Rootkit - Vista - Credit Card hit :( [Solved]

#16
urbansound

    Member

  • Topic Starter
  • 12 posts
Just a bump to indicate the request for Dr. Web is noted.

Had to pick up a new thumb drive and been distracted here with holiday demands and catching up.

Should have results of Dr. Web later today.

Urban
  • 0


#17
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Thank you for the update :) Whenever you get the time.
  • 0

#18
urbansound

    Member

  • Topic Starter
  • 12 posts
Thanks,

Looks like it will be the weekend some time.

The holiday past overturned a VPS provider I'm using that has no stateful LVM snapshots and lost two servers on me. :( I'm being yanked from crisis to crisis at the moment. Thanks for your patience.

Mike
  • 0

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Whenever you are ready :)
  • 0

#20
urbansound

    Member

  • Topic Starter
  • 12 posts
Hi,

I followed the indicated links for Dr. Web Cure it, which appear to have changed and are updated now to Dr. Web Live CD, with the USB boot option.

However the options it makes available did not match the menu options prescribed in your reference.

I was able to run a full external Dr. Web scan from a new USB stick, which did show a couple of less intrusive references. Unfortunately I never succeeded in finding an option that would permit me to save the scan results to send. I did a manual remove on those things found successfully, after which a second scan confirmed the issues were removed.

I think the system seems to be running properly now at this point. In the end, the many efforts did locate and remedy what appeared to be a fairly tenacious hidden keylogger / server MsEssentials, SAS and MBAM could not see. I can only assume this was the likely cause of the Credit Card breach we dealt with. Our CC provider did refund the exposures, so no significant loss was sustained. While there's never an assurance of perfection in having removed a rootkit without a harsh drive scrub, there has been no indication it was hooked at the MBR or anything with enough depth to suggest the clean up didn't succeed. The kernel code modifications indicated by KernelDetective seem to be consistent on my other copies of Vista and a few other references I found on the web, so I assume this to be an MS implementation for low level operation, perhaps even the MS malicious intervention process or SP2 hook for virtualization.

Unless you would suggest any final checks or maintenance / security steps, I'm fairly ready to clean up the workspace. I have a commercial license for Kaspersky 2013 Internet suite I'm going to install in place of MS Essentials, hoping the KAS web link and email monitoring will provide better protection from casual browsing / phishing exposures on top of doing nearly all browsing in virtual mode at this point to reduce some of the potential for deeper infection, albeit I have seen KAS become compromised in the past as well; at least it alerts the user verbosely if it loses integrity.

I am still concerned, if not simply curious, why such a standard and vital staple as SFC (System File Checker) would not properly manage desktop.ini files from its own OS. While many suggest the behavior is benign, it strikes me odd there is very little supporting information on this from MS or anyone else accurately identifying why SFC fails to handle desktop.ini. This too may reflect back to OS hardening attempts by MS leaving SFC in the dark on this aspect of desktop.ini, since these files appear to have an integral presence between the desktop, GUI and kernel integration MS continues to fight with among their exposed kernel/user design.

Last, I would like to say "Thank you" for the patience and assistance from those having helped here. I tend to be relatively comfortable dealing with most malware having numerous 24 hour activities online for some years. However, the benefits of those who focus on assisting others with managing malware from a more intensive effort serve an irreplaceable role of competency, dedication and assurance we all benefit from when the lines of reliability become smeared among more serious threats and zero-day exposures.

Thank you sincerely to those dedicated to helping the less knowledgeable. :blush:

If there is no further reply, please feel free to close the thread [RESOLVED SUCCESSFULLY]

Regards,

Urban
  • 0

#21
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I will need to run Dr Web again and update my instructions... They do change quite a lot.

As to the desktop.ini, it is my understanding that resetting to default does affect the folder behaviour and appearance to such a degree that MS has decided not to repair that element. Is it a security loophole? Possibly.

Kaspersky is a good choice for a paid AV and is generally more hardened than the others.

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

  • Go Start > All Programmes > Accessories > System tools
  • Right click Disc Cleanup and select run as administrator
  • When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
  • Select the More Options tab
  • Press the System Restore and Shadow Copies Cleanup button

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then, as an added layer of protection, install Trusteer Rapport.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?

Keep safe :wave:
  • 0

#22
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0