Rootkit Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by them, Feb 11, 2011.

  1. them

    them Private E-2

    The other day AVG's daily scan picked up 25 items labeled as rootkits. It wasn't able to delete them, so I ran through the steps in the read & run me first guide. I wasn't able to download mgtools for some reason, so I couldn't run that part. The link to it appears to be broken.

    I've attached the logs, and after running another rootkit scan with AVG, it now shows 99 items under rootkits (I just reinstalled it after ComboFix was finished). I realize that I'm probably going to have to format the hard drive, but I wanted to at least try fixing it to avoid having to reinstall everything. If there's no point in trying to clean it, tell me and I'll just reformat it. I'd rather not waste your time with this unless it might get rid of the infection.

    Thank you for your time

    Zach
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you have installed from Comodo?

    Uninstall AVG and leave it uninstall until 100% finished with any cleaning that may be necessary. Then reboot your PC. After reboot, download and run MGtools and attach the C:\MGlogs.zip file from MGtools.
     
  3. them

    them Private E-2

    I am using the firewall, and defense+ which I believe is part of the firewall.

    I uninstalled avg again, I reinstalled it because I didn't want the computer to be vulnerable to infections... although it's already compromised so I guess that actually doesn't make any sense.

    The link to download MGtools still does not work for me, I get a page (http://forums.majorgeeks.com/chaslang/files/MGtools.exe) that says this:

    The page cannot be found

    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable

    * If you are unable to load any pages, check your computer's network connection.

    * Check the address for typing errors

    * If you are unable to load any pages, check your computer's network connection.

    * If your computer or network is protected by a firewall or proxy, make sure web browser is permitted to access the Web.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That link is perfectly fine. Try shutting down your firewall and try again. Comodo may be blocking you from downloading it.
     
  5. them

    them Private E-2

    I disabled Comodo, but the link still sends me to the same page.

    I can get a blank page by typing "http://forums.majorgeeks.com/chaslang/files/"

    If I capitalize the T and remove the .exe I get a download, but it's a zip file and there's no MGtools.exe: "http://forums.majorgeeks.com/chaslang/files/MGTools"

    Anything else, such as "http://forums.majorgeeks.com/chaslang/files/MGTools.exe" gives me this page:
    http://img193.imageshack.us/img193/3172/error1uq.jpg


    The original link still comes up with this:
    http://img842.imageshack.us/img842/2389/error2ev.jpg

    Should I just reformat and forget about trying to clean this?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using Internet Explorer instead of Firefox.

    Also note that it is not MGTools nor MGTools.exe. It is case sensitive and is MGtools.exe. Just use the link in the READ & RUN ME or the below:

    MGtools

    If that does not work, it may be your college network blocking the download.
     
  7. them

    them Private E-2

    You're right, my college's network appears to have been the issue. Downloaded and ran MGtools fine from off-campus, so here are the logs. Thank you for being so patient :)
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing of concern in any of your logs. Where was AVG telling you there was a problem? Was it in a System Volume Information folder which is System Restore?

    You should uninstall SpywareGuard as it is not really that useful anymore since it is way out of date. In addition, you have Windows Defender already included as part of Windows 7.

    What is the purpose of the below from BestBuy?
    O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')
     
  9. them

    them Private E-2

    The bestbuy entry would probably be something leftover from a bestbuy app that came pre-installed. I got rid of it after I got the laptop, I guess that's leftover from the uninstaller.

    I don't think the problem was in System Volume Information or System Restore, it said the objects were hidden. Here are the entries from the scan (it won't let me upload the log's file type to the forum):

    Rootkits
    ;"File";"Infection";"Result"
    ;"<unknown>";"Inline hook kernel32.dll VirtualProtect+0x8 -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll MoveFileExW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CopyFileW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CreateProcessAsUserW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll DeleteFileW+0x8 -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll LoadLibraryExA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll DeleteFileA+0x8 -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CreateFileW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CopyFileExW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll LoadLibraryExW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CreateProcessW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll LoadLibraryW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll GetModuleHandleA+0x8 -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll LoadLibraryA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CreateFileA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll GetProcAddress+0x8 -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll GetModuleHandleW+0x8 -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll OpenFile -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll MoveFileWithProgressW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll MoveFileW -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll MoveFileWithProgressA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll MoveFileExA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll MoveFileA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CopyFileExA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CopyFileA -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll CreateProcessA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll LoadModule -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook kernel32.dll WinExec -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll RegisterRawInputDevices -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SystemParametersInfoA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SetParent -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll PostMessageA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll EnableWindow -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll MoveWindow -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll GetAsyncKeyState -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll RegisterHotKey -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll PostThreadMessageA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendMessageA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendNotifyMessageW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SystemParametersInfoW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SetWindowsHookExW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll PostThreadMessageW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SetWinEventHook -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll GetKeyState -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendMessageCallbackW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendMessageTimeoutW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll PostMessageW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendMessageW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendDlgItemMessageW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll GetClipboardData -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SetClipboardViewer -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendNotifyMessageA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll mouse_event -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll GetKeyboardState -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendMessageTimeoutA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SetWindowsHookExA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendInput -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll BlockInput -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll ExitWindowsEx -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll EndTask -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll keybd_event -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendDlgItemMessageA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook user32.dll SendMessageCallbackA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll LdrLoadDll -> 0x180034480";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwAllocateVirtualMemory -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwSetInformationProcess -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwOpenFile -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwOpenSection -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwWriteVirtualMemory -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwAdjustPrivilegesToken -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateSection -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateProcessEx -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateThread -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwTerminateThread -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateFile -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwAlpcConnectPort -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwConnectPort -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateProcess -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateSymbolicLinkObject -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwCreateThreadEx -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwDeleteFile -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwLoadDriver -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwMakeTemporaryObject -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwSetSystemInformation -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwShutdownSystem -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwSystemDebugControl -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll ZwUnloadDriver -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook ntdll.dll LdrGetProcedureAddress -> 0x180036820";"Object is hidden"
    ;"<unknown>";"Inline hook sechost.dll OpenServiceW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook sechost.dll OpenServiceA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook sechost.dll CreateServiceA -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook sechost.dll CreateServiceW -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook gdi32.dll BitBlt -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook gdi32.dll MaskBlt -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook gdi32.dll CreateDCW -> 0x180036080";"Object is hidden"
    ;"<unknown>";"Inline hook gdi32.dll CreateDCA -> 0x180036170";"Object is hidden"
    ;"<unknown>";"Inline hook gdi32.dll StretchBlt -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook gdi32.dll PlgBlt -> 0x18000BDD0";"Object is hidden"
    ;"<unknown>";"Inline hook advapi32.dll CreateProcessAsUserA -> 0x18000BDD0";"Object is hidden"
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you can do the below to remove the rest of it.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - .DEFAULT User Startup: Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (User 'Default user')

    After clicking Fix, exit HJT.


    There are always hidden objects on a PC. It does not mean they are rootkits. However let's run a couple of additional scans to be sure nothing has hooked into these files.

    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSKiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    Now run this GMER - running with a random name and attach the GMER log.
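    A triage helper for the AVG "Rootkits" rows quoted in the post above. This is an added example, not code from the thread or from AVG, and the embedded rows are a constructed excerpt of those entries. It parses each "Inline hook" row, groups the hooks by module and by trampoline target address, and applies my own heuristic (not a rule from the thread): when every target falls inside one small address window, the hooks most likely belong to a single loaded module that should be identified before the entries are treated as malicious.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed excerpt of the semicolon-delimited AVG output quoted in the thread.
SAMPLE_LOG = """\
;"File";"Infection";"Result"
;"<unknown>";"Inline hook kernel32.dll VirtualProtect+0x8 -> 0x180036820";"Object is hidden"
;"<unknown>";"Inline hook kernel32.dll CreateProcessW -> 0x18000BDD0";"Object is hidden"
;"<unknown>";"Inline hook user32.dll GetAsyncKeyState -> 0x18000BDD0";"Object is hidden"
;"<unknown>";"Inline hook ntdll.dll LdrLoadDll -> 0x180034480";"Object is hidden"
;"<unknown>";"Inline hook ntdll.dll ZwCreateFile -> 0x18000BDD0";"Object is hidden"
;"<unknown>";"Inline hook gdi32.dll CreateDCW -> 0x180036080";"Object is hidden"
"""

# "Inline hook <module> <function>[+0x<offset>] -> 0x<target>"
HOOK_RE = re.compile(
    r"Inline hook (?P<module>\S+) (?P<func>[A-Za-z0-9_]+)"
    r"(?:\+0x(?P<offset>[0-9A-Fa-f]+))? -> 0x(?P<target>[0-9A-Fa-f]+)"
)

def parse_hooks(text):
    """Return one dict per 'Inline hook' row; header and unparsable rows are skipped."""
    hooks = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 4 or row[1] == "File":
            continue
        m = HOOK_RE.search(row[2])
        if not m:
            continue
        hooks.append({
            "module": m.group("module").lower(),
            "func": m.group("func"),
            "offset": int(m.group("offset") or "0", 16),
            "target": int(m.group("target"), 16),
            "result": row[3],
        })
    return hooks

def summarize(hooks):
    """Count hooks per trampoline target and list hooked functions per module."""
    by_target = Counter(h["target"] for h in hooks)
    by_module = defaultdict(set)
    for h in hooks:
        by_module[h["module"]].add(h["func"])
    targets = sorted(by_target)
    return {
        "count": len(hooks),
        "by_target": dict(by_target),
        "by_module": {m: sorted(f) for m, f in by_module.items()},
        # Distance between the lowest and highest trampoline target.
        "target_span": (targets[-1] - targets[0]) if targets else 0,
    }

def single_image_suspected(hooks, window=0x100000):
    """Heuristic (my own): all targets within `window` bytes suggests one hooking module."""
    return bool(hooks) and summarize(hooks)["target_span"] < window
```

    If the targets do cluster like this, find out which module owns that address range (a process/module listing from a rootkit scanner or debugger) before concluding anything; host security suites routinely install user-mode hooks on exactly these process, file and input APIs.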
     
  11. them

    them Private E-2

    Alright, I fixed the best buy entry and ran both of the scans. They came up as clean, so here are the logs. Does this mean AVG had a false positive?

    Actually I can't include the GMER log, I guess that's because it's empty. I clicked save after the scan, should it have included anything in the log file?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it specifically stated you had a rootkit infection then yes.

    It should not be empty. Something is always in the log.
     
  13. them

    them Private E-2

    I ran GMER again and it still saved an empty log. I'm not sure what I'm doing wrong: I started it up, waited for it to finish checking whatever it checks when it starts running, clicked scan, let the scan run, came back after it finished and clicked ok to the message, and then saved the log to my desktop.

    Anyway, thanks so much for your help! I'm very relieved that I didn't have to re-format the hard drive.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Very strange as it always shows something most of which is normal. Did your options appear to be set like below when you started it?

    g1.jpg


    Just for the heck of it, let's try another tool but I don't think you have an infection.
    • Please Download Rootkit Unhooker Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report somewhere where you can find it. Click Close.
    • Attach the report to your next message.
     
  15. them

    them Private E-2

    When I ran GMER, everything above services was unchecked and grayed out so they couldn't be checked.

    I also tried to connect to the rootkit.com site, but the connection couldn't be established. I'm back on my campus at the moment so it may be getting blocked. I also wonder if it might be blocked by Spybot S&D or Spyware Guard, I think one has a list of restricted sites.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the copy you have, and download it again and try to run in safe mode and see if the options are still grayed out.

    Possibly since it is an EXE file. Try getting it while off campus.

    You were supposed to uninstall Spyware Guard ( see my previous instructions ). No, Spybot will not block it and I doubt that Spyware Guard would even if it was still running.


    Thus far we really have not found any problems on your PC. Just problems due to what your school and the software you are running are blocking. It really is not looking like you have any malware problems.
     
  17. them

    them Private E-2

    No luck, they're still grayed out. UAC was disabled as well.

    I'll do that asap.

    Sorry, I meant SpywareBlaster, I sometimes confuse the two of them. I uninstalled spyware guard when you told me it was outdated.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using Run As Administrator when you run GMER?
     
