Web User Forums > Security > HijackThis logs help and analysis

#1, 02-12-11, 20:38
mikec1 (Familiar face, joined Dec 2011, 14 posts)
Aftermath of Aluroot in Avast?

Avast Free on my Desktop (XP SP3) reported stopping a rootkit and recommended a boot time scan to complete cleanup. Did that, several infections found which I sent to the Chest & all went well until the Avast orange sphere came up with an error symbol and couldn't update. Neither FF nor IE7 will connect to any website and I get no action from 192.168.1.1 to look at the router.

Network Connections shows a good signal and I am using my wife's laptop on the same wireless connection so that's OK.

Avast interface shows the Web Shield is disabled and none of the obvious ways re-enable it.

The files sent to the chest today (and the infections shown) are ProcessLogger.exe (Win32:PUP-gen), json\XML.class (Java Agent - ADT), json\Option.class (Java Agent - ADL) and ipsec.sys (Win32:Aluroot).

I guess the last was the rootkit but don't know if the others are associated, or indeed what to do next or what is actually stopping the internet connection/page display.

Maybe the files could be reinstated and then another boot scan run, setting the action to Repair instead of Move to Chest, as everything worked when they were in place!

System Restore doesn't work in normal or Safe Mode. Start>Run>ipconfig just flashes on and off. Start>Run>CMD>ipconfig returns "An internal error has occurred. The request is not supported. Pls contact MS Product Support Services for further help. Additional info: Unable to query host name"

Any ideas very welcome please.
#2, 02-12-11, 21:32
kevinf80 (Global Moderator, Sunderland, UK, joined Feb 2008, 1,890 posts)
Re: Aftermath of Aluroot in Avast?

Download Farbar Service Scanner and transfer it to the Desktop of the computer with the issue. Double click to run; Vista or Windows 7 users right click and select "Run as Administrator".


  • Check "Include All Files" option.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Kevin
#3, 03-12-11, 10:54
mikec1 (Familiar face)
Re: Aftermath of Aluroot in Avast?

Thanks for your reply. Here's the log:

Farbar Service Scanner
Ran by Compaq_Administrator (administrator) on 03-12-2011 at 11:46:05
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****


I hope you can clear this up! Will I need to reinstate the system files in the Avast Chest?
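The FSS log above tells the whole story once you read the four service blocks together: on XP the Tcpip driver's service key lists IPSec in DependOnService, so when the infected ipsec.sys was quarantined and the IpSec service key disappeared with it, Tcpip could not start, and Dhcp and Dnscache (which sit on top of Tcpip) stayed down too, which is why ipconfig fails and even localhost is blocked. The File Check section matters as well: every driver, ipsec.sys included, has a legitimate MD5, so the damage is in the registry, not on disk. The following is an added example written for this page (not part of FSS or of any post): a small parser that reads an FSS.txt and separates "service is stopped" from "service key is gone" from "system file is patched", which is the triage a helper does by eye. The sample input is the log posted above, trimmed to the lines the parser uses.

```python
"""Triage a Farbar Service Scanner (FSS.txt) log.

Added example for this thread, not part of FSS or of any post.  The sample
is the log posted above, trimmed to the lines the parser uses.
"""
import re
from dataclasses import dataclass, field

SAMPLE_FSS_LOG = r"""Farbar Service Scanner
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.

File Check:
===========
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

Connection Status:
==================
Localhost is blocked.
There is no connection to network.

**** End of log ****
"""

SECTIONS = ("Service Check", "File Check", "Connection Status")
SERVICE_RE = re.compile(r"^(\S+) Service is (running|not running)\.")


@dataclass
class ServiceStatus:
    name: str
    running: bool
    problems: list = field(default_factory=list)  # FSS "Attention!" lines


@dataclass
class FssTriage:
    services: dict = field(default_factory=dict)   # name -> ServiceStatus
    bad_files: list = field(default_factory=list)  # (path, verdict) when MD5 is not legit
    connection: list = field(default_factory=list)


def parse_fss(log: str) -> FssTriage:
    """Single pass over the log; the section header decides how a line is read."""
    triage, section, current = FssTriage(), None, None
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section, current = line[:-1], None
            continue
        if not line or line[0] in "=*":  # rulers, banner and "End of log"
            continue
        if section == "Service Check":
            m = SERVICE_RE.match(line)
            if m:
                current = ServiceStatus(m.group(1), m.group(2) == "running")
                triage.services[current.name] = current
            elif current is not None and "Attention!" in line:
                current.problems.append(line)
        elif section == "File Check":
            path, sep, verdict = line.partition(" => ")
            if sep and verdict != "MD5 is legit":
                triage.bad_files.append((path, verdict))
        elif section == "Connection Status":
            triage.connection.append(line)
    return triage


def stopped_services(triage: FssTriage) -> list:
    return sorted(n for n, s in triage.services.items() if not s.running)


def missing_service_keys(triage: FssTriage) -> list:
    """Services whose registry key FSS could not open at all (deleted, not just damaged)."""
    return sorted(n for n, s in triage.services.items()
                  if any("service key does not exist" in p for p in s.problems))


if __name__ == "__main__":
    t = parse_fss(SAMPLE_FSS_LOG)
    print("stopped:", stopped_services(t))
    print("missing keys:", missing_service_keys(t))
    print("bad files:", t.bad_files, "| connection:", t.connection)
```

Run it against a real FSS.txt by replacing the sample string with `open("FSS.txt").read()`. A service that is stopped but whose key is intact only needs `net start`, which is what a batch file like fixit.bat does; a service whose key "does not exist" needs the key recreated first, and no amount of restarting will help until then.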
#4, 03-12-11, 16:00
kevinf80 (Global Moderator)
Re: Aftermath of Aluroot in Avast?

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.


I've attached two zip files, fixme.zip and fixit.zip. Unzip both of these files to your Desktop.

Run them in this order:

1. double click on fixme.reg, accept any alerts. Re-boot.
2. double click on fixit.bat, accept any alerts. Check connection, if still not right, re-boot and check again.

Kevin
Attached files: fixme.zip (713 bytes, 39 views), fixit.zip (279 bytes, 25 views)
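What a fix like fixme.reg has to contain, as an added example written for this page and not the moderator's actual attachment (the page does not show its contents): a Registry Editor 5.00 file that recreates a kernel-driver service key. The awkward part of writing one by hand is the encoding: REG_DWORD is written as `dword:` plus eight hex digits, REG_SZ as a quoted string with backslashes and quotes escaped, while REG_EXPAND_SZ and REG_MULTI_SZ are written as `hex(2):` and `hex(7):` byte lists, the UTF-16LE bytes of the text with a terminating NUL (and, for MULTI_SZ, one extra NUL closing the list). The IpSec values below are what I recall a stock XP SP3 install carrying (Type 1 = kernel driver, Start 1 = system start, ErrorControl 1, ImagePath system32\DRIVERS\ipsec.sys, DisplayName "IPSEC driver", Group PNP_TDI); treat them as assumptions and confirm them against a known-good XP SP3 machine (regedit, File > Export of the same key) before importing, and take the ERUNT backup first exactly as the post says. FSS showed ipsec.sys on disk with a legitimate MD5, so it is the key, not the file, that needs restoring here.

```python
r"""Emit a Registry Editor 5.00 file that recreates a kernel-driver service key.

Added example for this thread; it is not the moderator's fixme.reg, whose
contents the page does not show.  The IpSec values below are what I recall
a stock XP SP3 install carrying and are assumptions to verify against a
known-good machine before importing.
"""
from dataclasses import dataclass
from typing import Sequence, Union


@dataclass(frozen=True)
class ExpandSz:          # REG_EXPAND_SZ, stored in .reg files as hex(2)
    value: str


@dataclass(frozen=True)
class MultiSz:           # REG_MULTI_SZ, stored as hex(7)
    values: Sequence[str]


RegValue = Union[int, str, ExpandSz, MultiSz]


def _hex_bytes(data: bytes) -> str:
    return ",".join(f"{b:02x}" for b in data)


def _quote(s: str) -> str:
    # .reg string syntax escapes backslash and double quote.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_value(name: str, value: RegValue) -> str:
    """One "name"=... line; a plain int becomes REG_DWORD, a plain str REG_SZ."""
    if isinstance(value, bool):
        raise TypeError("use an int for REG_DWORD")
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD out of range")
        body = f"dword:{value:08x}"
    elif isinstance(value, str):
        body = _quote(value)
    elif isinstance(value, ExpandSz):
        # UTF-16LE bytes of the string plus its terminating NUL.
        body = "hex(2):" + _hex_bytes((value.value + "\0").encode("utf-16-le"))
    elif isinstance(value, MultiSz):
        # Each string NUL-terminated, then one more NUL closes the list.
        blob = "".join(s + "\0" for s in value.values) + "\0"
        body = "hex(7):" + _hex_bytes(blob.encode("utf-16-le"))
    else:
        raise TypeError(f"unsupported value type {type(value).__name__}")
    return f"{_quote(name)}={body}"


def reg_file(key: str, values: dict) -> str:
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [format_value(n, v) for n, v in values.items()]
    return "\r\n".join(lines) + "\r\n"


def decode_hex_line(line: str) -> Union[str, list]:
    """Turn a hex(2)/hex(7) line back into text, to check a fix before importing it."""
    _, _, body = line.partition("=hex(")
    kind, _, data = body.partition("):")
    text = bytes(int(h, 16) for h in data.split(",") if h).decode("utf-16-le")
    if kind == "7":
        return [s for s in text.split("\0") if s]
    return text.rstrip("\0")


def save_reg(path: str, text: str) -> None:
    # regedit 5.00 exports are UTF-16LE with a BOM; write the same so it round-trips.
    with open(path, "w", encoding="utf-16-le", newline="") as f:
        f.write("\ufeff" + text)


# Assumed stock XP SP3 values for the IPSEC driver service (verify before use).
IPSEC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec"
IPSEC_VALUES = {
    "Type": 1,                                   # SERVICE_KERNEL_DRIVER
    "Start": 1,                                  # SERVICE_SYSTEM_START
    "ErrorControl": 1,                           # SERVICE_ERROR_NORMAL
    "ImagePath": ExpandSz(r"system32\DRIVERS\ipsec.sys"),
    "DisplayName": "IPSEC driver",
    "Group": "PNP_TDI",
}

if __name__ == "__main__":
    print(reg_file(IPSEC_KEY, IPSEC_VALUES))
```

Save the output with `save_reg("fixme.reg", ...)`, import it by double clicking or with `regedit /s fixme.reg`, and reboot so the system-start driver is actually loaded; that reboot, not the import, is what brought the connection back in this thread. The lines are not wrapped with the trailing-backslash continuation regedit uses on export, which regedit accepts on import.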
#5, 05-12-11, 09:00
mikec1 (Familiar face)
Re: Aftermath of Aluroot in Avast?

Thanks. I've downloaded the three files and now have to transfer them to the desktop.

Hopefully, I will be back within the hour!

Mike
#6, 05-12-11, 09:28
mikec1 (Familiar face)
Re: Aftermath of Aluroot in Avast?

Hi Kevin

ERUNT install didn't give me an option to say no to adding to the Start Folder, so I got this far:

Cancelled install at this stage - is it ok to proceed with these settings?
#7, 05-12-11, 09:34
kevinf80 (Global Moderator)
Re: Aftermath of Aluroot in Avast?

Yep just continue...
#8, 05-12-11, 10:07
mikec1 (Familiar face)
Re: Aftermath of Aluroot in Avast?

Wow! The connection has come back and seems ok just after running fixme.reg & rebooting. Do I still need to run fixit.bat?
#9, 05-12-11, 10:24
kevinf80 (Global Moderator)
Re: Aftermath of Aluroot in Avast?

No need to run fixit.bat, that was just to start the services if necessary. Good to hear you've got your connection back. You can delete those files, also uninstall ERUNT, unless you want to keep it.

Do the following :-

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

We need to see some additional information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
        1. DDS.txt
        2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Let me see the log from Malwarebytes and both logs from DDS in your reply. I've got to go out in about 10 minutes and won't be back until about 6:30 pm, I'll have a look at your logs then... Okey Dokey...

Kevin
#10, 05-12-11, 10:41
mikec1 (Familiar face)
Re: Aftermath of Aluroot in Avast?

OK. It will take some time to do all that, but I already have MBAM so that's a help

See you later!
© Dennis Publishing Limited Licensed by Felden
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Copyright Dennis Publishing 2010, All rights reserved