BleepingComputer.com: ROOTKIT infection

ROOTKIT infection Need help with removal...

#1 NickTTTA (Member), posted 06 July 2009 - 01:53 PM

Firefox, Malwarebytes, SuperAntiSpyware, and HJT will not open. Very randomly iexplorer.exe will open (visible in Process Explorer, but no window is shown) and the audio from commercials will play on the computer. Google is not working properly, nor is ANY search engine I attempt to use.

You guys have helped me before, and I learned a lot, but I feel that I am in need of your expertise again.

Occasionally I am able to open Malwarebytes or SuperAntiSpyware with Process Explorer, but after the reboot the files are still on the computer, with the commercials playing randomly.

Please direct me.

Windows XP Pro SP3

This post has been edited by NickTTTA: 06 July 2009 - 01:54 PM


#2 Budapest (Moderator), posted 07 July 2009 - 01:44 AM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 NickTTTA (Member), posted 07 July 2009 - 09:15 AM

After extracting RR and opening it, I get a "RootRepeal Error - Invalid PE image found!" error.

It is scanning now, however.

#4 NickTTTA (Member), posted 07 July 2009 - 09:27 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/07 09:26
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\rootrepeal\settings.dat
Status: Size mismatch (API: 12, Raw: 0)

Path: C:\WINDOWS\system32\UACdrxxdoqhuidymlo.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjejbfrhdemkilta.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACojqsloerbcklnbg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqaamnfnnspotgxt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrekvygmjdsvyuja.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACynmykcqqltpwvbp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC191.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\user\local settings\temp\~df7c4d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\~dfa52.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\~df2668.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\user\Local Settings\Temp\UAC69eb.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\My Documents\Downloads\All Magician and Mentalisim Books (Total 250+ Books)\Bob Cassidy\Bob Cassidy - The Real Work Of Cold Reading\Bob Cassidy - Shadow Hunter\Bob Cassidy - Shadow Hunter\Bob Cassidy - The Schattenjaeger.pdf
Status: Locked to the Windows API!

This post has been edited by Budapest: 15 April 2010 - 05:53 PM


#5 Budapest (Moderator), posted 07 July 2009 - 04:14 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys

Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes.

#6 NickTTTA (Member), posted 07 July 2009 - 09:04 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2389
Windows 5.1.2600 Service Pack 3

7/7/2009 9:03:11 PM
mbam-log-2009-07-07 (21-03-11).txt

Scan type: Quick Scan
Objects scanned: 163784
Time elapsed: 14 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACjejbfrhdemkilta.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACojqsloerbcklnbg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqaamnfnnspotgxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrekvygmjdsvyuja.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys (Trojan.Agent) -> Quarantined and deleted successfully.
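Read together, posts #4 and #6 show the two views a practitioner wants to reconcile after a first clean-up pass. RootRepeal reads the volume directly and compares what it finds with what the Windows file API enumerates; "Invisible to the Windows API!" is the cross-view discrepancy a rootkit hook produces, whereas a "Locked" hiberfil.sys and allocation-size mismatches on open temp files are ordinary in-use artefacts. The Malwarebytes log, on the other hand, lists what was actually quarantined. The script below is an added example, not code from the thread or from either tool: it parses both logs and reports which API-invisible paths were handled and which remain unaccounted for. The embedded log texts are the thread's own RootRepeal and Malwarebytes output, trimmed to the relevant entries; the class and function names, the `invisible_to_api` test and the regular expressions are this example's own assumptions. On the thread's logs it leaves four UAC-named files that the first Malwarebytes run did not touch, which is consistent with post #8 finding more on the second run.

```python
"""Cross-check a RootRepeal 'Hidden/Locked Files' report against a
Malwarebytes log: which API-invisible paths were quarantined, which were not.
Added example (not the thread's or either tool's code); the two log texts are
the thread's own output, trimmed to the relevant entries, embedded as input.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

ROOTREPEAL_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Scan Time: 2009/07/07 09:26
Windows Version: Windows XP SP3

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\UACdrxxdoqhuidymlo.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACjejbfrhdemkilta.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACojqsloerbcklnbg.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACqaamnfnnspotgxt.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACrekvygmjdsvyuja.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACynmykcqqltpwvbp.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\UAC191.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys
Status: Invisible to the Windows API!
Path: c:\documents and settings\user\local settings\temp\~df7c4d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)
Path: C:\Documents and Settings\user\Local Settings\Temp\UAC69eb.tmp
Status: Invisible to the Windows API!
"""

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2389
Scan type: Quick Scan
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\UACjejbfrhdemkilta.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACojqsloerbcklnbg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqaamnfnnspotgxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrekvygmjdsvyuja.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class HiddenFile:
    path: str
    status: str

    @property
    def invisible_to_api(self) -> bool:
        # "Invisible" = on disk but absent from API enumeration (rootkit hook).
        # "Locked" (hiberfil.sys) and size mismatches on open temp files are
        # normal in-use artefacts and are deliberately not flagged here.
        return self.status.startswith("Invisible to the Windows API")


@dataclass(frozen=True)
class Detection:
    item: str     # file path or registry key as Malwarebytes printed it
    family: str   # e.g. Trojan.TDSS, Rootkit.Trace
    action: str   # e.g. "Quarantined and deleted successfully."


def parse_rootrepeal(text: str) -> List[HiddenFile]:
    """Collect each 'Path:' line with the 'Status:' line that follows it."""
    entries: List[HiddenFile] = []
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append(HiddenFile(path, line[len("Status:"):].strip()))
            path = None
    return entries


# "item (family) -> action": the trailing "(family) -> " anchors the split,
# so parentheses inside a path do not confuse the match.
_MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_mbam(text: str) -> List[Detection]:
    """Every detection line of a Malwarebytes log, files and registry alike."""
    found: List[Detection] = []
    for raw in text.splitlines():
        m = _MBAM_LINE.match(raw.strip())
        if m:
            found.append(Detection(m["item"], m["family"], m["action"]))
    return found


def quarantined_paths(detections: List[Detection]) -> Dict[str, Detection]:
    """File detections reported as quarantined, keyed by lower-cased path:
    NTFS is case-insensitive and the two tools print the same path with
    different casing."""
    return {
        d.item.lower(): d
        for d in detections
        if _DRIVE_PATH.match(d.item) and d.action.startswith("Quarantined")
    }


def correlate(report: str, mbam_log: str) -> Tuple[List[str], List[str]]:
    """Return (handled, remaining): API-invisible paths that Malwarebytes
    quarantined, and those no quarantine line accounts for (report order)."""
    hidden = [e for e in parse_rootrepeal(report) if e.invisible_to_api]
    cleaned = quarantined_paths(parse_mbam(mbam_log))
    handled = [e.path for e in hidden if e.path.lower() in cleaned]
    remaining = [e.path for e in hidden if e.path.lower() not in cleaned]
    return handled, remaining


if __name__ == "__main__":
    handled, remaining = correlate(ROOTREPEAL_REPORT, MBAM_LOG)
    print(f"quarantined {len(handled)} of {len(handled) + len(remaining)} "
          "API-invisible files; still unaccounted for:")
    for path in remaining:
        print("  ", path)
```

The comparison is done on lower-cased paths because the two tools print the same file with different casing; the registry key Malwarebytes removed is parsed too but excluded from the file correlation by the drive-letter check. The "remaining" list is the input to the next scan, not a verdict: a path can be absent from the log simply because the scanner could not see it while the driver was loaded, which is why the moderator wipes the .sys file and reboots before the quick scan.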

#7 Budapest (Moderator), posted 07 July 2009 - 09:10 PM

Reboot, run the Malwarebytes scan again and post the new log. Keep doing this until it shows zero infections. If after 3 runs there are still problems, post back the final log.

#8 NickTTTA (Member), posted 07 July 2009 - 09:18 PM

I just did this again, and it removed 2 more UAC infections. Doing the third scan now.

#9 NickTTTA (Member), posted 08 July 2009 - 09:33 AM

All clean!

#10 Budapest (Moderator), posted 08 July 2009 - 04:20 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#11 NickTTTA (Member), posted 08 July 2009 - 06:55 PM

I'd like to rename you "Budabest" =) Thank you so much!

#12 NickTTTA (Member), posted 08 July 2009 - 09:34 PM

J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6

#13 Budapest (Moderator), posted 08 July 2009 - 10:10 PM

Those Java versions are out of date. Remove them and get the latest:

http://java.com/getjava/

#14 NickTTTA (Member), posted 10 July 2009 - 11:53 PM

Done

#15 Budapest (Moderator), posted 11 July 2009 - 12:59 AM

Then I think you're good to go.