Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit Infection, Various bits of malware


  • This topic is locked This topic is locked
11 replies to this topic

#1 Chanct

Chanct

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 27 November 2011 - 04:08 AM

Hi experts,
i'm not especially new to these forums over here just the dreaded first time i would be posting here. I think i have a TDSS rootkit or some type of rootkit somewhere in my system, i've tried using tdsskiller from kaspersky, the scans come up negative, the same for sophos. Malwarebytes was disabled quite early on i think so when various bits of malware started popping up i had to use Super anti Spyware to get them.

Reasons why i think i have a rootkit:
1. Browsers blocked, no internet access whatsoever yet almost 500mbs gone from my c drive (restored registry keys from FixEXE to go on the internet)
2. Privacy protection malware/ rogue anti-virus program popped up. Booted in safe mode ran Super anti spyware and rkill nothing found but when i booted up normally again, it was gone?!?!?! seems it was deleted by something i didnt do!)
3. Computer has been EXTREMELY slow recently at times where i can't launch / click on anything for about 5-10 seconds
4. Random restarts and shutdowns. i always interrupt these by hitting the power button and doing a force shutdown i.e. holding the power button for 10 seconds.
5. Forgot to mention, i've been getting strange redirects to ebay and other strange sites from search links from google

I've run sophos anti-rootkit, AVG anti-rootkit (though this was disabled soon after the initial scan)and tdsskiller. Aside from that Sup. Anti Spyware for the malware and FixEXE to get my pre-rootkit registry keys back. Oh i also forgot to mention i used combofix in safe mode and let it run for the night but when i woke up this morning my computer was frozen and the malware (Privacy centre) was gone. N.B i did this yesterday night before i came to bleeping computer. i had no idea i wasnt supposed to use it

Hope you can take some time to reply to this soon,

Edited by Chanct, 27 November 2011 - 04:20 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:49 PM

Posted 27 November 2011 - 03:01 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Chanct

Chanct
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 27 November 2011 - 05:02 PM

Thanks for the reply orange blossom. Nice to there's people like you helping eventhough you're not part of the malware removal team. Good on you!

Anyway back to the point. Another force restart... I was running GMER under an alias when it happened. One thing I noticed though. Almost a whole Gb was gone from my hard drive. From what my computer told me' anyway. So after the reboot my taskbar disappears and I get a warning message about my computer being locked blah blah new Scotland yard ... It's got my ip address and everything. Not hard to find... It wants 100 to unlock it. Obviously this is a fake seeing as the Scotland yard badge looks like something outta doctor who. Yes by now if you haven't figured out I live in the uk. So Internet explorer opens up just after the task bar is hidden from view and a page loads from hxxp://95.211.55.108 ( just saying in case you have a liason with the police or something lol)
The page loaded is literally the same as the one that now looks like my screen saver. I managed to circumvent the disappearing taskbar last time by pressing the power button and letting half of the apps close and then pressing cancel when force restart pops up( this was when I had the privacy centre malware stuff on my computer) it worked this time as well. Yet browsers don't work yet. Probably going to get rid of the malware and then restore my registry then post the logs. This I will have to do tomorrow however as I need to sleep soon.

Oh also just so you know I'm using my phone for internet right now. So sorry if my paragraphs are a little long winded.

Edited by Chanct, 27 November 2011 - 05:04 PM.


#4 Chanct

Chanct
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 29 November 2011 - 04:18 PM

Here are the logs. Managed to get past the fake page by the above method. Now to wait... B)

Attached Files



#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:49 PM

Posted 02 December 2011 - 04:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429520 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:49 PM

Posted 02 December 2011 - 10:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Reset the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:51414 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option. Or no proxy if you do not need it.
===

If you use Firefox remove the proxy settings also.
http://support.mozilla.com/en-US/kb/Firefox+cannot+load+websites+but+other+programs+can?s=proxy+settings&as=s
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please post the log and let me know what problem persists.

#7 Chanct

Chanct
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 02 December 2011 - 03:41 PM

Hi Nasdaq,

Thank you for the response, here's the Mbam log. Also, thanks to Mbam (i'm guessing) previously disabled A/V software is popping up again. So maybe it wasn't a rootkit? The annoying thing is that i had Mbam on my computer before this but it was disabled and i forgot all about it -sigh- . Could've saved a lot of time and effort on both sides. I remembered another thing as well. A host of malware programs, nothing large i think , were plaguing my computer at the same time the forced restarts were happening... they wouldn't let me run task manager or a group of other such programs (rkill etc) yet I quite easily disabled them via msconfig. However i'm still missin approx. 3 Gb off of my hard drive. I'm going to run Perfect disk and Ccleaner and see what happens.

EDIT: I would also like to mention that the problem with my browsers was based in the registry. I think. Since none of my browsers were launching i entered bleeping computer on explorer and it came up with an error saying that there was an error sending the command to the registry, so i restored my registry from FixExe.reg file i think i got off this website a year ago. Browsers worked fine

---------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8292

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

02/12/11 8:20:05 PM
mbam-log-2011-12-02 (20-20-05).txt

Scan type: Quick scan
Objects scanned: 192131
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ciXQsNIAE33 (Trojan.CTRLRedir.Gen) -> Value: ciXQsNIAE33 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\drivers\wvchatts.exe645 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\drivers\wvchatts.exe645 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Acer\AppData\Local\Temp\0.7303736646455108.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
c:\Users\Acer\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\0.7303736646455108.exe.lnk (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Users\Acer\AppData\Local\EpTF2z\cixqsniae33.cpl (Trojan.CTRLRedir.Gen) -> Quarantined and deleted successfully.

Edited by Chanct, 02 December 2011 - 03:44 PM.


#8 Chanct

Chanct
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 02 December 2011 - 04:02 PM

Hi nasdaq,

Sorry for the double post, but i found a rather strange file when running CCleaner. it's titled ntbtlog and its a text file. I found it in the windows log section but the weird thing is that its just under 1 Gb... Now i'm pretty sure an application would have to run for a VERY long time for it to compile 1 Gb of text data so i guess its safe to assume its not a .txt ? notepad can't handle it when i try to open it and i'm not willing to try and open it with a different program just in case. Any ideas? I googled it but all that came up was a file related to booting issues with Win2000. I'm running Win 7 64-bit Ultimate just in case you didn't read the dds log, if that's what the dds log tells you anyway.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:49 PM

Posted 03 December 2011 - 08:07 AM

i found a rather strange file when running CCleaner. it's titled ntbtlog and its a text file. I found it in the windows log section but the weird thing is that its just under 1 Gb


How to Analyze Boot Logs
http://sourcedaddy.com/windows-7/how-to-analyze-boot-logs.html

You can disable this Boot log analysis by reversing the action shown here.
http://windows7themes.net/enable-boot-logging-in-windows-7.html
===

quote from this article: http://www.techrepublic.com/article/understanding-safe-mode-options/5033697

The file is continuous, so multiple logs will be written to it unless you delete the current version and allow a new one to be created. To avoid confusion, you should delete the Ntbtlog.txt file before starting the system with the Enable Boot Logging option set. You can use Safe Mode to perform such a task, if the file has not previously been deleted.


I would disable the boot log, go to safe mode and delete the file.

You decide if you want to enable that boot analysis for now.

===

Good work.


Let see what else we can clean.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#10 Chanct

Chanct
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:49 PM

Posted 07 December 2011 - 02:14 PM

Hi nadaq,

Sorry i'm just posting this to tell you that i'm still alive... i've been swamped with work and exams so i didn't run combofix like you asked. I'll try to find some time tomorrow but it will likely be up to chance whether i'll be able to sit by my laptop for more than half an hour. The last time i ran combofix i ran it in safe mode and my computer froze.

Thanks again

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:49 PM

Posted 07 December 2011 - 02:26 PM

I'll be here.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:49 PM

Posted 13 December 2011 - 01:27 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users