

Help please, Rootkit causing network problems


  • This topic is locked
20 replies to this topic

#1 Annanymous

  • Members
  • 9 posts
  • Gender:Female

Posted 22 July 2012 - 06:50 PM

A couple of days ago, my network connection suddenly stopped working, and the network troubleshooter couldn't provide any help. I tried System Restore to resolve the problem, and this made it so that every time the computer started, I received the Blue Screen of Death with the error being:
SRTSPL64.sys

PAGE_FAULT_IN_NONPAGED_AREA


After some research, I concluded that this was a Symantec-related file that had been corrupted. Additionally, upon starting Malwarebytes in Safe Mode, it displayed a message stating that it was corrupted as well.

From a forum suggestion, I ran Scannow at a Command Prompt which led to me having to replace the file tcpmon.ini following the guidance provided from the forum.
After restoring the file, my internet connection resumed working properly. I also uninstalled Symantec and re-installed Malwarebytes successfully. About a day later, my internet cut out again.

Convinced I had a virus of some type, I ran Malwarebytes to see if it could find anything, and it found no malicious items. From there, I concluded it was probably a Rootkit, so I ran TDSSKiller, which found nothing. From there, I installed and ran ComboFix from the desktop (I have the log if needed). Ultimately ComboFix stated that there was an infected System file which was c:\windows\SysWow64\drivers\ntfs.sys

ComboFix attempted to create a replacement for the infected System file, but said it could not and needed to conduct an intensive search. After about 5 minutes, my computer restarted and rebooted with a message stating C:\Windows\System32\GfxUI.exe could not run because a file related to it was not running properly.

After this restart, Windows wanted to update upon Shut Down, so I let it, and when it rebooted the previous Dialogue box about C:\Windows\System32\GfxUI.exe did not appear. Then, I ran Rkill to see if ComboFix had deleted the Rootkit or not, and it stated C:\Windows\SysWOW64\rundll32.exe process was terminated, so I assumed not. I gave ComboFix another shot (I also have that log).

I ran Rkill again after ComboFix scanned, and it said it terminated the same process as before. Can someone help me clarify what the problem is and how I can resolve it? I'm completely out of ideas. Thanks.
-Anna

Edited by hamluis, 22 July 2012 - 06:53 PM.
Moved from Win 7 to Am I Infected - Hamluis.
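The post names several files (ntfs.sys, rundll32.exe, the SRTSPL64.sys driver from the stop code) without any way of telling which of them are actually modified. The script below is an added example, not part of the original thread or any of the tools mentioned in it: it checks each file's Authenticode signature and compares its SHA-256 with the copies in the WinSxS component store, which is where sfc /scannow restores from. The SRTSPL64.sys path and the drivers\ntfs.sys path under SysWow64 are taken from the post or assumed; adjust them to the machine at hand.

```powershell
# Added example, not from the thread: check the files named in the post for a
# valid Authenticode signature and compare each one's SHA-256 with the copies
# in the WinSxS component store, which is where sfc /scannow restores from.
# Run from an elevated, 64-bit PowerShell prompt on the suspect Windows 7 x64 box.
# Works on the PowerShell 2.0 that ships with Windows 7 (no Get-FileHash needed).

if ([IntPtr]::Size -ne 8) {
    throw 'Run this from the 64-bit PowerShell; a 32-bit process sees System32 redirected to SysWOW64.'
}

# Paths quoted in the post, plus the locations the 64-bit kernel actually loads
# these files from. The Symantec driver path is an assumption.
$targets = @(
    'C:\Windows\System32\drivers\ntfs.sys',      # where the x64 kernel loads NTFS from
    'C:\Windows\SysWow64\drivers\ntfs.sys',      # path ComboFix reported; unusual location
    'C:\Windows\System32\rundll32.exe',
    'C:\Windows\SysWOW64\rundll32.exe',          # process Rkill kept terminating
    'C:\Windows\System32\drivers\SRTSPL64.sys'   # Symantec driver from the BSOD (assumed path)
)

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also runs on PowerShell 2.0, which lacks Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
        $sha.Clear()
    }
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present"
        continue
    }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
    $hash   = Get-Sha256Hex $path
    Write-Output $path
    Write-Output ("  status : {0}" -f $sig.Status)
    Write-Output ("  signer : {0}" -f $signer)
    Write-Output ("  sha256 : {0}" -f $hash)

    # Every component-store copy with the same file name. A live file that matches
    # one of them is what sfc expects; one that matches none deserves a closer look.
    $leaf   = Split-Path -Leaf $path
    $copies = Get-ChildItem -Path 'C:\Windows\WinSxS' -Recurse -Filter $leaf -ErrorAction SilentlyContinue
    foreach ($copy in $copies) {
        $verdict = if ((Get-Sha256Hex $copy.FullName) -eq $hash) { 'MATCH' } else { 'differs' }
        Write-Output ("  winsxs : {0} [{1}]" -f $copy.FullName, $verdict)
    }
}
```

Two caveats when reading the output. Many Windows system binaries carry no embedded signature and are signed only through a catalog; PowerShell versions before 5.1 report those as NotSigned, which is not evidence of tampering, so the WinSxS hash comparison (or Sysinternals sigcheck, which does verify catalogs) is the better indicator for Microsoft files. Second, a kernel-mode rootkit can filter what user-mode code reads from disk, so a clean result from inside the running system is weaker than the same check made offline from rescue media, which is the approach suggested further down in this thread.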



#2 Eric Bennett

  • Members
  • 53 posts
  • Gender:Male
  • Location:Granby, MA (United States)

Posted 22 July 2012 - 07:24 PM

Hello Annanonymous,
The problem that you are having sounds like a combination of problems. When the rootkit infected your computer, it appears to have caused Internet issues and attempted to disable your Symantec antivirus software. When you started noticing issues, you ran a system restore. The system restore process may have tried to restore some drivers back to a previous version, but in this case, it appears that the rootkit may have locked the driver files so system restore couldn't restore the files. I would recommend that you run a Windows system recovery from your installation media, but I don't know if you have a disk. If you need one, I would be more than happy to send one via mail. Also, is the operating system 32-bit or 64-bit? Meanwhile I will search for a solution.

I also suggest that you download the Bitdefender Rescue CD, assuming you have a functioning computer and optical media. Then you can boot off of the CD and scan the computer with the Bitdefender program, or you could run the automated command line repair program by following these instructions. I hope this solves any issues you have ;)

Regards,
Eric Bennett
(ebthepcguy)

Edited by Eric Bennett, 22 July 2012 - 07:45 PM.

Eric Bennett (ebthepcguy) | Helping People One Post At A Time | YouTube Twitter Facebook Email me | Forum Rules Homepage | My Profile


#3 Annanymous
  • Topic Starter

Posted 22 July 2012 - 08:35 PM

Eric,
I failed to mention that I tried a System Recovery Disk and Start-up Recovery right after System Restore, and both could not help me.

To answer your question, my operating system is Windows 7 Home Premium 64 bit.

Also, I think I forgot to add that I can boot Windows normally without any crashes, so would you still recommend the Bitdefender Rescue program?
Thank you for the reply,
-Anna

#4 Eric Bennett

Posted 22 July 2012 - 09:16 PM

Annanonymous,
I would recommend that you run ESET Sysinspector and create a snapshot of your machine. Once done, right click and select "export" and save the (.xml) file, then upload the (*.xml) file through email and send it to me here so that I can further assist you.

Best of luck,
Eric Bennett
(ebthepcguy)



#5 Annanymous
  • Topic Starter

Posted 22 July 2012 - 10:00 PM

Eric,
I sent the file via e-mail. Thanks for all your help.
-Anna

#6 Eric Bennett

Posted 23 July 2012 - 09:21 AM

Hi Annanonymous,
Sorry I have sent you on a wild goose chase, but unfortunately, ESET SysInspector did not find any suspicious items. This doesn't, however, suggest you don't have a rootkit, as rootkits are very covert and are very hard to find. The only other thing that I can suggest is downloading TeamViewer and allowing me to remotely connect to your infected machine and attempt to repair it. If you want to contact me privately when you download and install the software, I'll be more than happy to help you with this problem. I wish you the best of luck!

Regards,
Eric Bennett
(ebthepcguy)



#7 Eric Bennett

Posted 23 July 2012 - 10:16 AM

It appears the admin deleted my post, bear with me here...



#8 Annanymous
  • Topic Starter

Posted 23 July 2012 - 10:21 AM

I had read the previous post before it had been deleted.

#9 Eric Bennett

Posted 23 July 2012 - 10:24 AM

I have deleted my post as remote connectivity is not allowed.

Edited by Eric Bennett, 23 July 2012 - 11:16 AM.



#10 Eric Bennett

Posted 23 July 2012 - 10:29 AM

I have deleted my post as remote connectivity is not allowed.

Edited by Eric Bennett, 23 July 2012 - 11:15 AM.



#11 Annanymous
  • Topic Starter

Posted 23 July 2012 - 10:41 AM

Eric,
For now I'll decline your suggestion of Remote Connectivity. I'd like to see if I can get the problem resolved on the forums before I try anything else.
Thanks again,
-Anna

#12 Eric Bennett

Posted 23 July 2012 - 10:46 AM

OK, I fully understand. But without actually seeing the environment you're in on your computer, it is very difficult to talk you through repairing your computer. Could you post some screenshots of the errors when they occur? Otherwise, the only thing I could suggest is a complete system recovery from installation media. I hope this problem is fixed soon!

Regards,
Eric Bennett
(ebthepcguy)



#13 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 23 July 2012 - 10:48 AM

You have used ComboFix without expert help. We do not analyze ComboFix logs here.

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#14 Eric Bennett

Posted 23 July 2012 - 10:56 AM

Narenxp,
I believe she was using ComboFix at her own discretion to attempt to find and solve the problem. I don't see a log here.

Regards,
Eric Bennett
(ebthepcguy)



#15 narenxp

Posted 23 July 2012 - 10:58 AM

I believe she was using ComboFix at her own discretion to attempt to find and solve the problem. I don't see a log here.


That's the problem. We don't have a log to analyze what actually happened, and we don't want the user to post it here. That's the reason I suggested the user post in a forum where it can be reviewed.

Edited by narenxp, 23 July 2012 - 11:00 AM.
