This Is The Ultimate Rootkit/trojan Ever...


  • This topic is locked
5 replies to this topic

#1 adiel

Posted 04 June 2008 - 02:01 AM

Ok... I am not a noob; in fact I consider myself an expert when it comes to viruses and trojans, but recently at my office I have encountered the most stealthy and tough trojan/rootkit of all time.
It's the RECYCLER trojan. I have been searching for any info about this, and although I have found a lot of people reporting it, no antivirus/antispyware detects it. I have used Avira, AVG, McAfee, Kaspersky, Spyware Doctor, Webroot Spy Sweeper, Spybot, SUPERAntiSpyware, and none detects it.
The problem is on 5 systems running XP Pro SP2 with NTFS. FAT32 is safe.
Normally I do not need antivirus or antispyware to remove a trojan; I know every place from where a trojan can start with Windows. But there is NO place in the registry where I found any entry for this trojan. Most of the people who are reporting about this have an autorun.exe or autorun.inf on their root drives from where this trojan is executed, but on my PC there are no such files. I have used IceSword for this in case Windows is unable to show me any file, although I have set Windows to show me even the superhidden files. But there is no such file on my root drive. When I open the RECYCLER folder there is an icon of the recycle bin with the following name

S-1-5-21-606747145-1770027372-839522115-1005
or sometimes there are two icons and the second one is
S-1-5-21-606747145-1770027372-839522115-1004

When I open this recycle bin it directs me to the normal Windows recycle bin, but through IceSword I have accessed the real files inside it, and they are

Info.exe
desktop.ini

Although I did manually remove the RECYCLER folder many times, whenever I delete ANY file the folder reappears. I have searched and searched the registry for any suspicious entry but I didn't find one. And believe me, I have searched EVERY starting point a trojan can use.
So is this the ultimate hiding machine or what?? That I cannot see its registry entries even with a great program like IceSword??
What is making me mad is that I cannot even find how it is starting with Windows in the first place, because there is no entry, no autorun file... then how is it doing this?? I have disconnected my PC from the network hoping that it somehow copies itself from other computers, but that's not the case; it has some file on my PC that I cannot see and antivirus can't detect. One thing more: when I access any of the infected PCs through the network, although I can access the PC, I cannot access the Windows, Program Files and Documents and Settings folders; everything else, like other drives, is accessible. So I cannot see these folders through the network, and I think if and only if I can do that then maybe I will be able to see the malicious file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:47 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
E:\Down\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer =
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DFDFEBF-F1FA-4101-A702-8D4A29FAFF26}: NameServer =
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6195 bytes

I can always do a low-level format and solve this issue, but it's kinda hurting my ego. I have removed so many trojans manually and now this undetectable thing is destroying my ego; besides, I have read in some places that this thing doesn't go away even after formatting. So I want to know what this is, why it is able to bypass antiviruses and antispywares, how it is starting with Windows, and so on.

Can anyone help me???

Edited by adiel, 04 June 2008 - 04:16 AM.
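The folder described in the post above (a SID-named directory under RECYCLER that Explorer draws as the Recycle Bin and that opens the real Recycle Bin, while a raw view shows Info.exe next to desktop.ini) matches a documented Explorer behaviour: a desktop.ini whose [.ShellClassInfo] section sets CLSID to the Recycle Bin's class ID, {645FF040-5081-101B-9F08-00AA002F954E}, makes Explorer display and open that folder as the Recycle Bin, so anyone browsing with Explorer never sees the files actually stored there. The script below is an added example, not code from this thread or from any tool named in it. It walks a directory tree, parses each desktop.ini, and flags folders that claim the Recycle Bin CLSID while also holding executables. The sample tree it builds is constructed for the example; the SID string is copied from the post, but the file contents, the control folders and the benign-folder layout are assumptions, not data recovered from the infected machines.

```python
"""Flag folders that masquerade as the Recycle Bin via desktop.ini and hold executables.

Added example for the RECYCLER thread; not code from the post or from IceSword/HijackThis.
"""
import codecs
import os
import re
import tempfile

# Well-known CLSID of the Recycle Bin shell folder.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# XP per-user recycler folders are named after the owning account's SID.
SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)

# Extensions that should never sit inside a genuine per-user recycler folder.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def read_desktop_ini(path):
    """Read desktop.ini, which Windows may write as ANSI or BOM-prefixed UTF-16."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def shell_clsid(desktop_ini_path):
    """Return the CLSID (or CLSID2) that [.ShellClassInfo] assigns to the folder, or None."""
    section = None
    for line in read_desktop_ini(desktop_ini_path).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == ".shellclassinfo":
            m = re.match(r"clsid2?\s*=\s*(\{[0-9a-f-]{36}\})", line, re.IGNORECASE)
            if m:
                return m.group(1).upper()
    return None


def scan(root):
    """Walk root and report folders that look like the Recycle Bin but carry executables."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}
        if "desktop.ini" not in by_lower:
            continue
        if shell_clsid(os.path.join(dirpath, by_lower["desktop.ini"])) != RECYCLE_BIN_CLSID:
            continue
        execs = sorted(n for n in filenames if os.path.splitext(n)[1].lower() in EXEC_EXT)
        # A genuine XP recycler folder also carries this CLSID, but holds INFO2 and
        # deleted items, never an executable payload; require one before flagging.
        if not execs:
            continue
        findings.append({
            "path": dirpath,
            "sid_named": bool(SID_DIR.match(os.path.basename(dirpath))),
            "executables": execs,
        })
    return findings


def build_sample(root):
    """Constructed sample tree mirroring the layout described in the post (not real malware)."""
    recycler = os.path.join(root, "RECYCLER")
    suspect = os.path.join(recycler, "S-1-5-21-606747145-1770027372-839522115-1005")
    os.makedirs(suspect)
    with open(os.path.join(suspect, "desktop.ini"), "w", newline="\r\n") as f:
        f.write("[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    with open(os.path.join(suspect, "Info.exe"), "wb") as f:
        f.write(b"MZ placeholder bytes, constructed for the example")
    # Control 1: a legitimate-looking recycler folder with the same CLSID but only INFO2.
    legit = os.path.join(recycler, "S-1-5-21-606747145-1770027372-839522115-1004")
    os.makedirs(legit)
    with open(os.path.join(legit, "desktop.ini"), "w", newline="\r\n") as f:
        f.write("[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    open(os.path.join(legit, "INFO2"), "wb").close()
    # Control 2: an ordinary folder that only customises its icon.
    pictures = os.path.join(root, "Pictures")
    os.makedirs(pictures)
    with open(os.path.join(pictures, "desktop.ini"), "w", newline="\r\n") as f:
        f.write("[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\SHELL32.dll,3\n")
    return suspect


def demo():
    """Build the constructed tree in a temp dir, scan it, and return root-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits = scan(tmp)
        for hit in hits:
            hit["path"] = os.path.relpath(hit["path"], tmp).replace(os.sep, "/")
        return hits


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against a live volume with scan(r"C:\") from an account that can read every folder. Two caveats apply to the situation in the post: the check deliberately ignores recycler folders that carry the CLSID but contain only INFO2 and deleted items, since every XP user account gets one of those, and it relies on the ordinary file-system API, so a kernel-mode rootkit that hides files from Windows will hide them from this script too; in that case the same logic has to run over a raw-NTFS view such as the one IceSword provides, or over the disk mounted from a clean system.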



#2 adiel

Posted 04 June 2008 - 04:42 AM

nobody???

#3 adiel

Posted 04 June 2008 - 12:26 PM

Does nobody know anything about this or what???

#4 adiel

Posted 04 June 2008 - 03:39 PM

I have been waiting since morning to get an answer... can nobody help me???

#5 adiel

Posted 05 June 2008 - 12:15 AM

What a useless forum, I think people here don't have enough knowledge to help anyone. sad

#6 rookie147

Posted 10 June 2008 - 08:16 AM

You waited one day; many other users have had to wait much longer than you to receive any help. We deal with people on a first-come, first-served basis, and as such, by bumping repeatedly, and not even being prepared to wait a couple of days, you keep pushing yourself to the bottom of the pile.

What a useless forum, I think people here don't have enough knowledge to help anyone. sad

That's just unnecessary, topic closed.
