BleepingComputer.com: Security Tool malware

I'm an airline mechanic by trade, so it's safe to say computers are just a hobby for me. I've been building my on rigs for ten or so years now, as well as a few for friends, not to mention I did the IT stuff for a small Vet clinic for a few years, and have learned a lot of what and what not to do over the years from wonderful sites like this one. That being said - over the years I have become the 'go to' guy for computer related issues of family and friends. I had to deal with the above mentioned app this past weekend on a friends box. Through this site (I googled 'security tool', bleeping computer was the second choice. I've been here before, for the same issue, so I came here first). MBAM took care of the problem. Thanx again! A day later, Security Tool popped up on my computer. AVG 9.0 (free) said I had an infection, so I quarantined it and stopped my downloads. After I did that, I was up a creek. Full blown infection. MBAM solved my problem, but it took a lot longer than the previous computer I fixed the day before. I have been told that this little jewel has mutated itself, and is harder to detect and repair since it's first introduction. Is this true? Where can I learn more about these malware apps and how to avoid them? I'd like to know for myself, as well as pass the info on to family and friends to keep them from dealing with the hassles I had to this past weekend?

Thanx for all you do!

Welcome to BC
You more than likely have a rootkit infection hanging on


We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
    
    
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
    
    
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
  
  
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

==========================


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

• This tool will create a diagnostic report
  
• Double-click on Win32kDiag.exe to run and let it finish.
  
• When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  
• A file called Win32kDiag.txt should be created on your Desktop.
  
• Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

--------------------------------------


Go to > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

From WIn32KDiag -
Running from: C:\Documents and Settings\Jack\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Jack\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

And from Root Repeal -

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 19:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7BD9000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8CA3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7B16000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\$avg\$chjw\2dec7675-d222-499a-a987-35053b18b438
Status: Size mismatch (API: 991456, Raw: 987320)

Path: c:\$avg\$chjw\924bb4ad-5030-48ad-83c1-bae16657b4fe
Status: Size mismatch (API: 1119876, Raw: 1111620)

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-053A1D30.pf
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Handle [Index: 240, Type: Event]
Process: upsd.exe (PID: 2972) Address: 0x86556aa0 Size: -

Object: Hidden Handle [Index: 252, Type: File]
Process: upsd.exe (PID: 2972) Address: 0x8566a690 Size: -

==EOF==
From Log.txt -


Volume in drive C is WD 1
Volume Serial Number is 7C65-87C0

Directory of C:\WINDOWS\system32

04-Aug-04 03:56 180,224 scecli.dll

Directory of C:\WINDOWS\system32

04-Aug-04 03:56 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04-Aug-04 03:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

04-Aug-04 03:56 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04-Aug-04 03:56 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04-Aug-04 03:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
6 File(s) 1,286,144 bytes
0 Dir(s) 4,471,099,392 bytes free

I have learned that I have the W32/cryptor trojan, but still cannot get rid of it.

What next?

I really do appreciate your help!

Using the logs you created, follow these steps



Now that you were successful in creating those two logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/topic34773.html

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/forum22.html

The HJT team is extremely busy, so be patient and good luck

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic271024.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom