ARRRGGHH Rootkits!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by semtexsy, Dec 16, 2007.

  1. semtexsy

    semtexsy Private E-2

    Need help with rootkits. I looked over other posts and downloaded Sophos Anti-Rootkit. I have attached the log file; could anybody take a look at it please?

    A little info first: I am running McAfee's, and in the firewall program perm. I have blocked several programs from running, which is what alerted me to the problem in the first place:
    1. perf.exe
    2. routing.exe
    3. ndt2.sys
    4. Indt2.sys
    Like I said, I have blocked them all, but I don't want them there even if they are blocked, obviously.
    I do have a blog which I run ads through AdSense; is that what it is? Because I know they install some spy programs on your cpu to keep you from clicking your own ads :p


    Could someone help? Because I don't want to screw anything up. I'm not a noob when it comes to this stuff, but as always I defer to the MajorGeek Gods.

    :confused

    thanx
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing of concern in the log from Sophos.

    If you are having malware problems, please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. semtexsy

    semtexsy Private E-2

    It was actually the first thing I did when I joined the site,
    but I will go over it again.
    Thanx, maybe I am just being paranoid.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you did the READ & RUN ME and you are still having problems, you are supposed to attach the requested logs along with your message requesting help. Otherwise we consider the READ ME as not completed. Just blocking programs from running in your firewall does not remove them from your PC.
     
  5. semtexsy

    semtexsy Private E-2

    OK, when I try to run msconfig I get this error msg: "Windows cannot find msconfig".

    I searched for it in the config folder but it's not there?? :confused
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So now you are saying you did not run the READ ME?????

    What Windows OS do you have?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your OS has it then it is not in a config folder. It is here:

    C:\WINDOWS\PCHealth\HelpCtr\Binaries
     
  8. semtexsy

    semtexsy Private E-2

    Got it, thanx.
     
  9. semtexsy

    semtexsy Private E-2

    Sorry 'bout the double post, but woaa, when I rebooted it said there are 2 op sys on this computer. A little history quickly: I bought this computer second hand from a buddy; he obviously knows nothing about cpu's (well at least less than me), because even I know you shouldn't be running 2 op sys unless u want 2!
    What should I do?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are going to work on any malware problems you have in this forum. If you want to discuss your operating system you can do that in the Software Forum; however, there is nothing wrong with having multiple OS's. Many people have dual or multi-boot platforms.
     
  11. semtexsy

    semtexsy Private E-2

    Well, I guess I didn't do it properly :eek:
    but anyways, here is the log.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And you still haven't! You were supposed to run ComboFix and AVG Antispyware before MGtools.exe. You did not run them. You need to run them and attach the logs from them that were requested in the READ ME. Then we need to get you started on part of your fix, since you have a couple of serious backdoor trojan services installed.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Lic NetConnect service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • perfmons Service
      • Routing Service
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste CLTNetCnService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • perfmons
      • Routing
    • Now exit HJT and reboot when it tells you it needs to.
    After reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also delete the below files (if found) after you do the previous procedure:

    C:\WINDOWS\system32\perfs.exe
    C:\WINDOWS\system32\routing.exe
     
  14. semtexsy

    semtexsy Private E-2

    And finally, here are the logs requested :banghead
     


    Last edited by a moderator: Dec 17, 2007
  15. semtexsy

    semtexsy Private E-2

    Sorry, I may have posted the old MGlog. You have to forgive me; I have been stuck on stupid since my divorce. You would figure I would be sharper now that I don't have the grinning ma of Evil Otto staring at me 24/7, but..... anyways, here it is again. I am sorry, and I really appreciate you taking the time to help me with this.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was the new MGlogs.zip file obtained before or after following my instructions to remove those services? Looks like before.
     
  17. semtexsy

    semtexsy Private E-2

    After. Should I run it again and attach?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I see we were posting at the same time. I was referring to your previous log. Not the one you last posted. I'm creating a fix for you now. Hang around.
     
  19. semtexsy

    semtexsy Private E-2

    Sweet, thanks, I appreciate this.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
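As an added, defender-side illustration of the two procedures in this thread (the services.msc and HJT "Delete an NT Service" steps in posts 12 and 13, and the check behind the "(no file)" R3 URLSearchHook line in this post), here is a PowerShell triage script. It is not part of the thread and not a MajorGeeks tool. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, takes the service names (CLTNetCnService, perfmons, Routing) and the URLSearchHooks location from the thread, and only reports; the disable and remove functions do nothing until you call them deliberately.

```powershell
# Added example, not from the thread. Triage the services and the IE URLSearchHook
# entries that chaslang named before stopping, disabling or deleting anything.
# Assumptions: Windows PowerShell 5.1+ on a Windows host, elevated prompt.
# The default service names below are the ones listed in the thread.

function Get-ServiceTriage {
    param([string[]]$Names = @('CLTNetCnService', 'perfmons', 'Routing'))
    foreach ($name in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Name = $name; Present = $false }
            continue
        }
        # PathName may be quoted and may carry arguments; pull out just the executable.
        # (An unquoted path that itself contains spaces is not handled here.)
        $exe = $svc.PathName
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($exe -match '^(\S+)') { $exe = $Matches[1] }
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
        # A missing or unsigned binary under system32 is what you want to see before acting.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Name         = $svc.Name
            DisplayName  = $svc.DisplayName
            Present      = $true
            State        = $svc.State
            StartMode    = $svc.StartMode
            PathName     = $svc.PathName
            BinaryExists = $exists
            Signature    = $sig
        }
    }
}

# Same effect as the services.msc steps in the thread: Stop, then Start-up Type = Disabled.
function Disable-SuspectService {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$Name' not found; skipping."; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction Continue }
    Set-Service -Name $Name -StartupType Disabled
}

# Same effect as HJT's "Delete an NT Service": remove the service registration.
# sc.exe marks a still-running service for deletion; the entry goes away after reboot.
function Remove-SuspectService {
    param([Parameter(Mandatory)][string]$Name)
    & sc.exe delete $Name
}

# Check whether each URLSearchHook CLSID still resolves to a DLL on disk. HijackThis
# prints "(no file)" for an R3 entry whose handler is gone, as in the Yahoo! Toolbar line.
function Get-UrlSearchHookTriage {
    $hookKeys = @(
        'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
        'HKLM:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    )
    foreach ($key in $hookKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # Hooks are registered as value names that are CLSIDs.
        $clsids = (Get-Item -Path $key).GetValueNames() | Where-Object { $_ -like '{*}' }
        foreach ($clsid in $clsids) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path -Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
            [pscustomobject]@{
                HookKey    = $key
                Clsid      = $clsid
                Handler    = $dll
                FileExists = [bool]$dll -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))
            }
        }
    }
}

# Report only. Nothing changes until Disable-SuspectService / Remove-SuspectService
# are called by name for a service the report has shown to be bogus.
Get-ServiceTriage | Format-Table -AutoSize
Get-UrlSearchHookTriage | Format-Table -AutoSize
```

Run the report first and keep its output with the other logs; a service whose binary is missing, unsigned, or sitting under system32 with a name no installed product accounts for is the one to stop and disable, and only after it is disabled does deleting the registration (the HJT step) make sense. A hook whose handler DLL is gone matches what HJT flags as "(no file)".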
     
  21. semtexsy

    semtexsy Private E-2

    I'm telling you, this is one of the happiest moments in my post-ex-wife life :cry
    My tears are tears of joy; everything is gone, but I do have one last question: that logonhook.exe that is in there, should it be????
    If it is, well, I'm off to another thread to give the software guy a headache in regards to my dual XP systems that are running.

    So thanx again, I will be singing your praises for years to come rolleyes
    No really, I will.
     


    Last edited by a moderator: Dec 17, 2007
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I assume you meant the below which is for McAfee and not a problem.

    O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  23. semtexsy

    semtexsy Private E-2

    That's great, thanx again.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
