Hijacked, Generic Rootkit.d!rootkit, others..

Dell / INSPIRON 9300
June 28, 2009 at 18:36:59
Specs: Microsoft Windows XP Professional, 1.995 GHz / 1023 MB
Malware symptoms 06/28/09
A. McAfee scan has found multiple instances of a “Generic Rootkit.d!rootkit”, which it calls NTOSKRNL-HOOK, and classifies as a Trojan. It has both eliminated and quarantined them.
1) As many as 2 to 5 have been found at once.
2) Once “removed,” they appear again in no time.
B. McAfee – Update Error
“An error occurred in updating. Please reinstall these programs:
- McAfee Security Center”
NOT DONE – Expected to be repetitive.
C. Defrag – no access
1) Norton Speed Disk won’t start. Error Message:
“An unexpected error occurred while communicating with the Speed Disk Service (NOPDB.EXE). Please exit Speed Disk, restart the Speed Disk Service, and try again. If the problem persists, reinstall Speed Disk.”
Reinstalled Speed Disk. Same result.
2) Windows XP Accessories Disk Defragmenter Error message:
“Disk Defragmenter could not start.”
D. Backup – presently unable to back up.
1) My backup utility, XXCLONE, will not start. It returns the following error message from its initial disk scan:
“The source volume (C:) specified in the command line does not exist, or the volume label does not match. Therefore, it will be ignored.”
2) Windows XP Accessories backup component refused to start as well. Error message:
“The Backup Utility cannot connect to the Removable Storage service. This service is required for use of tape drives and other backup devices.
Please exit and start the Removable Storage service using the System Services function of the Management Console.”
Started service. Allowed backup utility to start. It backed up over half of C: drive. But insufficient space on target drive.
E. Formatting – presently unable to format. I attempted to format backup target drive F: on USB hard drive.
1) Windows Disk Management utility does not see ANY drives. Its window is BLANK.
2) Right-clicking F: in Explorer gave access to the format command. A Quick Format command produced this error message:
“Windows was unable to complete the format.”
F. Browser (Firefox)
1) Misdirection to other search or ad aggregation pages when clicking on Google search results ‘headlines’ links. Copy/pasting of the results’ urls works fine.
2) Numerous pop-ups
G. Email (Outlook)
1) Huge numbers of “Mail Undeliverable” messages in Inbox, sent to me and/or my domain, returning obvious spam which I’ve had nothing to do with sending.
H. Taskbar Volume Control – instead of emitting the modulated confirming “beep,” a VERY loud sharp shriek is heard when making an adjustment to volume.
I. Adobe Acrobat – .pdf files close unexpectedly.
Questions
1. System is far behind on Windows updates. Still running XP SP2. Obvious malware problems began about a week ago. Should I wait until I’ve established a clean system before updating Windows?
2. I’m trying to comply with your suggestion to back up prior to malware scans. Is there an obvious fix for inability to use backup software short of malware elimination?
3. So, should I just get started running scans according to whatever schedule may be suggested? What is the risk of running them without a recent backup?
Many thanks,
pajuliet

#1
June 28, 2009 at 19:35:27
Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

If I'm helping you and I don't reply within 24 hours send me a PM.



#2
June 29, 2009 at 14:01:52
I'm sending this from another system.

I started gmer.exe about 12 hours ago. At least I think I did.
I selected not only the C: drive, 50 GB, ~41 GB used, but F:, G:, and H:, as well.

They are three logical drives on an attached USB hard drive, total capacity 300GB, perhaps 200 used.

When I clicked on <Scan> the application window disappeared. I have a blank monitor. The disk activity LED indicator blinks only once in a great while. I have not wanted to disturb the process if it is running... but, is gmer meant to run invisibly? I need access to the target system.

What should be my next steps?
Thank you,
pajuliet



#3
June 29, 2009 at 14:19:09
No, it's not supposed to disappear and it doesn't take more than 10-15 mins. Close gmer, reboot and follow:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
July 12, 2009 at 16:28:27
Thanks, but I have tried Kaspersky several times and never connect with the server.

GMER was a bust and Kaspersky is unreachable...

If this is THE right move, do you or someone else have a copy of the tool that you could send me or that I could download?



#5
July 15, 2009 at 12:31:35
Try: ftp://212.47.219.86/devbuilds/AVPTool/index.html and follow Response Number 3 in safe mode.

If I'm helping you and I don't reply within 24 hours send me a PM.



#6
July 15, 2009 at 21:32:08
If I were fighting this one I would get my hands on a copy of Ubuntu Linux and boot it from my CD-ROM. Once booted I would see if I could access the main hard drive. If you can, then plug in an external hard drive and back up all the files. Once I finished backing up my files I would unplug the external drive and boot up my partitioner and redo the drive. Here is a free partitioner.

http://partedmagic.com/

Then reinstall Windows and quit fighting the beast that is loose in your computer.

Oh ya. When you get your computer set up and stable, image the damn thing. Next time you get an infection you can format the drive and write the image back on and be virus free in an hour.
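The live CD rescue that post #6 describes, as an added example that is not part of the thread: a POSIX shell script for the Ubuntu live session that mounts the Windows volume read-only, copies user data to the external drive while leaving the system directories and executable files behind, and writes a checksum manifest for verifying the backup after the reinstall. The device path /dev/sda1, the mount points and the XP directory names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull user data off a suspect Windows XP
# volume from a Linux live CD (post #6's approach) without writing to that
# volume and without carrying executables over to the rebuilt system.
# Assumed (not stated in the thread): the Windows disk is /dev/sda1, the
# external backup drive is already mounted at /mnt/backup, ntfs-3g is present.
set -eu

# Mount the infected volume read-only and noexec: nothing on it is modified,
# and nothing on it can be launched from the live session.
mount_windows_readonly() {
    dev=$1; mnt=$2
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nodev "$dev" "$mnt"
}

# Copy a tree with tar, skipping the system directories, swap/hibernation
# files and executable file types: they hold no user data, and an ntoskrnl
# hooking rootkit like the one McAfee reported lives in exactly those places.
copy_user_data() {
    src=$1; dst=$2
    mkdir -p "$dst"
    ( cd "$src" && tar cf - \
        --exclude='./WINDOWS' --exclude='./Program Files' \
        --exclude='./System Volume Information' \
        --exclude='./pagefile.sys' --exclude='./hiberfil.sys' \
        --exclude='*.exe' --exclude='*.dll' --exclude='*.sys' \
        --exclude='*.scr' --exclude='*.com' --exclude='*.pif' . ) \
    | ( cd "$dst" && tar xf - )
}

# Record a SHA-256 manifest of the copy and print the number of files it
# lists; after the reinstall, `sha256sum -c manifest.sha256` in the backup
# directory proves the files being restored are the ones that were copied.
write_manifest() {
    dst=$1
    ( cd "$dst" && find . -type f ! -name manifest.sha256 \
        -exec sha256sum {} + > manifest.sha256 )
    wc -l < "$dst/manifest.sha256" | tr -d ' '
}

# Typical run from the live CD, as root:
#   mount_windows_readonly /dev/sda1 /mnt/winxp
#   copy_user_data /mnt/winxp /mnt/backup/inspiron9300
#   write_manifest /mnt/backup/inspiron9300
```

Documents and Settings is where XP keeps user profiles, so it is copied whole; anything executable inside it is deliberately left behind, so reinstall those programs from original media rather than restoring them.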

