client's computer has at least two rootkits

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by yanqui, Jan 26, 2007.

  1. yanqui

    yanqui Private E-2

    according to Panda. This has been an interesting ride. We know that she needs SP2, but it won't install at this time; probably something to do with whatever's sitting on it. Java update won't, either. So here's where we are:

    Ran Symantec AV, but according to BitDefender, Symantec was infected in and of itself! Then ran Spybot, then AdAware, then AVG. Each was picking up stuff the other didn't. In Add/Remove, found RelevantKnowledge, uninstalled it. MSConfig has us in Normal mode right now. Nothing in Norton Quarantine or any recycle bin. Ran CCleaner. Hidden and system files are exposed. I didn't run CounterSpy, because I had already downloaded and run AVG, hoping I wouldn't have to come here. (Not that I don't like coming here, I was just hoping it wasn't that bad.)

    With BitDefender, I didn't see a tab for Detected Problems; I saved what looked like a summary.

    Files from BitDefender, Panda, and RunKeys are attached.
     

    Attached Files:

    Last edited: Jan 26, 2007
  2. yanqui

    yanqui Private E-2

    client's computer, part two:

    Attached are the files from ShowNew and HijackThis.

    I think I followed all the instructions correctly. We've been battling this for two days and rootkits are not something we do in our shop.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the log from AVG spyware scan.
     
  4. yanqui

    yanqui Private E-2

    I will have to run again; for whatever reason, the log file didn't go anywhere I can find it. Can we get started without it?
     
  5. yanqui

    yanqui Private E-2

    AVG antivirus scan report from before; I did save it but couldn't find it before when you asked for it.

    The machine is running much faster, but I think we have some corrupted programs that are going to need to be reinstalled; Office keeps trying to reinstall, and Symantec was too until we just scrapped it altogether. After the cleanup is final she may want to get rid of AVG and put Symantec back on it, but right now we have something that works.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go back and read the Read and Run Instructions again.
    You did not do the step to show hidden files and folders.
    You did not attach the BitDefender scan log properly (what you posted is useless to us).
    The GetRunKeys log is useless since you didn't "unhide" files and folders.

    Then re-attach all the logs as directed and in proper order.
     
  7. yanqui

    yanqui Private E-2

    Did you read what I wrote at all?

    I DID show hidden files and folders. I TOLD you that I did not see the tab you mentioned in Bit Defender.

    This is not the first time I've done this, and if this information is useless to you and you cannot exit your dress right dress mode and stop treating me like a child, I'll go elsewhere.

    Thanks for nothing.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do a search and see if these still exist (Relevant Knowledge items):
    rlvknlg.exe
    rlls.dll

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Please uninstall this:
    c:\program files\zango\zango.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe G
    O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O20 - AppInit_DLLs:

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
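For readers who have to work through a HijackThis list like the one above, here is an added example (not from this post, and not HijackThis code) that parses the quoted R3/O4/O16/O20 line shapes into structured records and resolves each O4 autostart entry to the file it actually launches, so a fresh log can be compared against a removal list before clicking Fix. SAMPLE_LOG is constructed from two of the lines quoted in the post; the regular expressions are this example's own assumptions about the log format.

```python
import re
from dataclasses import dataclass

@dataclass
class HjtEntry:
    section: str  # "R3", "O4", "O16", "O20", ...
    kind: str     # "URLSearchHook", "HKLM\\..\\Run", "Startup", "DPF", "AppInit_DLLs"
    name: str     # display name, Run value name, .lnk name or CLSID
    target: str   # file, command line or URL ("" when nothing is listed)

_HEAD = re.compile(r'^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+):\s*(?P<rest>.*)$')
_R3 = re.compile(r'^(?P<name>.*?) - (?P<clsid>\{[^}]+\})? ?- (?P<target>.*)$')
_O4_RUN = re.compile(r'^\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$')
_O16 = re.compile(r'^(?P<clsid>\{[^}]+\}) - (?P<target>.*)$')
# first .exe/.dll/.scr/.cpl path in a command line, quoted or not
_EXE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|cpl))"?', re.IGNORECASE)

def parse_hjt_line(line: str):
    """Parse one HijackThis log line; returns HjtEntry, or None for non-entry lines."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group('section', 'kind', 'rest')
    if section == 'R3' and (r := _R3.match(rest)):
        return HjtEntry(section, kind, r['name'], r['target'])
    if section == 'O4' and kind.endswith('Run') and (r := _O4_RUN.match(rest)):
        return HjtEntry(section, kind, r['name'], r['target'])
    if section == 'O4' and kind == 'Startup':
        name, _, target = rest.partition(' = ')
        return HjtEntry(section, kind, name, target)
    if section == 'O16' and (r := _O16.match(rest)):
        return HjtEntry(section, kind, r['clsid'], r['target'])
    return HjtEntry(section, kind, '', rest)  # O20 AppInit_DLLs and unknown shapes: raw remainder

def executable_of(target: str) -> str:
    """File a Run/Startup target launches: strips quotes, a rundll32 prefix and trailing args."""
    t = target.strip()
    if t.lower().startswith('rundll32 '):
        t = t[len('rundll32 '):]
    m = _EXE.match(t)
    return m['path'] if m else ''

def autostart_files(log_text: str) -> dict:
    """Map every O4 (Run key / Startup folder) entry name to the file it launches."""
    entries = (parse_hjt_line(l) for l in log_text.splitlines())
    return {e.name: executable_of(e.target) for e in entries if e and e.section == 'O4'}

# Constructed sample: two of the O4 lines quoted in the post above
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
"""
```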
     
