
Challenging Rootkit
Started by
rootkits-r-evil
, Aug 20 2011 04:03 PM
#226
Posted 27 August 2011 - 12:30 AM

#227
Posted 27 August 2011 - 12:32 AM

And somehow I missed the post you put at the end. The stuff about fixed exploits and such. So maybe it was that, and it was just a new pest I picked up somehow. But it seems to me there was a little bit badness left over, and it jumped it when it saw the chance.
But what I'm really looking forward to, is when you tell me what happened? :-)
But what I'm really looking forward to, is when you tell me what happened? :-)
#228
Posted 27 August 2011 - 01:13 AM

This appears to be a new one. TDL4. You can try the Fix button in aswMBR if you like. (Not the FixMBR button). It should be able to fix it.
Usually we run TDSSKiller and it takes care of it. Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
Your problem is that you are still running XP SP2. You really need to upgrade to SP3. Is this an Intel or AMD processor? (I'm sure you must have told me the make and model of the thing but I'm not going to look back through the 100+ posts to find it.) If it's an Intel CPU then you can go ahead and do it. With an AMD you need to download and install a patch before you install SP3.
Ron
Usually we run TDSSKiller and it takes care of it. Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
Your problem is that you are still running XP SP2. You really need to upgrade to SP3. Is this an Intel or AMD processor? (I'm sure you must have told me the make and model of the thing but I'm not going to look back through the 100+ posts to find it.) If it's an Intel CPU then you can go ahead and do it. With an AMD you need to download and install a patch before you install SP3.
Ron
#229
Posted 27 August 2011 - 01:17 AM

This appears to be a new one. TDL4.
I am a rootkit magnet. No doubt about it.
You can try the Fix button in aswMBR if you like. (Not the FixMBR button). It should be able to fix it.
Usually we run TDSSKiller and it takes care of it. Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
Will do. Coming right up.
Your problem is that you are still running XP SP2. You really need to upgrade to SP3.
Now you're talking. That, and fix those Adobe and Java exploits situations.
Is this an Intel or AMD processor? (I'm sure you must have told me the make and model of the thing but I'm not going to look back through the 100+ posts to find it.) If it's an Intel CPU then you can go ahead and do it. With an AMD you need to download and install a patch before you install SP3.
Not sure. Intell I would guess. It's a Dell Vostro laptop.
I am a rootkit magnet. No doubt about it.
You can try the Fix button in aswMBR if you like. (Not the FixMBR button). It should be able to fix it.
Usually we run TDSSKiller and it takes care of it. Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
Will do. Coming right up.
Your problem is that you are still running XP SP2. You really need to upgrade to SP3.
Now you're talking. That, and fix those Adobe and Java exploits situations.
Is this an Intel or AMD processor? (I'm sure you must have told me the make and model of the thing but I'm not going to look back through the 100+ posts to find it.) If it's an Intel CPU then you can go ahead and do it. With an AMD you need to download and install a patch before you install SP3.
Not sure. Intell I would guess. It's a Dell Vostro laptop.
#230
Posted 27 August 2011 - 01:29 AM

This appears to be a new one. TDL4.
Yup. Sure enough. (See log file.)
Fffft. TDL4 is child's play compared to NoAccess. :-)
Yup. Sure enough. (See log file.)
Fffft. TDL4 is child's play compared to NoAccess. :-)
Attached Files
#231
Posted 27 August 2011 - 01:31 AM

#232
Posted 27 August 2011 - 01:38 AM

I always run TDSSKiller again after the reboot to make sure it worked.
If you run aswMBR again (change a-v scan to None so it goes faster) then the Fix button should no longer be lit.
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:
"%userprofile%\Desktop\combofix.exe" /Uninstall
Start, Run, cmd, OK then right click, Paste, then hit Enter.
OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.
To hide hidden files again:
XP
# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.
You probably do not have the latest Java (Java™ 6 Update 26 or maybe even 7 Update 0 by now). Get the latest at:
http://www.java.com/en/
Save it to your PC then close all browsers and install it.
Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
If you use Firefox go into tools, Add-ons and make sure that older consoles are not enabled. CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA or possibly CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA is OK but any others should be disabled or uninstalled. Java seems to have a real problem removing the old consoles from Firefox. Having multiple Java consoles will make Firefox very sluggish and slow to start.
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/
If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
Make sure you open IE then Tools, Windows Update or Security then Windows Update. Get all of the critical updates before you go surfing again.
Ron
If you run aswMBR again (change a-v scan to None so it goes faster) then the Fix button should no longer be lit.
We need to clean up System Restore. Follow Jim's procedure here:
http://aumha.net/vie...581099691bf108f
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:
"%userprofile%\Desktop\combofix.exe" /Uninstall
Start, Run, cmd, OK then right click, Paste, then hit Enter.
OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.
To hide hidden files again:
XP
# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.
You probably do not have the latest Java (Java™ 6 Update 26 or maybe even 7 Update 0 by now). Get the latest at:
http://www.java.com/en/
Save it to your PC then close all browsers and install it.
Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
If you use Firefox go into tools, Add-ons and make sure that older consoles are not enabled. CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA or possibly CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA is OK but any others should be disabled or uninstalled. Java seems to have a real problem removing the old consoles from Firefox. Having multiple Java consoles will make Firefox very sluggish and slow to start.
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
To help keep your programs up-to-date you can download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/
If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
Make sure you open IE then Tools, Windows Update or Security then Windows Update. Get all of the critical updates before you go surfing again.
Ron
#233
Posted 27 August 2011 - 01:39 AM

Got it. Thanks so much.
Do you know where I can download SP3?
I'll do that and the other things you suggested, the adobe and java updates, and then I should be good for a while.
Until I beta test TDL5. ;-)
Do you know where I can download SP3?
I'll do that and the other things you suggested, the adobe and java updates, and then I should be good for a while.
Until I beta test TDL5. ;-)
#234
Posted 27 August 2011 - 01:48 AM

http://technet.micro...indows/bb794714
If you can't get it from Windows Update then click on the Stand Alone version.
Judging from your history it would probably be wise to also install the free Online Armor fire wall for a little more protection.
http://www.online-ar...-armor-free.php
and if you use Firefox perhaps the No-script add-on would be wise. http://noscript.net/
Bed time for me.
Ron
If you can't get it from Windows Update then click on the Stand Alone version.
Judging from your history it would probably be wise to also install the free Online Armor fire wall for a little more protection.
http://www.online-ar...-armor-free.php
and if you use Firefox perhaps the No-script add-on would be wise. http://noscript.net/
Bed time for me.
Ron
#235
Posted 27 August 2011 - 02:15 AM

Judging from your history...
Yep, that's me alright.
Bed time for me.
Nighty, night.
And thank you so much. :-)
Yep, that's me alright.
Bed time for me.
Nighty, night.
And thank you so much. :-)
Similar Topics
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
As Featured On:






