
A possible solution to the Rootkit problems


1 reply to this topic

#1 shatrunj

Posted 22 October 2010 - 10:35 PM

Hello All,

First of all, thanks to all those folks who provide their time, help and service. I was facing a problem where all of my search results would end up generating weird pop-ups with no link to what I searched for. I want to describe the steps I took before and after coming to this website so that others can benefit from my experience.

First, some software specs: Windows XP with SP2. I use McAfee Security, SpyBot, Adaware, Malwarebytes Anti-Malware, and Bill Patrol. I got this rootkit infection despite this set of tools. McAfee is on at all times. I use real-time protection from Malwarebytes when launching IE or Firefox. Once a week I run Adaware and Spybot.

Things began to go haywire this morning. I was searching for an academic paper relevant to my work when I noticed that the search results, when clicked, would go to nonsense sites. Here are the steps.

Before coming to this website:
1. Disconnected from Internet.
2. Ran a Quick Scan with MBAM, found a trojan and quarantined it. Then ran Spybot. No matches. Ran McAfee Security Quick Scan - found 2 infected objects and removed them. Ran a full scan. Nothing more. Rebooted.
3. Saw an "Unhandled Exception" error with ASMagent.exe - the first time I ever saw something like that. Ignored it and launched IE with MBAM IP and real-time protection enabled. Same errors again.

After registering here:
1. Read all the different solutions suggested by the good folks here.
2. Downloaded SuperAntiSpyware, GMER, ERUNT, RKUnhookerLE, TDSSKiller and ComboFix.
3. Ran SAS. It detected 5 or 7 objects. Rebooted and found the same problems. I was hoping it was not a root kit. :thumbsup: ):
4. Ran ERUNT and backed up registry.
5. Ran RKUnhookerLE and the report showed possible Rootkit activity
6. Ran GMER and this confirmed the Rootkit activity.
7. Ran TDSSKiller. Created a folder after unzipping this archive onto the desktop as per the instructions and ran it. Chose the Cure option. It removed the rootkit.
8. Rebooted the laptop. Reran GMER to check whether rootkit presence was still detected. Success :flowers: :trumpet:. All clean.
9. Rebooted the laptop. Reran RKUnhookerLE and no rootkit. Ran TDSSKiller again and no infected objects.
10. Launched IE, entered a search item and could now click on the links without a problem.
11. Shut down IE. Disconnected from the internet. Reran GMER, RKUnhookerLE and TDSSKiller - no infections found.
12. Post this info in the forum.

I have to say my thanks to the moderators/admins named Gringo, Teacup1, OrangeBlossom. I hope this is helpful.

Zach

#2 Blade

  • Site Admin

Posted 23 October 2010 - 12:20 AM

Hello shatrunj and :flowers: to BleepingComputer.

First, let me say that I am glad you resolved your issues. :thumbsup:

Secondly, though you were successful, for both your future benefit and the benefit of others who may read this thread please take note of the following:

Regarding RKUnhookerLE and GMER:

Rootkit scans often produce false positives, and often don't have conclusive results at all. It requires a trained eye to be able to read and interpret ARK logs accurately and determine the safest way to remove any malware present. It is not advised that users attempt to take action on their own.

Regarding TDSSKiller:

Due to the constantly changing nature of the TDSS/TDL*/Alureon rootkit, the unsupervised use of TDSSKiller carries some inherent risk. On more than one occasion TDSSKiller has incorrectly removed an infection when dealing with a new variant of the malware. Because of how the infection operates, the most common effect of an incorrect removal is a computer that will no longer boot properly. Due to this inherent risk it is not advised that users attempt to use TDSSKiller without expert guidance so that, if something does go wrong, the helper will be able to quickly diagnose the problem and provide assistance in restoring the computer to a functional state.

Please feel free to let me know if you've any questions.

~Blade
