GMER detected rootkit; now what?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eliewriter, Dec 17, 2008.

  1. eliewriter

    eliewriter Private E-2

    Hi there,

    Please bear with my newbie status, both on starting a thread and dealing with computer issues. Feel free to dumb any responses waaayyyy down.

    GMER detected a rootkit that is affecting my desktop computer system. I tried to copy the info into a file but it didn't say much more than process (***hidden***) 3608.

    It's been increasingly difficult to left-click with the mouse lately and the last couple times I tried to print a page it was blank. Also my computer's been excruciatingly slow, all factors that now I'm thinking must be related to this.

    Please help if you can. I tried running RootkitBuster after GMER but it didn't detect it. Since I have Vista, I'm not finding other programs that appear to eradicate this rootkit.

    Thanks in advance--

    EL
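The GMER line quoted above, "process (***hidden***) 3608", is a cross-view finding: one way of listing processes shows a PID that another way does not. As an added example (not part of this thread, and not GMER's code), the block below shows the shape of that check on Windows with two independent views, the Toolhelp snapshot that Task Manager-style tools use and a brute-force OpenProcess probe over every possible PID, and diffs them. The probe range `MAX_PID` and the three-round repeat are my assumptions. A process that starts or exits between the two views produces a one-off discrepancy, which is why the example only reports PIDs hidden in every round; a rootkit that tampers with the kernel's own process bookkeeping can still fool both of these user-mode views, so this illustrates the method rather than matching what GMER does in the kernel.

```python
"""Cross-view process enumeration, the idea behind a
"process (***hidden***) <pid>" report: take the process list two ways
that rely on different code paths, and flag PIDs one view reaches but
the other omits. Added example; it names no specific rootkit."""
import sys
from dataclasses import dataclass

MAX_PID = 65536  # assumption: upper bound of the brute-force probe


@dataclass(frozen=True)
class CrossView:
    hidden: frozenset   # reached by the probe, missing from the listing
    phantom: frozenset  # listed, but gone by the time the probe ran


def cross_view(listing_view, probe_view):
    """Diff two PID collections; argument order matters."""
    listing, probe = frozenset(listing_view), frozenset(probe_view)
    return CrossView(hidden=probe - listing, phantom=listing - probe)


def stable_hidden(listing_fn, probe_fn, rounds=3):
    """Repeat both views and keep only PIDs hidden in every round, so a
    process that merely started between the two views is not reported."""
    result = None
    for _ in range(rounds):
        hidden = cross_view(listing_fn(), probe_fn()).hidden
        result = hidden if result is None else result & hidden
    return result or frozenset()


def win_toolhelp_pids():
    """Listing view (Windows): the Toolhelp snapshot Task Manager-style
    tools rely on, which a hook can filter."""
    import ctypes
    from ctypes import wintypes

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD),
                    ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD),
                    ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD),
                    ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD),
                    ("szExeFile", ctypes.c_char * 260)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.Process32First.argtypes = k32.Process32Next.argtypes = [
        wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    snap = k32.CreateToolhelp32Snapshot(0x2, 0)    # TH32CS_SNAPPROCESS
    if snap == ctypes.c_void_p(-1).value:          # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    pids = []
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        pids.append(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return [p for p in pids if p != 0]  # PID 0 (Idle) cannot be opened


def win_openprocess_pids():
    """Probe view (Windows): try to open every possible PID directly.
    ACCESS_DENIED still proves the process exists (e.g. PID 4, System)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    PROCESS_QUERY_LIMITED_INFORMATION, ERROR_ACCESS_DENIED = 0x1000, 5
    pids = []
    for pid in range(4, MAX_PID, 4):          # Windows PIDs are multiples of 4
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if h:
            k32.CloseHandle(h)
            pids.append(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            pids.append(pid)
    return pids


def main():
    if sys.platform != "win32":
        sys.exit("the two live views here are Windows-only")
    for pid in sorted(stable_hidden(win_toolhelp_pids, win_openprocess_pids)):
        print(f"process (***hidden***) {pid}")


if __name__ == "__main__":
    main()
```

Run it from an elevated prompt on the affected machine; a PID printed on every run is worth looking at, while one that appears once and then vanishes is usually a process that came or went during the scan. PROCESS_QUERY_LIMITED_INFORMATION is available from Vista onward, which is the system in this thread.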
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide

    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post your logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn them to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
     
  3. eliewriter

    eliewriter Private E-2

    Hi there,

    Thanks for your help. I've been going through the steps with a few problems, as noted in the log I kept below. I've also attached the logs that were requested except for ComboFix, which I wasn't able to run.

    I ran SpyBot but not the fix, since the problem looked like something to do with Internet Explorer and I was afraid I couldn't get back online. I'm guessing the problem's been going on about three weeks but can't say for sure. Thanks so much for your help, I bought my parents a digital frame and really want to get my computer working to get photos organized for them!

    Here are the steps I followed:
    --no listed malware programs on uninstall list
    --downloaded java update; saved to desktop
    --removed java 6 update 7
    --installed new java update
    --must already be in normal startup; under system config/general it didn't offer the "apply" options, just OK.
    --Emptied AVG virus vault
    --nothing in recycle bin
    --downloaded/ran CCleaner, rebooted in safe mode, ran again as administrator
    --rebooted in normal mode
    --changed settings
    --downloaded SUPERAntiSpyware, saved to desktop
    --downloaded SpyBot, saved to desktop
    --uninstalled current version of MalwareBytes (not working), restarted computer
    NOTE: (in addition to other new icons, there are two faint icons that seem identical, both named desktop.ini; these don't show up when I look at the desktop different ways, not sure if that's a big deal.) Now Java 6 Update 7, which I thought I removed, is showing up in Programs, says installed 7-08. Attempted to uninstall, but the computer is asking me about an unidentified program that wants control of my computer, so I cancelled (don't remember this question when uninstalling previous programs).
    --downloaded malwarebytes, saved to desktop
    --MGtools, Windows Firewall: don't see the "always ask me where to save files" option, but it says it can make an exception for a port; I need the port number, whatever that is. So I downloaded to desktop, won't let me save anywhere else.
    --turned off user control, restarted
    --followed remaining instructions on page, went to SUPERAntiSpyware, followed all instructions, including unplugging cable and scanning. showed no detected viruses, rebooted
    --Copied SAS log into file.
    --Did SpyBot scan as per instructions, showed one problem: Microsoft.Windows.Security.InternetExplorer.(didn't fix it because I wasn't sure if I could get back online. couldn't see any way to get log from this program)
    --(Note here, sorry, I was copying down info by hand and was thinking I was on MG tools step, should have been doing MalwareBytes step, am returning to do that and will continue sequence).
    --Ran MalwareBytes, detected three infections, created log as MBlog, will attach.
    --Tried to follow ComboFix instructions, starting with going to Windows Recovery Environment. Problem because I don't have a Windows DVD; tried F8, gave option of system repair but wouldn't let me in because I don't have the password. Didn't do ComboFix, am re-enabling firewall/AVG/WinPatrol before getting back online.
    --Ran GMER again (GMER originally detected the Rootkit) to see if it still showed up. I can attach that log if you want to see it too.
    --Tried to run MGTools from desktop (see above, didn't see any way to get it into C, haven't been able to drag items), think the scan ran, will attach log as C:\MGlogs.zip
    --Re-enabled user account control
    --wasn't sure if I'm supposed to do anything with the toggle function yet or not.

    Thanks again, I greatly appreciate your help--

    eliewriter
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. Have you applied the latest patch to IE that covers a security hole?

    What problems are you now having?
     
  5. eliewriter

    eliewriter Private E-2

    Hi Tim,

    That's a relief that you're not seeing malware. I didn't see "rootkit" mentioned in the second GMER scan either but wasn't sure how to interpret any of the logs.

    My computer seemed to speed up and do better about halfway through the process. I'm still having major left-click problems and am unable to drag anything with the mouse, but I suppose that could be all related to my mouse?

    Also those faint desktop.ini icons, I'm not sure what they mean. Can I put those in the recycle bin?

    Thanks a million. I can't believe you guys take the time to help out like this, but I definitely appreciate it!

    eliewriter
     
  6. eliewriter

    eliewriter Private E-2

    Hi Tim,

    I'm going to Microsoft to check on the update. Other than my mouse having big problems with left-clicking and dragging, my computer seems to be working better (does that sound like a mouse-only problem?). Things improved after I started the "Read..." process.

    I didn't see the word "rootkit" on the second GMER log but wasn't sure how to interpret that or any of the logs.

    Do I need to be concerned about the desktop.ini icon that's showing up very faintly on my desktop and in my picture files?

    Thanks for taking the time to help, I definitely appreciate it!

    eliewriter
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No need to be concerned; our procedures force the showing of hidden files and folders. That will go away when we do the final cleanup.

    Have you tried a different mouse? Perhaps you should post in the software section for that issue.


    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  8. eliewriter

    eliewriter Private E-2

    Thanks Tim,

    I uninstalled HijackThis, CCleaner and Spybot, then deleted some files from C: (including old Spyblaster and Ad-Aware) plus MGTools and MGlog.zip.

    I couldn't find MGTools.exe but maybe that's because I originally downloaded MGTools to my desktop? (it wouldn't let me save it anywhere else)

    I've got ComboFix saved to my desktop and would like to unload it but I can't get to a "run" option after I get into "start" on Vista. Sounds dumb I know but I tried different ways and couldn't remember how I should do it, can you help?

    Also, I haven't done the system restore step since I haven't uninstalled ComboFix yet.

    Thanks for the idea about checking the software forum re: the mouse, I'll check that out.

    I appreciate your patience, Tim!

    eliewriter
     
  9. eliewriter

    eliewriter Private E-2

    Addendum: I found MGTools under a different file in C and was able to delete. I see ComboFix.exe in there too; can I delete it from that file ?
    {it's in C, users, office depot (where I bought computer as floor model), desktop}
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can delete it from there, as well as the ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs, or wherever they are located. :)

    And you are most welcome.
     
  11. eliewriter

    eliewriter Private E-2

    Awesome, Tim, thanks tons! You guys rock!

    eliewriter
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem....be safe. :)
     
