Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Challenging Rootkit


  • Please log in to reply

#211
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Did you ever go to the Dell site and put in your service tag?


Fact is, the service tag just tells them who you are, so when they realize it's out of warranty they can call you by your first name over and over as they try to get your credit card number. :-)

"Yes, Ron, thank you Ron , for being so patient and holding, Ron. Now I must explain to you Ron, that you need a service contract for this service, and I can take a major credit card, Ron. Will that be Visa or Mastercard, Ron?"

After holding for half an hour and realizing you're getting squeezed for moola, just turn the tables. "Hold on, Raj, while I get it." Then go out to the kitchen and make a sandwich. Pour a cold beer. Then come back and tell them the cat's eaten your credit card, and could we barter instead?
  • 0

Advertisements


#212
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
You don't talk to them on the phone. You just go to their website and when you put in the tag they show you what drivers will work on your PC.
  • 0

#213
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
If you haven't already run Combofix you might try downloading it again. The latest versions has some changes added just for the zeroaccess rootkit. Remove the old version first:

To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

(Or you can rename the new combofix.exe to george.exe before you put it on the desktop.)

Bedtime for me.
  • 0

#214
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
I am posting this from the formerly infected laptop. Yay! It still has some issues, like for example the S-Video output doesn't work after all that. Now sure why, but I'll get it. (Prolly something on that utilities disk I'm guessing.( I could always pay tech support in India to help me for a few hundred dollars. :-)



Thank you so much for all your help. You're the best.
  • 0

#215
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You probably do not have the latest Java (Java™ 6 Update 26 or maybe 7 Update 0 by now). Get the latest at:

http://www.java.com/en/

Save it to your PC then close all browsers and install it.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0

#216
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
's BAAAAAACK.

I kid you not. I've got something nasty in there, and it has a lot of the properties of ZeroAccess. Worst of all, I think our pal Mr. Hidden E:/ Drive is back.

The details:

I finally got everything back to normal. I was just sitting there, reading something online, when I started to get fake anti-virus popups out of nowhere.

So I opened up Task Manager to shut the thing down, and Task Manager shut down. It can start up for a second or two- then it shuts down. I poked around in the usual places, and I found the exe file for the malware. Deleted it. Then I tried to run Malwarebytes , the Spypbot. Both found some nasties and said they would fix it. Re-boot, no change.

At this point I did know to disconnect from the Internet.

Ran Malwarebytes and Spybot, same nasties.

--------

Finally ran a system restore, and here is where it gets "hairy" as you put it.

Went to restore it to yesterday. And I got this popup....


"Changes made to Drive E:\ after this point cannot be reversed because the drive was either excluded from system restore monitoring or was turned off or removed".


Yikes! How would it know to say that- unless it's now been put back? How do I see if that hidden drive is back?

Well the system restore did take, and at first Task Manager did work. But then it stopped, and now it won't stay on.


Problems right now:

1.) Can't run Task Manager. Shuts right off.

2.) As before, some programs won't run- I get the "you may not have permission" popup. (That also makes me think Drive E is back.)


Combofix won't run. Or it runs and then just at the end it quits. I do have a version that runs in a DOS Window. When I try to run it, I get the "you don't have permission" thing. But then it did run, in a "reduced capacity" mode.

At the end it gave me this log, which I tried to post but it was too long.

What should I do?
  • 0

#217
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Note: It seems task manager is back, and maybe Combofix shut it off that time?
  • 0

#218
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
I'm tellin' ya....

I really think it's back, although not in a horrible form. I have a program called "rkill", that I think looks for rootkits. (One of the progs left over from the other day.) It's one of those deals that runs in DOS mode.

I ran it, and it shut down pretty quickly and displayed a log file, which said something to the effect of,

"Processes shut down by rkill or while rkill was running:

rkill"


Does that mean it shut itself off and called it a day when it tried to run? Isn't that one of the hallmarks of ZeroAccess- the "tripwire" that tells anti-virus to shut itself off?


Am I being paranoid and I just got a run of the mill fake anti-virus deal and got rid of it when I rolled back the PC to yesterday and system restore? Or is there a virus on the Grassy Knoll? (24 bottle of beer in a case. 24 hours in a day. Coincidence?)
  • 0

#219
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
I was afraid this would happen. I didn't really think we were done.

You know how to remove the E:\ drive. Recovery Console. map, diskpart
just like before.

Can you attach the combofix log? Can you run an OTL log?

Ron
  • 0

#220
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
I'll try to attach logs. Coming right up. (Could be worse- there could be a hurricane bearing down on us...)
  • 0

Advertisements


#221
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
I didn't really think we were done.

I did. Because you are The Man.
  • 0

#222
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
Here they are.

Attached Files

  • Attached File  log.txt   12.95KB   34 downloads
  • Attached File  OTL.Txt   133.78KB   26 downloads

  • 0

#223
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
I'm less nervous.

see if you can get into the Recovery Console. Start, Settings, Control Panel, System, Advanced,
Startup and Recovery -Settings,
and change the Time to Display the List of Operating Systems from two to 10 seconds. OK


Now Reboot.
When it gives you a choice between your regular XP and the Recovery Console,
hit the down arrow to select the Recovery Console then Enter.



This is the point where last time it asked me which Windows version i wanted "C", or "E".

Just now, it only offered "C". There is no "E".

You should get a black screen with a C:\> prompt. Type with an Enter after each line:

map

(This one is supposed to show you all the partitions on your drive.
ZeroAccess is supposed to make a hidden partition.
Do you see anything besides your C: and F: drives and maybe your CD/DVD?)

exit



Same thing. Everything looks OK.
  • 0

#224
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\TEMP\1DB.tmp
c:\windows\Tasks\RegCure Program Check.job
c:\documents and settings\steve\Start Menu\Programs\Startup\_uninst_90142563.lnk
c:\windows\pss\_uninst_90142563.lnkStartup
c:\documents and settings\steve\Desktop\sdsetup_revwire207.exe
C:\WINDOWS\2363981562

Firefox::
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51677

Driver::
380014DB-5CCC-4339-A514AAAB6A3B43B8

Folder::
c:\program files\Common Files\Symantec Shared
c:\program files\SUPERAntiSpyware


RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{380014DB-5CCC-4339-A514AAAB6A3B43B8}]

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{380014DB-5CCC-4339-A514AAAB6A3B43B8}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

change the a-v scan to None.

Click the "Scan" button to start scan

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply


Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.


Ron
  • 0

#225
rootkits-r-evil

rootkits-r-evil

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 168 posts
"On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply"

Enabled. (Is that good? Somehow I don't thinks so.)

Attached Files


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP