Help Please RootKit Craziness

GMER Log

OK. So I ran GMER and it found the following:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2012-02-28 10:19:55
Windows 6.1.7601 Service Pack 1
Running: GMER.exe


---- Files - GMER 1.0.15 ----

File L:\Windows\$NtUninstallKB45721$\1252915252 0 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\@ 2048 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\cfg.ini 56 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\Desktop.ini 4608 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\keywords 261 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\L 0 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\L\qnbwvoto 72192 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U 0 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U\00000001.@ 1536 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U\00000002.@ 224768 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U\00000004.@ 1024 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U\80000000.@ 1024 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U\80000004.@ 12800 bytes
File L:\Windows\$NtUninstallKB45721$\1252915252\U\80000032.@ 98304 bytes
File L:\Windows\$NtUninstallKB45721$\2328040050 0 bytes

---- EOF - GMER 1.0.15 ----

I'm assuming I should kill/delete these. No other "bad" files were found on the other two partitions: K:\ & F:\

Since this is the very first time GMER has found something after I've used it, I'm not sure what to do with them. Thoughts?
 
Sounds like you have both a hard drive with possible bad sectors and rootkits/trojans. I would go about first scanning the hard drive for bad sectors, then using DaRT or a recovery DVD, start a command prompt and run fixmbr, fixboot, chkdsk /r.

After running chkdsk /r, then try either the Kaspersky rescue CD or the BitDefender rescue CD, then try booting to safe mode and run ComboFix.

On drives with that many problems I always make an image just in case.

HDD Regenerator is the best utility to fix hard drive problems and is worth buying. There is nothing like it, and it is the fastest surface scan that is available. You might want to try it.

Hi Galdorf, Thank you for your response.

I did run HDDTune on Long Scan and it found no bad sectors. Running a recovery DVD (Win 7 32-bit), the System Recovery c: prompt would not run chkdsk, chkdsk /r, fixmbr or fixboot. :confused: Earlier, I tried to get into safe mode but all modes only boot to a black screen with an active pointer - no desktop.

As I mentioned above, I just ran GMER and posted the results there.
 
Ray of Hope

Google is my friend. :D

It looks like this File L:\Windows\$NtUninstallKB45721$\1252915252\L\qnbwvoto is a variant of a virus/malware that made the rounds last year. I'm not sure what the others on the list are but since they are all in L:\Windows\$NtUninstallKB45721$\1252915252, I'm thinking I should kill/delete them all.

What say ye people of Rome?

UPDATE: Tried to kill or delete in GMER and got this message:

An error occured during the killing of file:
"L:\Windows\$NtUninstallKB45721$\1252915252": The handle
is invalid.

and, if I go straight for the culprit, I get:

File
"L:\Windows\$NtUninstallKB45721$\1252915252\L\wnbwvoto"
couldn't be deleted. Error 0x00000006 !: The handle is invalid.

Hmmm... I'm not giving up yet.
 
Hello,

When I run into problems such as this....try the latest Dr. Web bootable CD.

It has done wonders for cleaning up stuff for me, as a last resort.

You already have an image, so at least you can pull off the data if it bombs.

Run a full scan and select cure or repair if given the option.

This can take a LONG time to scan a full drive.




Harold
ACS Alternative Computer Solutions
 

Thank you for that Harold. I'll download and try that. How long? 2,6,8 hours?
 
ScarletPathos said:
Hi BT- Yes, I can get to a command prompt via System Repair, but it doesn't run. Since I'm booting from an OS disk (Win 7 32-bit) the default drive name is X:\ then I change it to C:\ and try sfc. No joy. It says it cannot run the sfc command (sfc /scannow).
Try booting from a Vista CD and not a 7 CD. Once you get to the volume that you want, can you type commands like dir, cd windows, etc. to make sure the drive is taking commands and that you're in the system volume, and then try sfc again?


ScarletPathos said:
Earlier, I tried to get into safe mode but all modes only boot to a black screen with an active pointer - no desktop.
Once at the black screen did you try Ctrl-Alt-Del to open the Task Manager and from the File menu Run explorer.exe?


ScarletPathos said:
It looks like this File L:\Windows\$NtUninstallKB45721$\1252915252\L\qnbwvoto is a variant of a virus/malware that made the rounds last year. I'm not sure what the others on the list are but since they are all in L:\Windows\$NtUninstallKB45721$\1252915252, I'm thinking I should kill/delete them all.

What say ye people of Rome?
The Uninstall Knowledge Base 45721 just doesn't look right. With a quick search on Google I didn't find any updates under 45721, and with what looks like a randomly named directory (1252915252) and files, GMER reporting them, you Googling and finding qnbwvoto to be malware, and other people using programs like ComboFix and it deleting similar files:
c:\windows\$NtUninstallKB31569$\1117439540\click.tlb
c:\windows\$NtUninstallKB31569$\1117439540\L\qnbwvoto
c:\windows\$NtUninstallKB31569$\1117439540\loader.tlb
c:\windows\$NtUninstallKB31569$\1117439540\U\@00000001
yeah, it does look like they are malware-related; maybe rename the files if you can't delete them.


If you like the Dr. Web live CD you may also want to try Avira AntiVir Rescue System or Kaspersky's Rescue Disc. I think all of them have settings you can change to just report what they find if you don't want them to just delete any malware they find.
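An added example, not code from the thread or from GMER: a small Python triage check that parses GMER's "File ... N bytes" lines and flags $NtUninstall*$ folders whose immediate child is a purely numeric directory, the pattern BT calls out above (a hotfix uninstall folder normally holds the update's backup files, not a random number). The sample log is constructed from the paths in the thread plus one made-up benign-looking entry (KB000000 is a placeholder).

```python
import re
from collections import defaultdict

# Constructed sample in GMER's "---- Files ----" format: the first five lines
# are copied from the log posted in this thread, the KB000000 line is a
# placeholder for what an ordinary hotfix uninstall folder would look like.
SAMPLE_LOG = """\
---- Files - GMER 1.0.15 ----

File L:\\Windows\\$NtUninstallKB45721$\\1252915252 0 bytes
File L:\\Windows\\$NtUninstallKB45721$\\1252915252\\@ 2048 bytes
File L:\\Windows\\$NtUninstallKB45721$\\1252915252\\L\\qnbwvoto 72192 bytes
File L:\\Windows\\$NtUninstallKB45721$\\1252915252\\U\\80000032.@ 98304 bytes
File L:\\Windows\\$NtUninstallKB45721$\\2328040050 0 bytes
File L:\\Windows\\$NtUninstallKB000000$\\spuninst\\spuninst.exe 218624 bytes

---- EOF - GMER 1.0.15 ----
"""

# "File <path> <size> bytes"; the path is taken non-greedily so the
# trailing size is not swallowed into it.
FILE_LINE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes$")

# A $NtUninstall...$ folder followed directly by an all-digit child directory.
SUSPECT_DIR = re.compile(r"(\\\$NtUninstall[^\\]+\$)\\(\d+)(\\|$)")


def parse_gmer_files(text):
    """Return (path, size_in_bytes) tuples from GMER 'File' lines."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries


def suspicious_uninstall_dirs(entries):
    """Group entries living under <...>\\$NtUninstall*$\\<digits>.

    Returns {numeric_dir_prefix: [(path, size), ...]} so each hit can be
    reviewed as a unit before anything is renamed or deleted.
    """
    hits = defaultdict(list)
    for path, size in entries:
        m = SUSPECT_DIR.search(path)
        if m:
            hits[path[: m.end(2)]].append((path, size))
    return dict(hits)
```
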
 
ScarletPathos said:
Hi BT- Yes, I can get to a command prompt via System Repair, but it doesn't run. Since I'm booting from an OS disk (Win 7 32-bit) the default drive name is X:\ then I change it to C:\ and try sfc. No joy. It says it cannot run the sfc command (sfc /scannow).

Didn't you say OS is on L:?
 


I agree with the above post....Kaspersky Rescue Disk has worked for me very well also. Seems like Dr. Web and Kaspersky work the best on persistent rootkits. Make sure to download the latest definitions, and be very careful what you select to DELETE. They can be very aggressive and flag legitimate, but infected files.


Harold
ACS Alternative Computer Solutions
 

I apologize for not responding sooner to your post.

Yes, I tried a Vista CD before the Win 7 CD. sfc would not run.

Yes, I did try Ctrl-Alt-Del at the black screen. No joy.

I tried running ComboFix while the drive was slaved. Combo doesn't let me change drive parameters; it just runs on the resident drive. Am I missing something? Renaming would be a great idea, but I can't change the permissions to have my bench computer see the OS drive. :confused:

I'm running Dr. Web both default and advanced now. The default found 38 malicious files, 2 adware files and 2 suspicious files. Many files were "too large to scan" and about 275 zip files "couldn't be found." The advanced search is still going on.

Thanks for sticking with me on this.
 
Try running the Windows Unlocker tool from the Kaspersky live CD.

See here http://support.kaspersky.com/viruses/solutions?qid=208285998

After you have run the program you should hopefully be able to boot into Windows to run your gamut of tools etc.

If you can, then run Windows Repair from Tweaking.com; download it here: http://www.tweaking.com/content/page/windows_repair_all_in_one.html

Run the advanced selection and hopefully you will be back on track to a normal installation.

Thanks gazza: I'm D/Ling Kaspersky right now and will check out the Tweaking.com link you suggested. Thanks.
 
I usually let it run overnight. Depends on how big the hard drive is.

By the way.....the option may say "disinfect".



Harold
ACS Alternative Computer Solutions

I ran six hours. Found 300+ bad files/folders. Unfortunately, the mouse stopped working and I had to remove each one manually! No highlighting multiple files in that program. I'm running the Advanced command-line scan right now. Probably another six hours. Started 9:00 am. It's 12:45 pm now.

BTW, the option shown says "Cure" or you can open a dropdown box that provides options to "Quarantine" or "Remove".
 

WOW!!!!!!

300+

Usually when I get to this point it only finds a few persistent ones.

I would seriously consider a nuke and pave, you may never be sure to get them all.

Were there many rootkits or system files infected.....if so, it may never be right, unless you're willing to spend a lot of time on this.

Salvage the data.......Nuke and Pave


Harold
ACS Alternative Computer Solutions
 

Nothing identified as a rootkit per se, just a lot of leftovers, some with addresses, some without. I am using this HDD cleanup as an opportunity to learn; the client is in no rush to get it back, and just wants me to "do what I can." If this were a lose business, life 'n' death kind of thing I would have N&P'd yesterday. My focus now is to restore/repair permissions and get that OS drive accessible so I can get directly at the problems.

Now, I've got all these great tools that have been suggested on this thread and I want to play it out hopefully for the benefit of the members who have helped and others who may stumble on this through a search.

I appreciate the help and support from you and others who have joined this thread. I will report back with final results.
 