jwmarkert
asked on
Rootkit Revealer can't mount disk; virus
I'm working on a computer that was severely infested with viruses. I removed the disk and slaved it off another computer to search for and remove viruses. That system located and removed 3 items deemed to be a Trojan horse according to AVG. They were 1418564.exe and postcard.chm in 2 different directories. After these 2 items were removed, the system hung. On rebooting, the system could no longer see the disk.
I reinstalled the disk in the original system and amazingly it booted. There were still issues with redirected searches. I removed sdra64.exe, winwebsec, renos.gen!BE, ciggcrnsvv.exe.8, msb.dll, riwqqhtrtn.exe. The system runs reasonably well now, but Rootkit Revealer quits, stating that it cannot mount C: when run.
I'd like to get a clean run of Rootkit Revealer before calling this clean. Do I still have some malware in the disk routines? Please advise what I have to do to the disk to get Rootkit Revealer to mount it.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
I ran ComboFix as directed. Logfile ComboFix 2009-07-21-2.txt is attached.
I then ran CCleaner.
Then I ran Rootkit Revealer and got log file: Rootkit Revealer 2009-07-21-2 l -2.
Shortly thereafter, AVG popped up and advised that several trojans had appeared (see log AVG Resident Shield 2009-07-21.txt).
I ran Rootkit Revealer again, which created the log: Rootkit Revealer 2009-07-21-3. This log shows many more entries than the -2 log. What are the HKLM\SOFTWARE\swearware\backup\winsock2\Parameters entries? I have not seen this reported in Rootkit Revealer before.
Am I infected again?
Thanks for help and how can I learn how to interpret ComboFix results?
ComboFix-Log-2009-07-21---2.txt
AVG-Resident-Shield-2009-07-21.txt
RootkitReveal-2009-07-21-3.txt
RootkitReveal-2009-07-21-2.txt
SOLUTION
ASKER
I can't see the following files in Windows:
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL
I then booted Ubuntu to look at the disk. I could not see them using Ubuntu either.
The file
c:\documents and settings\All Users\Application Data\14181564\14181564
cannot be seen in Windows. This was the first virus that I detected on the system. I had slaved the disk off another system and it was detected by AVG and I thought deleted. This file cannot be seen in Windows; however, using Ubuntu, it is there. I will delete it after I get your next post.
I ran GMER and a PDF of the result screen is attached.
I await your advice. Thank you for your help.
GMER-result-2009-07-22-9-52.pdf
ASKER
I've deleted c:\documents and settings\All Users\Application Data\14181564\14181564 and uninstalled ComboFix. The post-delete Rootkit Revealer log is attached. The only 2 entries that I am used to seeing are the second and third. What are the others?
RootkitReveal-09-07-23.txt
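The question above (which entries in a RootkitRevealer log are normal and which are not) is a triage task that is easy to script. The following is an added example, not code from the thread or from Sysinternals. It assumes RootkitRevealer's saved log is tab-separated (path, timestamp, size, description) and uses three facts that the thread and the tool's own documentation support: the SAC*/SAI* keys under HKLM\SECURITY\Policy\Secrets are LSA secrets whose names legitimately contain embedded nulls and show up on every clean Windows XP system; HKLM\SOFTWARE\swearware is where ComboFix keeps its backups (the accepted answer says these can be deleted once ComboFix is uninstalled); and a file reported as "Hidden from Windows API" should be confirmed from an offline boot, as the poster did with Ubuntu. The log lines in SAMPLE_LOG are constructed to resemble the thread, not copied from the attachments.

```python
"""Triage a RootkitRevealer log (added example; not from the thread).

Assumed layout of a saved RootkitRevealer log, one discrepancy per line:
    <path>\t<timestamp>\t<size>\t<description>
Matching is done on substrings of the description so minor wording
differences between tool versions are tolerated.
"""
from collections import defaultdict

# Constructed sample log: paths modelled on the thread, not the poster's real files.
SAMPLE_LOG = (
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t7/23/2009 9:10 AM\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t7/23/2009 9:10 AM\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "HKLM\\SOFTWARE\\swearware\\backup\\winsock2\\Parameters\t7/21/2009 8:02 PM\t0 bytes\t"
    "Hidden from Windows API.\n"
    "C:\\WINDOWS\\system32\\spool\\PRINTERS\\FP00000.SHD\t7/22/2009 9:52 AM\t1.50 KB\t"
    "Hidden from Windows API.\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\14181564\\14181564\t"
    "7/18/2009 1:11 PM\t84.00 KB\tHidden from Windows API.\n"
)

# LSA secret keys under this prefix legitimately have nulls in their names;
# RootkitRevealer reports them on every clean XP box.
BENIGN_NULL_PREFIX = "HKLM\\SECURITY\\Policy\\Secrets\\"
# ComboFix stores its backups (e.g. of winsock2 parameters) under this key.
COMBOFIX_BACKUP_PREFIX = "HKLM\\SOFTWARE\\swearware\\"


def parse_rkr_log(text):
    """Split a RootkitRevealer log into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 4:
            continue
        path, stamp, size, desc = parts
        entries.append({"path": path, "timestamp": stamp, "size": size,
                        "description": desc})
    return entries


def classify(entry):
    """Return (verdict, reason) for one discrepancy line."""
    path, desc = entry["path"], entry["description"]
    lower_path = path.lower()
    is_registry = lower_path.startswith("hk")
    if "embedded nulls" in desc and lower_path.startswith(BENIGN_NULL_PREFIX.lower()):
        return "benign", "LSA secret key name; normal on Windows XP"
    if lower_path.startswith(COMBOFIX_BACKUP_PREFIX.lower()):
        return "tool-residue", "ComboFix backup key; delete once ComboFix is uninstalled"
    if "Hidden from Windows API" in desc and not is_registry:
        return "suspicious", ("file hidden from the Win32 API: confirm from an offline "
                              "boot (Linux live CD) and compare with the on-disk listing")
    if "Hidden from Windows API" in desc:
        return "suspicious", "registry key hidden from the Win32 API"
    if "mismatch" in desc.lower():
        return "suspicious", "Windows API and raw hive/MFT data disagree"
    return "review", "unrecognised discrepancy type; examine manually"


def triage(text):
    """Group parsed entries by verdict: {verdict: [(path, reason), ...]}."""
    groups = defaultdict(list)
    for entry in parse_rkr_log(text):
        verdict, reason = classify(entry)
        groups[verdict].append((entry["path"], reason))
    return dict(groups)


if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ==")
        for path, reason in items:
            print(f"  {path}\n      {reason}")
```

Run it against a real log with `triage(open("RootkitReveal-09-07-23.txt").read())`. Anything in the "suspicious" or "review" groups is what the poster should be asking about; the two LSA entries and the swearware backup key are the ones that can be explained without further investigation.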
SOLUTION
SOLUTION
ASKER CERTIFIED SOLUTION
If those swearware reg entries are still there even after ComboFix has already been uninstalled, you can try to delete them manually; there's no reason for them to stay there.
Thanks!
ASKER
After Malwarebytes, I was able to detect 8 rootkits as detected by AVG. They all began with the characters HJGR.
I ran ComboFix and it removed whatever was keeping C: from mounting. The log is attached, as well as the log from Rootkit Revealer. Apparently there are entries left in the Registry.
Please advise my next step. Also, how do I learn more about ComboFix so I am in a position to analyze my own log? Thanks.
ComboFix-log-2009-07-21.txt
RootkitReveal-2009-07-21.txt