scho1989

GLOBALROOT ESQUL ROOTKIT

Hello. So after hours of researching online, I believe I have the nasty ESQUL rootkit problem. When I try to click Internet Explorer, the message with the globalroot\system32\ESQUL[randomletters] path pops up. When I click "OK", a Windows message shows up telling me that Java isn't working properly and needs to be shut down. After that, IE appears to be running properly, but it probably isn't really, right?

I used to have Symantec Endpoint Protection, but the malware wouldn't let me run a scan, so I tried deleting it with HijackThis. I'm not sure if it worked, but basically I don't think I have any anti-virus protection on my PC right now. I also stupidly tried running ComboFix by myself, and the famous blue screen showed up and I had to restart my computer.

I'm not sure if I'm posting in the right place, but please help me if you can! I would really appreciate it.

Message Edited by scho1989 on 08-21-2009 11:45 PM
dbrisendine

Re: GLOBALROOT ESQUL ROOTKIT

Please download SysProt here http://homepages.slingshot.co.nz/~crutches/SysProt  and run it.

Choose the Log tab and select all the items in the Write to log box. Then select Create Log to start scanning. When it is done, a message window will appear with the location of the log file.

Please attach the log file to a post here; the Add Attachments link is below the orange Post button. Thanks.
Win7 x32 SP1 NIS 21.1.0.18
scho1989

Re: GLOBALROOT ESQUL ROOTKIT

I tried running SysProt; I checked the boxes and clicked Create Log. The blue bar on the bottom was showing that it was scanning, but then a Windows message popped up saying "you need admin privileges... SysProt failed to launch" (something along those lines). My account is an administrator account, so I don't know what the problem is. I clicked OK, and then another window popped up from the program itself with the options of either running a scan on "all drives" or just running a scan of the "root drive". When I tried to run a scan on all drives, the SysProt program would freeze and stop responding, so I just ran it on the "root drive".

Here is the log, attached.

dbrisendine

Re: GLOBALROOT ESQUL ROOTKIT

What is your OS on the system?  (XP, Vista, etc)
scho1989

Re: GLOBALROOT ESQUL ROOTKIT

It's Windows Vista.
dbrisendine

Re: GLOBALROOT ESQUL ROOTKIT

Try running SysProt once more by right clicking it and selecting "Run as administrator" from the context menu.  Let us know how this goes.
scho1989

Re: GLOBALROOT ESQUL ROOTKIT

Thank you for that; it worked just as you said this time.

Attached is the new log.

Quads

Re: GLOBALROOT ESQUL ROOTKIT

Hi

If you have Spybot S&D installed, remove it.

Also, during the restarts with Avenger, if your PC has a startup repair center (like HP and Toshiba machines have), tell it to start normally if it kicks in.

1. Download Avenger to your desktop:

Unzipped version: http://homepages.slingshot.co.nz/~crutches/Avenger/

OR the creator's website, http://swandog46.geekstogo.com/avenger2/avenger2.html, with a zipped version; unzip it to the desktop.

2. Click to run "Avenger.exe" (right-click and "Run as Administrator" if using Vista).

3. In the "Input script here:" box, copy and paste the script between the lines:

----------------------------------------
Drivers to disable:
ESQULserv.sys

Drivers to delete:
ESQULserv.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\Windows\System32\drivers\ESQULdiydhrpxnbayptswrjhqibiqptikcrud.sys
C:\Windows\System32\ESQULzcounter

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\ESQUL
----------------------------------------

Here is a screenshot (the script has been updated since the shot was taken): [image: Avenger.jpg]

Make sure "Automatically disable any rootkits found" is NOT selected.

4. Click "Execute".

You will be asked to restart the PC; click "Yes". When the PC restarts, the load screen will take slightly longer, then, when it looks as though Windows is loading, the PC will restart again.

Then, when Windows fully loads, the Avenger log will be loaded, showing the files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes: http://www.filehippo.com/download_malwarebytes_anti_malware/

Quads
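A post-cleanup check for the indicators the Avenger script above targets, added here as an example and not taken from the thread or from Avenger. The service name, driver and file names, key names and Autorun.inf locations are the ones listed in the script; the function name, its output format, and the decision to check every ControlSet* that exists rather than a fixed 001..010 are mine. The "globalroot" in the error dialog is the \\?\GLOBALROOT\ spelling of an NT object-namespace path that resolves into the same System32 directory, so the ordinary paths below are the right ones to check. Run it from an elevated PowerShell after the Avenger reboots: while the rootkit driver is loaded it hides its own files and keys from user-mode tools (the earlier SysProt failure shows the elevation problem too), so a "clean" result taken beforehand proves nothing.

```powershell
# Added example (not from the thread): verify that the ESQUL indicators named in the
# Avenger script are gone. Run elevated, AFTER the Avenger reboots.
function Test-EsqulIndicators {
    param(
        # Defaults are the names from the Avenger script; nothing else is assumed.
        [string]$ServiceName = 'ESQULserv.sys',
        [string]$FilePrefix  = 'ESQUL',
        [string]$SoftwareKey = 'HKLM:\SOFTWARE\ESQUL'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service entries. The script lists ControlSet001..010 by hand; here every
    #    ControlSet* hive that actually exists is checked, plus CurrentControlSet.
    $controlSets = @('CurrentControlSet') +
        @(Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'ControlSet*' } |
            ForEach-Object { $_.PSChildName })
    foreach ($cs in $controlSets) {
        $key = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
        if (Test-Path -LiteralPath $key) { $findings.Add("service key still present: $key") }
    }
    if (Test-Path -LiteralPath $SoftwareKey) { $findings.Add("key still present: $SoftwareKey") }

    # 2. Is the driver still loaded? Get-Service only lists Win32 services, so ask
    #    WMI for kernel drivers (Get-WmiObject is available on Vista's PowerShell 2.0).
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($drv -and $drv.State -eq 'Running') { $findings.Add("driver still running: $($drv.PathName)") }

    # 3. Dropped files. The rootkit appends a random suffix, so match on the prefix;
    #    -Force includes hidden and system-attribute files.
    foreach ($dir in @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32")) {
        Get-ChildItem -LiteralPath $dir -Filter "$FilePrefix*" -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("file still present: $($_.FullName)") }
    }

    # 4. Autorun.inf in the root of every drive, not just C: and D: as in the script.
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object {
        $inf = Join-Path $_.Root 'Autorun.inf'
        if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf present: $inf") }
    }

    # Always return an array, even when empty, so .Count is reliable on PowerShell 2.0.
    return ,$findings.ToArray()
}

$result = Test-EsqulIndicators
if ($result.Count -eq 0) { 'No ESQUL indicators found.' } else { $result }
```

An empty result after the reboot, together with a clean Malwarebytes scan, is the evidence that step 5 above is asking for; any line it prints is something to post back with the Avenger log.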

scho1989

Re: GLOBALROOT ESQUL ROOTKIT

Hello, so Avenger worked fine. Attached is the log for Avenger.

I then installed, updated, and ran a full scan with Malwarebytes. It found three Trojans, and I tried removing them. Attached is the log for that as well.

Also, I don't think I have Spybot.

Message Edited by scho1989 on 08-23-2009 12:14 AM
Quads

Re: GLOBALROOT ESQUL ROOTKIT

Hi

When you say "It found three Trojans, and I tried removing them," does that mean they still appear on another scan, as the log says "No Action Taken"?

Quads