jwmarkert asked:
Rootkit Revealer can't mount disk; virus

I'm working on a computer that was severely infested with viruses. I removed the disk and slaved it off another computer to search for and remove viruses. That system located and removed 3 items deemed to be a Trojan horse according to AVG. They were 1418564.exe and postcard.chm in 2 different directories. After these 2 items were removed, the system hung. On rebooting, the system could no longer see the disk.

I reinstalled the disk in the original system and amazingly it booted. There were still issues with redirected searches. I removed sdra64.exe, winwebsec, renos.gen!BE, ciggcrnsvv.exe.8, msb.dll, riwqqhtrtn.exe. The system runs reasonably well now, but Rootkit Revealer quits, stating that it cannot mount C: when run.

I'd like to get a clean run of Rootkit Revealer before calling this clean. Do I still have some malware in the disk routines? Please advise what I have to do to the disk to get Rootkit Revealer to mount it.
SOLUTION by rpggamergirl
This solution is only available to members of Experts Exchange.
jwmarkert (ASKER):
I've run Malwarebytes and ComboFix. I believe that Malwarebytes took out a few nasties, but I can't locate my notes at the moment. In any case, whatever it removed did not correct Rootkit Revealer's inability to mount C:.

After Malwarebytes, I was able to detect 8 rootkits as detected by AVG. They all began with the characters HJGR.

I ran ComboFix and it removed whatever was keeping C: from mounting. The log is attached as well as the log from Rootkit Revealer. Apparently there are entries left in the Registry.

Please advise my next step. Also, how do I learn more about ComboFix so I am in a position to analyze my own log? Thanks.
ComboFix-log-2009-07-21.txt
RootkitReveal-2009-07-21.txt
SOLUTION
This solution is only available to members of Experts Exchange.
I ran ComboFix as directed. Logfile ComboFix 2009-07-21-2.txt is attached.

I then ran CCleaner.

Then I ran Rootkit Revealer and got the log file Rootkit Revealer 2009-07-21-2.

Shortly thereafter, AVG popped up and advised that several trojans had appeared (see log AVG Resident Shield 2009-07-21.txt).

I ran Rootkit Revealer again, which created the log Rootkit Revealer 2009-07-21-3. This log shows many more entries than the -2 log. What are the HKLM\SOFTWARE\swearware\backup\winsock2\Parameters entries? I have not seen this reported in Rootkit Revealer before.

Am I infected again?

Thanks for help and how can I learn how to interpret ComboFix results?
ComboFix-Log-2009-07-21---2.txt
AVG-Resident-Shield-2009-07-21.txt
RootkitReveal-2009-07-21-3.txt
RootkitReveal-2009-07-21-2.txt
SOLUTION
This solution is only available to members of Experts Exchange.
I can't see the following files in Windows:

C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL

I then booted Ubuntu to look at the disk. I could not see them using Ubuntu either.

The file
c:\documents and settings\All Users\Application Data\14181564\14181564
cannot be seen in Windows. This was the first virus that I detected on the system. I had slaved the disk off another system, and it was detected by AVG and I thought deleted. This file cannot be seen in Windows; however, using Ubuntu, it is there. I will delete it after I get your next post.

I ran GMER and a PDF of the result screen is attached.

I await your advice. Thank you for your help.
GMER-result-2009-07-22-9-52.pdf
I've deleted c:\documents and settings\All Users\Application Data\14181564\14181564 and uninstalled ComboFix. The post-delete Rootkit Revealer log is attached. The only 2 entries that I am used to seeing are the second and third. What are the others?

RootkitReveal-09-07-23.txt
SOLUTION
This solution is only available to members of Experts Exchange.
SOLUTION
This solution is only available to members of Experts Exchange.
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
If those swearware reg entries are still there even after ComboFix has already been uninstalled, you can try to manually delete those; there is no reason for them to stay there.

Thanks!
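An added example for the swearware question above and the closing advice, not code from this thread or from ComboFix's author: a PowerShell script that compares the Winsock2 provider catalog ComboFix backed up under HKLM\SOFTWARE\swearware with the live catalog, flags live entries whose DLL no longer exists on disk, and then shows the leftover backup key being removed as a dry run. It assumes the backup mirrors the live Protocol_Catalog9\Catalog_Entries layout (binary PackedCatalogItem values whose leading bytes hold the provider DLL path) and is run from an elevated prompt.

```powershell
# Added example, not part of the original thread. Assumption: the swearware
# backup mirrors the live WinSock2\Parameters layout (Protocol_Catalog9\
# Catalog_Entries, each with a PackedCatalogItem blob that starts with the
# NUL-terminated provider DLL path).
$LiveKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$BackupKey = 'HKLM:\SOFTWARE\swearware\backup\winsock2\Parameters'

function Get-LspProviderPaths {
    param([string]$ParametersKey)
    $entries = Join-Path $ParametersKey 'Protocol_Catalog9\Catalog_Entries'
    if (-not (Test-Path $entries)) { return @() }
    Get-ChildItem $entries | ForEach-Object {
        $packed = (Get-ItemProperty -Path $_.PSPath).PackedCatalogItem
        if ($packed) {
            $nul = [Array]::IndexOf($packed, [byte]0)
            if ($nul -lt 0) { $nul = $packed.Length }
            [System.Text.Encoding]::Default.GetString($packed, 0, $nul)
        }
    } | Sort-Object -Unique
}

$live   = @(Get-LspProviderPaths $LiveKey)
$backup = @(Get-LspProviderPaths $BackupKey)

if ($backup.Count -eq 0) {
    Write-Host "No swearware Winsock backup found under $BackupKey"
} elseif ($live.Count -eq 0) {
    Write-Warning "Live Winsock catalog is empty or unreadable; run elevated."
} else {
    Write-Host 'Provider DLLs: live catalog vs. ComboFix backup'
    Compare-Object -ReferenceObject $live -DifferenceObject $backup -IncludeEqual |
        ForEach-Object {
            $where = switch ($_.SideIndicator) {
                '==' { 'both' } '<=' { 'live only' } '=>' { 'backup only' }
            }
            '{0,-12} {1}' -f $where, $_.InputObject
        }
}

# A live entry whose DLL is gone usually means a removed LSP left its catalog
# entry behind, which breaks networking and should be repaired, not ignored.
$live | Where-Object { -not (Test-Path ([Environment]::ExpandEnvironmentVariables($_))) } |
    ForEach-Object { Write-Warning "Catalog references a missing DLL: $_" }

# After review, drop the leftover backup key. -WhatIf only reports what would
# be deleted; remove the switch to perform the deletion.
if (Test-Path 'HKLM:\SOFTWARE\swearware') {
    Remove-Item -Path 'HKLM:\SOFTWARE\swearware' -Recurse -WhatIf
}
```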