
ROOTKIT TAKING OVER MY SYSTEM


  • This topic is locked
35 replies to this topic

#1 b.chung (Members, 68 posts)

Posted 18 June 2012 - 11:35 AM

Hello,

My computer has been doing weird things for the past 2 weeks. I can't even finish my work without having it crash. I feel someone is key-logging my activities! The BSOD is random and I get numerous different STOP codes. I can't even download the latest .NET Framework patch from Windows Update center.

I am also worried because I am dealing with patient medical records etc. as a physician assistant, and I wouldn't want their personal information to be compromised.

The latest STOP code I got was an "atapi.sys" BSOD. I have scanned this computer with multiple anti-virus programs such as Spybot S&D, Malwarebytes, and others, and none of them showed any infections. However, I know some ROOTKITS are made in stealth mode so it's hard to detect them.

Looking forward to a response.

Thanks in advance,
B.CHUNG

Edited by b.chung, 18 June 2012 - 11:40 AM.



#2 Blind Faith (Malware Response Team, 4,101 posts)

Posted 18 June 2012 - 01:44 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we work with specific tools which are used to identify the possible threats present on your system, so I will analyze the results they produce.

As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that aspect. DO NOT make any changes to the system except the ones I tell you to, as that may do more damage than help us.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.

Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 b.chung (Topic Starter, Members, 68 posts)

Posted 18 June 2012 - 08:35 PM

Hello,

Thanks for your reply. I think I really have a badly infected computer. Both DDS and GMER halt during scans. What to do now?

:(

#4 b.chung (Topic Starter, Members, 68 posts)

Posted 19 June 2012 - 11:39 PM

Can someone please help me with this issue? I tried contacting Elle via PM, but it's telling me she is not accepting new messages.

I really want to get this issue FIXED ASAP.

#5 Blind Faith (Malware Response Team, 4,101 posts)

Posted 20 June 2012 - 10:28 AM

Hi there,


Please have patience, I will come back ASAP with a reply.



Elle

#6 Blind Faith (Malware Response Team, 4,101 posts)

Posted 20 June 2012 - 02:43 PM

Hi there,


Have you tried running the scans in Safe Mode?


This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.



Elle

#7 b.chung (Topic Starter, Members, 68 posts)

Posted 20 June 2012 - 03:30 PM

Elle,

Yes, I have tried this in safe mode and it still halts :(

#8 Blind Faith (Malware Response Team, 4,101 posts)

Posted 21 June 2012 - 02:51 PM

Hi there,


Ok, we will try something else then.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized




Elle

#9 b.chung (Topic Starter, Members, 68 posts)

Posted 21 June 2012 - 07:34 PM

Elle,

Attached is a copy of the OTL.txt file.

I did not see the EXTRA.txt file open.

Attached file: OTL.Txt (117.77KB)


#10 Blind Faith (Malware Response Team, 4,101 posts)

Posted 23 June 2012 - 11:28 AM

Hi there,



Firstly, I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore, please uninstall ONE of the products, either AVG or McAfee, by downloading (preferably to the desktop) and running their uninstallers:


Download AVG Remover 32-bit

Download McAfee Consumer Product Removal Tool


==================================================================================================================


We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the custom fix textbox.
    :OTL
    [2011/08/08 17:21:45 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Sduhobiqobac.dat
    [2011/08/08 17:21:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Lpobisijihafewoq.bin
    [2011/08/10 11:03:12 | 000,013,968 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\4278454859
    [2011/08/10 10:57:28 | 000,014,014 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\1444934879
    [2011/08/10 10:57:24 | 000,014,082 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
    [2011/08/10 10:56:50 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
    [2011/08/10 10:56:49 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523
    [2011/06/29 02:38:21 | 000,005,115 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
  • Push the fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.






Elle
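The entries the helper put into the fix above share a few traits an analyst looks for when reading an OTL log: hidden+system (-HS-) attributes on plain data files, numeric-only or long extension-less names, and a location under an Application Data folder. The following Python is an added example, not code from this thread or from OTL's author; it parses that entry format with a regex written here for the example, reports those traits, and rebuilds an ":OTL" block from the entries it flags. The first sample line is constructed and benign; the other three are copied from the fix above.

```python
import re

# OTL "created files" entry, in the form pasted into the fix above (regex written for this example):
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C] () -- path
ENTRY_RE = re.compile(
    r"^\[(?P<created>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<op>[A-Z])\] \(\) -- (?P<path>.+)$"
)

# Sample input: a constructed benign line first, then three entries copied from the fix above.
SAMPLE_LINES = [
    r"[2012/06/20 09:00:00 | 000,001,024 | ---- | C] () -- C:\Documents and Settings\user\My Documents\notes.txt",
    r"[2011/08/10 11:03:12 | 000,013,968 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\4278454859",
    r"[2011/08/10 10:56:50 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\q5fueb4sop1sxo8lldd35yh1w8m57ec0mth7i36523",
    r"[2011/08/08 17:21:45 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Sduhobiqobac.dat",
]

def parse_entry(line):
    """Parse one OTL entry into a dict; returns None for lines that do not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["raw"] = line.strip()
    e["size"] = int(e["size"].replace(",", ""))
    e["name"] = e["path"].rsplit("\\", 1)[-1]
    return e

def triage(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing notable."""
    reasons = []
    if "H" in entry["attrs"] and "S" in entry["attrs"]:
        reasons.append("hidden+system attributes")  # -HS- is unusual for user data files
    name = entry["name"]
    if "." not in name and len(name) >= 20:
        reasons.append("long extension-less name")  # looks generated, not user-created
    if name.isdigit():
        reasons.append("numeric-only name")
    if reasons and "Application Data" in entry["path"]:
        reasons.append("lives under an Application Data folder")
    return reasons

def triage_report(lines):
    """Map each parseable entry's file name to its triage reasons."""
    return {e["name"]: triage(e) for e in map(parse_entry, lines) if e is not None}

def fix_script(lines):
    """Emit an ':OTL' block, as pasted into OTL above, listing only the flagged entries."""
    flagged = [e["raw"] for e in map(parse_entry, lines) if e is not None and triage(e)]
    return ":OTL\n" + "\n".join(flagged)
```

Sduhobiqobac.dat is not flagged by these coarse checks even though the helper removed it, which is why the analyst's reading of the full log, not a heuristic, decides what goes into a fix.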

#11 b.chung (Topic Starter, Members, 68 posts)

Posted 23 June 2012 - 01:51 PM

Elle,

Attached is the log file (removed). I have removed the AVG anti-virus.


Thanks,
BC

Edited by b.chung, 23 June 2012 - 02:32 PM.


#12 Blind Faith (Malware Response Team, 4,101 posts)

Posted 23 June 2012 - 02:00 PM

Have you noticed any change to the current state of the computer after running the fix?




Elle

#13 b.chung (Topic Starter, Members, 68 posts)

Posted 23 June 2012 - 02:03 PM

Elle,

Are there any rootkits or viruses? The computer is still doing weird things, such as the screen flinching and disappearing, and sometimes the screen will go blank in different colors like grey, orange, green, blue... reminds me of a bowl of Fruity Pebbles. Also the wireless turns off at random times... really annoying. I guess it's time to invest in a new laptop.

EDIT: I tried to run GMER again to see if the problem will still arise, and surely it did. During the scan, it halted mid-way and BSOD happened.


b.chung

Edited by b.chung, 23 June 2012 - 02:22 PM.


#14 Blind Faith (Malware Response Team, 4,101 posts)

Posted 24 June 2012 - 01:38 PM

Hi there,



Could you please access Safe Mode again and tell us if you encounter the same problems? (BSODs, colour changes, etc.)

The thing is, we do not suspect you are infected but on the other hand we suspect you have a video card problem or at least a hardware problem. Therefore, we need to investigate deeper to be able to confirm it.


Please open OTL again and select the black coloured "NONE" button. Please look under the Extra Registry section and change from the "None" option to "Use Safelist" so that the Extras.txt log is produced. :)





Elle

#15 b.chung (Topic Starter, Members, 68 posts)

Posted 24 June 2012 - 04:18 PM

GMER still halts in safe mode. How do you know this PC is not infected if I can't even run GMER and DDS as requested in the first place? :\

Attached is Extra.txt.


Edited by b.chung, 24 June 2012 - 05:07 PM.




