
Rootkit Found... What Should I Do?


8 replies to this topic

#1 Bone Idol

Bone Idol

  • Members
  • 393 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 12 December 2007 - 04:29 AM

Hi all.

My Rootkit software has found a rootkit - but then warns me that it might cause a disaster if I remove it.

I don't know what to do.

Any help?

Thanks.

[Two posted images (Photobucket screenshots of the rootkit scanner result)]

Edited by rigel, 12 December 2007 - 10:21 AM.
Moved to a more appropriate forum ~ rigel




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:49 AM

Posted 12 December 2007 - 03:21 PM

I can't read the name of the file in your image. Could you type the name in your next reply or post the log file? By default the file will be saved with a .csv extension. You can use Notepad to open it and copy/paste the results back here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 buddy215

buddy215

  • BC Advisor
  • 13,004 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:49 AM

Posted 12 December 2007 - 03:41 PM

Quietman7:
This is what I see after clicking on the Photo Bucket link.

Rootkit type---Hidden driver file
C:\WINDOWS\System32\Drivers\a5kvtrfn.SYS

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics... you are all stardust.” ~ Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 Bone Idol

Bone Idol
  • Topic Starter

  • Members
  • 393 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 12 December 2007 - 04:59 PM

What buddy has there is all I can find.

There is no log because I haven't yet deleted the rootkit.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:49 AM

Posted 12 December 2007 - 06:52 PM

I can't find any info on it.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\a5kvtrfn.SYS <- this file
Click "Open", then click the "Submit" button.
Please copy the results and paste them in your next reply.

Download submit files packer.
Extract (unzip) the file to the desktop. (Click here for information on how to do this if not sure.)
  • Highlight the file to submit, right-click and select copy.
  • Double-click on sfp.exe to start the file packer program
  • Right-click in the white box and select paste to paste the copied file names in the field.
  • Press the Continue button.
  • It will create an archive with the files and a small log on your Desktop that starts with a name "requested-file[date].cab".
  • Rename this file to yourmembername.cab (for example grinler.cab).
  • Click on this link -> Submit Malware Sample to Bleeping Computer for analysis.
  • Fill in the required fields and browse to this file on your desktop.
  • Click on the Send File button.


#6 Bone Idol

Bone Idol
  • Topic Starter

  • Members
  • 393 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 12 December 2007 - 09:10 PM

Quietman - I opened Browse and couldn't find the 'a5kvtrfn.SYS' file in C:\WINDOWS\System32\

So I ran AVG Rootkit again, and the baddy now comes up as C:\WINDOWS\System32\avq9mqqi.SYS

So I immediately opened Browse again and looked for it... but it's not there.

Ah! I've just noticed that with this new file name, when I checked the box to remove it - there is no warning that pops up to tell me that this might cause damage to my system.

Oops, must edit again. A notice of warning DID pop up when I've now clicked the 'Remove selected items' button.

As a newbie, I can't understand how Jotti's Virusscan works. It only asks for one file at a time.

Edited by Bone Idol, 12 December 2007 - 11:19 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:49 AM

Posted 13 December 2007 - 06:20 AM

Are you using Daemon Tools? It uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software. These are some examples I have seen.

\SystemRoot\System32\Drivers\aipoo3sv.sys
\SystemRoot\System32\Drivers\a8gmqt1g.sys
\SystemRoot\System32\Drivers\a17bv1ll.sys
\SystemRoot\System32\Drivers\a6coz31f.sys
\SystemRoot\System32\Drivers\a8w1z6pv.sys
\SystemRoot\System32\Drivers\ajmgz8bs.sys

It uses semi-random names but always with a*******.sys and is 8 characters long (combination of letters/numbers). I have read that the name changing routine may be due to the fact that Daemon Tools is sometimes used to circumvent anti-piracy measures in games so the player does not have to keep swapping out CDs. Thus, the name change may be an attempt to stop the anti-piracy systems detecting its presence.
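The naming heuristic quietman7 gives above (`a` followed by seven letters or digits, `.sys` extension, in System32\Drivers) can be turned into a small triage script. This is an added example, not code from the thread or from AVG, Daemon Tools or BleepingComputer; the "Drivers" directory and its contents are constructed in a temporary folder so it runs offline, and the SHA-256 it produces is what you would submit to an online scanner such as VirusTotal rather than the file itself.

```python
import hashlib
import os
import re
import tempfile

# Pattern from quietman7's post: "a" + 7 letters/digits + ".sys", i.e. an
# 8-character base name. Case-insensitive because AVG reported ".SYS".
DAEMON_STYLE_NAME = re.compile(r"^a[a-z0-9]{7}\.sys$", re.IGNORECASE)


def basename_of(windows_path: str) -> str:
    """Return the file name part of a Windows path (handles \\ and /)."""
    return windows_path.replace("\\", "/").rsplit("/", 1)[-1]


def matches_daemon_tools_pattern(path: str) -> bool:
    """True when the file name fits the semi-random a*******.sys scheme."""
    return DAEMON_STYLE_NAME.match(basename_of(path)) is not None


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(reported_paths, drivers_dir):
    """For each anti-rootkit hit record: does the name fit the known benign
    pattern, is the file visible to the ordinary file API (the poster could
    not find it with the Browse dialog), and its SHA-256 when it is visible."""
    results = {}
    for p in reported_paths:
        name = basename_of(p)
        on_disk = os.path.join(drivers_dir, name)
        visible = os.path.isfile(on_disk)
        results[name] = {
            "daemon_style_name": matches_daemon_tools_pattern(p),
            "visible_to_file_api": visible,
            "sha256": sha256_of(on_disk) if visible else None,
        }
    return results


def demo():
    # Constructed sample directory: the hidden driver from the thread is
    # deliberately absent, mirroring the poster's Browse-dialog result.
    with tempfile.TemporaryDirectory() as d:
        for fname in ("aipoo3sv.sys", "ntfs.sys"):
            with open(os.path.join(d, fname), "wb") as f:
                f.write(b"MZ placeholder bytes, not a real driver")
        reported = [r"C:\WINDOWS\System32\Drivers\a5kvtrfn.SYS",   # thread
                    r"\SystemRoot\System32\Drivers\aipoo3sv.sys",  # post #7
                    r"\SystemRoot\System32\Drivers\ntfs.sys"]
        return triage(reported, d)
```

A hit that matches the pattern but is invisible to the file API is still only a lead: the thread itself shows the name changing between scans, so hash and submit whatever copy is visible rather than deciding from the name alone.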

#8 Bone Idol

Bone Idol
  • Topic Starter

  • Members
  • 393 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 13 December 2007 - 08:55 PM

No, I don't use Daemon Tools.

As a frequent torrent downloader I've got PeerGuardian2 installed which might be changing my file names to keep my IP ID one step ahead of the spies.

I finally took the plunge and clicked the 'Remove selected items' button - and all worked out okay. No problems.

Thanks very much for your time and help, Quietman. Much appreciated.

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:49 AM

Posted 14 December 2007 - 05:53 AM

You're welcome.