Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Rootkit - tough to remove


  • Please log in to reply

#31
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi
I live close to Pisa, today I was commuting from my home to my fiance infected pc :-)
I send you some P.M. (don't want to off topic ) and some pics of the area where I live,
ciao
Ferrux
  • 0

Advertisements


#32
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron,
within saturday I will send the other files, meanwhile from google images I retrieved
a very similar screenshot I see everytime I boot the pc, the original screen is localized in italian language, unfortunately I cannot reach the that pc now, I say similar because I am not sure if it says tidserv or tidserv.b, I recall tidserv in my mind. I will confirm anyway in the next days.

When I see this message I open the rightside combo list box
there is another entry saying 'request attention' or something similar
I choose that entry then click OK and it says that threats are defeated,clicking
'Apply all' does the same thing of OK button.

Hope this helps.

Bye for now.

Regards,
Ferrux

Attached Thumbnails

  • virusscreen.jpg
  • norton1.png

Edited by ferrux, 29 December 2011 - 02:13 PM.

  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP
What does it say if you click on the Detailed Results tab? That might have some more information.
  • 0

#34
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I will tell you asap (saturday) abot details, menawhile here is the gmer log, running Gmer
I forgot to untick some flags on the right pane of gmer window, so all checkboxes in the left column were ticked,
it took 30 mins to compile alla the infos, scrolling thru the tabs I saw a lot of freshly generated info, but saving the log it seems to be concise... strange, hope it is sufficient:

---

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 22:44:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3200826AS rev.3.03
Running: gmer.exe; Driver: C:\DOCUME~1\HP_PRO~1\IMPOST~1\Temp\kfliaaod.sys


---- System - GMER 1.0.15 ----

SSDT 86B13610 ZwAlertResumeThread
SSDT 86B14DF0 ZwAlertThread
SSDT 86B16380 ZwAllocateVirtualMemory
SSDT 86BB45D8 ZwAssignProcessToJobObject
SSDT 86BD9218 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3DDB710]
SSDT 86681748 ZwCreateMutant
SSDT 86A10D30 ZwCreateSymbolicLinkObject
SSDT 86B1D2F8 ZwCreateThread
SSDT 86C8F278 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF3DDB990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3DDBEF0]
SSDT 86B2CD68 ZwDuplicateObject
SSDT 86B435E0 ZwFreeVirtualMemory
SSDT 86B115D0 ZwImpersonateAnonymousToken
SSDT 86B13478 ZwImpersonateThread
SSDT 86E94158 ZwLoadDriver
SSDT 86B1CD08 ZwMapViewOfSection
SSDT 86B10FD0 ZwOpenEvent
SSDT 869FB248 ZwOpenProcess
SSDT 86B365F8 ZwOpenProcessToken
SSDT 86CBD498 ZwOpenSection
SSDT 86B277D0 ZwOpenThread
SSDT 86BDD990 ZwProtectVirtualMemory
SSDT 8667C140 ZwResumeThread
SSDT 8667B4A8 ZwSetContextThread
SSDT 86B02780 ZwSetInformationProcess
SSDT 86CBD460 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF3DDC140]
SSDT 86B0ECD0 ZwSuspendProcess
SSDT 8667BC40 ZwSuspendThread
SSDT 86B43590 ZwTerminateProcess
SSDT 86A13468 ZwTerminateThread
SSDT 86B2F110 ZwUnmapViewOfSection
SSDT 86B5B148 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS Impossibile trovare il file specificato. !
? SYMEFA.SYS Impossibile trovare il file specificato. !

---- User code sections - GMER 1.0.15 ----

.text C:\Programmi\Mozilla Firefox\firefox.exe[2336] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 0121B750 C:\Programmi\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programmi\Mozilla Firefox\plugin-container.exe[2540] USER32.dll!GetWindowInfo 7E3AC49C 5 Bytes JMP 1046C909 C:\Programmi\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programmi\Mozilla Firefox\plugin-container.exe[2540] USER32.dll!TrackPopupMenu 7E3E531E 5 Bytes JMP 1046CEBD C:\Programmi\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by ferrux, 29 December 2011 - 04:18 PM.

  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP
GMER didn't find anything.
  • 0

#36
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron
I checked the detail information tab in the Norton screenshot but it was empty, no info available :-(

In the next days I will try again to fixboot and fixmbr from a recovery from a winxp cd,
could not generate the pc'own set, I found another genuive Winxp professional cd, do you think there will problems
recreating the boot record and fixing mbr with this pro version instead of home version.

Other infos, could not be relate or could give a hint:
the pc owner said that yesterday while watching some videos streamed from an airplane site ( don't remember the name
but it is a famous site similar to airliners.net, the norton messagge was popping out more many times and not only once at boot time.

This pc 3,4 weeks ago recovered from a 'system fix' nightmare but it recovered with tha malwarebytes tutorial.

Thank you for your comments.

Bye
Ferrux
  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP
It should work OK with any Windows XP disk.

I'm wondering about this stuff:
FF - prefs.js..network.proxy.backup.ftp: "192.104.67.250"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "192.104.67.250"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "192.104.67.250"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "192.104.67.250"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "12.180.54.219"
FF - prefs.js..network.proxy.ftp_port: 1080
FF - prefs.js..network.proxy.gopher: "12.180.54.219"
FF - prefs.js..network.proxy.gopher_port: 1080
FF - prefs.js..network.proxy.http: "12.180.54.219"
FF - prefs.js..network.proxy.http_port: 1080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "12.180.54.219"
FF - prefs.js..network.proxy.socks_port: 1080
FF - prefs.js..network.proxy.ssl: "12.180.54.219"
FF - prefs.js..network.proxy.ssl_port: 1080

Do you know what all of this proxy stuff is? It doesn't look like the typical malware proxy but I don't see it in IE.

We could try uninstalling Norton and installing Avast temporarily. Then run the boot-time scan and see if it finds anything.

Download and Save the free Avast installer.
http://www.avast.com...ivirus-download
Download and save the norton removal tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Uninstall Symantec (save the product license key in case you decide to reinstall it:http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US)

Run the Norton Removal tool.

Reboot

Install Avast.

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take 6 hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. Did it find anything?


I've got a new tool we can try. It's still in beta but it looks at the mbr. http://eric71.geekst...ols/MbrScan.exe
Some antiviruses detect it as a virus. See if you can run it then:
Double click the tool, then click "DumpMBR", select a disk from the list and click "Dump Selected"

in cases where the MBR is hidden or falsified, you can dump the two (the original is marked "Old" in the list)

It will also make a report. Please copy and paste.



I'm going on a 10 day trip today. Not sure when I will have Internet access so expect delays.
  • 0

#38
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP
Also have a new French tool:
http://tigzy.geeksto...RogueKiller.exe

Download RogueKiller on the desktop (use the link above)
Close all the running processes
Under Vista/Seven, right click -> Run as Administrator
Otherwise just double-click on RogueKiller.exe
When prompted, type 1 (SCAN) and then Enter
A report should open, give its content to your helper. (RKreport could also be found next to the executable)
If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename in winlogon.exe (or winlogon.com) and try again

RogueKiller can now send automatically the reports to the developer, in order to better improve the tool. By using RogueKiller, you accept these reports to be sent.
  • 0

#39
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron,
thank you for your email, meanwhile I booted from a windows XP PRO CD and fixboot-ed and fixmbr-ed
but the virus is still there.

I will make your tests and let you know in the next days, meanwhile enjoy your holiday.

Regards,
Ferrux

p.s.
I don't know about
---
FF - prefs.js..network.proxy.backup.ftp: "192.104.67.250"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "192.104.67.250"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "192.104.67.250"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "192.104.67.250"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "12.180.54.219"
FF - prefs.js..network.proxy.ftp_port: 1080
FF - prefs.js..network.proxy.gopher: "12.180.54.219"
FF - prefs.js..network.proxy.gopher_port: 1080
FF - prefs.js..network.proxy.http: "12.180.54.219"
FF - prefs.js..network.proxy.http_port: 1080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "12.180.54.219"
FF - prefs.js..network.proxy.socks_port: 1080
FF - prefs.js..network.proxy.ssl: "12.180.54.219"
FF - prefs.js..network.proxy.ssl_port: 1080

Edited by ferrux, 06 January 2012 - 05:04 AM.

  • 0

#40
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP
In FireFox, (Tools or the Firefox button), Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

There is a new version of aswMBR out so please delete your current version and download a new version. Run it, don't uncheck anything and let it download the avast stuff. Copy and paste the log.
  • 0

Advertisements


#41
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hi Ron
thanks for your email and effort, it was very important and formative to me,
yesterday I run a full scan from bitdefender live cd with the latest signature and found no threat,
I just wondered how could be that possible since Norton keeped on alerting me.

I read some Norton forums and discovered an old but still present bug in the software, that is the unresolved threat history,
in some cases like this may cause false positives, I have no words, I am so sorry I paid for such a crap software,
however I did clean the history and now magically I get no more annoying alert on booting phase.

Hope this may of some help to other people not to waste their and your time :-)

Please consider this incident closed, it was a pleasure, hope to talk to you in future for 'lighter' issues :-)))

Best regard.
Ferrux
  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,001 posts
  • MVP
OK. Thanks for the heads up.

When the subscription expires, try the free Avast:

http://www.avast.com...ivirus-download



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0

#43
ferrux

ferrux

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Thank you very much for your precious information :-)

I will follow all :-)

Best regards.
Ferrux
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP