Malware, possibly a rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oakleyg97, Sep 4, 2011.

  1. oakleyg97

    oakleyg97 Private E-2

    Hello,
I recently updated something on Adobe (possibly Flash) about two weeks ago. Through my research, it seems others have the same problem, as this update had a security hole in it. I have been slowly trying to work through it.

    I cannot copy and paste, cannot connect through Firefox or IE. I can run some programs, but not others. I have gone through the READ & RUN ME FIRST as best I can and here is what has resulted from this.

    SuperAntiSpyware - I have attached three logs in a zip file. First two cleaned items and third was a clean system.
    Malwarebytes - Error on install and error on attempting to run "Error 372"
    ComboFix - cannot install, error about "ComboFix NSIS installer has encountered a problem and needs to close".
    RootRepeal - log is attached
    MGTools - logs are attached, I saved them as MG_All_Logs.zip due to not being able to copy and paste.

    Please if you need anything else....just let me know! I appreciate all help!
    Thanks!
    Gabe
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to attach the log we requested which is not one that you created. Please attach the C:\MGlogs.zip file.


    Also complete the below instructions.



    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.


    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
    And also please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    C:\win32kdiag.exe -f -r
     
  3. oakleyg97

    oakleyg97 Private E-2

    Thanks for your quick reply!

    I tried running MGTools again and still no log. It is not creating a zip at the root of C:. I have to run it from a flash drive because I cannot copy and paste the MGTools to the C: drive. There is no ZIP file on the flash drive either.

    I have attached my TDSS log.

    I have attached my MBR log.

    I cannot complete the Win32kDiag step because I don't have an Internet connection and I cannot copy and paste to the root of C:. The directions say that it must be there.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    TDSSKiller attempted to fix a problem. Has it helped at all?

    It will not run properly from there. It must be saved and run from the drive that Windows is installed on. Let's see if the below works.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this will try to run TrendMicro HijackThis. Click twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run yet another scan from MGtools. Tell me what error messages, if any, you see.

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.


    Okay then try saving it to your Desktop and using the below instructions.

    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
     
  5. oakleyg97

    oakleyg97 Private E-2

    TDSSKiller did not do anything that I noticed, still same problems.

    I remembered some "old school" DOS commands when you suggested running the files. So, I copied MGTools and Win32kdiag to the Desktop (through the cmd window) and ran them as directed earlier.

    I have attached those logs.

    Thanks again!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    Java(TM) 6 Update 15
    Java(TM) 6 Update 5

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. oakleyg97

    oakleyg97 Private E-2

    I cannot remove the two Java versions, either in Normal or Safe Mode. The error message says that "The Windows Installer Service could not be accessed."

    I did receive a success message on adding those two lines to the registry.

    avenger.txt is attached.

    I tried to install the new Java, same as removing the old...error message says "The Windows Installer Service could not be accessed."

    MGlogs.zip is also attached. I guess it only zipped one log this time? The window never closed but the zip file was created.

    Thanks again for your time....I really do appreciate it!
     

    Attached Files:

  8. oakleyg97

    oakleyg97 Private E-2

    I forgot to add that nothing seems to have changed. I still cannot copy and paste and no Internet connection.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now please rerun Win32KDiag just like you did previously. Do not edit or modify the log file. Just attach the unmodified log file to your next message.



    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now rerun the below instructions.

    Click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this will try to run TrendMicro HijackThis. Click twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run yet another scan from MGtools. Tell me what error messages, if any, you see.

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.


    And one more scanning tool I want to use to collect more information is OTL per the below.



    Please download OTL by Old Timer to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the Run Scan button.
    • When the scan is complete, two logs entitled OTL.txt and Extras.txt will be created on your desktop.
    • Attach both of these logs to your next message.
     
  10. oakleyg97

    oakleyg97 Private E-2

    Win32KDiag log is attached

    I copied Junction as instructed.
    I also copied Inherit but never ran it.

    I ran FixPerm.bat and the screen was black for a bit and then closed...no popups.

    I ran nwktst, analyse, getrunkey, and shownew, but had to run them in safe mode. One of them froze the first time in normal mode, I think it was nwktst.

    MGlogs.zip is attached
    OTL.txt and Extras.txt are also both attached.

    HijackThis opened and scanned this time. I don't think it saved a log in MGlogs, so I saved the log and will attach it in a separate message.

    Thanks!
     

    Attached Files:

  11. oakleyg97

    oakleyg97 Private E-2

    Here is the HijackThis log file.
     

    Attached Files:

  12. oakleyg97

    oakleyg97 Private E-2

    While running OTL, I did get an error, see attached image. I was able to continue on by clicking the "continue" button several times.

    Sorry, I forgot to add this earlier.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a possibility that both Symantec and Spybot have become infected and we may need to uninstall them to get them out of our way. We will see, but first let's try the below.



    Please run the following:
    • please download GrantPerms.zip and save it to your desktop.
    • Unzip the file and run GrantPerms.exe
    • Copy and paste the following into the edit box of GrantPerms:
    Code:
    c:\Avenger
    c:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
    c:\Program Files\Symantec AntiVirus\Rtvscan.exe
    c:\Program Files\Symantec AntiVirus\VPC32.exe
    c:\WINDOWS\$NtUninstallKB28257$
    c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
    C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
    c:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
    C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
    c:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Shaunté\Desktop\OTL.exe
    C:\Program Files\SUPERAntiSpyware\SASCore.exe
    C:\WINDOWS\junction.exe
    C:\Documents and Settings\Shaunté\Desktop\ComboFix.exe
    C:\Win32kDiag.exe
    C:\Documents and Settings\Shaunté\Desktop\Win32kDiag.exe
    C:\Documents and Settings\Shaunté\Desktop\Inherit.exe
    C:\Documents and Settings\Shaunté\Desktop\avenger.exe
     
    
    
    • Now Click Unlock.
    • When it is done click "OK".
    • Now click List Permissions and attach the Perms.txt file that pops up.
    • A copy of Perms.txt will be saved in the same directory from where the tool is run.
    Now double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
      Code:
      :processes
      :otl
      FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
      FF - prefs.js..browser.search.defaultthis.engineName: "Coupons.com Customized Web Search"
      FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2559647&SearchSource=3&q={searchTerms}"
      FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
      :services
      :reg
      :files
      @Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:27EEEB5C
      @Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F538558
      @Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0651F96C
      @Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C3B04546
      @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:95B7F1EC
      @Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89123481
      @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C25C9263
      @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A696643D
      @Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B85E5267
      @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D05E7A8B
      @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:42C1964D
      C:\Documents and Settings\Shaunt‚\Desktop\setup.exe
      C:\WINDOWS\$NtUninstallKB28257$
      C:\Documents and Settings\Shaunt‚\Desktop\setup.exe
      C:\WINDOWS\$NtUninstallKB28257$
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\15.dir
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\34.dir
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ge3192
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ge4884
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish14363171
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish3200062
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish3249390
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish3392546
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish3407062
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish440687
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish441828
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish462593
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish481406
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish791453
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\ish9681531
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\nsj9.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\nsmE.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\nso8.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\nsp7.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\nstC.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\nsy17.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\svc0.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\TCD1D8.tmp
      C:\Documents and Settings\Shaunt‚\Local Settings\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      :commands
      [PURITY]
      [EMPTYTEMP]
      [RESETHOSTS]
      [REBOOT]
      
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
     
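As an added example that is not part of this thread (nor OTL's own code): a small Python parser for the OTL fix-script format shown in the post above, so an analyst can tally what a script will touch (files, alternate data streams, Firefox search prefs, commands) before pressing Run Fix. The sample script is constructed from a subset of the real one, with the profile name replaced by a placeholder.

```python
import re

# Constructed sample in the OTL fix-script format (subset of the real script, profile name replaced).
SAMPLE_SCRIPT = r""":processes
:otl
FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
:files
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:27EEEB5C
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:42C1964D
C:\WINDOWS\$NtUninstallKB28257$
C:\Documents and Settings\USER\Local Settings\Temp\nsj9.tmp
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]
"""

# "@Alternate Data Stream - <size> bytes -> <host path>:<stream name>"
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")
# 'FF - prefs.js..<pref name>: "<value>"'
FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.([\w.]+): "(.*)"$')

def parse_otl_fix(text):
    """Split an OTL fix script into what it will touch, keyed by section:
    paths and ADS records under 'files', Firefox prefs, and bare commands."""
    plan = {"files": [], "ads": [], "ff_prefs": {}, "commands": [], "other": []}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):          # section header, e.g. ":files"
            section = line[1:].lower()
            continue
        ads = ADS_RE.match(line) if section == "files" else None
        pref = FF_PREF_RE.match(line) if section == "otl" else None
        if ads:
            plan["ads"].append({"host": ads.group(2), "stream": ads.group(3),
                                "size": int(ads.group(1))})
        elif section == "files":
            plan["files"].append(line)
        elif pref:
            plan["ff_prefs"][pref.group(1)] = pref.group(2)
        elif section == "commands" and line.startswith("["):
            plan["commands"].append(line.strip("[]").upper())
        else:
            plan["other"].append((section, line))   # keep anything unrecognised for review
    return plan

def summarize(plan):
    """Report an analyst can sanity-check before pressing Run Fix."""
    temp_files = [p for p in plan["files"] if "\\Temp\\" in p]
    return {
        "file_count": len(plan["files"]),
        "temp_file_count": len(temp_files),
        "ads_count": len(plan["ads"]),
        "ads_bytes": sum(a["size"] for a in plan["ads"]),
        "ff_prefs_reset": sorted(plan["ff_prefs"]),
        "hosts_reset": "RESETHOSTS" in plan["commands"],
        "reboot": "REBOOT" in plan["commands"],
    }

if __name__ == "__main__":
    print(summarize(parse_otl_fix(SAMPLE_SCRIPT)))
```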
  14. oakleyg97

    oakleyg97 Private E-2

    You are a freakin GENIUS!! :)

    Many thanks! It all seems to be working so far! I also updated and am scanning with Malwarebytes right now.

    Attached is my Perms.txt and OTL.txt

    I am just running the Malwarebytes, but if I need to run anything else...please advise!

    Thanks again!
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Sounds a lot better. Let's just repeat the below. Redownload it anyway and overwrite any copy you may have.

    Download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    C:\win32kdiag.exe -f -r
     
  16. oakleyg97

    oakleyg97 Private E-2

    Here you are!
     

    Attached Files:

  17. oakleyg97

    oakleyg97 Private E-2

    After my last post, I received an error that is on the top left of the attached picture. The one in the middle was hiding behind it. Since the fix, I have been getting exception errors like this. Any ideas why?

    I also tried to open Photoshop to edit the attached picture, but you can see the error for that one as well.

    I will format this machine soon, but just wanted to get important pictures off first and make sure all remnants were gone. I was afraid that something might go with the pictures or other files that I copied.

    Thanks again for your help!
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. The infection you had has corrupted permissions on many files and folders that are on your PC. Thus you may see more and more issues like this over a period of time. Trying to find and fix all of them in order to make your PC reliable can be quite a task.

    If you plan to format anyway, that may be a faster solution and your PC will in turn, be more reliable again. However you could first try running the below which may or may not help;


    Resetting Registry and File Permissions
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also you could test to see if ComboFix from the READ & RUN ME FIRST will run now. It could possibly find and remove more issues.
     
