
Quite possible rootkit infection


22 replies to this topic

#1 Jeff UIT

  • Members
  • 20 posts

Posted 02 January 2013 - 03:50 PM

This has happened once before on a different machine...

System is XP Professional SP3.

Browser is unable to connect to most web sites - the URL is mangled into something that looks like "http:///" no matter what is entered. Windows Update and the like are unable to run, Norton does not even start up. Oddly enough, iTunes/Safari/QT were able to update cleanly...

This is only seen in "regular" mode - if you boot into Safe Mode with Networking, these results are not seen.

Any suggestions on finding the offending process? Thanks in advance!

j

Edited by hamluis, 03 January 2013 - 06:07 PM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.



#2 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 02 January 2013 - 06:27 PM

Please do the following:

Please download DDS from either of these links (LINK 1, LINK 2) and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 04 January 2013 - 11:46 AM

Attaching the DDS files. I will run aswMBR later today (not at the computer right now).

Thanks again!

j (after fixing my email address)


#4 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 04 January 2013 - 08:07 PM

ok, thanks



#5 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 07 January 2013 - 10:01 AM

Ran aswMBR and it died. Boom. I selected the "use avast" feature and it just went noplace.

I then, on my own, ran a new copy of GMER. I have attached the logs to this. It found lots of services with names of my AV and Scan products (Symantec, MBAM, aswMBR), along with modules attached to a path of:
\??\C\Documents And Settings\{temp directories within my profile}

So I suspect that that is where we're hitting the issues.

Just so that I can't be accused of being lazy, I re-ran the aswMBR in Safe Mode With Networking. It ran complete, so those files are also attached. :-)

Thanks again!

j


#6 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 07 January 2013 - 10:31 AM

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Cure is selected (if Cure is not available, select Skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Download ComboFix from the following location:

Link 1

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



#7 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 08 January 2013 - 12:02 PM

Ran TDSS the way I was asked. It found nothing (log attached). I then ran it again, selecting the "loaded modules" option. It asked to reboot, which I did. The system shut down cleanly, started up, and crashed halfway through the reboot! It rebooted again automatically, and I brought it up in "Normal Mode" and scanned again (ZIPped log attached). In both cases, there was nothing to cure.

Ran the ComboFix process as well - it deleted some files (as reported on the screen) but the initial issues (no browser connectivity, no A/V starting up) are still present.

j


#8 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 08 January 2013 - 12:28 PM

Please do the following:

Please download Farbar Service Scanner and run it
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



NEXT


Please download MiniToolBox, save it to your desktop and run it.

Place a checkmark in the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.



#9 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 09 January 2013 - 01:24 PM

Logs are attached.

j


#10 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 09 January 2013 - 08:07 PM

are you still having issues with your connection?



#11 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 11 January 2013 - 04:35 PM

Yes, nothing has changed. When the machine boots, none of the AV applications start (both Norton and MalwareBytes). If I am in an IE window and try to connect to a site, I see either a "Host Not Available" message, or if it's a "well known" host (such as Google, MSFT, etc.), I see the same error, but the URL changes to "http:///" in the URL bar. When I use Safari, it always shows "Host Not Available" messages.

Unable to update most applications: for example, aswMBR was unable to get the avast downloads, and MBAM won't connect to their database for updates.

Oddly enough, if I do this and look at netstat, I don't see any remote connections open or fail. It always tries to connect to localhost or the "machinename" of my PC.

Could this be a DNS sort of affliction? I know that one tool was able to connect via IP addresses and I've never tried to go that route myself...

Is it worth going through the whole process again in Safe Mode? I know in Safe Mode, there are no issues at all (so whatever is kicking over comes in as we go to full multi-user mode).

j

#12 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 11 January 2013 - 07:33 PM

It may be the Norton settings that have become corrupt

try uninstalling it completely (using the Norton Removal Tool)

then see if your connection re-establishes itself (you may have to reset winsock and flush the DNS)

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


next

Click Start and type cmd in Start Search.

When cmd.exe populates in the window above, right click it and select Run as Administrator to open an elevated command prompt.

Type in the following commands in the command prompt and press Enter after each command:


netsh int ip reset reset.log

netsh winsock reset catalog

IPconfig /release (Note the space between the "g" and the slash / it needs to be there)

IPconfig /Renew


ipconfig /flushdns

type exit to close the command window


Reboot and see if your connection is repaired

Edited by CatByte, 11 January 2013 - 07:35 PM.

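As an added example that is not from this thread or from either poster: a PowerShell triage script that gathers, in one place, the evidence the MiniToolBox checklist in post #8 and the netsh/ipconfig steps above are aimed at, namely IE proxy settings, active hosts-file entries, Winsock catalog providers (where a leftover LSP from an AV product shows up) and whether well-known names still resolve. It assumes PowerShell 2.0 or later and an elevated prompt; the output file name NetTriage.txt is my choice.

```powershell
# Added triage script (not the thread's own tool). Collects the local settings
# that typically explain "http:///" rewrites and localhost-only connections.
function Get-NetTriage {
    $report = @()

    # 1. IE proxy settings (per-user), the same data as "Report IE Proxy Settings".
    $ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $ieKey
    $report += "ProxyEnable   : $($ie.ProxyEnable)"
    $report += "ProxyServer   : $($ie.ProxyServer)"
    $report += "AutoConfigURL : $($ie.AutoConfigURL)"

    # 2. Hosts file: every non-comment line is a candidate redirect and worth a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $active = Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' }
    $report += "Active hosts entries: $(@($active).Count)"
    if ($active) { $report += $active }

    # 3. Winsock catalog: a third-party provider path (often left behind by an
    #    AV uninstall) is what "netsh winsock reset catalog" clears out.
    $catalog = netsh winsock show catalog
    $report += "Winsock providers (Description / Provider Path):"
    $report += ($catalog | Where-Object { $_ -match '^(Description|Provider Path):' })

    # 4. Name resolution: separates a DNS problem from a proxy/LSP problem.
    foreach ($name in 'www.microsoft.com', 'www.google.com') {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($name) |
                   ForEach-Object { $_.IPAddressToString }
            $report += "$name resolves to: $($ips -join ', ')"
        } catch {
            $report += "$name resolution FAILED: $($_.Exception.Message)"
        }
    }
    return $report
}

# Write the report to the desktop (file name is my choice) and echo it.
$out = Join-Path $env:USERPROFILE 'Desktop\NetTriage.txt'
$lines = Get-NetTriage
$lines | Out-File -FilePath $out
$lines
```

Run it before and after the Norton removal and the winsock/DNS reset so the two NetTriage.txt files can be compared line by line.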


#13 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 14 January 2013 - 12:10 PM

Strangely enough, after removing the AV software and running those extra commands (and the related reboots), the system is back to the way it should be. Browser works, and I can get to Microsoft, Google, etc. I can even connect to my office's VPN host. In other words, we're back on track, and it's with thanks to you.

j

#14 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 14 January 2013 - 07:05 PM

that's good to hear

download and install Microsoft Security Essentials so you are not without an AV

http://www.microsoft.com/security_essentials/

then please do the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#15 Jeff UIT
  • Topic Starter

  • Members
  • 20 posts

Posted 16 January 2013 - 11:22 PM

JRT and AdwCleaner logs are attached. Rest will follow...

j

Edited by Jeff UIT, 16 January 2013 - 11:25 PM.