
Severe infection with NTO SKRNL-HOOK Generic Rootkit


3 replies to this topic

#1 bozo50

  • Members
  • 2 posts

Posted 09 May 2009 - 02:32 PM

I'm running XP with McAfee Virus Scan on a high-speed internet connection. I frequently download from the Japan Megaupload and the main infestation occurred after I downloaded a 16-part Mega download two days ago. I first noticed that the drop down history on IE7 had disappeared and been replaced with just these last 16 Mega site addresses. Then I noticed all the hypertext in searches on IE were misdirected and I could only get to the site by pasting in the site address from the search. With Chrome, I would just get broken link errors on most search hyperlinks.

I ran McAfee manually and it came up with the NTO SKRNL-HOOK rootkit trojan which it said it had removed, but every time I run McAfee it comes up with the same Trojan in the Windows folder so it is always reinfecting. McAfee also found trojans in the autorun.inf files (Generic !atr, Generic !atr trojans) for each of my external and secondary internal hard drives which it quarantined. It also quarantined two Generic Downloader X trojans connected with the Wondershare YouTube Downloader I purchased a few weeks ago -- IS-E4TS2.tmp and IS-POUL4.tmp. This is where I'm sure the infestation started. Also quarantined were HTML/FAKE AV, VUND.GEN.A! and OBFUSCATED HTML.

I was finally able to run Anti-Malware by changing the extension to COM instead of EXE per one of the postings I read here. It found 6 or 7 trojans on the Quick Scan which I deleted and then ran a full scan and it found nothing:


Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

5/9/2009 2:46:35 PM
mbam-log-2009-05-09 (14-46-29).txt

Scan type: Quick Scan
Objects scanned: 70393
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{eadc1620-1e48-430a-a5c8-97813dc9c4ff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{eadc1620-1e48-430a-a5c8-97813dc9c4ff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{eadc1620-1e48-430a-a5c8-97813dc9c4ff}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\RECYCLER\S-9-5-60-100003394-100014156-100024037-7779.com (Trojan.Agent) -> No action taken.


But when I run McAfee, it finds the same old generic rootkit -- NTO SKRNL-HOOK in two minutes. I still can't run Malware with the extension changed back to EXE and can't run SpyBot and can't install SuperAnti Spyware.

IE7 is not misdirecting as much and I'm able to download programs now but it's still acting up.

Thanks

Edited by bozo50, 09 May 2009 - 06:32 PM.
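As an added example (not part of the thread or of any of the tools named in it), a small Python checker that parses MBAM-style "Registry Data Items Infected" lines like the ones in the log above and flags NameServer values that fall outside an allow-list of expected resolvers. The sample log lines are constructed in the log's format, and the allowed LAN ranges are an assumption about what this machine should be using.

```python
"""Flag hijacked DNS resolvers in MBAM registry-data log lines (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the MBAM 1.35 log quoted in the thread.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.202,85.255.112.190 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{eadc1620-1e48-430a-a5c8-97813dc9c4ff}\NameServer (Trojan.DNSChanger) -> Data: 192.168.1.1 -> Quarantined and deleted successfully.
"""

# Assumption: this machine should only ever point at resolvers on the LAN (its router).
ALLOWED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# key (detection) -> Data: a.b.c.d[,e.f.g.h] -> action
LINE_RE = re.compile(
    r"^(?P<key>HKEY_\S+\\NameServer) \((?P<detection>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<action>.+)$"
)
CSET_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d+)\\")


def parse_nameserver_entries(log_text):
    """Return one dict per NameServer registry data item found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cset = CSET_RE.search(m["key"])
        entries.append({
            "control_set": cset.group(1) if cset else None,
            "detection": m["detection"],
            "resolvers": [ip_address(ip) for ip in m["data"].split(",")],
            # MBAM only changes the value once the user chooses to remove it;
            # "No action taken" means the hijacked resolver is still configured.
            "still_present": m["action"].startswith("No action taken"),
        })
    return entries


def unexpected_resolvers(entries, allowed=ALLOWED_RESOLVERS):
    """(control_set, resolver) pairs outside the allow-list, across ALL control sets.

    The hijack in the thread was written to CurrentControlSet, ControlSet001 and
    ControlSet002 alike, so checking only the live control set would miss copies
    that come back after a reboot into a different configuration.
    """
    bad = []
    for e in entries:
        for ip in e["resolvers"]:
            if not any(ip in net for net in allowed):
                bad.append((e["control_set"], str(ip)))
    return bad
```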



#2 buddy215

  • BC Advisor
  • 12,876 posts
  • Gender:Male
  • Location:West Tennessee

Posted 09 May 2009 - 08:36 PM

Your MBAM scan results say "no action taken". If you haven't allowed it to remove what it found, do that and then reboot.

Super Antispyware finds and removes a lot of rootkits. Follow the instructions in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

You will have better results scanning with SAS in safe mode. Be sure to UPDATE SAS after downloading, installing and before booting into safe mode to run the scan.

You should read these comments concerning rootkits.
http://www.dslreports.com/faq/10063

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 bozo50

  • Topic Starter
  • Members
  • 2 posts

Posted 10 May 2009 - 04:21 PM

Thanks to you and all the various posts I referred to -- it is fixed :thumbsup: . Went into safe mode -- ran ATF Cleaner -- was able to finally get SAS installed and run after changing the file name and it caught some. Then GMER and it found the toolkit virus and took it out. Then ran SmitFraudFix and Dr. Web CureIt. Went into regular mode -- updated Malware and SAS and reran full scans with both and picked up two more trojans. But now EXE files are working -- no more redirect on IE and Chrome -- I can download again -- and McAfee shows clean -- no more rootkit.

This is a great site and great service to the web community -- and thanks to all the volunteers who answer all these questions and get us through these troubled waters.

Thanks again. :flowers:

#4 buddy215

  • BC Advisor
  • 12,876 posts
  • Gender:Male
  • Location:West Tennessee

Posted 10 May 2009 - 04:55 PM

You have certainly been busy. Glad you have been successful. Would be a good idea to run more scans in the next day or two.

You should remove all restore points as some are infected. Removing all is the only option. Directions, if needed, are in the link below.
Windows XP: http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/
Windows Vista: http://www.bleepingcomputer.com/tutorials/windows-vista-system-restore-guide/

Allow Secunia Online Scanner to scan your programs for missing security updates. Only takes a minute.
http://secunia.com/vulnerability_scanning/online/
