TechSpot

Some kind of rootkit

By Andeee
Jan 8, 2008
  1. Hi there. New user, been using the forum as a reference. Hope someone can help. I opened a dodgy file (stupid, I realise) which then removed my antivirus (AntiVir Personal Classic) and SBS&D from memory, deleted their .exe's and prevented me from reinstalling them. Also prevented me from booting into safe mode (BSOD). Display driver also self-destructed (although could be unrelated). Following advice, I performed the following actions (logs to follow).

    1. Safebootkeyrepair - logged & rebooted to SM
    2. SDFix - Logged & rebooted to normal mode
    3. ComboFix
    4. Catchme
    5. Dr. Web Cure It - FAILED (BSOD) - Attempted SM reboot - BSOD
    6. Safebootkey repair again
    7. Panda Anti-Rootkit - logged
    8. Dr Web Cure It - run passed, logged
    9. Catchme
    10. Panda Anti-Rootkit Intensive run.
    11. Hijackthis - logged

    Still no antivirus - still have to re-run SafeBootKeyRepair between SM boots, and Catchme is still finding hidden processes.

    OK, here are the logs in order of oldest to newest: - hmm, it appears some logs are missing...
     
  2. brutalhoe

    brutalhoe TS Rookie Posts: 45

    OK, here you go bud, I just went through the same ****, downloaded a "crack" and opened it before scanning it, how dumb, but anyway go here http://www.techspot.com/vb/topic58138.html and go step by step; that will take care of the worst part, trust me, it helped, 3rd time using it.
    And after you post your logs just wait till someone checks them; it might take some time, I waited 3 days, so stay cool and keep scanning lmao. Have a good one.
     
  3. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,026

    Can you post your HijackThis log please?
     
  4. momok

    momok TS Rookie Posts: 2,265

    Post your logs separately, not in a single document. Only HijackThis, ComboFix and AVG Antispyware are needed. Also, please let us know the results of the antirootkit scan from after you complete the instructions here -> http://www.techspot.com/vb/topic58138.html
     
  5. Andeee

    Andeee TS Rookie Topic Starter

    Running through the steps on the thread again now. Avast! has installed but all .exe's were deleted after reboot. Comodo opens a blank box with a next button at the bottom. Sunbelt will not even start the install process.

    Here is a copy of my last Hijackthis log as requested.
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Open Task Manager and end the following process:

    svchost_.exe

    Have HijackThis fix the following entries:

    O4 - HKUS\S-1-5-18\..\Run: [svchost_] C:\WINDOWS\svchost_.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [svchost_] C:\WINDOWS\svchost_.exe (User 'Default user')

    Close HJT.

    Navigate manually in Windows Explorer to the following file and delete it.
    C:\WINDOWS\svchost_.exe

    Please post ComboFix and AVG Antispyware logs in your next reply as well as a fresh HijackThis log.

    Regards,
    momok

    This thread is for the use of Andeee only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  7. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,026

    Looking at the HijackThis log there are a few nasties:
    there is no sign of a firewall running - maybe on your modem/router?
    O4 - HKUS\S-1-5-18\..\Run: [svchost_] C:\WINDOWS\svchost_.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [svchost_] C:\WINDOWS\svchost_.exe (User 'Default user')
    Otherwise nothing.
    Please move the HijackThis program to a new folder c:\program files\hijackthis and run it again as analysis.exe - if the results are the same you are OK.
     
  8. Andeee

    Andeee TS Rookie Topic Starter

    Hi. Sorry for the delay, I've been away from home.

    None of the anti-virus/spyware programs will install, same goes for firewalls. Either the install stops halfway through or the .exe's are deleted as soon as they are written to the drive (hence no AVG-AS log).

    Smitfraud and Vundo fix programs found nothing.

    Panda Anti-Rootkit found 3 unknown rootkits (log to follow)
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\wintems.exe
    SYSTEM\CurrentControlSet\Services\srosa

    Every reboot the machine hangs and has to have a hard reset, and then it boots normally. Still can't get into safe mode without using SafeBootKeyRepair.

    svchost_.exe has been removed. Thanks again for the help.
     
  9. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,026

    You need to remove this entry - reported to be a real nasty.
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
     
  10. momok

    momok TS Rookie Posts: 2,265

    He needs to do way more than just fixing that entry in HijackThis.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. Run the Panda Antirootkit program and fix all 3 of the entries you stated earlier.

    4. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

      Close HJT.

    5. Navigate to this folder and let me know what its contents are, and whether you created it. C:\Program Files\Catan GmbH

    6. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    7. Save this as CFScript on the desktop.
    8. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [image]
    9. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    10. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.

    Also, please let me know the results of the antirootkit fixing.


    Regards,
    momok =)

    This thread is for the use of Andeee only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
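Triage of the O4 entries quoted in posts 6, 7, 9 and 10 above, as an added example that is not part of the thread and not a HijackThis or TechSpot tool: a small Python script that parses HijackThis O4 autorun lines and flags the two patterns the helpers acted on, a lookalike name for a Windows system binary running outside system32 (svchost_.exe in C:\WINDOWS) and a Run value whose name advertises a different executable than the one it launches (german.exe pointing at wintems.exe). The sample input mixes three lines copied from the thread with two constructed, benign-looking entries; the list of system-binary names and the heuristics themselves are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: three O4 lines copied from the thread above plus
# two made-up benign entries so the filter has something to let through.
SAMPLE_O4_LINES = [
    r"O4 - HKUS\S-1-5-18\..\Run: [svchost_] C:\WINDOWS\svchost_.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [svchost_] C:\WINDOWS\svchost_.exe (User 'Default user')",
    r"O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [AcmeUpdater] C:\Program Files\Acme\updater.exe -background",
]

# Assumed list of system binaries that malware likes to imitate by name;
# all of these legitimately live in %SystemRoot%\system32.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "ctfmon"}

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class O4Entry:
    hive: str
    key: str
    value_name: str
    command: str
    user: Optional[str]
    exe_path: str
    reasons: List[str] = field(default_factory=list)


def first_executable(cmd: str) -> str:
    """Return the command up to and including the first '.exe', dropping arguments."""
    cmd = cmd.lstrip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def parse_o4(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    return O4Entry(hive=m.group("hive"), key=m.group("key"), value_name=m.group("name"),
                   command=cmd, user=m.group("user"), exe_path=first_executable(cmd))


def assess(entry: O4Entry) -> O4Entry:
    """Attach a reason string for each suspicious trait found on the entry."""
    path = entry.exe_path.lower()
    directory, _, filename = path.rpartition("\\")
    stem = filename[:-4] if filename.endswith(".exe") else filename
    normalized = re.sub(r"[^a-z]", "", stem)  # "svchost_" -> "svchost"

    # 1. The name is a system binary plus extra characters (svchost_.exe).
    if stem not in SYSTEM_NAMES and normalized in SYSTEM_NAMES:
        entry.reasons.append(f"lookalike of {normalized}.exe")
    # 2. A system-named binary that does not run from system32 (C:\WINDOWS\svchost_.exe).
    if normalized in SYSTEM_NAMES and not directory.endswith("\\system32"):
        entry.reasons.append("system-named binary outside system32")
    # 3. The Run value is named after one executable but launches another.
    vn = entry.value_name.lower()
    if vn.endswith(".exe") and vn != filename:
        entry.reasons.append(f"value name {entry.value_name} does not match {filename}")
    return entry


def triage(lines: List[str]) -> List[O4Entry]:
    """Parse every O4 line and return the assessed entries in input order."""
    return [assess(e) for e in map(parse_o4, lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        verdict = "; ".join(e.reasons) if e.reasons else "nothing unusual"
        print(f"{e.hive}\\..\\{e.key} [{e.value_name}] -> {e.exe_path}: {verdict}")
```

On the sample input the two svchost_ entries and the german.exe entry are flagged while ctfmon.exe and the constructed updater pass; a flagged entry is a reason to look at the file, not proof of infection, which is the same order of checks the helpers followed above (end the process, fix the entry, then delete the file).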
     
  11. Andeee

    Andeee TS Rookie Topic Starter

    Thanks again for all the help.

    System seems to be running fine now. Although Comodo will still not install, the system is running pretty slowly, as is the web. Panda didn't find any rootkits in safe mode, and although the problems in the AVG log are tagged as 'ignored', they have in fact been quarantined.

    Catan GmbH is a folder related to a German game which has been removed. I created the folder and it is empty.
     
  12. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your log looks fairly clean now other than AVG.

    Could you run the AVG antispyware scan once more via the instructions HERE? Note that you should save the report after applying all the "quarantine" actions after the scan. Post the latest log in your reply.

    Regards,
    momok =)
     
  13. Andeee

    Andeee TS Rookie Topic Starter

    Hey momok.

    Unfortunately, after cleaning up I attempted to install Windows updates, which seems to have destroyed the master boot record. Machine wouldn't boot, just went round and round resetting before it began loading Windows. Forced to save data, format and re-install.

    Thanks for all the help anyway.

    Andeee
     
  14. momok

    momok TS Rookie Posts: 2,265

    I'm sorry to hear that. Should you have any further malware related problems feel free to post back.

    This thread shall be closed until the original starter requires it to be reopened, in which case please PM a mod.
     