quarantined and deleted successfully, but then...


I thought of e-mailing this directly, but decided to post on the forum instead. More along the lines of feedback, though any suggestions would be appreciated.

I "cleaned" an XP Home SP2 computer this morning using Anti-Malware. It found 5 infected folders and 22 infected folders, and quarantined and deleted them all successfully. I then re-ran the software and it came up clean. I then ran the usual antivirus software (BitDefender) and that also came up clean. I then plugged in the network cord and within a minute BitDefender had stopped 4 viruses from being launched and the constant stream of e-mails began again. I ran another deep system BitDefender scan and it came up with 2 infected files with No Action Possible. I ran Anti-Malware a third time and though BD had 2 positives, it found nothing. (I also ran GMER yesterday and they said the rootkit file is c:\windows\system32\drivers\Lqt24.sys. Unfortunately, I did not get this response from them before thinking the system was clean and plugging in the network cord.)

The initial viruses that came up on the scan way back on Friday were Trojan.Dropper.Delf.Crypt.O, Trojan.Kobcka, Trojan.Inject.IA, and another that I don't remember. For every scan, a different name comes up, it seems.

From the initial system scan of Anti-Malware I got the following 7 different positives:

Rogue.XPSecurityCenter

Rootkit.Agent (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr)

Security.Hijack

Trojan.Agent

Adware.Funweb

Malware.Trace

Trojan.FakeAlert

Two of the viruses that BD blocked after I plugged in the network cord were Trojan.Inject.JF and Trojan.Kobcka.DV. The Kobcka trojan was identified as being at C:\Windows\System32\drivers\tcpsr.sys. Is this merely a coincidence, or are they related? Again, Anti-Malware picked up nothing after this second BD scan which showed a No Action Possible result.

Did the rootkit "learn" to hide from Anti-Malware during the first two scans?


Depending on the rootkit in question, it's entirely possible for it to hide... Yes. Cat and mouse game if you will.

If you would like to start a fresh thread in the hijackthis log forum, one of the helpers can hopefully get this resolved for you.


If you have GMER still, click the file tab. Browse to drivers\Lqt24.sys, click it and then use the copy button on the right to copy it to your desktop as any file name other than what it actually is (it will instantly rehide if you do).

Next tell GMER to kill the file, now reboot. The file will still be there but crippled beyond any ability to function.

Now take the copy you made earlier, zip it and attach it to your next post here.

As far as your question goes, this rootkit changes often and it seems that you caught one that we don't have (yet).

Eh... too late. I got tired of waiting for responses and with the OK from my boss (in case deleting the file corrupted the system) deleted the said Lqt24.sys from GMER since it wouldn't let me delete it from windows. So no file for anyone to examine, but so far so good on the computer. I'm still getting two "can't find file specified" random number and letter .sys files on GMER scans (such as 8d6aff.sys), in the c:\windows\system32\drivers directory though. (These so-named files appeared directly below the Lqt24.sys file in the original scans.) Are they remnants, or does this mean that I'm still infected? (I'm typing this from my connected-to-the-internet boss's computer, yay!)

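A defender-side check related to the phantom driver entries described in the post above, added here as an example and not part of the thread or of any Malwarebytes tool: a PowerShell script (assumed PowerShell 2.0 or later) that walks the kernel driver services under HKLM\SYSTEM\CurrentControlSet\Services and flags those whose .sys file is missing on disk or carries no valid Authenticode signature, which is how a leftover entry like tcpsr or a random-named driver would show up.

```powershell
# Added example: cross-check driver service entries against files on disk.
# Assumes PowerShell 2.0+ on Windows; run from an elevated prompt.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot     = $env:SystemRoot

Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { return }
    # Type 1 = kernel driver, 2 = file system driver; skip user-mode services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { return }

    # Normalise the forms ImagePath takes: \??\C:\..., \SystemRoot\..., system32\...
    $path = $props.ImagePath -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $sysRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $sysRoot $path }

    $file = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING' }
    $sig  = 'n/a'
    if ($file -eq 'present') {
        # NotSigned here is a lead, not a verdict: older systems report
        # catalog-signed Microsoft drivers as NotSigned too.
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    New-Object PSObject -Property @{
        Service   = $_.PSChildName
        Start     = $props.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        File      = $file
        Signature = $sig
    }
} | Where-Object { $_.File -eq 'MISSING' -or $_.Signature -ne 'Valid' } |
    Sort-Object Service | Format-Table Service, Start, File, Signature, ImagePath -AutoSize
```

A driver that the registry says should load but that Test-Path cannot see is exactly the "can't find file specified" pattern in the post; compare the listing against a known-clean machine of the same build before deleting anything.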

  • Root Admin

Yes, there is probably still something on or wrong with the system and you should follow the instructions here: Pre- HJT Post Instructions

Then post the requested information here: Malware Removal - HijackThis Logs

We realize that this can be a frustrating and annoying time on your computer and we're here to help, but please realize that it does take time and that everyone here is volunteering their time freely to assist others.

Thank you for using and visiting Malwarebytes.



We realize that this can be a frustrating and annoying time on your computer
Even more so since it's a business -- not like a home computer -- but needed for syncing calendars, etc. and that I've been re-living the old days of running back and forth with a flash drive! ;)
and we're here to help, but please realize that it does take time and that everyone here is volunteering their time freely to assist others.
And you guys are doing great! Many thanks! :angry:

I remember when stashing a floppy diskette in your shirt pocket was a sign of importance.
A big thank you for all of your perseverance.

You need to follow the instructions given by AdvancedSetup and let someone help you.


I've had to do the cat and mouse deal, I'd run a scan then clean it, reboot and the rogue installers would do their thing. The people here know their job though to help you get back to normal ops. I took the time to actually educate my users on malware, even put up posters from our virus software company and it helped once I got my systems cleaned up.

Depending on your user requirements, how data is saved, network configuration, etc., I'd look into programs like Deep Freeze so you won't waste endless work hours on needless screw ups by your users.
