Files Needed.



#1 XRainBoX


Posted 21 January 2008 - 12:26 AM

Hello people, how are you? So, my Windows XP is infected. I've downloaded Prevx CSI and it detected 3 files....

They are:

c:\windows\system32\basemsb32.dll
c:\windows\system32\DRIVERS\Ip6Fw.sys
c:\windows\system32\Ip6Fw.sys

following image:

[screenshot not reproduced]


So, knowing which files were infected, I (noob) logged into my Ubuntu 7.10 (I'm on it now :thumbsup: ) and simply located those files and deleted them! Now when I select Windows to boot, after Windows starts and is about to log in, my PC restarts every time... but now I know what a rootkit does (I didn't know how those rootkits work, now I know...) and now I need those files to get Windows to boot so I can solve this problem there! Where can I get those files? I searched all over the internet (Google lol) and found nothing! I found only this topic here and I have contacted this guy jston80 to ask if he could send me the file dxdss.sys, and I found this topic too with that file, but I think the owner of that topic had already cleaned her PC. I need your help, guys! Does someone here keep a collection of those infected files? Maybe (not probably, I think) if I contact one of those security companies (like Symantec, Kaspersky, F-Secure etc...) they would send me those files? Or does anybody know a program to connect to the Windows registry from Linux or from some other Windows (like BartPE)??

Thanks so much! And sorry if my English has errors. I'm Brazilian...


#2 quietman7


Posted 21 January 2008 - 10:25 AM

I'm not finding any info on basemsb32.dll, and ip6fw.sys is related to the Troj/Pushu-Gen and Troj/Agent-ELV Trojans.

dxdss.sys is related to Backdoor:Win32/Rustock.gen!C.

Rootkits are very dangerous because they use advanced techniques to access a computer system in a way that bypasses security mechanisms, and to steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

Since you cannot reboot your computer, the next logical step is a repair install. However, some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install of the OS removes everything and is the safest action.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 XRainBoX (Topic Starter)

Posted 21 January 2008 - 05:04 PM

Hi quietman7, thanks for your reply. So, I searched for Ip6Fw.sys in the Windows registry (with a remote registry editor that runs in BartPE) and I located some keys related to this file, and they show: Microsoft Windows Firewall IPV6, but does WinXP have IPV6 support?? And I found one copy of Ip6Fw.sys located at c:\windows\system32\dllcache and it has 29056 bytes, see here and here.

Description: Ip6Fw.sys is located in the folder C:\Windows\System32\drivers. The file size on Windows XP is 29056 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs. It is a Windows system file. The program has no visible window. The file is a Microsoft signed file. The process is not active. Ip6Fw.sys seems to be a compressed file. Therefore the technical security rating is 0% dangerous.


Thanks, i'll repair my Windows :thumbsup:

#4 quietman7

Posted 21 January 2008 - 07:00 PM

You have to keep in mind that one of the ways malware tries to hide is to give itself the same name as a critical system file. It then puts itself in various locations, adds itself as a startup, changes registry keys, etc.
http://www.bleepingcomputer.com/startups/i....sys-17387.html

In any event, dxdss.sys is the one to be concerned about. There is no doubt about it.

#5 XRainBoX (Topic Starter)

Posted 21 January 2008 - 08:03 PM

So, I repaired my Windows and I got access to it! But now I ran Prevx and nothing was detected! But the Ip6Fw.sys is still in my system32 folder and in system32\drivers, the same file, name and size... and I found in the registry this "IPv6 Driver of Windows Firewall". Should I delete those keys?

thanks

#6 quietman7


Posted 21 January 2008 - 10:43 PM

Prevx may have given you a false detection.

Get a second opinion.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
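Added example, not code from the thread or from any of its participants: a small check for the situation quietman7 describes in reply #4 (malware naming itself after a critical system file and dropping copies in several locations) that can be run before uploading anything for the second opinion suggested in reply #6. It hashes every copy of a same-named file and compares each against one reference copy; the thread compared only names and sizes, and a one-byte patch keeps both. The Windows paths are the ones named in the thread and are assumed to be read from a clean boot environment (BartPE or a Linux live CD with the NTFS volume mounted); the sample files in `demo()` are constructed in a temporary directory so the script runs anywhere, and the use of the dllcache copy as the reference is an assumption, not something the thread establishes.

```python
"""Compare several same-named copies of a driver against one reference copy.

Added example (not code from the thread). Assumptions: the protected copy in
dllcache is used as the reference; the Windows paths below are illustrative
and the demo builds its own constructed sample files in a temp directory.
"""
import hashlib
import os
import tempfile

# Locations where a file named Ip6Fw.sys was seen in the thread (assumed paths).
CANDIDATE_PATHS = [
    r"C:\Windows\system32\drivers\Ip6Fw.sys",
    r"C:\Windows\system32\Ip6Fw.sys",
]
REFERENCE_PATH = r"C:\Windows\system32\dllcache\Ip6Fw.sys"


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large drivers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(reference: str, candidates: list) -> dict:
    """Return {path: {"present", "size", "sha256", "matches_reference"}}.

    Same name and same size is not enough: a byte-identical copy yields the
    same digest, a trojanised copy of the same size does not.
    """
    ref_hash = sha256_file(reference)
    report = {}
    for path in candidates:
        if not os.path.exists(path):
            report[path] = {"present": False}
            continue
        digest = sha256_file(path)
        report[path] = {
            "present": True,
            "size": os.path.getsize(path),
            "sha256": digest,
            "matches_reference": digest == ref_hash,
        }
    return report


def demo() -> dict:
    """Constructed scenario: one clean copy, one same-size tampered copy, one absent file."""
    clean = b"MZ" + b"\x00" * 29054          # 29056 bytes, the size quoted in the thread
    tampered = bytearray(clean)
    tampered[1000] ^= 0xFF                   # one byte patched; name and size unchanged
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "dllcache_Ip6Fw.sys")
        good = os.path.join(d, "drivers_Ip6Fw.sys")
        bad = os.path.join(d, "system32_Ip6Fw.sys")
        missing = os.path.join(d, "basemsb32.dll")   # the file the poster already deleted
        for p, data in ((ref, clean), (good, clean), (bad, bytes(tampered))):
            with open(p, "wb") as f:
                f.write(data)
        report = compare_copies(ref, [good, bad, missing])
    # Key by file name so the result does not depend on the temp directory.
    return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
    # On the real system, from the clean boot environment:
    # print(compare_copies(REFERENCE_PATH, CANDIDATE_PATHS))
```

The hashes this prints are also what the second-opinion services in reply #6 accept as a lookup, so a copy that does not match the reference can be checked without uploading the file itself. The check is only as good as the reference: if the dllcache copy was replaced too, every copy matches and the comparison says nothing, which is why a hash from a known-clean installation or a valid Microsoft signature is the stronger test.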

#7 XRainBoX (Topic Starter)

Posted 21 January 2008 - 11:16 PM

Yes, I know jotti's virusscan and virustotal.com, but they always show the same thing! But I solved the problem, thanks anyway! You can lock this topic, ok?

regards

#8 quietman7


Posted 22 January 2008 - 08:36 AM

You're welcome.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".

Safe surfing and have a malware free day.



