
Win 32 Rootkit Infection


6 replies to this topic

#1 SamarthT

  • Members
  • 7 posts

Posted 06 September 2012 - 10:00 AM

Hi Guys,
I have a user whose machine is badly infected with a Win32 rootkit. I have tried running ComboFix but it freezes and the computer becomes non-responsive. Here are the steps that I have tried:

1 - Renamed ComboFix and then ran it - (ComboFix and the computer both freeze 5 mins after the ComboFix box appears on the screen.)
2 - Downloaded TDSSKiller - (Unable to launch TDSSKiller; renamed it as well.)
3 - Tried running Avast Rootkit Remover - (Same problem as TDSSKiller; it won't open at all.)
4 - Ran Malwarebytes and SUPERAntiSpyware - (Both only detected multiple Trojans, which were removed.)
5 - Ran Microsoft Fix it, as the computer kept giving a "Low Virtual Memory" error - (The issue still persists and at random times the error still comes up; I am guessing it's related to the rootkit too.)
6 - As soon as the computer starts, the user also gets a "Hardware Install" prompt - (Dunno why, because I have checked with Device Manager and none of the drivers are missing.)
7 - I have also run Kaspersky Virus Removal Tool - (The tool detects a rootkit, and when you click on "Yes" to delete it, the scan shows no "Infected Files Found".)

Also I would like to mention that before the rootkit infection came up, the same user's machine was infected and all the files were hidden. I was able to remove the Trojans by simply turning them off and deleting them, as these exe files were located under User Profile > AppData. I ran a Malwarebytes scan after the removal and it showed the machine was not infected anymore.

I also used Unhide to recover all hidden files, and everything worked fine for a day before the rootkit infection was detected and started freezing up the machine.

Please let me know if you need the RootRepeal file; I didn't attach the log file without permission.

Thanks a lot


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 06 September 2012 - 10:02 AM

We do not troubleshoot ComboFix issues here. Do not run the tool without expert help.

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here with logs

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#3 SamarthT (Topic Starter)

  • Members
  • 7 posts

Posted 06 September 2012 - 12:28 PM

Hi,

I followed the instructions in the post as stated above, but I am facing difficulties:

- Defogger - When I try to disable with Defogger (running it as an admin), it pops up with the error "Defogger cannot create file".

- DDS - When I run DDS, a black screen pops up. 5 mins into the DDS scan the whole computer freezes.

- I do have the GMER log file. Can I create a new post based on the GMER, HijackThis and RootRepeal logs?

I am attempting to log into normal mode and will run the files again after renaming them to see if it helps, because GMER was named randomly and not GMER.exe and was able to run fine. I'll update the post accordingly.

Edited by SamarthT, 06 September 2012 - 12:33 PM.


#4 SamarthT (Topic Starter)

  • Members
  • 7 posts

Posted 06 September 2012 - 12:51 PM

OK, I have tried renaming the files and running them, but still the computer freezes. Although I can Alt+Tab between windows, I can't click on them with the mouse.

Also I have noticed that in GMER it keeps giving me an error ("Unable to create subkey under volatile key") and not all the options of GMER are available; I only see 3 options that GMER can scan.

DDS - Still freezes, but I have been able to disable CD emulation.

- Can I create a new topic with the HijackThis log file, RootRepeal and GMER (partial log, as I can't select all options)?

#5 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 06 September 2012 - 01:10 PM

yes

#6 SamarthT (Topic Starter)

  • Members
  • 7 posts

Posted 06 September 2012 - 02:35 PM

Thanks for the prompt reply,

I am running a scan with Emsisoft Emergency Kit. I downloaded it from the tools section and thought the USB boot scan would help. After updating Emsisoft, I am currently running a scan and have found 4 rootkit infections. I will attempt to run DDS and GMER after the scan to check if the issue is resolved. I will post the full logs or the partial ones depending on how the machine works after Emsisoft is done scanning.

Hopefully the log files will help root cause.

#7 SamarthT (Topic Starter)

  • Members
  • 7 posts

Posted 06 September 2012 - 03:00 PM

The problem still persists. I am adding scan logs as well.
