
Nasty Rootkit



Per response to my previous post of the same topic title (see below), I have performed the scans and attached the requested scan files.

(Malwarebytes would not run and Defogger did not cause a reboot but seemed to finish ok.)

(zipped log files of all scans attached)

Here is my original post:

I seem to have picked up a particularly nasty rootkit.

I hope someone can help because I have been scouring the web for two full days now and I have not turned up anything that works.

It will not let me do much as far as running AV programs.

It will not let me run Malwarebytes nor HijackThis.

It will not let me run Avast nor NOD AV programs.

It will not let me run RegCure nor RegistryBooster.

I also noticed a strange new file in my C:\Documents and Settings\xxx\Local Settings\temp directory named "jggsw.old". I can delete it but it immediately comes back again. I suspect this is related to whatever I have caught.

I was able to run Spybot and it picked up something called "UACd.sys" which I found out from a web search is a virus.

It was located here:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys (and in several more ControlSets)

With this key:

\systemroot\system32\drivers\UACssibivkdiv.sys

I took a chance and deleted all references to this in my registry and after a reboot things seemed to work again. However, later (after a second reboot) the problem seemed to return and I am no longer able to run these programs once again.

I searched the registry once again for traces of UACd.sys but did not get any hits this time.

I am beginning to suspect it is a mutating rootkit.

Thanks for your assistance.

Attach.zip
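As an added example (not part of the original post or the forum's advice), this PowerShell snippet automates the check the poster did by hand: it walks the Services key of every ControlSet, flags driver services whose key name or ImagePath fits the "UAC<random>.sys" shape found above, and reports whether the referenced driver file is visible from user mode. The `$Pattern` regex and the variable names are this example's own assumptions.

```powershell
# Added example: enumerate all ControlSet*\Services entries and flag the
# "UAC<random>.sys" naming described in the post. The regex is an assumption
# based on the two names the poster saw (UACd.sys, UACssibivkdiv.sys).
$Pattern   = '^UAC[a-z0-9]*\.sys$'

Get-ChildItem -Path 'HKLM:\SYSTEM\ControlSet*\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $svc       = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $imagePath = [string]$svc.ImagePath
    # Leaf file name of the ImagePath value, e.g. UACssibivkdiv.sys
    $leaf = if ($imagePath) { Split-Path -Leaf ($imagePath.Trim('"')) } else { '' }

    if ($_.PSChildName -match $Pattern -or $leaf -match $Pattern) {
      # Registry driver paths are NT-style (\SystemRoot\... or \??\C:\...);
      # map them to a Win32 path so Test-Path can look for the file.
      $win32Path = $imagePath -replace '^\\SystemRoot', $env:SystemRoot `
                              -replace '^\\\?\?\\', ''
      $onDisk = if ($win32Path) { Test-Path -LiteralPath $win32Path } else { $false }

      # $_.Name looks like HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys,
      # so the third element from the end is the ControlSet name.
      [pscustomobject]@{
        ControlSet  = ($_.Name -split '\\')[-3]
        Service     = $_.PSChildName
        ImagePath   = $imagePath
        FileVisible = $onDisk   # False = deleted, or hidden from user mode by the rootkit
      }
    }
  } | Format-Table -AutoSize
```

A matching service whose file reports `FileVisible = False` while the registry entry keeps reappearing after deletion is the pattern the poster describes, and is worth capturing (registry export plus the scan logs) before attempting any cleanup.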


  • Staff

Hi,

It looks like you're dealing with a combination of the TDSS rootkit + Daonol/Gumblar variant. Especially this second one locks/blocks all known removal tools.

First of all, I want to test if our modified version of Malwarebytes works here, so please try this version of Malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar to this: mbamrandom.gif

Double-click on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the Malwarebytes log together with a new HijackThis log.

In case you're having problems with above instructions, let me know. Or if Malwarebytes still won't launch, let me know as well... Then we'll deal with it in another way. :lol:


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
