Full Version: quarantined and deleted successfully, but then...
Malwarebytes Forum > Malwarebytes' Anti-Malware Support > General Malwarebytes' Anti-Malware Forum
jeanette
I thought of e-mailing this directly, but decided to post on the forum instead. More along the lines of feedback, though any suggestions would be appreciated.

I "cleaned" an XP Home SP2 computer this morning using Anti-Malware. It found 5 infected folders and 22 infected folders, and quarantined and deleted them all successfully. I then re-ran the software and it came up clean. I then ran the usual antivirus software (BitDefender) and that also came up clean. I then plugged in the network cord and within a minute BitDefender had stopped 4 viruses from being launched and the constant stream of e-mails began again. I ran another deep system BitDefender scan and it came up with 2 infected files with No Action Possible. I ran Anti-Malware a third time and though BD had 2 positives, it found nothing. (I also ran GMER yesterday and they said the rootkit file is c:\windows\system32\drivers\Lqt24.sys. Unfortunately, I did not get this response from them before thinking the system was clean and plugging in the network cord.)

The initial viruses that came up on the scan way back on Friday were Trojan.Dropper.Delf.Crypt.O, Trojan.Kobcka, Trojan.Inject.IA, and another that I don't remember. For every scan, a different name comes up, it seems.

From the initial system scan of Anti-Malware I got the following 7 different positives:
Rogue.XPSecurityCenter
Rootkit.Agent (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr)
Security.Hijack
Trojan.Agent
Adware.Funweb
Malware.Trace
Trojan.FakeAlert

Two of the viruses that BD blocked after I plugged in the network cord were Trojan.Inject.JF and Trojan.Kobcka.DV. The Kobcka trojan was identified as being at C:\Windows\System32\drivers\tcpsr.sys. Is this merely a coincidence, or are they related? Again, Anti-Malware picked up nothing after this second BD scan which showed a No Action Possible result.

Did the rootkit "learn" to hide from Anti-Malware during the first two scans?
Raid
QUOTE (jeanette @ Sep 3 2008, 05:55 PM) *

Depending on the rootkit in question, it's entirely possible for it to hide... Yes. Cat and mouse game if you will.
If you would like to start a fresh thread in the hijackthis log forum, one of the helpers can hopefully get this resolved for you.
nosirrah
If you have GMER still, click the file tab. Browse to drivers\Lqt24.sys, click it and then use the copy button on the right to copy it to your desktop as any file name other than what it actually is (it will instantly rehide if you do).

Next tell GMER to kill the file, now reboot. The file will still be there but crippled beyond any ability to function.

Now take the copy you made earlier, zip it and attach it to your next post here.

As far as your question goes, this rootkit changes often and it seems that you caught one that we don't have (yet).
jeanette
QUOTE (nosirrah @ Sep 3 2008, 07:08 PM) *

Eh... too late. I got tired of waiting for responses and with the OK from my boss (in case deleting the file corrupted the system) deleted the said Lqt24.sys from GMER since it wouldn't let me delete it from windows. So no file for anyone to examine, but so far so good on the computer. I'm still getting two "can't find file specified" random number and letter .sys files on GMER scans (such as 8d6aff.sys), in the c:\windows\system32\drivers directory though. (These so-named files appeared directly below the Lqt24.sys file in the original scans.) Are they remnants, or does this mean that I'm still infected? (I'm typing this from my connected-to-the-internet boss's computer, yay!)
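A check a defender can run against the "can't find file specified" driver entries described above, as an added example that is not part of the thread: it enumerates kernel-driver services under the Services key (the same key where the Rootkit.Agent entry "tcpsr" lived) and reports those whose ImagePath does not resolve to a file on disk. It assumes Windows PowerShell; the variable and column names are mine.

```powershell
# Added example (not from the thread): list kernel-driver services whose
# ImagePath does not resolve on disk, e.g. leftover entries after a cleanup.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot     = $env:SystemRoot

Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; skip ordinary services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { return }
    $image = [string]$props.ImagePath
    if (-not $image) { return }
    # Normalise the forms ImagePath takes:
    #   "system32\drivers\x.sys", "\SystemRoot\system32\...", "\??\C:\..."
    $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$sysRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $sysRoot $path }
    New-Object PSObject -Property @{
        Service   = $_.PSChildName
        ImagePath = $image
        Start     = $props.Start
        OnDisk    = (Test-Path -LiteralPath $path)
    }
} | Where-Object { -not $_.OnDisk } |
    Select-Object Service, Start, ImagePath, OnDisk | Format-Table -AutoSize
```

An entry with OnDisk false is either a dead remnant or a driver whose file is being hidden from the file API, as the thread's rootkit did; the two cases are told apart by checking the same path from an offline boot or a tool that reads the disk directly.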
AdvancedSetup
Yes, there is probably still something on or wrong with the system and you should follow the instructions here: Pre- HJT Post Instructions


Then post the requested information here: Malware Removal - HijackThis Logs


We realize that this can be a frustrating and annoying time on your computer and we're here to help, but please realize that it does take time and that everyone here is volunteering their time freely to assist others.

Thank you for using and visiting Malwarebytes.
jeanette
QUOTE (AdvancedSetup @ Sep 3 2008, 07:26 PM) *
We realize that this can be a frustrating and annoying time on your computer
Even more so since it's a business -- not like a home computer -- but needed for syncing calendars, etc. and that I've been re-living the old days of running back and forth with a flash drive!

QUOTE (AdvancedSetup @ Sep 3 2008, 07:26 PM) *
and we're here to help, but please realize that it does take time and that everyone here is volunteering their time freely to assist others.
And you guys are doing great! Many thanks!
YoKenny1
QUOTE (jeanette @ Sep 4 2008, 10:23 AM) *
Even more so since it's a business -- not like a home computer -- but needed for syncing calendars, etc. and that I've been re-living the old days of running back and forth with a flash drive!
I remember when stashing a floppy diskette in your shirt pocket was a sign of importance.

QUOTE
And you guys are doing great! Many thanks!
A big thank you for all of your perseverance.
JeanInMontana
QUOTE (jeanette @ Sep 4 2008, 08:23 AM) *
Even more so since it's a business -- not like a home computer -- but needed for syncing calendars, etc. and that I've been re-living the old days of running back and forth with a flash drive!

And you guys are doing great! Many thanks!



You need to follow the instructions given by AdvancedSetup and let someone help you.
gregatkins
I've had to do the cat and mouse deal, I'd run a scan then clean it, reboot and the rogue installers would do their thing. The people here know their job though to help you get back to normal ops. I took the time to actually educate my users on malware, even put up posters from our virus software company and it helped once I got my systems cleaned up.

Depending on your user requirements, how data is saved, network configuration, etc., I'd look into programs like Deep Freeze so you won't waste endless work hours on needless screw ups by your users.
Rotty37
How about updating Malwarebytes to the latest updates and then doing a full scan in safe mode. Would that help?
JeanInMontana
QUOTE (Rotty37 @ Sep 5 2008, 06:57 AM) *
How about updating Malwarebytes to the latest updates and then doing a full scan in safe mode. Would that help?



She is getting help in the proper forum and yes it's always a good plan to update MBAM often. The program is often updated 3 to 4 times a day.