Jimi

CLOSED Possible Rootkit infection on Windows XP -- looking to remove


Hello,

I ran Emsisoft Anti-Malware earlier and had quarantined some stuff (I'll attach that initial log, which is named "a2scan_120705-212634.txt"), and then when it found a possible Rootkit infection, I went through all of the Emsisoft Emergency Kit steps, so I'll include those text files as well.

Separately, I have run Malwarebytes Anti-Malware and other stuff, and although they have found things too, it doesn't seem as though the underlying cause (possibly the Rootkit infection) has been removed.

Also worth noting, when I tried to run the browser-based (IE) Trojan scan (I think Emsisoft provides it) at "windowssecurity.com/trojanscan" it would always crap out and close the browser unexpectedly after a few minutes, but I managed to grab a screen shot which mentions that it found "Trojan.Win32.Tracur!IK" before it closed the browser one time. I will attach that screen shot (trojan_scan.jpg) as well, if this forum lets me. Btw, I was running the scan on the infected PC via a VPN connection at the time (so you'll see a desktop within a desktop), but I have also tried running the browser-based scan tool directly on the PC, also to no avail.

In addition to the attachments that you request from following the steps of the Emsisoft Emergency Kit, I will also include an attachment (text file) from a Malwarebytes Anti-Malware scan that I ran today, and I can also send some log files from other scans I have run recently. I think this PC got infected about two weeks ago or so, and we're not sure where/how.

Anyway, I would appreciate any insights that can help me solve this issue before I end up contacting one of my IT support guys, since I figured I would give it a shot first, having solved this kind of stuff in the past, even if with some help and pointers from experts and forums like you.

I will be happy to spread the good word about you guys if you're able to help me out, and appreciate any advice in any case.

I can be reached at email address removed to avoid spamming (yes, I'm a guitar head when I'm not geeking out on the computer, ha-ha)...

Thanks!


Hello Jimi and welcome to Emsisoft Support forums! :)

Let's take a look at your MBR. Please download Emsisoft MBR Master from this link (make sure to save it on your desktop), and follow the instructions below to get me an MBR dump and a log:

  1. Open the Emsisoft MBR Master file that you saved on your desktop (the default file name is mbrmastr).
  2. Click on the Backup MBR button in the lower-right corner.
  3. Save the backup of your MBR on your desktop (you can name it whatever you want).
  4. Close Emsisoft MBR Master, and a log file will be saved on your desktop.
  5. Please right-click on the MBR backup that you saved on your desktop, go to Send to, and select Compressed (zipped) folder in order to zip the file so that it can be attached to a reply. Note that you can use something such as 7-Zip, WinZip, WinRar, etc. if you would prefer.
  6. Please attach both the log and the zipped MBR backup to a reply by using the More Reply Options button to the lower-right of where you type in your reply.


Hi Elise,

OK, thanks for the reply. I am attaching the info you have requested. Please keep me posted on next steps.

Thanks!


It looks like there might be a hidden (malicious) partition here, so let's double-check that. :)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

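The MBR dump requested above and the hidden-partition suspicion that followed can be checked offline. The script below is an added example, not part of this thread or of any Emsisoft tool: it decodes a 512-byte MBR backup such as the one MBR Master saves, lists the four primary partition entries, and flags layouts that do not look like a normal Windows install (missing 55AA signature, an unfamiliar partition type, more or fewer than one active partition, or a tiny active partition parked at the very end of the disk). The disk size, the allow-list of partition types, the heuristics and the two sample dumps are my own constructed assumptions.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the 4 x 16-byte partition table follows the boot code
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE = b"\x55\xaa"
# Partition types one expects on a vendor-installed Windows XP disk (assumed allow-list; adjust to your fleet).
KNOWN_TYPES = {0x05, 0x07, 0x0B, 0x0C, 0x0F, 0x12, 0xDE}

def parse_mbr(mbr):
    """Decode the boot signature and the four primary partition entries of a raw MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a %d-byte MBR backup, got %d bytes" % (MBR_SIZE, len(mbr)))
    parts = []
    for slot in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * slot)
        parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                      "start": start, "sectors": count})
    return {"signature_ok": mbr[510:] == SIGNATURE, "partitions": parts}

def review_mbr(mbr, disk_sectors):
    """Return a list of findings worth a second look; an empty list means the layout looks ordinary."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: MBR damaged or overwritten")
    used = [p for p in info["partitions"] if p["type"] != 0]
    active = [p for p in used if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions (a normal Windows disk has exactly one)" % len(active))
    for p in used:
        if p["type"] not in KNOWN_TYPES:
            findings.append("slot %d: unfamiliar partition type 0x%02X" % (p["slot"], p["type"]))
        if p["start"] + p["sectors"] > disk_sectors:
            findings.append("slot %d: partition runs past the end of the disk" % p["slot"])
        # Windows setup does not create a tiny active partition in the last few sectors of a disk,
        # so such an entry deserves a manual look (heuristic, assumed for this example).
        if p["active"] and p["sectors"] < 2048 and p["start"] + p["sectors"] > disk_sectors - 2048:
            findings.append("slot %d: tiny active partition at end of disk (%d sectors)" % (p["slot"], p["sectors"]))
    return findings

def build_sample_mbr(entries):
    """Construct a 512-byte MBR from (status, type, start, count) tuples (test data, not a real dump)."""
    mbr = bytearray(MBR_SIZE)
    for slot, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * slot, *entry)
    mbr[510:] = SIGNATURE
    return bytes(mbr)

DISK_SECTORS = 156301488                      # constructed: 80 GB disk with 512-byte sectors
CLEAN_MBR = build_sample_mbr([(0x80, 0x07, 63, DISK_SECTORS - 1063)])      # one active NTFS partition
HIDDEN_MBR = build_sample_mbr([(0x00, 0x07, 63, DISK_SECTORS - 1063),      # NTFS no longer active ...
                               (0x80, 0x1C, DISK_SECTORS - 900, 880)])     # ... tiny active slot at disk end
```

To check a real backup, read the file with `open(path, "rb").read()` and pass it to `review_mbr` together with the disk's actual sector count (from Disk Management or the drive label), since the script cannot learn the disk size from the 512-byte dump alone.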

OK, I followed those instructions and it looks like a "Rootkit.Boot.Pihar.c" was found and cured, and some other files were quarantined.

The log file is attached. Interestingly, it looks like there was a similar log file (from the same program) from October 2011 on the C drive, so one of my colleagues must have had to disinfect the same (or similar) thing back in October.

Anyway, hopefully this has been fixed. Let me know if there's any other steps I need to take.

Thanks!


That did the trick! However, this was a nasty rootkit, please read also the following information:

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

It's unlikely this same infection was present last year; this is a newer variant. However, TDSSKiller is a commonly used tool when it comes to rootkits, so it's quite likely it was used to scan for or disinfect a similar rootkit.

Let's also make sure nothing else has been hiding here.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


OK, I ran Combofix and the logfile is attached. I will touch base with our IT guy and we'll look into re-installing the OS, etc. I was hoping to avoid that, but if it needs to be done, we'll do it. We do use this computer for our on-line banking and other sensitive stuff, so I guess we'll need to look into changing those passwords as needed. We have our accounting software (Quickbooks) on it as well, although the data is on our network.

Let me know if any further items for attention based on the Combofix log.

Thanks!


I see a few AVG remnants here, please download and run AVG remover to get rid of them: http://www.bleepingcomputer.com/download/avg-remover-2012/dl/38/

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u4.
  • Look for "JDK 7u4 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please run a Deep Scan with EAM (be sure to update first) and post me the resulting log.

Do you have any problem left at this point?


So, are you saying I should remove AVG completely? I'm asking because I think it was the main anti-virus program that we have running on this system.

If we remove AVG, what should we be using in its place? I will have to discuss this with our IT consultant first before we remove AVG completely, if that's what you are proposing.

I'll update the Acrobat and Java now.

I will run the EAM deep scan once I hear back from you.

Thanks.


From your logs it looks like you have Emsisoft Anti-Malware (which is AV with realtime protection in the registered version as you have it), F-Prot and AVG. That really is too much and will have a serious impact on system stability and performance.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

While EAM works as AV, it usually works well together with other "classic" AV applications. However, the same cannot be said of all AVs, as also explained above. Of course, as this seems to be a corporate computer, it's always best to discuss it with the IT department as well.

I'll wait for the EAM deep scan results (if you have any large storage drives, run a quick scan instead, otherwise the scan time may be quite long).


I just ran the quick Scan with EAM (we just have the 30 day trial right now) since we do have some large-ish drives on this PC.

Our F-prot is also a free version, as is AVG. I guess I will need to discuss with our IT guy as to which we should keep, and I'll certainly put in a good word for EAM, as I appreciate your assistance today.

Attached is the log file from the Quick scan -- looks to be clean. I can run the deep scan overnight, if that is advised.

Acrobat reader and Java have been updated.

Anything else at this point?

Thanks!


That looks excellent! :)

It's good to keep in mind though that free AVs (as well as other programs) often are only intended for home use. It's good to read the individual End-User License Agreements to see if you're allowed to use a program on a work computer as well. If you have additional questions about this, please let me know.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Press the Windows logo key + R on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.
    • This will remove Combofix and other tools we used from your computer.
  • You can delete any other tool or log by simply deleting them.

Please read the following advice on how to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.

  2. Keep Windows (and your other Microsoft software) up to date!
     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
     Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well
     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!
     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
