
Think I have a rootkit infection, but can't prove it [Logs attached]


This topic is locked. 14 replies to this topic.

#1 battlescar


Posted 28 April 2013 - 02:20 PM

I have a laptop that I let my children use, and it's behaving *awkwardly* - some of the file associations are unusual (keeps recommending the wrong programs to open files) and it keeps terminating antivirus scans. I think that one of my children might have installed some software unwittingly, but I can't seem to find anything they have installed...

 

Despite the terminating Antivirus scans, I managed to circumvent this by disabling UAC in Windows Vista, and I finally managed to get a series of programs (including MalwareBytes, HijackThis, RogueKiller etc. ) to run a series of searches. Nothing seemed to come up, but I have a particularly strong gut feeling that there's something going on...

 

MalwareBytes Log:

 

Internet Explorer 9.0.8112.16421
Admin :: STORMBREAKER [administrator]
21/04/2013 17:04:28
mbam-log-2013-04-21 (17-04-28).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 401060
Time elapsed: 1 hour(s), 31 minute(s), 36 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)


 

Attached Files
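The Malwarebytes log above is a summary format: one "&lt;category&gt; Detected: N" header per section, the listed items (or "(No malicious items detected)") beneath it, and an "(end)" marker that only appears when the scan ran to completion. Since the poster's problem is that scans keep being terminated, the first thing worth checking in a log like this is whether that marker is present at all, because a log that stops early is not evidence of a clean machine. The Python below is an added example, not code from the thread or from Malwarebytes; the sample log is constructed in the same layout as the one quoted above, with two made-up detections added so the parser has something to list, and the "object (Name) -> Action" item line format is an assumption based on how such logs are commonly laid out.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of the Malwarebytes log quoted above.
# The machine name and the two "Files Detected" entries are made up for
# this example; the poster's real log reported zero detections.
SAMPLE_LOG = r"""Internet Explorer 9.0.8112.16421
Admin :: EXAMPLE-PC [administrator]

21/04/2013 17:04:28
mbam-log-2013-04-21 (17-04-28).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 401060
Time elapsed: 1 hour(s), 31 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Example\AppData\Local\Temp\sample1.exe (Example.Detection) -> Quarantined and deleted successfully.
C:\Users\Example\AppData\Local\Temp\sample2.dll (Example.Detection) -> No action taken.

(end)
"""

HEADER_RE = re.compile(r"^(Scan type|Objects scanned|Time elapsed): (.+)$")
SECTION_RE = re.compile(r"^(.+?) Detected: (\d+)$")
# Assumed item layout: "<object> (<detection name>) -> <action taken>"
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text: str) -> Dict:
    """Parse the summary layout into headers, per-section counts and item lines."""
    report: Dict = {
        "scan_type": None,
        "objects_scanned": None,
        "time_elapsed": None,
        "complete": False,   # True only when the "(end)" marker was seen
        "sections": {},      # category -> count reported in its header line
        "items": [],         # one dict per listed detection
    }
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None   # a blank line closes the current section
            continue
        if line == "(end)":
            report["complete"] = True
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_")
            value = m.group(2)
            report[key] = int(value) if key == "objects_scanned" else value
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            report["sections"][current] = int(m.group(2))
            continue
        if current and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:
                report["items"].append({"category": current, **m.groupdict()})
    return report


def unresolved(report: Dict) -> List[Dict]:
    """Listed detections whose action line does not say they were quarantined."""
    return [i for i in report["items"] if not i["action"].startswith("Quarantined")]


def assess(report: Dict) -> str:
    """Read the log the way a helper would: did it finish, do the header counts
    agree with the listed items, and was anything found."""
    if not report["complete"]:
        return "incomplete: no (end) marker, the scan did not finish or the log was cut off"
    total = sum(report["sections"].values())
    listed = len(report["items"])
    if total != listed:
        return f"inconsistent: headers report {total} detections but {listed} items are listed"
    if total == 0:
        return "clean: all sections report 0 detections"
    return f"{total} detection(s), {len(unresolved(report))} not quarantined"


if __name__ == "__main__":
    print(assess(parse_mbam_log(SAMPLE_LOG)))
```

Run against the log the poster pasted, this reports "clean", which is exactly why a truncated copy of the same log, everything before the "Files Detected" section with no "(end)" line, is reported as incomplete rather than clean: a killed scan produces no detections either.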





#2 battlescar


Posted 28 April 2013 - 02:22 PM

[Post 2 with further attachments]
 
hxxxttps://mega.co.nz/#!6VglHLYC!XVFKA0KHz3kO7ld_L9wr3Hc4ue1P2HRnI7RNoCcERbQ

Attached Files


Edited by nasdaq, 29 April 2013 - 07:49 AM.
Link obfuscated.


#3 m0le

  • Malware Response Team

Posted 02 May 2013 - 07:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:


m0le is a proud member of UNITE

#4 battlescar


Posted 04 May 2013 - 02:16 PM

Hi - I can confirm that I am still here...



#5 m0le

  • Malware Response Team

Posted 04 May 2013 - 07:59 PM

Please run aswMBR, which will scan for rootkit activity.

 

Please download aswMBR ( 511KB ) to your desktop.

  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



#6 battlescar


Posted 05 May 2013 - 08:00 AM

Hi, please find the log attached

Attached Files



#7 m0le

  • Malware Response Team

Posted 06 May 2013 - 07:47 PM

One more check

 

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool (scan your computer's memory for errors)
    Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.

 



#8 battlescar


Posted 07 May 2013 - 02:50 PM

Hi - thanks for the advice; I have attached the FRST.exe log to this message.

Attached Files

  • Attached File  FRST.txt   18.73KB   2 downloads


#9 m0le

  • Malware Response Team

Posted 07 May 2013 - 06:16 PM

That looks fine too. Perhaps we need to see if any remnants are still lodged in the machine.

 

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 



#10 battlescar


Posted 09 May 2013 - 04:43 PM

Hi m0le,

 

Thanks for your previous message - at last we might have found something! Have run the scan, and it appears that there were 3 pieces of malware (or at least things identified as malware) lurking on the computer - have attached the log to this message...

Attached Files

  • Attached File  ESET.txt   344bytes   3 downloads


#11 m0le

  • Malware Response Team

Posted 10 May 2013 - 06:44 PM

The top two have been flagged but are probably okay. The BLZ trojan though looks promising. It can be used to steal email addresses and causes some of the symptoms of a rootkit - though it's much less stealthy.

Has anything changed on the machine?

#12 battlescar


Posted 15 May 2013 - 03:35 PM

As far as I can tell, nothing massively different appears to have changed - it seems to run slightly quicker, but nothing I could tangibly verify. That said, if I were to re-enable UAC and try opening an anti-virus that the trojan shut down, would that be a good way of determining whether or not something was still present?



#13 m0le

  • Malware Response Team

Posted 15 May 2013 - 07:16 PM

I think that would be a good idea but don't assume that this would mean malware shut down the program.

Try it though, battlescar, and let me know what you did and what happened.

Edited by m0le, 18 May 2013 - 09:07 PM.


#14 m0le

  • Malware Response Team

Posted 18 May 2013 - 09:08 PM

Anything to report?

#15 m0le

  • Malware Response Team

Posted 19 May 2013 - 07:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



