Rootkit Or False Alarm?



#1 SabreKitteh

Posted 27 September 2008 - 10:20 PM

In preparation for buying something online, I decided to run my standard array of scans (Avast! Antivirus and Sophos Anti-Rootkit). Avast found nothing, but Sophos gave me inconsistent results. First I tried running it in Safe Mode, but got a "Fatal error" message. So I ran it in normal mode and it found a rootkit. When I ran Sophos again at first it turned up nothing, then the next time I got another "Fatal error" message. If I remember correctly, I had Firefox running when Sophos found the rootkit, don't know if that would affect anything. I can't remember what the rootkit's name was, but when I Googled it only two results came up, one of which said something about amvo.exe.

These wildly inconsistent results are giving me heartburn. Any help would be appreciated.

Edited by SabreKitteh, 27 September 2008 - 11:29 PM.



#2 DaChew (BC Advisor)

Posted 28 September 2008 - 05:24 AM

http://www.sophos.com/security/analyses/vi...sillyfdcbr.html

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Chewy

No. Try not. Do... or do not. There is no try.

#3 DaChew (BC Advisor)

Posted 28 September 2008 - 11:09 AM

Copied from the info tab for that worm from my link:

W32/SillyFDC-BR is a worm for the Windows platform.

When run W32/SillyFDC-BR copies itself to <System>\amvo.exe and sets the following registry entry to run itself on startup:

Key:   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: amva
Data:  <System>\amvo.exe

W32/SillyFDC-BR also registers itself as a service with the name "asdcvb", a description of "asdcvb" and a startup type of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASDCVB\

W32/SillyFDC-BR creates the following files:

<System>\amvo0.dll - detected as Troj/Lineag-Gen
<System>\gnsmo.dll - detected as W32/SillyFDC-BR

W32/SillyFDC-BR spreads via removable shared drives by copying itself to <Root>\dosocom.com and creates the file <Root>\autorun.inf (also detected as W32/SillyFDC-BR) which is designed to run the worm when the drive is connected to an uninfected computer.


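The Sophos description quoted above lists concrete indicators: a Run value, three dropped files, a service name and an autorun.inf dropper on removable drives. As an added example (not from the Sophos write-up or anyone in this thread), this read-only PowerShell script checks a Windows host for exactly those indicators and reports what it finds without deleting anything.

```powershell
# Added example (not from the Sophos write-up or this thread): read-only check
# for the W32/SillyFDC-BR indicators listed above. Nothing is deleted; the
# script only reports what it finds. Run from an elevated PowerShell prompt.
$system   = [Environment]::SystemDirectory     # <System>, e.g. C:\Windows\System32
$findings = @()

# 1. HKCU Run value "amva" pointing at <System>\amvo.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$amva   = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).amva
if ($amva) { $findings += "Run value 'amva' present: $amva" }

# 2. Files the worm drops into the system directory (Test-Path sees hidden files)
foreach ($name in 'amvo.exe', 'amvo0.dll', 'gnsmo.dll') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 3. Service "asdcvb" and the LEGACY_ASDCVB enum key it leaves behind
if (Get-Service -Name 'asdcvb' -ErrorAction SilentlyContinue) {
    $findings += "Service 'asdcvb' is registered"
}
$legacy = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASDCVB'
if (Test-Path -LiteralPath $legacy) { $findings += "Registry key present: $legacy" }

# 4. Removable drives (DriveType 2): dosocom.com plus an autorun.inf that calls it
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
foreach ($drive in $removable) {
    $root    = $drive.DeviceID + '\'
    $dropper = Join-Path $root 'dosocom.com'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $dropper) { $findings += "File present: $dropper" }
    if ((Test-Path -LiteralPath $autorun) -and
        (Select-String -LiteralPath $autorun -Pattern 'dosocom\.com' -Quiet)) {
        $findings += "autorun.inf on $root references dosocom.com"
    }
}

if ($findings.Count -eq 0) {
    'No W32/SillyFDC-BR indicators found.'
} else {
    'Possible W32/SillyFDC-BR indicators:'
    $findings | ForEach-Object { "  $_" }
}
```

A clean result from this script only rules out this one variant's known artifacts; it does not replace a full anti-rootkit scan.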

#4 SabreKitteh (Topic Starter)

Posted 28 September 2008 - 05:19 PM

I unchecked the hide options under Folder Options, looked for the amvo related files, and checked the registry with regedit. Nothing came up. I ran Sophos again and it turned up nothing this time. So I ran it again with Firefox running to try to recreate the situation, and two different hidden files cropped up.

Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{6BE91D51-86E2-43B4-8C09-783189E544CB}\RP383\A0039146.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

and

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Documents and Settings\{my username}\Local Settings\Temporary Internet Files\Content.IE5\NU4DHZV1\dw5severe[1].xml
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Neither of these files came up when Sophos first found the rootkit from earlier. I can't remember the original's name but it was not removable. Might it have been a temporary internet file?

#5 DaChew (BC Advisor)

Posted 28 September 2008 - 05:33 PM

Whenever you run a rootkit scan I would suggest a clean boot and then unload any program running in the background after disconnecting from the internet.

I would assume for a rootkit scan that you had already emptied all temp files.

http://www.atribune.org/index.php?option=c...5&Itemid=25

Edited by DaChew, 28 September 2008 - 05:36 PM.


#6 perr

Posted 28 September 2008 - 05:51 PM

Try this one.
http://www.f-secure.com/blacklight/

#7 quietman7 (Global Moderator)

Posted 29 September 2008 - 09:39 AM

Most anti-rootkit scanners will not work in safe mode because they utilize a driver which is required for the scanning process and that driver will not load in safe mode. Further, there are rootkit variants (haxdoor) that run in safe mode so the usual reason for running a scan in that mode does not apply.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 SabreKitteh (Topic Starter)

Posted 29 September 2008 - 02:46 PM

Downloaded Blacklight, restarted, disabled antivirus programs, cleaned out temp files, then ran Sophos twice in a row followed by Blacklight. Nothing came up in the scans. The only thing that came up was when I restarted with both Spybot's resident shield and Spyware Doctor's resident shield active, but those same popup warnings appear whenever I have had them running simultaneously. I got one missing file warning after reboot (C:\WINDOWS\is-Q3K5B.exe), so I shut down Spyware Doctor.

Am I in the clear, or should I do more?

#9 quietman7 (Global Moderator)

Posted 30 September 2008 - 07:26 AM

It's not unusual to receive such an error when "booting up" after using anti-virus and other security scanning tools to remove malware infection. I can find no info on is-Q3K5B.exe so I suspect it was malware related.

Are you still getting that missing file warning after booting up?

#10 SabreKitteh (Topic Starter)

Posted 30 September 2008 - 01:50 PM

Indeed I did get the same messages this time. They are:
At Shutdown

Access violation at address 74E50DE8. Read of address 74E50DE8

Access violation at address 004B6BE9 in module 'TeaTimer.exe'. Read of address 00000010

Access violation at address 00000000. Read of address 00000000

Access violation at address 694C5405. Read of address 604C5405

After Startup/login

The "can't find file" (is-Q3K5B.exe) message.
Spybot registry change message:

Category: System Startup global entry
Change: Value deleted
Entry: InnoSetupRegFile.0000000001
Old data: "C:\WINDOWS\is-Q3K5B.exe" /REG


When I Googled 74E50DE8 I came across this post. Could these errors be the result of some malware removed by an antivirus program (or worse, remnants of malware that has installed itself and tried to cover its tracks)?

#11 quietman7 (Global Moderator)

Posted 30 September 2008 - 02:07 PM

It's not unusual to receive such an error when "booting up" after using anti-virus and other security scanning tools to remove malware infection.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

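The orphaned-startup-entry problem described above can be audited without Autoruns. As an added example (not the moderator's procedure or anyone's code from this thread), this read-only PowerShell script walks the Run/RunOnce keys, extracts the launching executable from each command line (including a quoted path with arguments like the "C:\WINDOWS\is-Q3K5B.exe" /REG entry earlier in the thread), and flags entries whose file no longer exists. It reports only; deleting an entry is left to the reader.

```powershell
# Added example (not the moderator's Autoruns procedure): read-only audit of the
# Run/RunOnce keys that reports entries whose launching executable no longer
# exists, i.e. the orphaned entries behind "cannot find file" errors at logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty adds alongside the real values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a Run command line, e.g.
#   "C:\WINDOWS\is-Q3K5B.exe" /REG   ->  C:\WINDOWS\is-Q3K5B.exe
#   rundll32.exe foo.dll,Entry       ->  rundll32.exe (only the launcher is checked)
function Get-RunTarget([string]$command) {
    $command = $command.Trim()
    if ($command -match '^"([^"]+)"')        { return $matches[1] }
    if ($command -match '^(.+?\.exe)(\s|$)') { return $matches[1] }
    return ($command -split '\s+')[0]
}

# True if the target exists on disk, or (for a bare file name) is found on PATH
function Test-RunTarget([string]$target) {
    $target = [Environment]::ExpandEnvironmentVariables($target)
    if (Test-Path -LiteralPath $target) { return $true }
    if ($target -notmatch '\\') {
        return [bool](Get-Command $target -CommandType Application -ErrorAction SilentlyContinue)
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $command = [string]$prop.Value
        $target  = Get-RunTarget $command
        $status  = if (Test-RunTarget $target) { 'OK' } else { 'ORPHANED' }
        [pscustomobject]@{
            Key = $key; Entry = $prop.Name; Target = $target; Status = $status; Command = $command
        }
    }
}
```

Pipe the output through `Where-Object Status -eq 'ORPHANED'` to see only the entries worth investigating; an ORPHANED entry is a candidate for removal, not proof of malware, since uninstallers also leave such entries behind.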

#12 SabreKitteh (Topic Starter)

Posted 30 September 2008 - 09:07 PM

Downloaded AutoRuns, ran it, and looked at the name of the file. Turns out it's part of an open source installer called Inno Setup. And I did recently install an updated version of Glary Utilities as well as a utility for The Sims 2 called Sims2Pack Clean Installer. It's also apparently used by MBAM. So I deleted the useless startup entry.

It seems the problems with the popups at shutdown are a typical problem of TeaTimer. Here are some threads about the same messages I've been getting.
http://forums.spybot.info/showthread.php?p=183037
http://forums.spybot.info/showthread.php?t=28785
http://forums.spybot.info/archive/index.php/t-18809.html

As for Virtumonde, which came up in some Google results, I doubt it is on my computer because I don't get any popups when on Facebook/MySpace/etc. and my emails can be accessed normally. I also checked which version of Java is on my computer and it's version 6, so presumably it's not vulnerable to it unless someone's made a variant capable of exploiting version 6.

Any more things to check, or shall this case be closed?

#13 quietman7 (Global Moderator)

Posted 01 October 2008 - 08:12 AM

Odd that I found no info on is-Q3K5B.exe when doing a search. Good investigative work finding that info.

Vundo is a Trojan that infects a system with malicious Browser Helper Objects and .dll files attached to Winlogon and Explorer.exe. The infection is responsible for launching unwanted pop ups, advertising for rogue antispyware programs, and downloading more malicious files which hampers system performance. Newer variants of Vundo typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a rogue security application to fix it. The messages can mimic system messages so they appear as if they are generated by the Windows Operating System. The problem with these types of infections is that they can download other malicious files so the extent of the infection can vary to include rootkit components.

For more detail on how these types of infections install themselves, read Anatomy of a malware scam.

Vundo spreads via Internet Relay Chat, by visiting underground web pages, adult, gaming or pirated software sites, and by using peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such sites may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The infection also spreads through emails containing links to websites that exploit your web browser's security holes and by exploiting a vulnerability in older versions of Sun Java.

When you click on a Vundo laced email link, Internet Explorer launches a site that stealthily installs the Trojan so that it can run every time you start up Windows and download more malicious files. Read Ghosts Of Java Haunt Users.

The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

#14 DaChew (BC Advisor)

Posted 01 October 2008 - 08:28 AM

Either way, by virtue of not removing older versions of Java, Sun's updater has once again kept users exposed to older security vulnerabilities.


Just having the older versions is dangerous even after updating.

#15 SabreKitteh (Topic Starter)

Posted 01 October 2008 - 04:23 PM

Thanks for pointing out that older versions of Java installed were still a danger. Thankfully all of the versions on my machine were version 6, but I removed all the out-of-date updates just to be sure.
