Very good reason to believe I've been infected with a rootkit/remote control 'hack'

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mave, Nov 27, 2012.

  1. Mave

    Mave Private E-2

    Recently I banned one of my forum members because he kept annoying other members.
    Since I banned him he has been on a revenge-spree.
    My server has been attacked with multiple DDOS attacks, my home phone got pretty bad calls,...

    Now he is claiming to someone else (he does now know that I know this) that he can access my PC. (my thought was a rootkit)
    Of course I can't be sure if this is true or not. That's where I need you awesome guys.

    Attached you'll find all the required logs for you guys to make a judgement and what to do with certain files.
    Thank you.

    PS: Until this morning, I couldn't change the Windows Firewall settings (it said "Windows firewall can't change some of your settings")
    I googled around and this could be an indication of a malware. I have applied a windows fix for this, and now it works though.
     

    Attached Files:

  2. Mave

    Mave Private E-2

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    I can't edit my post anymore so I need to reply to add this information:

    I scanned with GMER and the log returned this:

     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    Welcome to Major Geeks!

    Do you know what the below is?
    It does not look like malware is your problem based on your logs. There is some minor adware junk to clean up from Babylon and a couple searchscopes. But there are no real malicious malware items unless the above MTool_new.exe file is not something you know about. My opinion is that this looks like a problem. Exe files should not be running from here.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
    Last edited: Nov 28, 2012
  4. Mave

    Mave Private E-2

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    Thanks for your answer!
    I will do the steps you provided me with :)
    I have no idea what the .exe is, how do I remove it safefully?
     
  5. Mave

    Mave Private E-2

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    Sorry to double post, but I can't seem to edit my last message anymore..

    Anyway the registry keys were added successfully!
    The JRT.txt log is attached.

    One last question though, how do I remove the M_tool exe safely?
     

    Attached Files:

    • JRT.txt
      File size:
      3.3 KB
      Views:
      4
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    You're welcome.


    Uninstall the below very old versions of software:
    Java(TM) 6 Update 22

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.chatzum.com/
    O2 - BHO: Blog This in Windows Live - {2adefb8e-b923-35e6-86e2-2b7841f5d6a4} - mscoree.dll (file missing)
    O4 - HKCU\..\Run: [MTool] C:\Users\Mave\AppData\Roaming\MCommon\MTool_new.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Mave\AppData\Roaming\MCommon\MTool_new.exe
    C:\Users\Mave\AppData\Roaming\MCommon
    C:\Users\Mave\AppData\Local\Temp\*.*
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MTool"=-
    "uTorrent"=-
    [HKEY_USERS\S-1-5-21-2496646587-1129865938-1767376005-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "MTool"=-
    "uTorrent"=-
     
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}] 
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A23C2257-A14F-489B-9ACB-CC0BEF6D82AF}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E34C99DB-EFEA-468B-AF8A-E1E6E9560BF4}] 
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large [​IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. Mave

    Mave Private E-2

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    I uninstalled 2 old Java 6 updates (though I still have Java 7 Update 9)
    I applied the HJT fixes.
    I executed the OTM codes and rebooted.
    The three logs are in attachment now.

    Looking forward to your next reply, hopefully saying that I'm 100% clean now :)
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Very good reason to believe I've been infected with a rootkit/remote control 'hac

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds