Potential Rootkit/internet quarantine

========== FILES ==========
c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js.BAK moved successfully.
c:\documents and settings\paul\application data\mozilla\firefox\profiles\sk8ba9yj.default\user.js moved successfully.
c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js moved successfully.

OTM by OldTimer - Version 3.1.16.1 log created on 09162010_065355
 
Hi HeadlessChief

How's the computer running now... still "problems"? If so, what kinds of problems?

Thanks peku006
 
It runs really slowly sometimes. Honestly, its performance is sporadic. We really didn't know how bad of a problem we had until it started sending out spam E-mails to people. (Including us.) So I really can't say one way or another if there is much of a difference in how it is running. Sorry.:sad:

What do I do about all of the "stuff" the long scan from yesterday found?
 
Hi

You mean those in the System Volume Information?....... We will take care of them later......

Which program sends out the "spam", and what kind of emails are they?
 
Hi HeadlessChief

Perhaps your account has been compromised and has been used as a (spoofed) sender. Have you changed your password and your security questions?

Create a new, clean System Restore point

  • Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >> System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Maxlook (XP)
Please download maxlook.exe ... by Noahdfear. Save it to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
  1. Restart your computer.
  2. Before Windows loads, you will be prompted to choose which Operating System to start.
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
  5. At the C:\Windows prompt, type the following:
    batch look.bat (note the spaces) Press 'Enter'.

    You will see 1 file copied many times then return to the x:\windows> prompt.
  6. Type Exit to restart your computer then log on in normal mode.
  7. Click Start >> Run and then type the following in the run box:
    maxlook -sig (note the space before the - sign)
  8. Press OK... a file will be created on your desktop named looklog.txt.
  9. Please post the contents of looklog.txt in your next reply.

Thanks peku006
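The maxlook step above is a cross-view check: look.bat copies the drivers from the Recovery Console, where the installed Windows (and any kernel rootkit that loads with it) is not running, and maxlook -sig then lists both the offline copy in c:\windows\maxdrive and the live c:\windows\system32\drivers, so a file that a rootkit hides or patches at runtime shows up as a difference between the two views. The script below is an added example illustrating that comparison; it is not part of the thread and not maxlook's own code. It hashes every file in two directories and reports files that are missing from the live view or differ in content. The directory names and the sample files its demo function builds are assumptions.

```python
"""Cross-view comparison of a driver directory (added example, not from the thread).

An offline copy of the drivers (made while the suspect Windows is not running)
is compared with the live directory.  A file present offline but absent from
the live listing has been hidden from the Windows API; a file whose bytes differ
has been patched or is served different content at runtime.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map relative path (lower-cased, NTFS is case-insensitive) -> sha256 or error tag."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).lower()
            try:
                result[rel] = sha256_of(p)
            except OSError as e:
                # A file that cannot be read in the live view is itself a finding.
                result[rel] = f"UNREADABLE:{e.__class__.__name__}"
    return result


def cross_view_diff(offline_dir, live_dir) -> dict:
    offline = hash_tree(Path(offline_dir))
    live = hash_tree(Path(live_dir))
    hidden = sorted(set(offline) - set(live))
    differing = sorted(rel for rel in set(offline) & set(live) if offline[rel] != live[rel])
    only_live = sorted(set(live) - set(offline))
    return {"hidden_from_live": hidden, "content_differs": differing, "only_in_live": only_live}


def report(diff: dict) -> str:
    lines = []
    for key, items in diff.items():
        lines.append(f"{key}: {len(items)}")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


def demo_on_temp_dirs() -> dict:
    """Constructed sample (assumption, not real drivers): three files offline,
    one of them hidden from the live view and one patched there."""
    base = Path(tempfile.mkdtemp(prefix="crossview_"))
    off, live = base / "offline", base / "live"
    off.mkdir()
    live.mkdir()
    (off / "pxhelp20.sys").write_bytes(b"PX" * 100)
    (live / "PXHELP20.SYS").write_bytes(b"PX" * 100)            # identical, only case differs
    (off / "cdr4_xp.sys").write_bytes(b"CDR4" * 50)
    (live / "cdr4_xp.sys").write_bytes(b"CDR4" * 49 + b"XXXX")  # same size, patched bytes
    (off / "evil.sys").write_bytes(b"MZ" + b"\x00" * 30)         # not visible in the live view
    return cross_view_diff(off, live)


if __name__ == "__main__":
    # On the real machine the two views would be (paths are assumptions):
    #   cross_view_diff(r"C:\WINDOWS\maxdrive", r"C:\WINDOWS\system32\drivers")
    print(report(demo_on_temp_dirs()))
```

A cross-view diff only catches what the offline copy captured; a driver that was not in system32\drivers at copy time is outside its scope, so the unsigned-file listings stay useful alongside it.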
 
Hello!

I executed the directions to the best of my ability - I installed maxlook, and when I got to the Windows Recovery Console, and typed "batch look.bat", it did say 1 file(s) copied over and over, but then stopped running. I let the PC sit for approximately 15 minutes, and nothing was happening. It never came back to a system prompt. I powered the computer down, and retried, with the same result...never getting back to a system prompt.

I powered down again, and booted to windows this time, and ran the log...here you go. Please let me know if I did something wrong! Thank you for your time! :)

Code:
Run from C:\Documents and Settings\Brooke and Nick\Desktop\maxlook.exe on Fri 09/17/2010 at 13:43:11.04

--------- maxlook unsigned files ---------

c:\windows\maxdrive\cdr4_xp.sys:
	Verified:	Unsigned
	File date:	10:42 PM 10/4/2006
	Publisher:	Sonic Solutions
	Description:	CDR4 CD and DVD Place Holder Driver (see PxHelp)
	Product:	Drag-to-Disc
	Version:	8.0.0.212 
	File version:	8.0.0.212 
c:\windows\maxdrive\cercsr6.sys:
	Verified:	Unsigned
	File date:	5:14 PM 12/13/2004
	Publisher:	Adaptec, Inc.
	Description:	DELL CERC SATA1.5/6ch Miniport Driver
	Product:	Dell RAID Controller
	Version:	4.1.0.7405
	File version:	4.1.0.7405
c:\windows\maxdrive\goprot51.sys:
	Verified:	Unsigned
	File date:	6:20 PM 4/15/2007
	Publisher:	Gteko Ltd.
	Description:	Gteko's GoProto protocol driver
	Product:	Gteko Diagnostics Network Module
	Version:	2, 1, 0, 21
	File version:	2, 1, 0, 21
c:\windows\maxdrive\mhndrv.sys:
	Verified:	Unsigned
	File date:	7:45 AM 8/10/2004
	Publisher:	Microsoft Corporation
	Description:	Microsoft Multimedia Home Network (MHN) Support Driver
	Product:	Microsoft® Windows® Operating System
	Version:	5.1.2600.2180
	File version:	5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\maxdrive\pxhelp20.sys:
	Verified:	Unsigned
	File date:	3:00 AM 10/18/2006
	Publisher:	Sonic Solutions
	Description:	Px Engine Device Driver for Windows 2000/XP
	Product:	PxHelp20
	Version:	n/a
	File version:	3.00.43J
c:\windows\maxdrive\pxhelper.sys:
	Verified:	Unsigned
	File date:	3:00 AM 10/18/2006
	Publisher:	Sonic Solutions
	Description:	PX Engine Device Driver for Windows NT
	Product:	PxHelper
	Version:	n/a
	File version:	3.00.43J

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\cdr4_xp.sys:
	Verified:	Unsigned
	File date:	10:42 PM 10/4/2006
	Publisher:	Sonic Solutions
	Description:	CDR4 CD and DVD Place Holder Driver (see PxHelp)
	Product:	Drag-to-Disc
	Version:	8.0.0.212 
	File version:	8.0.0.212 
c:\windows\system32\drivers\cercsr6.sys:
	Verified:	Unsigned
	File date:	5:14 PM 12/13/2004
	Publisher:	Adaptec, Inc.
	Description:	DELL CERC SATA1.5/6ch Miniport Driver
	Product:	Dell RAID Controller
	Version:	4.1.0.7405
	File version:	4.1.0.7405
c:\windows\system32\drivers\goprot51.sys:
	Verified:	Unsigned
	File date:	6:20 PM 4/15/2007
	Publisher:	Gteko Ltd.
	Description:	Gteko's GoProto protocol driver
	Product:	Gteko Diagnostics Network Module
	Version:	2, 1, 0, 21
	File version:	2, 1, 0, 21
c:\windows\system32\drivers\mhndrv.sys:
	Verified:	Unsigned
	File date:	7:45 AM 8/10/2004
	Publisher:	Microsoft Corporation
	Description:	Microsoft Multimedia Home Network (MHN) Support Driver
	Product:	Microsoft® Windows® Operating System
	Version:	5.1.2600.2180
	File version:	5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\system32\drivers\pxhelp20.sys:
	Verified:	Unsigned
	File date:	3:00 AM 10/18/2006
	Publisher:	Sonic Solutions
	Description:	Px Engine Device Driver for Windows 2000/XP
	Product:	PxHelp20
	Version:	n/a
	File version:	3.00.43J
c:\windows\system32\drivers\pxhelper.sys:
	Verified:	Unsigned
	File date:	3:00 AM 10/18/2006
	Publisher:	Sonic Solutions
	Description:	PX Engine Device Driver for Windows NT
	Product:	PxHelper
	Version:	n/a
	File version:	3.00.43J
 
Hi HeadlessChief

You did everything right....... but it still did not find anything suspicious.

MBR Rootkit Detector:

Please download MBR Rootkit Detector by GMER and save it to your desktop.

  • Double click on the MBR.exe file to run it.
  • A window will open briefly then close.
  • A log will be produced & saved to the desktop, called MBR.log.
  • Please post the contents of that log in your next reply.

Thanks peku006
 
Hi HeadlessChief

I do not see anything suspicious........ but we have many tools :D:
Download and Run Blacklight

  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    Code:
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic

Thanks peku006
 
09/18/10 11:21:48 [Info]: BlackLight Engine 2.2.1092 initialized
09/18/10 11:21:48 [Info]: OS: 5.1 build 2600 (Service Pack 3)
09/18/10 11:21:49 [Note]: 7019 4
09/18/10 11:21:49 [Note]: 7005 0
09/18/10 11:22:01 [Note]: 7006 0
09/18/10 11:22:01 [Note]: 7022 0
09/18/10 11:22:01 [Note]: 7011 1260
09/18/10 11:22:01 [Note]: 7035 0
09/18/10 11:22:01 [Note]: 7026 0
09/18/10 11:22:01 [Note]: 7026 0
09/18/10 11:22:01 [Note]: FSRAW library version 1.7.1024
 
Hi HeadlessChief

nothing........

RootRepeal - Rootkit Detector

  • Download RootRepeal from the following location and save it to your desktop.
  • Unzip it to your Desktop
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • Check the box for your main system drive (Usually C:), and Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Thanks peku006
 
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/18 20:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!





ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/18 20:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA84E4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D97000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5E8F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==
 
Hi HeadlessChief

all the logs look good.....

Can you see e-mails in your Sent folder that you did not send?

Have you changed your password and your security questions on your Yahoo account?

Check your account information to see if anything was changed.
 
It is not an active E-mail account. I don't even have access to it anymore. I haven't used it in 2 years. It just sent more spam two days ago.

It's not just that though, Brighthouse banned my account for sending some internal spam from an E-mail account that I didn't set up or have access to. They suggested we had a possible rootkit, & suggested cleaning our system. We have been trying to for months now, but it never seems to go away.

We will constantly have things come up on scans, clean them, & have them come back a few weeks later.
 
Hi HeadlessChief

OK.... but it is "strange" that the "rootkit" does not appear in any "rootkit scanner" logs.

We need to start from the beginning..........:D:

Download GMER Rootkit Scanner from here & save it to your desktop.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Do not run any programs while Gmer is running.

NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
  • Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
  • Double click the gmer.exe file
  • The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
  • After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply
To post in next reply:

Contents of Gmer log

Thanks peku006
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-22 19:10:07
Windows 5.1.2600 Service Pack 3
Running: g5uzq9ry.exe; Driver: C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp\uwtdqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9B1B000, 0x1BDE76, 0xE8000020]

---- EOF - GMER 1.0.15 ---
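The single GMER finding in the log above is a section-flag check: the three bracketed values read as the .text section's address in kernel memory, its size, and the Characteristics field of its PE section header. 0xE8000020 decodes to CNT_CODE | MEM_NOT_PAGED | MEM_EXECUTE | MEM_READ | MEM_WRITE, that is, a code section that is also writeable. GMER reports it because an in-memory hook needs writable code, but some vendors ship drivers built that way, which is why the instructions warn about false positives. The Python below is an added example, not from the thread and not GMER's own code: it walks a PE section table and flags writeable code sections. The image it parses is a constructed, header-only PE whose .text flags are copied from the log line; the other sections are made up, and none of it is the real ati2mtag.sys.

```python
"""Decode PE section Characteristics and flag writeable code sections.
Added example; not from the thread and not GMER's own implementation."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = [
    (IMAGE_SCN_CNT_CODE, "CNT_CODE"),
    (IMAGE_SCN_MEM_NOT_PAGED, "MEM_NOT_PAGED"),
    (IMAGE_SCN_MEM_EXECUTE, "MEM_EXECUTE"),
    (IMAGE_SCN_MEM_READ, "MEM_READ"),
    (IMAGE_SCN_MEM_WRITE, "MEM_WRITE"),
]


def decode_characteristics(value: int) -> list:
    return [name for bit, name in FLAG_NAMES if value & bit]


def is_writeable_code(value: int) -> bool:
    """The condition behind GMER's 'section is writeable' line: code that is also writeable."""
    executable = value & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    return bool(executable) and bool(value & IMAGE_SCN_MEM_WRITE)


def parse_sections(image: bytes) -> list:
    """Return [(name, virtual_address, virtual_size, characteristics)] for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    size_of_optional, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_of_optional                  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                              # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        characteristics, = struct.unpack_from("<I", image, off + 36)
        sections.append((name, vaddr, vsize, characteristics))
    return sections


def find_writeable_code_sections(image: bytes) -> list:
    return [s for s in parse_sections(image) if is_writeable_code(s[3])]


def build_minimal_pe(sections) -> bytes:
    """Construct a header-only PE32 image (no code bytes) so the parser can be exercised."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0  # PE32 optional header size; its contents do not matter for the walk
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b""
    for name, vaddr, vsize, ch in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, 0, 0, 0, 0, 0, 0, ch)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample: the .text flags 0xE8000020 are taken from the thread's GMER
# line; the remaining sections and all addresses are made up.
SAMPLE_IMAGE = build_minimal_pe([
    (b".text", 0x1000, 0x1BDE76, 0xE8000020),
    (b".data", 0x1BF000, 0x2000, 0xC8000040),   # INITIALIZED_DATA|NOT_PAGED|READ|WRITE
    (b"PAGE", 0x1C1000, 0x8000, 0x60000020),    # CODE|EXECUTE|READ (normal pageable code)
])

if __name__ == "__main__":
    for name, vaddr, vsize, ch in parse_sections(SAMPLE_IMAGE):
        flag = "  <-- writeable code" if is_writeable_code(ch) else ""
        print(f"{name:8} {vaddr:#010x} {vsize:#08x} {ch:#010x} {decode_characteristics(ch)}{flag}")
```

The flags come from the on-disk header, which is exactly what makes the finding ambiguous: a driver built with a writeable .text looks the same whether or not anything has patched it in memory, so the check is a lead to verify against a known-good copy of the file, not a verdict.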
 
Hi HeadlessChief

It is not an active E-mail account. I don't even have access to it anymore. I haven't used it in 2 years.
How is it possible that it is your Yahoo account if you do not have access to it anymore? Have you contacted Yahoo?
It just sent more spam two days ago
Can I get a copy
They suggested we had a possible rootkit, & suggested cleaning our system
How did they check your computer? Or was it only spam from your Yahoo account?
You had an Antimalware Doctor infection, but ComboFix removed it, and it does not cause "spam".
We will constantly have things come up on scans, clean them, & have them come back a few weeks later.
What kind of "things"...... can you give some more explanation?

Thanks peku006
 
I tried accessing the account, and was locked out for 12 hours because I don't remember all of the security information - I haven't used this email account in about 6 years.

Here is a copy and paste of the second spam email that was sent out - the first was exactly the same. If you need me to forward you the exact email, let me know. :)

from Nick Pratt <fourspeed327@yahoo.com>
to andy.mcarthur@comcast.net,
benjohnston8@yahoo.com,
bjt_cmsu@hotmail.com,
adorabrooke@yahoo.com,
bhaber@shadesofgreen.org,
brooke.haber@gmail.com
date Sun, Sep 19, 2010 at 9:37 PM
mailed-by yahoo.com
signed-by yahoo.com

hide details Sep 19 (4 days ago)

http://change-fast.net/index.php


Brighthouse quarantined our internet access, and when I called them, they said it was because we had a rootkit that was sending out spam, and sent me to a site that had some of their cleanup tools/procedures. We cleaned sufficiently that they would reactivate my internet, but, obviously, we are still sending out spam emails.

I'm a rookie when it comes to these types of things, so I didn't write them down when it happened, but the system volume information keeps popping up (I know you said we'd deal with that later.) For a long time, things were being found in an old folder from the Sims 2 game - I have deleted the folders and files, as it is a game I no longer play. There was a lot of stuff that got found in the win32 directory. There seems to be an endless supply of things that get found - sorry I can't give more details. I will attempt to document more thoroughly as we move forward, but for the time being, I really need my hand held.

Thank you so much for all of your help and support - I really appreciate it! :)
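The header summary pasted above is Gmail's rendering of the message's authentication results: "mailed-by yahoo.com" is the domain that passed SPF for the envelope sender, and "signed-by yahoo.com" is the DKIM signing domain. A message carrying a valid yahoo.com DKIM signature was handed to yahoo.com's own servers by someone holding the account's credentials (the owner, a bot on the PC using a saved password, or an attacker elsewhere) rather than forged at the SMTP level by a third party, which would normally show spf=fail and no signature. The script below is an added example, not from the thread, that parses an Authentication-Results header (RFC 8601) and the From: line and classifies the origin. Its two raw-header samples are constructed with placeholder addresses to produce the two renderings; they are not the real message.

```python
"""Classify whether a suspected spoofed e-mail really left the From: domain's provider.
Added example, not part of the thread.  Both header samples are CONSTRUCTED; the
addresses are placeholders, not the ones in the thread."""
import email
import re
from email import policy

# Constructed: headers of the kind that make Gmail show "mailed-by yahoo.com"
# (spf=pass) and "signed-by yahoo.com" (dkim=pass, header.i=@yahoo.com).
SIGNED_BY_PROVIDER = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s1024;
       spf=pass smtp.mailfrom=sender@yahoo.com
From: Sender <sender@yahoo.com>
To: recipient@example.com
Subject: (no subject)

http://example.invalid/index.php
"""

# Constructed counter-example: a third party forging the From: address and
# sending directly, so the provider never saw or signed the message.
SPOOFED_BY_THIRD_PARTY = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail smtp.mailfrom=sender@yahoo.com
From: Sender <sender@yahoo.com>
To: recipient@example.com
Subject: (no subject)

http://example.invalid/index.php
"""


def authentication_summary(raw: str) -> dict:
    """Pull the From: domain and the SPF/DKIM verdicts out of Authentication-Results."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    ar = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    dkim = re.search(r"\bdkim=(\w+)", ar)
    dkim_dom = re.search(r"header\.(?:d|i)=@?([\w.-]+)", ar)
    spf = re.search(r"\bspf=(\w+)", ar)
    spf_dom = re.search(r"smtp\.mailfrom=([\w.+-]+@)?([\w.-]+)", ar)
    return {
        "from_domain": from_domain,
        "dkim": dkim.group(1).lower() if dkim else "none",
        "signed_by": dkim_dom.group(1).lower() if dkim_dom else None,  # Gmail "signed-by"
        "spf": spf.group(1).lower() if spf else "none",
        "mailed_by": spf_dom.group(2).lower() if spf_dom else None,   # Gmail "mailed-by"
    }


def classify_origin(raw: str) -> str:
    s = authentication_summary(raw)
    dkim_aligned = s["dkim"] == "pass" and s["signed_by"] == s["from_domain"]
    spf_aligned = s["spf"] == "pass" and s["mailed_by"] == s["from_domain"]
    if dkim_aligned:
        return "provider-signed"   # submitted through the From: domain's own servers
    if spf_aligned:
        return "provider-relayed"  # accepted by the provider's outbound but not DKIM-signed
    return "spoofed"               # a third party forged the From: address


if __name__ == "__main__":
    for label, raw in (("signed", SIGNED_BY_PROVIDER), ("spoofed", SPOOFED_BY_THIRD_PARTY)):
        print(label, authentication_summary(raw), "->", classify_origin(raw))
```

A "provider-signed" result points the investigation at the account (password, recovery options, connected apps and forwarding rules) as much as at the PC; a "spoofed" result means the address was used without the account at all, and cleaning the machine will not stop it.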
 
Hi HeadlessChief

thanks for the information......
The system volume information keeps popping up (I know you said we'd deal with that later.)
Did you do this: "Create a new, clean System Restore point"?
If you need me to forward you the exact email, let me know
Yes, please.

We will continue so.........

We need to update ComboFix........
We start by removing the old version.

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Download a fresh copy from here.

Please include the C:\ComboFix.txt in your next reply

Thanks peku006
 