Jump to content

rootkit infection

MohavePC

By MohavePC
in Resolved Malware Removal Logs

 Share

Recommended Posts

MohavePC

MohavePC

Posted
Posted

Hello All

I have an XP home SP2 machine that has a root kit infection that I cannot Identify or remove. When I try to run a tool such as Malwarebytes or Superantyspyware the program closes as soon as it catches a glimps of something. I have run several programs including Mbam, Superantispyware portable, Hijackthis, tdsskiller, rkill all have been run in safe mode with command prompt from both desktop of infected pc and from a flash drive. Tdsskiller finds a rootkit named vbma1a1f.sys and will only quarantine it not delete it but it returns immediately. rkill closes Svchost.exe that immediately restarts. I cannot post a log as I cannot get anything to run long enough to get a log.Have done a windows repair install to get it out of a no boot situation that was missing the host.dll Any help would be appriciated

Hello All

I have an XP home SP2 machine that has a root kit infection that I cannot Identify or remove. When I try to run a tool such as Malwarebytes or Superantyspyware the program closes as soon as it catches a glimps of something. I have run several programs including Mbam, Superantispyware portable, Hijackthis, tdsskiller, rkill all have been run in safe mode with command prompt from both desktop of infected pc and from a flash drive. Tdsskiller finds a rootkit named vbma1a1f.sys and will only quarantine it not delete it but it returns immediately. rkill closes Svchost.exe that immediately restarts. I cannot post a log as I cannot get anything to run long enough to get a log.Have done a windows repair install to get it out of a no boot situation that was missing the host.dll Any help would be appriciated

As a note to this I was able to get Superantispyware to run long enough to give me a possible source. it said i had an infection of "Trojan.Dropper/SVCHost-Fake" However it cannot run long enough to remove it

Link to post
Share on other sites
kahdah

kahdah

Posted
Posted

Okay please do the following.

Place the cd in the drive then reboot the computer.

Press any key when the prompt comes up.

This will boot the machine from the cd itself.

Once the setup screen appears let it go through it's process then click the R to Enter the Recovery Console.

Once in the Recovery Console you will have to type in a number that corresponds to your Windows installation. This is normally just 1. Press Enter and then type in the Administrator password.

If no password then leave it blank then hit enter.

It should look like this recoveryconsole-thumb.png

Then type in the following:

disable vbma1a1f then hit Enter.

then type the following:

ren C:\Windows\system32\drivers\vbma1a1f.sys vbma1a1f.vir then hit Enter.

then type the following:

ren C:\Windows\assembly\GAC\__AssemblyInfo__.ini __AssemblyInfo__.old then hit Enter.

When that completes type in exit then the system will restart.

Makes sure you type in exactly like it is on the screen underscore's and spaces matter.

================

Then do the following:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

==========

If none of these things happen correctly let me know and we will do something else.

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted

"C:\Windows\assembly\GAC\__AssemblyInfo__.ini" Was not located

Combofix will not run

it goes through the first little window that says" Combofix" then dissapears. tried in safe mode as well with no luck

waited for several minutes for the second window to appear and checked processes it's not running

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted
something pops up for a moment in Process viewer called NirCmd something .dll but I cannot see exactly what it is as it's too fast. Looks like this NirCmd_xx.dll the x's are what I cannot catch

The file is "NirCmd_cfxx.dll" also N.pif and creg.dll and NirCmdcxxf.dll

Link to post
Share on other sites
kahdah

kahdah

Posted
Posted

All of those are Combofix processes.

See if you can get these to run:

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • Under the Standard Registry box change it to All.
  • Under the Services box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted
OTL Closes immediatly apon clicking the scan button. Gmer hangs with an hourglass so far it has been 25 minutes without any signs of scanning.

gmer scan never copleted as the macine rebooted itself. tried the steps again in safe mode with command prompt and a security warning pops up saying "Specific path not found, you may not have permission to access this file" Re downloaded the files and back in safe mode with Cmd Prmpt and both scanns quit immediately. This machine has no net access now as I have removed it. I can still use a flash drive to transfer files from a working machine.

Link to post
Share on other sites
kahdah

kahdah

Posted
Posted

Please re run Tdsskiller and choose delete on the vbma*sys file again reboot then rerun tdsskiller and see if the same entry is present.

Delete it and reboot once more if it is there again manually look for this file C:\Windows\assembly\GAC\__AssemblyInfo__.ini then delete that file.

Then rerun tdsskiller again delete the service then reboot and it should be gone.

AT that point delete Combofix and redownload and run it.

Post the log when it completes.

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted
C:\Windows\assembly\GAC\__AssemblyInfo__.ini the GAC image is not showing in the assembly folder

I will slave the drive and look again

vbma1a1f.sys is present in tdsskiller at each run no matter if I delete or quarantine

did a search with both show system files unchecked and show hidded

GAC nor __AssemblyInfo__.ini can be found

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted
did a search with both show system files unchecked and show hidded

GAC nor __AssemblyInfo__.ini can be found

as another side note I decided to pull the data and format. however 2 things occur. 1. I cannot access the Documents and settings folder even with the drive slaved and trying to change permissions. 2. Cannot see the drive with the xp home cd in format and install mode. back to square 1

going to try to boot the machine from a live linux cd and see what if anything I can do with that

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted
as another side note I decided to pull the data and format. however 2 things occur. 1. I cannot access the Documents and settings folder even with the drive slaved and trying to change permissions. 2. Cannot see the drive with the xp home cd in format and install mode. back to square 1

going to try to boot the machine from a live linux cd and see what if anything I can do with that

was able to get into the GAC folder from linux live cd and deleted the assembly file from above but no change in behavour as far as not being able to run scans

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted

I was able to resolve this issue using a live linux cd and deleting __AssemblyInfo__.ini as well as all temp files. I found a folder called ghHyGyG in the C: root folder and deleted it as well. After that and a boot up to safe mode with Command Prompt I was able to run Malwarebytes as well as Superantispyware and hijackthis which I used to remove a few entries in the reg that were in reference to the __AssemblyInfo__.ini file and the ghHyGyG folder. Booted into normal setup and am now running another Malwarebytes scan. AVG will be updated next.

Thanks for your Help

Have a Great Thanksgiving

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted
I was able to resolve this issue using a live linux cd and deleting __AssemblyInfo__.ini as well as all temp files. I found a folder called ghHyGyG in the C: root folder and deleted it as well. After that and a boot up to safe mode with Command Prompt I was able to run Malwarebytes as well as Superantispyware and hijackthis which I used to remove a few entries in the reg that were in reference to the __AssemblyInfo__.ini file and the ghHyGyG folder. Booted into normal setup and am now running another Malwarebytes scan. AVG will be updated next.

Thanks for your Help

Have a Great Thanksgiving

will post logs Friday if your around if not whenever you get back

Link to post
Share on other sites
kahdah

kahdah

Posted
Posted

Great that file only regenerates the service.

Once you delete the .ini file you will then be able to remove the service.

The reason for you not being able to get into the userprofile folder when you slaved the drive is because you have a password on the account if not then that would be strange.

Post all of the logs you have please.

Link to post
Share on other sites
MohavePC

MohavePC

Posted
  • Author
Posted

Hello kahdah:

Let me start by saying thank you. I am a tech in a store that I own in Lake Havasu City, Az. I have not run accross such a Nasty infecion before and let me tell you I was ready to wipe it had I been able to read the User files. Not as lucky with a different machine running win7 and getting the av8 infection. that one had no choice but to format. it started infecting all profiles. the win7 wouldn't even recognize the hard drive as formated. I used linux again and pulled all the data and used clamwin to test them. Tux is getting quite the workout these days. I will be making a few copies of that live cd :^)

I won't be posting logs as I was able to clear out the infections. There was no password on the user profile I was trying to gain access to but I found that the infection was AV8 and it had not only modified permissions but mucked up the permissions file to be unreadable. had to be rebuild first after I removed it with Linux. A windows repair install fixed 80% of the issues then all the scans with Malwarebytes, Superanti, Avg and the like cleaned it up pretty good. Had an Issue with IE not running but I installed IE7 then IE8 then removed IE8. did the trick. Not a fan of IE8 on an XP systems. Seems to give a lot of Outlook and Printer issues. and so thats why I took IE8 back off. I ran Hijackthis and the logs apper to be sparking clean. If I need help again I'll try to post it in the right section.

Again Thank you for your time

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.