I Was Infected By Rootkit And I Dont Know If Its Already Gone


#1 duzap

Posted 31 December 2007 - 09:07 AM

* First, sorry for my bad grammar :thumbsup:

Hello
I was infected by the following rootkit (and it's also a keylogger):
http://www.bleepingcomputer.com/startups/1...edr5-13803.html

I tried to remove it on my own but I don't know if I succeeded.
I want to be sure that my PC is clean from this rootkit.

So this is what I did:
I took the SAM, SECURITY, SYSTEM, DEFAULT, SOFTWARE files from "C:\System Volume Information\_restore{CA652DDF-F83F-4B6D-8A14-8CE08CA413F2}\RP20\snapshot"
(it's the registry backup from one day before I was infected by this rootkit)
and I changed their names to SAM.new, SECURITY.new etc... and I placed them in C:\WINDOWS\drivers\config

Then I switched to the Windows Recovery Console and I renamed the current files to *.old and renamed the *.new files to the original names (SECURITY, SAM, SOFTWARE etc ...)

This way I think I cleaned my registry from this rootkit, but I'm still not sure that I'm clean.
I also tried to use "ComboFix.exe" and here is the log that I received when it was finished:

ComboFix 07-12-31.4 - Administrator 12/31/2007 15:17:01.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1255.1.1033.18.592 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-11-28 to 2007-12-31  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 13:25	9,028,128	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-31 13:24	10,784	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-31 13:15	---------	d-----w	C:\Program Files\MULEz SCRIPT V6.01
2007-12-31 11:57	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-31 11:56	6,044	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-31 11:56	1,412	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-31 11:49	---------	d-----w	C:\Program Files\Kaspersky Lab
2007-12-30 20:35	91,492	----a-w	C:\WINDOWS\system32\drivers\klin.dat
2007-12-30 20:35	85,860	----a-w	C:\WINDOWS\system32\drivers\klick.dat
2007-12-30 20:32	---------	d-----w	C:\Program Files\Spyware Doctor
2007-12-30 20:21	---------	d-----w	C:\Program Files\Trend Micro
2007-12-30 20:21	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-30 20:08	74,240	----a-w	C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-30 20:08	56,832	----a-w	C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-30 20:07	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-12-30 19:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-30 19:46	---------	d-----w	C:\Program Files\FlashFXP
2007-12-30 19:23	---------	d-s---w	C:\Program Files\HLSW
2007-12-30 19:23	---------	d-----w	C:\Program Files\mIRC
2007-12-30 19:13	---------	d-----w	C:\Program Files\Steam
2007-12-30 14:16	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-30 14:16	107,832	----a-w	C:\WINDOWS\system32\PnkBstrB.exe
2007-12-29 20:02	---------	d-----w	C:\Program Files\Server-Extractor2
2007-12-29 12:57	---------	d-----w	C:\Program Files\Debugging Tools for Windows
2007-12-24 14:25	---------	d-----w	C:\Program Files\The All-Seeing Eye
2007-12-22 19:46	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Ventrilo
2007-12-22 19:45	---------	d-----w	C:\Program Files\VentriloMIX
2007-12-22 19:32	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 13:53	---------	d-----w	C:\Program Files\Teamspeak2_RC2
2007-12-22 12:22	---------	d-----w	C:\Program Files\Lavalys
2007-12-22 10:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 17:50	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2007-12-21 15:52	---------	d-----w	C:\Program Files\Radmin
2007-12-21 12:42	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\mIRC
2007-12-21 11:49	66,872	----a-w	C:\WINDOWS\system32\PnkBstrA.exe
2007-12-21 11:24	---------	d-----w	C:\Program Files\InstallShield Installation Information
2007-12-21 11:15	22,328	----a-w	C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2007-12-21 11:05	---------	d-----w	C:\Program Files\Activision
2007-12-21 11:03	---------	d-----w	C:\Program Files\DAEMON Tools Lite
2007-12-21 10:26	715,248	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-12-21 09:36	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\teamspeak2
2007-12-21 09:32	---------	d-----w	C:\Program Files\Winamp
2007-12-21 09:32	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Winamp
2007-12-21 09:21	---------	d-----w	C:\Program Files\Google
2007-12-21 08:15	---------	d-----w	C:\Program Files\RealVNC
2007-12-20 21:15	---------	d-----w	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-20 20:24	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\FlashFXP
2007-12-20 20:00	---------	d-----w	C:\Program Files\MSXML 6.0
2007-12-20 19:57	---------	d-----w	C:\Program Files\MSXML 4.0
2007-12-20 19:55	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-12-20 15:59	---------	d-----w	C:\Program Files\microsoft frontpage
2007-12-20 15:53	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-11-18 13:04	---------	d-----w	C:\Program Files\QIP
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:35	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-27 15:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07/22/2007 01:14 PM 61952 C:\WINDOWS\system32\HDAShCut.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04/19/2007 01:26 PM 7700480]
"nwiz"="nwiz.exe" [04/19/2007 01:26 PM 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [04/19/2007 01:26 PM 86016 C:\WINDOWS\system32\nvmctray.dll]
"Cmaudio"="cmicnfg.cpl" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM 218376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 01:56 AM 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [05/12/2005 02:39 PM]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [04/04/2007 02:58 PM]

*Newly Created Service* - FSBL-STANDALONE 
*Newly Created Service* - KL1 
*Newly Created Service* - PROCEXP90 
.
Contents of the 'Scheduled Tasks' folder
"2007-12-30 19:15:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{60F7B7D1-C0B6-471D-9791-4591A2DB2100}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 15:25:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 12/31/2007 15:26:06
.
2007-12-21 15:22:10	--- E O F ---

And I also attach here HijackThis' log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:30, on 31/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.one.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9618202-FD99-419E-902A-CBD36937CCEB}: NameServer = 62.219.186.7 192.115.106.35
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3915 bytes

Please help me as soon as possible. Thanks in advance.
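A check a log reviewer would run over the two logs above, added here as an example and not part of the original post or of either tool: it parses HijackThis `O4`/`O17`/`O23` lines and ComboFix "Reg Loading Points" lines and lists the entries worth a second look. The sample lines are copied from the logs in the post; reading ComboFix's empty trailing `[]` as "file not located on disk" is an assumption of this example.

```python
import re

# Constructed sample: lines copied from the HijackThis and ComboFix logs posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9618202-FD99-419E-902A-CBD36937CCEB}: NameServer = 62.219.186.7 192.115.106.35
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
COMBOFIX_SAMPLE = r"""
"Cmaudio"="cmicnfg.cpl" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM 218376]
"nwiz"="nwiz.exe" [04/19/2007 01:26 PM 1626112 C:\WINDOWS\system32\nwiz.exe]
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CF_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<meta>[^\]]*)\]$')

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, e.g. ('O23', 'Service: ...')."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out

def review(entries):
    """Triage notes (section, reason, body) for the entries a log reviewer reads first.
    A bare file name in O4 is not itself suspicious; it only means the target is resolved
    through the search path, so it should be cross-checked against the ComboFix output."""
    notes = []
    for sec, body in entries:
        if sec == "O23" and " - Unknown owner - " in body:
            notes.append((sec, "service binary carries no publisher information", body))
        elif sec == "O17":
            notes.append((sec, "DNS servers set by hand; confirm they belong to the ISP", body))
        elif sec == "O4" and "\\" not in body.split("] ", 1)[-1]:
            notes.append((sec, "autostart target given without a full path", body))
    return notes

def combofix_unresolved(text):
    """Names from a ComboFix 'Reg Loading Points' block whose trailing [] is empty.
    Assumption of this example: an empty [] means ComboFix did not find the file on disk."""
    return [m.group("name") for m in (CF_LINE.match(l.strip()) for l in text.splitlines())
            if m and not m.group("meta").strip()]
```

Entries flagged by `review` are starting points for a reviewer, not verdicts; the ComboFix cross-check shows which `O4` target actually had no file behind it.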

#2 Grinler (Lawrence Abrams)

Posted 23 January 2008 - 09:31 PM

I apologize for the very long delay. We have a huge backlog of HijackThis logs to handle and it has been taking us longer than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.
