Possible Rootkit Infection?


This topic is locked

#16 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I definitely need to look in the affected user account, as that is where the problem appears to lie... Let's try a different analysis tool from that account. This is a command version of the programme, so hopefully it will run from the affected account.

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - NetSvcs
    Reg - SafeBoot Minimal
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.



#17 rvold7871 (Topic Starter, Member, 153 posts)
I tried running the program, but I received an error message saying the program failed to execute after the scan completed. That said, no log was produced. I'm going to try and run it again, though.

#18 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's be really sneaky and use a very old analysis programme - the malware may not recognise it :)

From the infected account

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done; let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#19 rvold7871 (Topic Starter, Member, 153 posts)
The old scanner didn't seem to work. I never got the prompt to skip the supplementary searches...? I let it run for over a half hour and it didn't do anything. I did run the OTS in safe mode on the admin account, and I'll attach that log right now.

Attached File: OTS.Txt (315.33 KB, 105 downloads)

Edited by rvold7871, 08 June 2011 - 06:06 PM.


#20 rvold7871 (Topic Starter, Member, 153 posts)
Never mind. I went to Andrew's website and downloaded the .zip file. It's working as we speak :)

#21 rvold7871 (Topic Starter, Member, 153 posts)
When I tried running the script, a dialogue box appeared, saying "Some files extracted from Silent Runners.zip were modified or new files were created. Do you wish to put them in the archive?" When I click Yes, a "WinRAR: Diagnostic messages" window appears, saying "C:\Documents and Settings\Nutrition City\Local Settings\Temp\Silent Runners.zip: Cannot create C:\Documents and Settings\Nutrition City\Local Settings\Temp\Silent Runners.zip; Access is Denied." When I click Close, more of the first messages appear, and if I click No, nothing happens. All of a sudden, I get a dialogue box with the dreaded red X titled "Windows Script Host", and here's what it says:

Script: C:\DOCUME~1\NUTRIT~1\LOCALS~1\Temp\Rar$DI92.000\Silent Runners.vbs
Line: 6128
Char: 6
Error: Not enough storage is available to complete this operation.
Code: 8007000E
Source: SWbemObjectEx

With an OK button on the bottom.

Now I'm also getting the all-too-familiar window titled "firefox.exe - Bad Image", which says, "The application or DLL C:\Program Files\Mozilla Firefox\xul.dll is not a valid Windows image. Please check this against your installation diskette."

THEN, I get a window without a title, with the dreaded red X saying,

Script: C:\DOCUME~1\NUTRIT~1\LOCALS~1\Temp\Rar$DI12.3609\Silent Runners.vbs
Line: 726
Char: 3
Error: The system cannot find the file specified.
Code: 80070002
Source: (null)

With an OK button on the bottom.

Now most of my applications, when I double-click the icons, come up with an error message titled "enter title of window here" with the familiar red X, saying:
Automation error
Insufficient system resources exist to complete the requested service.

With an OK button on the bottom.

Other programs give the error message "C:\Program Files\"enter title here"\"enter title here"\.exe is not a valid Win32 application."
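The OTS custom scan in post #16 hashes explorer.exe, winlogon.exe, Userinit.exe and svchost.exe (the /md5start ... /md5stop block) so the hashes can be compared with known-good copies, and the errors quoted in the post above ("not a valid Windows image", "not a valid Win32 application") are what Windows reports when a file's PE header no longer passes the loader's checks. The Python script below is an added example, not part of this thread and not code from OTS or Silent Runners: it performs both checks over a set of files, validating the DOS/PE header structure the loader requires and recording each file's MD5 for comparison against a baseline. The directory, the baseline hashes and the inline byte strings are constructed for the demonstration; a real baseline would come from a clean installation of the same Windows version and service pack, since these binaries differ between builds.

```python
"""Added example (not from the thread, OTS or Silent Runners): validate PE headers
and record MD5 hashes for a set of Windows binaries, in the spirit of the OTS
/md5start ... /md5stop scan and the "Bad Image" errors discussed in the thread.

All sample bytes, paths and baseline hashes below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Same binaries the OTS custom scan was told to hash; the directory is an assumption.
WATCHED_BINARIES = ["explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"]
SYSTEM_DIR = r"C:\WINDOWS\system32"

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bit the loader requires
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


@dataclass
class PeCheck:
    valid: bool
    reason: str
    md5: str
    machine: Optional[int] = None


def check_pe_image(data: bytes) -> PeCheck:
    """Walk the headers the loader walks before mapping an image:
    DOS header ('MZ', e_lfanew) -> 'PE\\0\\0' signature -> COFF file header."""
    md5 = hashlib.md5(data).hexdigest()
    if len(data) < 64:
        return PeCheck(False, "shorter than a DOS header", md5)
    if data[:2] != b"MZ":
        return PeCheck(False, "missing MZ signature", md5)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):           # 4-byte signature + 20-byte COFF header
        return PeCheck(False, "e_lfanew points past end of file", md5)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return PeCheck(False, "missing PE signature at e_lfanew", md5)
    machine, _nsect, _ts, _symp, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return PeCheck(False, "IMAGE_FILE_EXECUTABLE_IMAGE not set", md5, machine)
    return PeCheck(True, "ok", md5, machine)


def audit(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, str]:
    """Classify each file: corrupt header, MD5 differs from baseline, or OK."""
    report: dict[str, str] = {}
    for name, data in files.items():
        chk = check_pe_image(data)
        if not chk.valid:
            report[name] = f"CORRUPT ({chk.reason})"
        elif name not in baseline:
            report[name] = "NO BASELINE"
        elif chk.md5 != baseline[name].lower():
            report[name] = "MODIFIED (md5 mismatch)"
        else:
            report[name] = "OK"
    for name in baseline:                   # baseline entries with no file on disk
        report.setdefault(name, "MISSING")
    return report


def make_sample_pe(machine: int = 0x014C, characteristics: int = 0x0102) -> bytes:
    """Constructed minimal PE-shaped blob (DOS header + PE signature + COFF header)
    used as stand-in sample data; it is not a runnable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def audit_directory(directory: str = SYSTEM_DIR,
                    baseline: Optional[dict[str, str]] = None) -> dict[str, str]:
    """Read the watched binaries from disk and audit them against a baseline
    (an empty baseline makes every readable file report NO BASELINE or CORRUPT)."""
    files = {}
    for name in WATCHED_BINARIES:
        p = Path(directory) / name
        if p.is_file():
            files[name] = p.read_bytes()
    return audit(files, baseline or {})


if __name__ == "__main__":
    # Demo on constructed data: a sane image, one with a smashed PE signature
    # (what a "Bad Image" xul.dll might look like), and a truncated file.
    good = make_sample_pe()
    smashed = good.replace(b"PE\0\0", b"XX\0\0")
    sample = {"explorer.exe": good, "winlogon.exe": smashed, "userinit.exe": good[:70]}
    base = {"explorer.exe": check_pe_image(good).md5, "svchost.exe": "0" * 32}
    for name, status in sorted(audit(sample, base).items()):
        print(f"{name:14s} {status}")
```

Run it as-is to see the constructed demo; on a real machine call audit_directory() with a baseline dictionary of MD5s taken from a clean copy of the same Windows build. A header that parses and a hash that matches only tells you the file on disk is intact; a rootkit that hooks file reads can still hand a scanner the clean bytes, which is why the thread also runs the scanners from Safe Mode and from a different account.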

#22 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Apart from the affected account, how is the rest of the computer running? This looks more like a corrupted user account now, and the only cure for that would be deletion.

#23 rvold7871 (Topic Starter, Member, 153 posts)
The rest of the computer seems to work fine, so it's probably a corrupted user account? What should I do from there? Is there an easy way to backup everything to a new account?

#24 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
It just so happens that MS has a solution for this; full details here.

Once you are happy, let me know and I will remove my tools and tidy you up.

#25 rvold7871 (Topic Starter, Member, 153 posts)
Will do. Thank you so much for helping me out! I'll have the report by Wednesday I'm thinking.

#26 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let me know how it goes.

#27 rvold7871 (Topic Starter, Member, 153 posts)
I can't find an "advanced" tab in the "create user account menu"...?

#28 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Are you logged in as administrator? As that is the only one with the necessary permissions.

#29 rvold7871 (Topic Starter, Member, 153 posts)
Yes. I've tried every account - they're all administrators but I can't access any "advanced" options in the User Account window.

It should also be noted that I uninstalled uTorrent and the attacks have stopped :), but the computer is still extremely slow and unresponsive at times.

#30 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Could you delete your current copy of ComboFix by right-clicking it.

Then download and run a fresh copy, please.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe and follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.