Help removing Backdoor-awq!rootkit.b

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joesmo2009, Mar 13, 2008.

  1. joesmo2009

    joesmo2009 Private E-2

    I downloaded a file, then installed a program that made McAfee go crazy. After running Windows (MRT) and McAfee it still shows a trojan (backdoor-awq!rootkit.b). I disconnected the computer from the internet and ran (MRT); it also found win/vundo.gen:A. I ran MRT again and no Vundo; I also ran Vundo remover and it found nothing. When I reconnected online and ran Windows Live virus scan I had mischievous webpages popping up; I reran MRT and it found more Vundo. Currently the computer is offline and is still showing backdoor-awq!rootkit.b in McAfee. I removed Windows Messenger and here's my analysis from MGtools. Thanks for your assistance. I learned my lesson.
     

    Attached Files:

  2. Lev

    Lev MajorGeek

  3. joesmo2009

    joesmo2009 Private E-2

    I followed the instructions and here are my logs. McAfee is still detecting the same thing as before. Thanks in advance for the help. I feel like this should be a 3 credit college class.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are not really showing any more obvious problems other than what was removed already by the scans. Where exactly is McAfee reporting the problem? What file and in what folder? Is it just in System Restore or a Registry entry?

    What are the new folder and file below for?
    Code:
    2008-03-11 19:00 . 2008-03-11 19:00 <DIR> d-------- C:\temp\ext45874
    2008-03-11 16:55 . 2008-03-11 16:55 33 --a------ C:\WINDOWS\system32\400e5d10
     
    Three comments though about your HJT log.
    1. I'm not sure why you need the below to run at each startup:
      • O4 - HKCU\..\Run: [Ecxtra] E:\setup.exe min
    2. What is the below for?
    3. What is the below for?
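
    The two log formats chaslang is asking about (HijackThis O4 startup entries and the dated new-file lines) can be triaged mechanically before a helper reads them. The script below is an added example, not a MajorGeeks, HijackThis or ComboFix tool; the suspicion heuristics it applies (executable on a non-system drive, an 8-hex-character random-looking name, a tiny file under system32, anything created under a temp folder) and the assumption that Windows lives on C: are choices made for illustration, and the sample log is constructed from the lines quoted above plus one benign quoted-path entry for contrast.

```python
"""Triage helpers for HijackThis O4 lines and dated new-file lines.
Added example, not a MajorGeeks/HijackThis/ComboFix tool; the heuristics
below are assumptions chosen for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SYSTEM_DRIVE = "C:"  # assumption: Windows is installed on C:

# O4 - HKCU\..\Run: [Ecxtra] E:\setup.exe min
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# 2008-03-11 16:55 . 2008-03-11 16:55 33 --a------ C:\WINDOWS\system32\400e5d10
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|\d+)\s+(?P<attrs>[d-][-a-z]{8})\s+(?P<path>.+)$"
)
# Eight hex characters with an optional extension, e.g. 400e5d10 or 1a2b3c4d.exe
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}(\.\w+)?$", re.IGNORECASE)


@dataclass
class StartupEntry:
    hive: str
    key: str
    name: str
    command: str
    exe: str
    flags: List[str] = field(default_factory=list)


@dataclass
class NewFile:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)


def extract_exe(command: str) -> str:
    """Executable path from a Run-value command line: a quoted path up to
    the closing quote, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_o4(line: str) -> Optional[StartupEntry]:
    """Parse one HijackThis O4 line; None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = extract_exe(m["cmd"])
    entry = StartupEntry(m["hive"], m["key"], m["name"], m["cmd"], exe)
    if exe[:2].upper() != SYSTEM_DRIVE:
        entry.flags.append("runs from non-system drive")
    if RANDOM_NAME_RE.match(basename(exe)):
        entry.flags.append("random-looking filename")
    if not entry.name:
        entry.flags.append("empty value name")
    return entry


def parse_new_file(line: str) -> Optional[NewFile]:
    """Parse one dated new-file line; None if the line does not match."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"])
    rec = NewFile(m["created"], m["modified"], size, m["attrs"], m["path"])
    low = rec.path.lower()
    if size is not None and size < 100 and "\\system32\\" in low:
        rec.flags.append("tiny file in system32")
    if RANDOM_NAME_RE.match(basename(rec.path)):
        rec.flags.append("random-looking filename")
    if "\\temp\\" in low:
        rec.flags.append("created under a temp folder")
    return rec


def triage(text: str):
    """Parse every line of a pasted log and return only the records that
    picked up at least one flag, so a helper can ask about those first."""
    hits = []
    for line in text.splitlines():
        rec = parse_o4(line) or parse_new_file(line)
        if rec and rec.flags:
            hits.append(rec)
    return hits


# Constructed sample: the lines quoted in the thread plus a benign
# quoted-path Run entry that should pick up no flags.
SAMPLE_LOG = r"""
2008-03-11 19:00 . 2008-03-11 19:00 <DIR> d-------- C:\temp\ext45874
2008-03-11 16:55 . 2008-03-11 16:55 33 --a------ C:\WINDOWS\system32\400e5d10
O4 - HKCU\..\Run: [Ecxtra] E:\setup.exe min
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example AV\updater.exe" /quiet
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec.flags, rec)
```

    Run against the constructed sample, the triage returns three records: the temp folder, the 33-byte hex-named file in system32 (two flags), and the E:\setup.exe Run entry, while the quoted-path updater entry is parsed but not flagged. The flags are prompts for the questions chaslang asks (what is this file, why does it run at startup), not verdicts.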
     
  5. joesmo2009

    joesmo2009 Private E-2

    I removed all the items you listed. Still getting the following in McAfee 8.5:
    (unknown):0x5F040F5A >memory\ntterminateprocess backdoor_AWQ!rootkit(trojan)
    Prior to me downloading the bad file in the first place, McAfee always ran clean.


    Thanks again to all of the fantastic people who support us Malware infected PC people who post here.
     
  6. joesmo2009

    joesmo2009 Private E-2

    I would also add that the virus shows up immediately in McAfee when I start the scan. McAfee starts with "Memory for Rootkits". It happens fast; it looks like it is searching in windows\system32. Crashes before services.exe.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. joesmo2009

    joesmo2009 Private E-2

    Here's the GMER log. Thanks for your help. I will contact McAfee. Is there virus scan software that would have dealt with this better?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's clean.

    Unknown. I still see no evidence of a real problem. If a trojan/rootkit is really being found in memory, there should be a file or process that is loading it and McAfee should be detecting it if it truly exists. Do you have all of your current updates? If not, get updated and scan again. Also try scanning in safe boot mode and see what happens.
     
  10. joesmo2009

    joesmo2009 Private E-2

    Updated McAfee manually. That was the trick. No longer showing virus detected. I can't get out to the internet though. The intranet works, but it seems like a TCP/IP service is not running. Thanks for all of your help.
     
  11. joesmo2009

    joesmo2009 Private E-2

    Ok, got the internet to work by downloading winsockxpfix from this website. Thanks again.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: there must be a space between the X and the /U.
    2. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    3. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work through the below link:
     
