Suspected rootkit infection in afd.sys --> remnants of crypt.awql?

Hi,

i was redirected from another topic to post several logs: my helper suspects rootkit infection in one of my files.
(i am posting logs of my pc from my laptop, since on the pc the internet is killed dead after trying to remove the virus.)

i had an infection involving crypt.aqlw + generic26.bhlg + stuff, that i thought to have removed by avast boot time scan, but something seems to be left in afd.sys, which 5 out of 20 scanners of jotti find infected.

symptom is, that the firewall is disabled, and i can not start it because of error 10050...  defogger_disable.log   854bytes   0 downloads

help me please so that i can have my net fixed!

Thanks for your aid in advance!

bye

Hi

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

NEXT

as you know afd.sys is infected already, we need to look for a replacement for it on your machine

please rename the FSS.txt to FSS1.txt as the next scan will overwrite the first scan and I need to see it.


Re-run Farbar Service scanner, this time type

afd.sys into the search window, now press the "Search Files" button, a new FSS.txt log will be created. Please post the contents of FSS.txt and the renamed FSS1.txt

Hi,

thanks for the help!

I have attached the logs.

Bye

Hi,

Please do the following;

Go to start > run > type cmd into the open run box > OK
this will open a command window

Copy/paste the following text into the command window

ren C:\WINDOWS\system32\drivers\afd.sys afd.vir
copy /y C:\WINDOWS\ServicePackFiles\i386\afd.sys C:\WINDOWS\SYSTEM32\DRIVERS
dir C:\WINDOWS\SYSTEM32\DRIVERS\afd*>log.txt
start notepad log.txt
exit
cls

post the content of the log that opens

reboot and see if you can now connect

Hi,

thanks for the tip: i can go online again!

Here is the log (hopefully the crippled hungarian texts won't bother you):

A meghajt˘ban © l‚v‹ k”tet XP.
A k”tet sorozatsz ma: 2819-1A12

C:\WINDOWS\SYSTEM32\DRIVERS tartalma:

2008.04.13. 12:19 138˙112 afd.sys
2008.04.13. 12:19 138˙112 afd.vir
2 f jl 276˙224 b jt
0 k”nyvt r 17˙296˙248˙832 b jt szabad

So i can go online, but the still active Malwarebytes steadily reports about contact attempts (inbound/outbound) to suspicious sites like 67.215.246.204 etc.

Does it mean, that the virus still resides on my comp somewhere?

Many thanks already...

Bye

yes, we still have to clean you up, I just wanted to get you connecting again, so that it will be easier for you to download the tools and post back the logs:

Please run the following:


Please download TDSSKiller.zip

• Extract it to your desktop
• Double click TDSSKiller.exe
• when the window opens, click on Change Parameters
• under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
• click OK
• Press Start Scan
  
  • If Malicious objects are found then ensure Cure is selected
  • If TDLFS File System is found then ensure Delete is selected
  • Then click Continue > Reboot now
• Copy and paste the log in your next reply
  
  • A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Hi,

thanks for the help!

I ran the mentioned tools: the logs are attached.
(TDSSKiller did not find anything, but ComboFix found a rootkit infection.)

Is the comp clear now?
Thank you really much!

Bye

Hi,

We just have a little more work to do so i can make certain you are clean,

please do the following:

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\documents and settings\Dave\Application Data\Umoluxf
c:\documents and settings\Dave\Application Data\Iluwuwg

DDS::
uStart Page = about:blank

FireFox::
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\idthkhz0.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - 94.199.48.81
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 94.199.48.81
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 94.199.48.81
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 94.199.48.81
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 94.199.48.81
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix may request an update; please allow it.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

• Please open your MalwareBytes AntiMalware Program
• Click the Update Tab and search for updates
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- very important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activeX control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• When the scan completes, press the LIST OF THREATS FOUND button
• Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
• Include the contents of this report in your next reply.
• Press the BACK button.
• Press Finish

NEXT


Please advise how the computer is running now and if there are any outstanding issues

Hi,

I performed the scans, the logs are attached.

combofix did not find anything on the recent run.
(Btw. what does it do to my machine approximately? Does it modify certain settings? Does it delete something? It surely modified a several things: e.g. it changed iexplore to be my default browser, etc. And what were those proxy-like settings you fed into it?)

malwarebytes did not find anything either.

ESET ran for quite a while and it found 10 items.
Most of them are some sort of keygens: can it be a false alarm? Or are they evil?

To make sure, I let jotti scan the suspicious files: most of them were indeed red at several scanners. (Logs attached)
Some of them were even real-time quarantined be MBAM before the scan.

So I should not feel myself secure yet, am I right?

You also asked for suspicious behavior:
- First of all, the net seems OK --> that is great!
- But there are also some negatives: system restore is still not operational --> but it was dead already before the whole stuff begun.
- iExplore was automatically set as default browser
- Alcohol 120% does not let itself be uninstalled --> maybe because of defogger?
- This is sort of all that I could recognize lately.

Thanks for your previous and further aid!

Bye
-

Hi

ComboFix is deleting the malware on your machine, it does reset items back to their default settings as a precaution in case malware has changed the defaults, same with those proxy settings, set back to default, you can just easily set Firefox as your default browser if that's what you choose etc. custom settings are generally easy to set. (let me know if you have any difficulty with any of your custom preferences)

Yes keygens are generally evil, they enable you to steal software, so of course they are going to be exploited by malware writers to spread their wares, they are inevitably infected and can wreak havoc on a system, it really isn't worth it:

I would avoid torrents and P2P in the future, most of the infections we see are because users download pirated programs, cracks and keygens.

Try REVO for uninstalling Alcohol:

Download and install the Revo Uninstaller

• Double click the new Revo Uninstaller icon on your desktop to start the program
• Scroll through the listed programs and Right Click on the program you wish to uninstall
• From the pop out menu choose Uninstall
• Click Yes to the confirmation dialogue
• In the next window select the Advanced mode
• Click Next to start uninstalling the program
• Answer Yes to confirm the uninstall
• When the program has completed the four steps, click Next to allow the program to search for leftovers
• Once complete, click Next, then Finish
• Repeat the above steps for any other programs you wish to remove.

please run Farbar Service Scanner, see if we can figure out why system restore isn't working:

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

NEXT

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
• They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

NetSvc::
SetupNT
PAC7302
cwafrmiregistry
ntsecure
vcommmgr
omniinet
bhmonitorservice
3compxe
AFGMp50
dlcf_device
oracleorahomeagent
ASNDIS5
NetTcpActivator
liveupdate

File::
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe	
C:\WINDOWS\FixCamera.exe	
E:\6 Installers\42 Fájlszerkeszt?k\Unlocker\Unlocker1.9.1.exe	
E:\6 Installers\54 Toolok\Alcohol120%\Alcohol 120 v.1.9.6 full version+serial\Alcohol 120 v.1.9.6 full version+serial.rar	
E:\6 Installers\81 Tervez?programok\ProE_WF4\ProE.WF4.M130x32.Eng.part01.rar	
E:\6 Installers\81 Tervez?programok\ProE_WF4\ProE_WF4_M130x32_eng\ProE_WF4_M130x32_eng.iso	
E:\6 Installers\_atnezni\NERO\nero7\Keygen_premium_approve_zsi.exe	
E:\6 Installers\_atnezni\NERO\nero7\Ahead.Nero.v7.0.1.4.Premium.not approvd\Keygen.exe	
E:\6 Installers\_atnezni\NERO\nero7\nero7xxxkeygen_not approved\nero7keygen.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix may request an update; please allow it.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Hi,

i ran the tools, the logs are attached.

Thanks in advance!

Bye

Hi,

How is the computer running now? are there any outstanding issues?

NEXT

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
• Scroll down to where it says Java SE 6 Update 31
• Click the Download button under JRE to the right.
• Read the License Agreement then select Accept License Agreement
• Click on the link to download Windows x86 Offline and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u31-windows-i586.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    Applications and Applets
    Trace and Log Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Temporary Files Window
• Click OK to leave the Java Control Panel.

Hi,

i updated the two programs: thanks for the hint.

The remaining issues are that i still can't create a system restore point, and that although we already scanned and double scanned the computer, AVG started suspecting some rootkit issue in an ntkrnlpa.exe file lately.

The result screen contains following data:
"Object name";"<unknown>"
"Detection name";"Corrupted section ntkrnlpa.exe[PAGE] NtConnectPort+0x1ED8, size 4 bytes"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""

i let jotti scan all the found ntkrnlpa.exe with no positives.

What can it be that combofix did not find??

Thanks for the help!

Bye

ntkrnlpa.exe is a core component of windows, the NT Kernel behaves in the same way as a rootkit file,
http://en.wikipedia.org/wiki/Architecture_of_Windows_NT

There is a possibility that it may be a corrupted file, we can see if there is a replacement on the machine to swap it out with just as a precaution:


Please run Farbar Service Scanner.

Type the following in the edit box after "Search:".

ntkrnlpa.exe


Click Search Files button and post the log (FSS.txt) it makes to your reply.

Hi,

here is the log:
 FSS_20120422_1.txt   1.85K   1 downloads

Thanks!

Bye