Jump to content

couldn't run MB, suspect rootkits


Recommended Posts

Hi

I'm running Vista 32-bit Home Premium on a Toshiba laptop. I couldn't run MalwareBytes, HijackThis, or other programs for a while. I had connectivity issues as well.

I finally was able to run UnHackMe from partizan and it cleaned up some things. I can now run MWB and after quick and full-scans, it found and removed many items.

I am still getting problems that I believe are rootkit related.

What can I provide for you that would help to diagnose this problem.

Thanks for your help.

Cam

Link to post
Share on other sites

Hi Cam, Welcome to Malwarebytes :(

  1. Download RootRepeal from the following location and save it to your desktop.

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive.

[*]Open rootRepealDesktopIcon.png on your desktop.

[*]Click the reportTab.png tab.

[*]Click the btnScan.png button.

[*]Check all seven boxes: checkBoxes2.png

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Link to post
Share on other sites

Thanks for the reply!

Here is my RootRepealreport.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/09 19:31

Program Version: Version 1.3.3.0

Windows Version: Windows Vista SP1

==================================================

Drivers

-------------------

Name: 耀

Image Path: 耀

Address: 0x97CCE000 Size: 172032 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: bowser

Image Path: \FileSystem\bowser

Address: 0x97DDB000 Size: 102400 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: cdfs

Image Path: \FileSystem\cdfs

Address: 0x999DA000 Size: 90112 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: dump_atapi.sys

Image Path: C:\Windows\System32\Drivers\dump_atapi.sys

Address: 0x8F468000 Size: 32768 File Visible: No Signed: -

Status: -

Name: dump_dumpata.sys

Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys

Address: 0x8F45D000 Size: 45056 File Visible: No Signed: -

Status: -

Name: mrxsmb

Image Path: \FileSystem\mrxsmb

Address: 0x99803000 Size: 126976 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: mrxsmb10

Image Path: \FileSystem\mrxsmb10

Address: 0x99822000 Size: 233472 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: mrxsmb20

Image Path: \FileSystem\mrxsmb20

Address: 0x9985B000 Size: 98304 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: rootrepeal.sys

Image Path: C:\Windows\system32\drivers\rootrepeal.sys

Address: 0x9858A000 Size: 49152 File Visible: No Signed: -

Status: -

Name: secdrv

Image Path: \Driver\secdrv

Address: 0x999C4000 Size: 40960 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name: srv2

Image Path: \FileSystem\srv2

Address: 0x99873000 Size: 159744 File Visible: No Signed: -

Status: Hidden from the Windows API!

Name:

Link to post
Share on other sites

You're welcome.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Here is the Combo-Fix log.

I had to transfer the log.txt to another computer because I couldn't start IE after running Combo-Fix. I get an error:

"Illegal operation attempted on a registry key that has been marked for deletion."

I get the same error when trying to run "notepad.exe".

Anyway, here is the log output:

ComboFix 09-08-10.01 - Ryan R & Hannah R 08/10/2009 16:34.1.2 - NTFSx86

Microsoft

Link to post
Share on other sites

Hi cammac725,

Launch Malwarebytes' Anti-Malware

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6001 Service Pack 1

8/10/2009 10:22:21 PM

mbam-log-2009-08-10 (22-22-21).txt

Scan type: Quick Scan

Objects scanned: 89158

Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\SpywareRemover2009 (Rogue.SpywareRemover) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\cleaner2009 freeware (Rogue.Cleaner2009) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Link to post
Share on other sites

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are a few very good free Antivirus products which are available:

Select one of these, or another of your choice. Download, install, and update definitions.

Also, how is your computer running?

Link to post
Share on other sites

You're welcome.

Your log looks clean, Great Job :(

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Cleanup.png

Now for some cleanup..

Please download OTC and save it to Desktop.

  • Please make sure you are connecting to the Internet
  • Double-click OTC.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.




    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
      No Firewall Onboard
      You don't seem to have a firewall program installed. Using a firewall will allow you to allow/deny access for applications that want to go online. Select one of these, or another of your choice:

    [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    [*]Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    [*]Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

    [*]Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

  • McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.