
Having trouble with a rootkit


11 replies to this topic

#1 Jawbraker67 (Members)

Posted 27 May 2009 - 08:22 PM

A few days ago my system started acting odd. I kept getting a pop-up about win 32 BRONTOC. Ran AVG 8.5 Free (my go-to virus scanner) and it found several rootkit items. I was unable to remove them with AVG, so I attempted to do it with Malwarebytes Anti-Malware and SUPERAntiSpyware (logs below). After the reboot and a rescan the files were back. Any help would be much obliged. I should also mention I had to rename both Malwarebytes and SUPERAntiSpyware to install and run them.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2009 at 08:40 PM

Application Version : 4.26.1004

Core Rules Database Version : 3912
Trace Rules Database Version: 1856

Scan type : Complete Scan
Total Scan Time : 00:53:05

Memory items scanned : 492
Memory threats detected : 1
Registry items scanned : 6265
Registry threats detected : 79
File items scanned : 74232
File threats detected : 1

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACCIODQADMBDOUPDE.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACCIODQADMBDOUPDE.DLL

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

Browser Hijacker.Deskbar
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}
HKCR\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}\1.0
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\ProxyStubClsid32
HKCR\Interface\{9EBB289A-2D7B-465B-825F-1530B813E95A}\TypeLib
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\ProxyStubClsid32
HKCR\Interface\{CD5C92AE-97B0-4BC3-BA65-BA0308D543BF}\TypeLib

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#LastBSOD
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#7d72e91c
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#e0ae8144
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init
==================================================
Malwarebytes' Anti-Malware 1.36
Database version: 2178
Windows 5.1.2600 Service Pack 3

5/26/2009 3:30:05 PM
mbam-log-2009-05-26 (15-30-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234364
Time elapsed: 41 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

Thank you.
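Added illustration, not part of the original post and not code from either scanner vendor: a small Python parser for the SUPERAntiSpyware log layout shown above (a "key : value" header, then threat groups separated by blank lines, each a category name followed by registry or file entries; that layout is inferred from the posted log). Run over a constructed, abridged excerpt in the same format, it totals the reported threats and pulls out the rootkit's `disallowed#` entries. Those entries name the security tools the rootkit refuses to let start, which is why mbam.exe and SUPERAntiSpyware.exe only ran after being renamed. Function and variable names are my own.

```python
"""Parse a SUPERAntiSpyware scan log and flag rootkit entries that block
security tools.  Added illustration; not part of the original thread."""
import re
from collections import defaultdict

# Constructed excerpt, abridged from the format of the log in post #1.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2009 at 08:40 PM

Application Version : 4.26.1004

Memory threats detected : 1
Registry threats detected : 79
File threats detected : 1

Rootkit.Agent/Gen-UACFake
\\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACCIODQADMBDOUPDE.DLL

Adware.HBHelper
HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\injector#*
"""

# "Key : value" header lines (letters and spaces only before the colon).
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")
# Entry lines: registry hives, drive-letter paths, or \\?\ device paths.
ENTRY_RE = re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|[A-Za-z]:\\|\\\\\?\\)")
# The rootkit's block list: ...\disallowed#<tool name>
BLOCKED_RE = re.compile(r"\\disallowed#([^\\]+)$", re.IGNORECASE)


def parse_sas_log(text):
    """Return (header dict, {category: [entries]}) for a log in this layout."""
    header = {}
    findings = defaultdict(list)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None          # a blank line closes the current group
            continue
        if category and ENTRY_RE.match(line):
            findings[category].append(line)
            continue
        m = HEADER_RE.match(line)
        if m and category is None and not ENTRY_RE.match(line):
            header[m.group(1).strip()] = m.group(2).strip()
            continue
        category = line              # any other line names a threat group
    return header, dict(findings)


def blocked_tools(findings):
    """Tool names the rootkit lists under disallowed#, in log order."""
    names = []
    for entries in findings.values():
        for entry in entries:
            m = BLOCKED_RE.search(entry)
            if m:
                names.append(m.group(1))
    return names


def summarize(text):
    """Totals plus the two things worth escalating: rootkit groups, blocked tools."""
    header, findings = parse_sas_log(text)
    total = sum(int(v) for k, v in header.items() if k.endswith("threats detected"))
    return {
        "threats_reported": total,
        "categories": sorted(findings),
        "rootkit_categories": [c for c in findings if c.lower().startswith("rootkit")],
        "blocked_tools": blocked_tools(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `blocked_tools` list is the useful signal here: a scanner that reports it has quarantined the files while the block list still names the scanner itself is a strong hint the cleanup did not take, which matches the files reappearing after reboot in the post above.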


#2 boopme (Global Moderator, "To Insanity and Beyond")

Posted 27 May 2009 - 09:40 PM

Hello yes we have rootkits.


C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) Trojan.Agent is a nasty Trojan that may allow hackers to re-direct internet traffic through your computer. Trojan.Agent may display a system error message stating “Your browser was infected by Trojan.Agent”. Trojan.Agent is part of the programming developed by hackers to take over your computer.


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Jawbraker67 (Topic Starter)

Posted 28 May 2009 - 10:50 AM

Would using the system restore remove the rootkit? It's a preloaded Alienware system and it only comes with a restore disc.

#4 boopme (Global Moderator)

Posted 28 May 2009 - 11:07 AM

The Restore will only reset the Windows files. Any malware on the system at that point will also be restored.

#5 Jawbraker67 (Topic Starter)

Posted 28 May 2009 - 12:00 PM

I should have been more specific. The restore disc is an image of the drive when it left the factory, not a restore from the system itself. When I spoke to the tech at Alienware he told me all I would need to do is use the restore disc and all will be fine.

He sounded unsure of himself. I'm going to assume clever rootkits will take into account system restore and find a way to leave something behind.

What I was thinking of doing is reformat, then run the image of the disc from factory. Does that sound like it would be the best bet to remove the rootkit?

#6 boopme (Global Moderator)

Posted 28 May 2009 - 12:48 PM

OK, I've seen success with that. As long as it does a format along with a reinstall, so watch what it does.

#7 quietman7 (Global Moderator, "Bleepin' Janitor")

Posted 28 May 2009 - 01:07 PM

A Recovery Disk is a CD-ROM or DVD data disc that contains a complete copy/image of the entire contents of the hard drive that will restore the system to its factory default state at a certain time. Essentially, it will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

Some factory restore CDs give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#8 Jawbraker67 (Topic Starter)

Posted 28 May 2009 - 01:11 PM

OK, I'll keep a close eye to be sure that it formats with the restore. I really want to thank you for your prompt response and advice. I'll reply once I get it taken care of.

#9 Jawbraker67 (Topic Starter)

Posted 28 May 2009 - 08:27 PM

OK. I've reformatted and re-installed WinXP. First thing I did was the updates. I then installed SUPERAntiSpyware and Malwarebytes Anti-Malware and ran the update and then the scans (logs below). On the installs for the AVG and Malwarebytes I did not need to rename either file (good start).

Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.37
Database version: 2191
Windows 5.1.2600 Service Pack 2

5/28/2009 8:37:46 PM
mbam-log-2009-05-28 (20-37-46).txt

Scan type: Quick Scan
Objects scanned: 69372
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
======================
SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/28/2009 at 09:24 PM

Application Version : 4.26.1004

Core Rules Database Version : 3915
Trace Rules Database Version: 1859

Scan type : Complete Scan
Total Scan Time : 00:12:22

Memory items scanned : 374
Memory threats detected : 0
Registry items scanned : 2849
Registry threats detected : 0
File items scanned : 20949
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Rob Galvin\Cookies\rob galvin@apmebf[1].txt
C:\Documents and Settings\Rob Galvin\Cookies\rob galvin@112.2o7[2].txt
C:\Documents and Settings\Rob Galvin\Cookies\rob galvin@mediaplex[1].txt

As you can see the system looks clean (very excited :thumbsup:). I'd like to thank you all again for such fast turnaround and easy, accurate answers to my problem. Thanks a bunch.

-Rob.

#10 quietman7 (Global Moderator)

Posted 29 May 2009 - 06:05 AM

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft, which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun ASAP as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
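Added example, not part of the thread and not Microsoft's code: the Autorun advice above comes down to one policy value, NoDriveTypeAutoRun, a bitmask of the drive types on which Autorun is disabled (Microsoft Security Advisory 967940 is about Windows honoring that value correctly). The Python helper below builds the value from drive-type names, decodes an existing value so you can audit which drive types still have Autorun enabled, and emits a .reg fragment for the machine-wide policy key. The bit values and registry path are those documented in Microsoft KB 967715; the function names are mine.

```python
"""NoDriveTypeAutoRun helper: build, audit and emit the policy value that
disables Autorun per drive type.  Added illustration, not from the thread."""

# Bit values of NoDriveTypeAutoRun, one per Windows drive type, as documented
# in Microsoft KB 967715.  0xFF disables Autorun on every drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB pen/thumb/jump drives, floppies
    "fixed": 0x08,
    "remote": 0x10,      # network shares
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
ALL_DRIVE_TYPES = 0xFF
XP_DEFAULT = 0x91        # Windows XP default: only unknown/remote/reserved disabled
POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")


def autorun_mask(disabled_types):
    """Combine drive-type names into the value to store in NoDriveTypeAutoRun."""
    mask = 0
    for name in disabled_types:
        mask |= DRIVE_TYPE_BITS[name]   # KeyError on a typo beats silently skipping it
    return mask


def autorun_still_allowed(mask):
    """Audit helper: drive types on which Autorun remains enabled under `mask`."""
    return sorted(name for name, bit in DRIVE_TYPE_BITS.items() if not mask & bit)


def reg_fragment(mask):
    """Text of a .reg file that applies `mask` machine-wide (import with regedit)."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}',
        "",
    ])


if __name__ == "__main__":
    print("Autorun still enabled under XP default:", autorun_still_allowed(XP_DEFAULT))
    print(reg_fragment(ALL_DRIVE_TYPES))
```

Decoding the default is the instructive part: 0x91 leaves removable drives, fixed drives and CD-ROMs with Autorun on, which is exactly the set a USB-borne infection relies on, so an audit that reads the value back and finds anything other than 0xFF is worth acting on.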

#11 Jawbraker67 (Topic Starter)

Posted 29 May 2009 - 10:52 AM

Sound advice, Quietman. I've bookmarked most of the sites you recommend. It was a pleasure coming here. I'll advise everyone I know with computer issues to check here first.

Thanks again Guys.

#12 quietman7 (Global Moderator)

Posted 29 May 2009 - 03:18 PM

You're welcome. Safe surfing and have a malware free day.



