recent rootkit infection.. is it gone?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cptnick, Jun 6, 2011.

  1. cptnick

    cptnick Private E-2

    Hi, our server computer at work has been infected by some sort of rootkit virus. This server computer is the main brain for our POS system at our restaurant.
    It was badly messed up on Friday to the point it was unusable. I spent 5 hours working on it and I believe I was able to remove some or all of it however it's still not acting right. The POS software in the restaurant was working fine Friday night after I worked on it and all of Saturday. I went to start it up today and the software won't load at the terminals. I checked the server computer and the network connection was out. I unplugged the power to the router, plugged it back in and the connection came back on. The terminals still weren't sensing the server upon multiple reboots.

    Here's how this all started on Friday. I should note that I have a lot of experience fixing computers but have never dealt with a rootkit virus.

    Friday morning, while I wasn't using it, I noticed the server computer started playing some random audio ads for Lysol, etc., then a bunch of weird ads popped up. I ran Malwarebytes like usual to try and fix the issue. Malwarebytes went through and found 39 infections, removed them and the system rebooted. Things seemed fine, but I could tell something was still on there because Malwarebytes was still blocking a program trying to access the internet, and after about 5 minutes the computer crashed to a blue screen and rebooted. I tried rebooting in safe mode and running Malwarebytes again but it found nothing. I tried running CCleaner, it fixed over 200 issues in the registry, yet the problem still continued. I tried booting to safe mode again and running ComboFix on it; it detected the rootkit virus, rebooted, attempted to go through the steps and it couldn't get through them without the computer crashing yet again. I began searching for more programs to use against this thing, and I downloaded GMER and TDSSKiller by Kaspersky. GMER detected the infection, and I used the 'resolve' command to destroy the infection. GMER then rebooted the computer, I rescanned and it couldn't find any sign of infection. I emailed a log to the people at GMER, they said it looked clean. Just to be sure I used TDSSKiller, and it couldn't find anything either. Problem is, like I said, it's still not acting right, and the POS system is unusable. We open in about 24 hours for business. Where do I go from here?

    Thanks in advance,
    Mike
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. cptnick

    cptnick Private E-2

    Thanks. I am working on getting the logs together right now. At the moment the POS system is running, I rebooted everything, and it seems to be OK for now. The only thing is I am getting low memory warnings from time to time and this server has 2 GB of RAM.
     
  4. cptnick

    cptnick Private E-2

    OK, here are the logs. I will attach the MGlogs in the next post because the limit is 4.
     

    Attached Files:

  5. cptnick

    cptnick Private E-2

    Thanks in advance.


    Mike
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good, just a few things to remove:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\bclm.exe
    c:\windows\r2p3.exe
    c:\windows\eu2i.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At8.job
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
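The CFScript above tells ComboFix to delete three short-named executables directly in C:\Windows and six At*.job files in C:\Windows\Tasks. Whether the deletions actually took, and whether anything similar is left behind, can be checked independently of ComboFix's own log. The PowerShell below is an added example for that check; it is not part of the thread or of the MajorGeeks procedure. It assumes an elevated PowerShell prompt on the affected Windows 7 server, uses only the paths quoted in the CFScript, and treats its "unsigned executable" sweep as a review list rather than a verdict (see the caveat in the comments). It is written to run on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example (not from the MajorGeeks thread). Run from an elevated PowerShell
# prompt on the cleaned Windows 7 server AFTER ComboFix has processed CFScript.txt.
# Assumption: the paths below are exactly the ones listed in the CFScript above.

$cfscriptTargets = @(
    'C:\Windows\bclm.exe',
    'C:\Windows\r2p3.exe',
    'C:\Windows\eu2i.exe',
    'C:\Windows\Tasks\At1.job',
    'C:\Windows\Tasks\At2.job',
    'C:\Windows\Tasks\At4.job',
    'C:\Windows\Tasks\At5.job',
    'C:\Windows\Tasks\At6.job',
    'C:\Windows\Tasks\At8.job'
)

function Get-Sha256Hex {
    # Get-FileHash does not exist on PowerShell 2.0 (the Windows 7 default), so hash by hand.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Did ComboFix actually delete what the script told it to?
Write-Output '== CFScript targets =='
foreach ($p in $cfscriptTargets) {
    if (Test-Path -LiteralPath $p) {
        # Record the hash of anything that survived so it can be submitted/compared later.
        Write-Warning ("STILL PRESENT: {0}  sha256={1}" -f $p, (Get-Sha256Hex $p))
    } else {
        Write-Output "gone: $p"
    }
}

# 2. Any OTHER At*.job files? These are legacy at.exe jobs; the CFScript named At1, 2, 4,
#    5, 6 and 8, so look for any survivors and show what each remaining job runs.
Write-Output '== Remaining At*.job scheduled jobs =='
Get-ChildItem -Path 'C:\Windows\Tasks' -Filter 'At*.job' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Warning ("job: {0}  modified {1}" -f $_.FullName, $_.LastWriteTime)
    }
# schtasks shows the command line behind each job (At1.job appears as task 'At1').
schtasks /query /fo LIST /v 2>$null |
    Select-String -Pattern '^(TaskName|Task To Run|Last Run Time):' |
    ForEach-Object { $_.Line }

# 3. Executables sitting directly in C:\Windows (not subfolders) without a valid Authenticode
#    signature. The three malware files fitted this pattern: 4-character names, no signature.
#    CAVEAT: on Windows 7, Get-AuthenticodeSignature reports catalog-signed Microsoft files
#    (explorer.exe, notepad.exe, ...) as NotSigned, so this is a list to review against the
#    hashes of a known-clean Windows 7 install, not a list of malware.
Write-Output '== .exe directly under C:\Windows without a valid embedded signature =='
Get-ChildItem -Path 'C:\Windows' -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $hash = Get-Sha256Hex $_.FullName
            '{0,-40} {1,-12} {2:yyyy-MM-dd HH:mm} sha256={3}' -f $_.Name, $sig.Status, $_.LastWriteTime, $hash
        }
    }
```

Section 2 is the part worth running even when section 1 comes back clean: the At*.job files were the persistence mechanism that kept re-launching the executables, and a job the script did not list would bring the infection back on the next schedule. Anything still present in section 1 should not be deleted by hand from a running system; it should go back to the helper with its hash.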
     
  7. cptnick

    cptnick Private E-2

    Hi Tim, I stopped by at work last night to try and do what you said, but the server computer was running so slow I could barely do anything. I looked at the processes in the task manager and iexplorer had about 5 or 6 copies of itself and that pvvc.something also had a bunch of copies sapping the RAM (I think it was part of ComboFix). I tried again this morning and the computer seemed fine. I copied the CFscript.txt to combofix.exe and it went through like you said it would and made the log. I did notice that the CFscript extension was listed as CFscript.txt.txt in the ComboFix log, does that matter? I am attaching it and the MGtools log. Thanks in advance.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I see you are also working with BleepingComputer. It is a waste of our resources to be using two different websites to address your issue.

    I am not finding any malware in your logs. But you can tell me what this is:
    C:\Users\User\Desktop\xbhe8gvb.exe?

    Also, use windows explorer to find and delete:
    C:\Users\User\AppData\Roaming\CleanMyPC Software

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  9. cptnick

    cptnick Private E-2

    Sorry Tim, I didn't mean to mislead you. When they suggested formatting all the hard drives I decided to look elsewhere for help.

    That suspicious-looking file on my desktop is just GMER. I'm not sure why they chose to name it that.

    Do you have any idea why the computer got so bogged down last night? That seemed strange.

    I deleted the folder you pointed out, I did notice the time and date the file was modified, and it was the exact time when the problems started. I have to say I'm pretty shocked over this whole thing, I've never had a computer get attacked before remotely, nor have I even talked to anyone that has had this happen, unless it was their own fault because they downloaded something they weren't supposed to. I will follow the steps in the guide you posted, though I have to wait until early tomorrow morning when we are closed again.

    You guys are the best, thank you so much for your help!

    Mike
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can't answer your question as to why it got bogged down. But hopefully what we did remove has cleared your system. I can understand why you looked for alternatives when told to reformat the discs. Do let me know if you have any other issues.

    And you are most welcome. Safe surfing. :)
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So that it gets around malware that blocks programs like this from running! ;)
     
  12. cptnick

    cptnick Private E-2

    Tim, I was wondering, as an expert that I'm sure sees this stuff all the time, if you could give me your opinion as to the 'why' this happened. I am rather intrigued as to the events of the previous week. Let me give you the history in detail.

    On Friday around noon, I noticed that the server computer, which sits 10 feet from my desk, began playing music directly from the tower. I could see that nothing was running, but the screen saver was not on. Very puzzled and concerned I immediately went over to it, and ran Malwarebytes. I think from one of my previous posts you know what happened next. I spent 5 or 6 hours trying to fix the computer that day. There was no firewall turned on because the company that sold us the POS system has been regularly making changes to our menu remotely using LogMeIn software.

    The next day, at approximately 10am my laptop computer at home also came down with a rootkit virus. I was completely shocked by this. Nobody was using it, the screen saver was on, messages began popping up that the hard drive was compromised, blah blah blah, this particular one was called "windows vista recovery virus." After using the same tools I used on this server computer I was able to remove it, and now the laptop is back to normal.

    Is this simply a bizarre coincidence? Could it be there are cyberattacks going on in this area? I will also add that I use the same internet service provider, Time Warner Cable, at home as is used at work. My laptop at home runs Vista, the server computer here uses Windows 7. Also, Windows Firewall is active on my laptop at home.

    Yesterday, just before I removed that folder that you recommended deleting, I did notice that the .ini file inside the folder had a date and time stamp (file modified) of Friday, 6/3, at 12:39pm. That was right around the time that the problems started. Are rootkit viruses commonly used in cyberattacks? Your input is important, because if you feel it was a cyberattack, I think that it's my duty to warn the POS company that for any new clients (and current ones) they may get, to keep the firewall on at all times and if they need to remotely access their clients' computers they should ask them to turn it off first.

    thanks again,
    Mike
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Any time the firewall is disabled, malware can get into your system. Here is a general statement about getting infected:
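Post #12 describes the setting that let this happen: the Windows Firewall on the POS server was switched off entirely so the vendor could reach it with LogMeIn. The firewall does not have to be off for that; a program-scoped rule does the same job without exposing the whole machine. The PowerShell below is an added example, not part of the thread or of any vendor's instructions. It uses netsh advfirewall, which is built into Windows Vista/7/Server 2008 and later, assumes an elevated prompt, and the LogMeIn and POS-server paths are assumptions to be checked against the real installation. LogMeIn's host service connects outbound to LogMeIn's own servers, so an inbound rule for it is normally unnecessary; confirm with the vendor before adding one.

```powershell
# Added example (not from the thread). Elevated PowerShell on the Windows 7 POS server.
# netsh advfirewall exists on Vista / 7 / Server 2008 and later.

# --- The weak state described in post #12: firewall off, for everyone. Do NOT do this. ---
#   netsh advfirewall set allprofiles state off

# --- Corrected: firewall on in every profile, inbound blocked by default, outbound allowed ---
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# Log dropped inbound connections (off by default) so the next incident leaves a trail.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

# --- Remote support WITHOUT disabling the firewall ---
# ASSUMPTION: install location of the vendor's LogMeIn client; adjust to the real path.
$lmiHost = 'C:\Program Files (x86)\LogMeIn\x86\LogMeIn.exe'
if (Test-Path -LiteralPath $lmiHost) {
    # A program rule is scoped to one executable instead of opening a port to everything.
    # LogMeIn dials OUT to its service (outbound is already allowed above), so add this
    # inbound rule only if the vendor confirms it is needed.
    netsh advfirewall firewall add rule name="POS vendor remote support (LogMeIn)" dir=in action=allow program="$lmiHost" enable=yes profile=any
} else {
    Write-Warning "LogMeIn host not found at $lmiHost - check the install path before adding a rule"
}

# --- POS terminals: allow the server's POS service from the restaurant LAN only ---
# ASSUMPTION: the POS server executable; the thread does not name it or its port.
# remoteip=LocalSubnet lets a terminal on the LAN reach it while nothing on the internet
# can, even if the router were to forward ports to this machine.
$posService = 'C:\POS\Server\PosServer.exe'   # hypothetical path
if (Test-Path -LiteralPath $posService) {
    netsh advfirewall firewall add rule name="POS server (LAN only)" dir=in action=allow program="$posService" remoteip=LocalSubnet enable=yes profile=any
} else {
    Write-Warning "POS server not found at $posService - set the real path before adding a rule"
}

# --- Verify: every profile should report State ON and Firewall Policy BlockInbound,AllowOutbound ---
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^(Rule Name|Enabled|Direction|Program|RemoteIP):'
```

The point of the two program rules is that the vendor's remote-access path and the POS terminals' path are each allowed by name and, for the LAN service, by source address, so turning the firewall off is never needed for either. Running `netsh advfirewall show allprofiles` before the change documents the "off" state the poster found; running it after confirms the corrected one.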
     
