Antivirus 2009 [Solved]

#31 Cdn_Red (Topic Starter, Member, 37 posts)

Hi,

I ran ComboFix in safe mode without networking. It still detects rootkit activity in the same files. There is also no log file created.

Thanks again

#32 chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)

Ok,

Not done yet. Sorry for the late response, got stuck in work and couldn't get online.

OK then, two programmes to download.

FIRST

ISOBurner: this will allow you to burn the Dr Web ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

SECOND

Dr Web Live CD: download this and, using ISOBurner, burn it to CD. Usage instructions are here

Having made the bootable CD, set your system to boot from CD - do you know how to do this?

Once Dr Web starts select Dr.Web LiveCD (Default)

When the system is loaded, check disks or folders you want to scan and press Start

Notes :

The Midnight Commander file manager is used to work with files you need to copy to a safe location, i.e. if you need to back them up to a USB storage device.

If the operating system failed to configure access to your network, you can do it manually using Networks Configure Manager. Start->Settings->Networks Configure manager. This will enable you to get online if needed

#33 Cdn_Red (Topic Starter, Member, 37 posts)

Hi,

I ran the scan and it deleted all the files it found. Should the computer now restart normally or should I boot it from the CD again?

Thanks

#34 chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)

Hi Cdn_Red,

Can you try to boot into normal mode now?

If you can, then let's try and run ComboFix again.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get into normal mode, then let's see if we can get ComboFix running in safe mode at least.

:)

#35 Cdn_Red (Topic Starter, Member, 37 posts)

Hi,

I am still unable to boot into normal mode. I ran ComboFix again in safe mode and it still finds the same rootkit activity. I also still don't have a log file.

#36 chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)

Hi Cdn_Red,

This is a tricky little blighter. Can you describe exactly what happens after ComboFix tells you that it has discovered rootkits? Does it just reboot?

Due to the fact this appears so tricky, we're going to try another method of renaming ComboFix. Let's try this, and if that fails, I'm working on something for you at the minute.

First, delete the copy that you have.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix.exe to winlogon.exe

    Posted Image

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on winlogon.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#37 Cdn_Red (Topic Starter, Member, 37 posts)

Hi,

When ComboFix detects rootkits it gives me a warning popup. When you click "OK", it finishes its process then automatically reboots the computer.

Today, I had stepped away briefly. It rebooted into normal mode (!) but then all the programs started crashing and I kept getting a protocol host error. Screenshot:
protocolerror.jpg

I was going to try to disable my antivirus so I could run ComboFix again but the Programs dialogue wouldn't open. Then Windows crashed. When the computer restarted, it couldn't start and automatically ran the system recovery tool. It found some problems that may mean something. I couldn't get a screenshot so I took a picture instead. I had to take two images - the second is merely a continuation of the first.
problem1.jpg
problem2.jpg

The computer is back to booting only in safe mode and renaming ComboFix as you instructed didn't change anything - no log file.

#38 chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)

Hi Cdn_Red,

Here are a few ideas to try out, hopefully one will work out.

1) Idea 1

Download the following file and save to your desktop.

Process Explorer

Rename the file to winlogon.exe and then run it.

post_177837_1248615879_thumb.jpg


Locate the following file: a randomly named file with 8 numeric characters; it may have a shield icon and will probably be running under explorer.

Right click and select kill process

post_177837_1248616013_thumb.png

Then re-run Combofix

2) Idea 2

Navigate to the folder - C:\Documents and Settings\All users\Application Data
Look for a recently created folder whose name comprises 8 numeric characters - e.g. 32365894
Drag (not delete) the folder to desktop
Then reboot.

3) Idea 3

Download THIS FILE to the desktop and run.

After this please try to run ComboFix again.

Let me know what you are able to do, we will kill this thing! :)

Edited by chamber, 27 July 2009 - 05:01 PM.


#39 Cdn_Red (Topic Starter, Member, 37 posts)

Hi,

I tried all three of these ideas and unfortunately none of them worked. When I ran Process Explorer, I had no random files with numeric characters. Ditto in C:\Documents and Settings. In fact, explorer couldn't even find that folder.

The third program didn't seem to do anything. It flashed a command prompt-style window then disappeared. I reran ComboFix and it acted the same way, found rootkit activity and did not produce a log file.

Thanks
  • 0

#40
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi Cdn_Red,

We're not done yet!

Delete the copy of ComboFix that you have and re-download it, but do not run it yet.

1) CFScript

We are going to get ComboFix running in a different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Rootkit::
    C:\Windows\System32\drivers\UACivjwnmitrcwprrsny.sys
    C:\Windows\System32\UACtbcrhoeoujhenprtn.dll
    C:\Windows\System32\UACgbrxtpotauhqvobag.dll
    C:\Windows\System32\UACpifxmvkbiibbniltl.dat
    C:\Windows\System32\UACykfepsqolpfyfxuqg.dll
    C:\Windows\System32\UACvruvixowiqdemaigk.dll

    Folder::

    Registry::

    Driver::
    UACivjwnmitrcwprrsny

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2) RootRepeal

RootRepeal has been updated now and should be able to run.

Download RootRepeal from one of the following locations: Unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

In your reply I would like to see copied and pasted,

1) ComboFix log
2) RootRepeal log

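As an added illustration for posts #38 and #40 (editor's example, not a tool from the thread, from ComboFix or from Geeks to Go), the Python below triages a directory listing for the two naming patterns chamber points at: System32 components named "UAC" followed by a run of random lowercase letters (17 letters in the CFScript samples above) with a .sys, .dll or .dat extension, and an eight-digit folder under All Users\Application Data. The listing is constructed for the example; the UAC* paths are the ones quoted in the CFScript, while the benign neighbours and the function names classify, find_suspicious and build_cfscript are assumptions of this example. build_cfscript only reproduces the section layout shown in the post and leaves Folder:: empty, since the thread's advice for the folder was to move it to the desktop rather than delete it.

```python
"""Triage helper for the naming patterns described in the thread.

Editor's example (hypothetical); not ComboFix, RootRepeal or forum code.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# System32 components named in the CFScript: prefix "UAC", a long run of
# random letters (17 in the thread's samples; 12+ is accepted here so a
# slightly different length is still caught) and a .sys/.dll/.dat extension.
UAC_COMPONENT = re.compile(r"UAC[a-z]{12,}\.(?:sys|dll|dat)", re.IGNORECASE)

# Folder described in "Idea 2" of post #38: a name of exactly 8 digits under
# All Users\Application Data.
EIGHT_DIGIT_FOLDER = re.compile(r"\d{8}")

# Constructed directory listing standing in for an enumeration of the
# infected machine. The UAC* paths are quoted from post #40; everything
# else is a made-up benign neighbour used to show what is NOT flagged.
SAMPLE_LISTING = [
    r"C:\Windows\System32\drivers\UACivjwnmitrcwprrsny.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\UACtbcrhoeoujhenprtn.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\UACpifxmvkbiibbniltl.dat",
    r"C:\Windows\System32\uactest.dll",  # prefix matches, suffix too short
    r"C:\Documents and Settings\All Users\Application Data\32365894",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft",
    r"C:\Documents and Settings\All Users\Application Data\1234",
]


def classify(path: str) -> Optional[str]:
    """Return a finding label for one path, or None if it looks benign.

    The location check matters: the patterns are only meaningful in the
    directories the thread names, so a UAC* file elsewhere is not flagged.
    """
    p = PureWindowsPath(path)
    parent_parts = [part.lower() for part in p.parent.parts]
    if UAC_COMPONENT.fullmatch(p.name) and "system32" in parent_parts:
        return "rootkit-component"
    if EIGHT_DIGIT_FOLDER.fullmatch(p.name) and "application data" in parent_parts:
        return "eight-digit-folder"
    return None


def find_suspicious(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (label, path) pairs for every path matching a known pattern."""
    return [(label, p) for p in paths if (label := classify(p))]


def build_cfscript(findings: List[Tuple[str, str]]) -> str:
    """Render file findings in the section layout used in post #40.

    Flagged files go under Rootkit::; the service name of each .sys file
    (its file stem) goes under Driver::. Folder:: stays empty on purpose:
    the thread moved the eight-digit folder rather than deleting it.
    """
    files = [p for label, p in findings if label == "rootkit-component"]
    drivers = [PureWindowsPath(p).stem for p in files if p.lower().endswith(".sys")]
    lines = ["KillAll::", "", "Rootkit::", *files, "", "Folder::", "",
             "Registry::", "", "Driver::", *drivers, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LISTING)
    for label, path in hits:
        print(f"{label:20} {path}")
    print()
    print(build_cfscript(hits))
```

Running the block lists the three UAC* files and the 32365894 folder and then prints a CFScript body whose Rootkit:: section holds the files and whose Driver:: section holds UACivjwnmitrcwprrsny, the same structure as the script chamber posted.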

#41 Cdn_Red (Topic Starter, Member, 37 posts)

Hi,

We had a little progress (?) today. The machine kept trying to boot into regular mode, then getting the blue screen with the error message that windows couldn't start and then would keep rebooting itself. The upside is that I reran ComboFix despite not being able to disable my antivirus in safe mode and lo and behold I had a log file! Problem is... every time I try to open the file, Notepad tells me the process cannot open the file because it is in use by another process, though I have completely rebooted and I have no other programs running. I also don't see any processes in task manager that would be running it. I have also deleted ComboFix and rebooted. I still cannot access the log file (but at least it's there!)

I tried downloading RootRepeal from a couple of the locations. Each time, it gave me an "unable to locate boot sector" error then loaded. When I clicked "Scan", I simply got a listing of files/paths within the program - no dialogue box.

#42 chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)

Hi Cdn_Red,

Making some sort of progress. Have you tried using Process Explorer from HERE to see if anything is using Notepad? It would give you a better idea than Task Manager.

If you could get a screenshot of the active processes and post it back here for me that would be great as well.

:)

#43 Cdn_Red (Topic Starter, Member, 37 posts)

I hadn't thought of using Process Explorer. I just did but I see nothing using Notepad. Here is the screenshot of the active processes (I am still unable to open the log file).
processexplorer1.jpg

#44 chamber (Face Burnin' Malware Fighter, Visiting Consultant, 2,712 posts)

Hi Cdn_Red,

Have you tried right clicking on the file and trying to open it with wordpad?

#45 Cdn_Red (Topic Starter, Member, 37 posts)

Wordpad won't open it either. It appears that it's the file that's in use by another process, not the program. I cannot tell for the life of me which one, though.