carcass of Rootkit.Agent.H, but I bet there's worse out there, and then remember that I still got the crime scene to investigate all the clues, unlike in 9/11 when they disposed of all evidence in a hurry.

And then I am thinking, if this is an old disease, then how bad can a newer "disease" be? AND yes, I do shudder!

And I am curious if torrents can also be used as hack tools? .... coz I always had one on.

Keywords: story of rootkit, the rootkit life, working solution to a broken computer,


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts

Posted 13 October 2010 - 11:05 AM

Hello, firstly, you may want to bookmark the link to this topic. That may make it easier.

Now you will need to post the DDS log to get all of this rootkit out. If you cannot run GMER, skip it and mention that in the new topic.

Rootkits, backdoor Trojans, botnets, and IRC bots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit



