rootkit problem

  • 27-11-2007 11:30am #1 pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    So my mother's laptop appears to have a rootkit problem. I noticed it when I kept getting an error message in Firefox: "Shockwave Flash has performed an illegal operation etc etc". I googled the problem and it turns out that I have a rootkit on the computer. I tried installing F-Secure BlackLight, but it says that I don't have sufficient administrator privileges to install it and that either I am not the administrator, or else some malware is blocking me from those privileges.

    So I googled around a bit more and I found another program that does much the same thing called Sophos Anti-Rootkit. I installed it and ran it, but the same problem occurred: it told me that I didn't have admin privileges. I tried running them both in safe mode but they "cannot be run in safe mode".

    So I googled around a bit more and read up about it a bit more and decided to try to download and run HJT. However, each time I type the name of that program in full into Google the browser closes automatically. This occurs in both IE and FF. Even if I separate the words into "Hijack This" and search, upon getting hits in Google, if I try to click on a link to download, the same thing happens again. The browser closes.

    So I downloaded and ran AVZ Antiviral Toolkit. I ran the system investigation and then the full scan.

    I think you'll agree this is very very strange...

    Here are my results:


Comments

  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    system investigation results:


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    last file:


  • still_raining (Closed Accounts, Posts: 50 ✭✭)


    Try giving AVG Anti-Rootkit a go. I've never used it myself, but apparently it does the job pretty well.


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    OK, I ran that and 2 files showed up (in regular, not in-depth, scan mode) and they are

    C:\WINDOWS\lpt6.ify
    C:\WINDOWS\mlwgk1.dll

    I googled them and neither produced any hits. Any ideas? Should I delete them? AVG Anti-Rootkit says not to do so unless I am sure that they are malicious files. They couldn't be part of the OS though, could they? Otherwise they would produce a hit in Google...

    cheers,
    karl


  • still_raining (Closed Accounts, Posts: 50 ✭✭)


    Well, .ify is no extension I've ever heard of, and all system DLLs should be in the system32 folder. Right-click on the mlwgk1.dll file and go to Properties, then the Details tab. What does the description say?


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    I went ahead and deleted them... and had to restart. The file C:\WINDOWS\lpts has reappeared, though without the extension .ify. Though when I look in the Windows folder the two files are there as DL_ and IF_ files. Jaysus, what's the story...

    I still can't google HJT as the browser closes automatically, and I still can't run BlackLight as it "could not acquire necessary privileges (SeDebugPrivilege)
    - your computer settings may prevent acquiring these privileges
    - a malicious program may have disabled these privileges"

    I have a feeling it is the latter.
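
    Two of the names reported above deserve a closer look, and the Python helper below is an added example (not code from this thread or from any of the tools mentioned) that checks a directory listing for them. `lpt6` is a Win32 reserved device name: a normal path such as `C:\WINDOWS\lpt6.ify` is parsed as the LPT6 device whatever the extension, so a file named this way can be awkward to open, inspect or delete with ordinary tools, and the usual way in is the `\\?\` prefix (for example `del \\?\C:\WINDOWS\lpt6.ify` from cmd.exe), which tells Win32 to take the path literally. The `DL_` and `IF_` names follow the convention used by Microsoft's compress.exe/makecab (the last character of the extension replaced by an underscore), which is consistent with the malware keeping compressed copies to restore itself from; that is an inference from the names, not something the thread confirms. The listing is constructed from the names reported in the thread; on a real machine the same list would come from os.listdir on the Windows directory.

```python
"""Triage a Windows-directory listing for two naming tricks seen in this thread:
reserved DOS device names (lpt6.ify) and compress/makecab-style copies
(mlwgk1.dl_, lpt6.if_). Added example, not code from the original thread.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# Win32 reserved device names. A path whose base name is one of these,
# with or without an extension, resolves to the device, not to a file.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(path: str) -> bool:
    """True for names like 'lpt6.ify': the stem before the first dot is a device."""
    stem = ntpath.basename(path).split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def to_extended_path(path: str) -> str:
    r"""Return the \\?\ form of a path; Win32 then skips device-name parsing,
    so the file itself can be opened or deleted (e.g. del \\?\C:\WINDOWS\lpt6.ify)."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):            # UNC: \\server\share -> \\?\UNC\server\share
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def compressed_copies(listing: List[str]) -> Dict[str, Optional[str]]:
    """Map each compress.exe/makecab-style name (extension ending in '_',
    e.g. 'mlwgk1.dl_') to the matching expanded file in the same listing
    ('mlwgk1.dll'), or None if no expanded file is present."""
    result: Dict[str, Optional[str]] = {}
    lowered = {n.lower(): n for n in listing}
    for name in listing:
        stem, ext = ntpath.splitext(name)
        if len(ext) < 2 or not ext.endswith("_"):
            continue
        prefix = (stem + ext[:-1]).lower()      # 'mlwgk1.dl'
        match = next(
            (orig for low, orig in lowered.items()
             if low != name.lower() and len(low) == len(name) and low.startswith(prefix)),
            None,
        )
        result[name] = match
    return result


def triage(listing: List[str], windir: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Return (name, reason) findings for a listing of the Windows directory."""
    findings: List[Tuple[str, str]] = []
    for name in listing:
        if is_reserved_device_name(name):
            full = ntpath.join(windir, name)
            findings.append((name, f"reserved device name; address it as {to_extended_path(full)}"))
    for comp, orig in compressed_copies(listing).items():
        reason = f"compressed copy of {orig}" if orig else "compressed copy, expanded file not present"
        findings.append((comp, reason))
    return findings


# Constructed listing modelled on the names reported in the thread (sample data).
SAMPLE_LISTING = [
    "explorer.exe", "notepad.exe", "system.ini", "win.ini",
    "lpt6.ify", "mlwgk1.dll",        # the two files AVG Anti-Rootkit flagged
    "lpt6.if_", "mlwgk1.dl_",        # the copies that reappeared after deletion
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LISTING):
        print(f"{name:14} {reason}")
```

    Run as a script it prints the four findings for the constructed listing; the same functions accept any list of file names, so a listing pulled from a drive attached to a clean machine (as suggested later in the thread) can be fed through unchanged.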


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    I scanned those files with Avast, and they were both trojans. So I moved them to the chest, but the same problem is happening when I google HJT.


  • still_raining (Closed Accounts, Posts: 50 ✭✭)


    Looks like you have a right infection there.
    I've put HijackThis up on RapidShare for you:

    http://rapidshare.com/files/72627927/dfgse.exe.html

    (it's a random filename so you don't get caught out).
    Post up a log if you can get it to run.

    Also download SUPERAntiSpyware; it detects more or less everything, just in case more than a rootkit is at play here.


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    Thanks a million. Really appreciate that. I'll post it back up now in a sec.

    cheers,
    karl.


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    Crud. Managed to download it, but when I went to install it, guess what? Same thing happened. It gets to the terms of service agreement and then closes immediately.

    pain in the hole here.


  • still_raining (Closed Accounts, Posts: 50 ✭✭)


    That sounds nasty. Still, try giving it a scan with SUPERAntiSpyware (do the complete scan); it's more than once brought my computer back from the brink of death.


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    I'll give it an aul go. Will report back in a bit. Cheers again.


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    Hmm. That only detected a couple of tracking cookies. Doubt they are the problem.

    this is really really weird...


  • still_raining (Closed Accounts, Posts: 50 ✭✭)


    Yeah, that is fairly weird. Alas, Karl, I'm sorry but I think that's all I can help you with. If you could get a HijackThis log I could perhaps do something, but it looks like you have one very well dug-in piece of malware there.
    Hopefully someone else on the boards can help you out, but even so I'd recommend you post on some of the more dedicated malware forums around the net.

    Try the lads over on spywareinfo or geekstogo:
    http://forums.spywareinfo.com/index.php
    http://www.geekstogo.com/forum/forums.html

    Best of luck!


  • Will (Closed Accounts, Posts: 19,183 ✭✭✭✭)


    Have you tried going into safe mode and running it? Dunno if it'll help but worth a shot :D


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    Yeah. Same problem. Doesn't run.

    I have a RootkitRevealer log if that is any help. It seems to have detected some stuff. Thanks for your help.


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    I see you have posted on MajorGeeks and SpywareInfo; you need to have one of those threads closed. I would recommend not taking any further action yourself or from this topic here, and instead just wait for one of those sites to get back to you.


  • Registered Users, Registered Users 2 Posts: 135 ✭✭Shad0w


    Hi Pinksoir,

    It sounds like this file is replicating itself, so maybe it's also stored somewhere that the anti-virus or anti-rootkit can't analyse...


    Are you running XP? If so, have you turned off System Restore?

    If not, try doing this and then run a scan. If you have already done this, the only other thing I can think of is that the anti-virus is assuming these files are system critical and will not remove them. I have found the best way around this is to take out your drive, connect it to another PC and run a scan from there. This way the anti-virus will not see those files as critical and should remove them...

    Hopefully this helps...


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    I think I'm just gonna bite the bullet and reinstall Windows. This little bugger has buried itself really deeply into the system. I posted on MajorGeeks with all my logs etc. It's not gonna be a straight-up 'delete this file and it'll be OK' job, as these things rarely are.

    So I'm gonna leave it till tomorrow and see if any of those MajorGeeks have any advice, and if not a reinstall is the best option. Luckily this is my ma's laptop and she doesn't have too much stuff on it. Though I would like to know how to beat the infection. Reinstalling always feels like such a cop-out!


  • ActorSeeksJob (Closed Accounts, Posts: 1,970 ✭✭✭)


    You were being helped by a Microsoft MVP, he would have easily removed the rootkit.


  • pinksoir (Registered Users, Posts: 1,737 ✭✭✭)


    Ah crud. Should have waited so. Ah well, no matter. It only took an hour and a half to get the laptop back to its original state through a reformat. Though, as I say, I would have liked to have defeated the little punk without a reformat.

