Rootkit activity, Invalid PE, hidden /Windows/Temp files

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gink, Dec 10, 2009.

  1. Gink

    Gink Private E-2

    Hello,

    I'm having problems with NTVDM system error c0h, which locks up the machine about five minutes after some applications like yahoo messenger are run.

    ComboFix detected RootKit activity and rebooted before running.
    RootRepeal gave an "Invalid PE Image" error before running.

    There are a few hidden files in /Windows/Temp: $$$dq3e $67we.$ xsw2

    I've read these are encrypted files where the trojan stores passwords, etc., that it steals through a keylogger? They cannot be deleted as they are "in use".

    Will fixmbr -f wipe the trojan from the mbr? Or something like mbrwizard?

    If I used a Linux Live CD with ability to mount NTFS read/write could I remove the hidden temp files? Or is there a better way to get rid of this thing?

    Sorry for all the questions. Thanks for your help, logs attached.
     

    Attached Files:

  2. Gink

    Gink Private E-2

    MGlogs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes, this is a master boot record infection and you need to run fixmbr -f after booting to the Recovery Console to fix this. Deleting the files will not do you any good until the MBR infection is removed.

    After you do this, rerun MGtools and attach a new log.


    Also you are way out of date with your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
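The advice above treats the MBR as the root of the infection. As an added example (not code from this thread or from any of the tools mentioned), the script below shows the kind of boot-sector integrity check a responder can run on the first 512 bytes of a disk image to decide whether the MBR looks intact: it verifies the 0x55AA boot signature, sanity-checks the partition table, and compares the bootstrap code against a SHA-256 baseline taken from a known-clean copy. The baseline hash and the sample images are constructed inline for demonstration; on a real case the baseline would come from a clean backup of the same disk and the image from a forensic dump.

```python
"""Added example: sanity-check a 512-byte MBR image and compare its bootstrap code
against a known-clean baseline. Sample images below are constructed, not real dumps."""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PT_OFFSET = 446              # four 16-byte partition entries follow
SIG_OFFSET = 510             # 0x55 0xAA boot signature at the end
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (CHS fields are ignored)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + i * 16)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash of the bootstrap code only; partition-table edits do not change it."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str = None) -> list:
    """Return a list of human-readable findings; an empty list means nothing unusual."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)} (want {MBR_SIZE})"]
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid status byte 0x{e['status']:02x}")
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    used = [e for e in entries if e["type"] != 0]
    for a in used:
        for b in used:
            if (a["index"] < b["index"]
                    and a["lba_start"] < b["lba_start"] + b["sectors"]
                    and b["lba_start"] < a["lba_start"] + a["sectors"]):
                findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if baseline_sha256 is not None and bootstrap_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from the known-clean baseline")
    return findings


def build_sample_mbr(bootstrap: bytes = b"\x33\xc0\x8e\xd0", entries=None) -> bytes:
    """Constructed sample image: by default one active NTFS-type (0x07) partition."""
    if entries is None:
        entries = [(0x80, 0x07, 2048, 1_000_000)]
    table = b"".join(struct.pack(ENTRY_FMT, *entry) for entry in entries)
    table = table.ljust(64, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + b"\x55\xaa"


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootstrap_sha256(clean)   # in practice: hash of a known-good backup of this disk
    # constructed: same partition table, altered bootstrap bytes
    tampered = build_sample_mbr(bootstrap=b"\xeb\x3c" + b"\x90" * 8)
    print("clean   :", check_mbr(clean, baseline) or "no findings")
    print("tampered:", check_mbr(tampered, baseline))
```

The partition-table checks catch gross corruption, but a bootkit that leaves the table untouched and only replaces the bootstrap code is visible solely through the baseline comparison, which is why the hash covers only the first 446 bytes: a legitimate partitioning change must not mask a modified boot loader.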
     
