security software detects rootkit but doesn't remove effectively



#1 dgkdgk

Posted 31 May 2009 - 11:50 AM

Here's what it found:

Object Name: C:\WINDOWS\System32\Drivers\alut8q84.SYS
Detection Name: Hidden Driver
Object Type: File
SDK Type: Rootkit


Operating System is Windows XP SP3

Any help would be much appreciated. Thanks

Edited by dgkdgk, 31 May 2009 - 11:53 AM.


#2 possumbarnes

Posted 31 May 2009 - 02:35 PM

Not a lot of info there, dgkdgk. What did you scan it with to find it? What other security software do you have on your computer ready to go to work?

#3 dgkdgk

Posted 31 May 2009 - 04:59 PM

possumbarnes,

Thanks for your response.

I have AVG Internet Security build 8.5.339 and, beyond that, can download, install, and scan with any tool of any type recommended by anyone who knows how to approach such a problem. I've downloaded two tools called "gmer" and "rootkitrevealer" but wouldn't really know what to do with the raw data they provide. (Preferably I'd like to utilize free tools, of course, but that isn't to definitively rule out investment on my part.)

Oh, one note - I tried to remove this once and it seems to morph and reappear under a new filename when I do that.

dgkdgk

Edited by dgkdgk, 31 May 2009 - 05:00 PM.


#4 quietman7

Posted 01 June 2009 - 08:01 AM

I've downloaded two tools called "gmer" and "rootkitrevealer" but wouldn't really know what to do with the raw data they provide.

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Anytime you come across a suspicious file for which you cannot find any information about or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

If you're unsure how to use RKR/GMER or read their logs, you should not be using them. Some ARK tools are intended for advanced users or to be used under the guidance of an expert as they are powerful and can be misused with disastrous results. There are many free ARK tools but some require a certain level of expertise and investigative ability to use. These are a few of the easier ARKs for novice users:

IMPORTANT NOTE: If confirmed as malicious, please know that rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach.

Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Edited by quietman7, 01 June 2009 - 08:03 AM.


#5 dgkdgk

Posted 01 June 2009 - 09:06 AM

AVG detected this originally and it is the only piece of security software on the computer; I doubt it is detecting itself. The file it detects (basic information about) morphs and reappears, upon reboot, when AVG attempts to remove. (See my first post for basic preliminary information.)

I am looking for help removing this. It appears I may not be in the right venue. But thanks for the canned reply which has some general information.

Is this site a real community or a front for some sort of software sales?

Edited by dgkdgk, 01 June 2009 - 09:09 AM.


#6 quietman7

Posted 01 June 2009 - 09:22 AM

Please download Malwarebytes Anti-Malware (v1.37) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#7 possumbarnes

Posted 01 June 2009 - 09:25 AM

I am looking for help removing this. It appears I may not be in the right venue. But thanks for the canned reply which has some general information.

Is this site a real community or a front for some sort of software sales?


The "canned reply", as you call it, IS for general information and is canned because the guys on here that know a lot more about what they're doing than the other 99% of the members don't want to have to retype the same information over and over again. This is a real community and is very helpful to those who need it.

Now, if you'll read what Quietman7 posted, you'll see that maybe the best thing for you to do right now would be to upload this "infected" file to Jotti Virus Scan or VirusTotal. They will scan it and tell you if it is infected or not.

If you don't want to do that, then I'd suggest uninstalling AVG and downloading Avira AntiVir, installing it, updating it, and doing a complete system scan using it. See what it finds; it may be able to clear what AVG couldn't. My personal opinion is that Avira is a better virus killer than AVG and it has more scheduling options. Again, that's just my opinion.

#8 dgkdgk

Posted 01 June 2009 - 09:31 AM

possumbarnes,

Thanks for the reply - no offense intended, I just wanted to throw a message out there that would help me determine whether or not this community is for real, and the tone and care of your reply indicates that it is.

I cannot upload the file as it appears to be a hidden driver file - all the "view hidden files" options and such are set correctly but I still cannot view the file so as to upload it anywhere. Sorry, I should have indicated that explicitly.

I'm currently running the Malwarebytes scan he recommended.

Thanks,

dgk

#9 dgkdgk

Posted 01 June 2009 - 09:45 AM

quietman

Thanks for the suggestion. Here is the output of the cleaning attempt. It also prompted me for a reboot which I will perform right after I send off this message.

:)

dgk

Malwarebytes' Anti-Malware 1.37
Database version: 2206
Windows 5.1.2600 Service Pack 3

6/1/2009 9:42:50 AM
mbam-log-2009-06-01 (09-42-50).txt

Scan type: Quick Scan
Objects scanned: 87354
Time elapsed: 1 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\cd149930-677c-4154-a312-218ee4be8e2f.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.

#10 quietman7

Posted 01 June 2009 - 10:11 AM

Did you try running any of the ARK tools I provided above?

Let's see if you can confirm the file is still present.
Please download WinPatrolToGo which is a portable stand-alone tool that does not require installation.
  • Double-click on WinPatrolToGo.exe to launch the program.
  • Click the Hidden Files tab to see a list of hidden files on your system.
  • To create a report, click the Options tab.
  • Click WinPatrol Log and a report (.html file) should automatically open in your default browser.
  • Save the report log to your desktop.
  • Copy and paste the information under Hidden files only (scroll down and look under Services) in your next reply.
  • Exit WinPatrolToGo when finished.


#11 dgkdgk

Posted 01 June 2009 - 10:19 AM

quietman7,

I'm trying Sophos. In the meanwhile here is the hidden file list from winpatrol. I don't see it here...

Hidden Files
boot.ini - Path: C:\boot.ini
hiberfil.sys - Path: C:\hiberfil.sys
IO.SYS - Path: C:\IO.SYS
MSDOS.SYS - Path: C:\MSDOS.SYS
NTDETECT.COM - Path: C:\NTDETECT.COM
ntldr - Path: C:\ntldr
pagefile.sys - Path: C:\pagefile.sys
WindowsShell.Manifest - Path: C:\WINDOWS\WindowsShell.Manifest
winnt.bmp - Path: C:\WINDOWS\winnt.bmp
winnt256.bmp - Path: C:\WINDOWS\winnt256.bmp
cdplayer.exe.manifest - Path: C:\WINDOWS\system32\cdplayer.exe.manifest
default.LOG - Path: C:\WINDOWS\system32\config\default.LOG
SAM.LOG - Path: C:\WINDOWS\system32\config\SAM.LOG
SECURITY.LOG - Path: C:\WINDOWS\system32\config\SECURITY.LOG
software.LOG - Path: C:\WINDOWS\system32\config\software.LOG
system.LOG - Path: C:\WINDOWS\system32\config\system.LOG
TempKey.LOG - Path: C:\WINDOWS\system32\config\TempKey.LOG
userdiff.LOG - Path: C:\WINDOWS\system32\config\userdiff.LOG
MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf - Path: C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
Msft_Kernel_LHidFilt_01005.Wdf - Path: C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
Msft_Kernel_LMouFilt_01005.Wdf - Path: C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
logonui.exe.manifest (Windows Logon UI, Version: 6.00.2900.5512, Microsoft Corporation) - Path: C:\WINDOWS\system32\logonui.exe.manifest
ncpa.cpl.manifest - Path: C:\WINDOWS\system32\ncpa.cpl.manifest
nwc.cpl.manifest - Path: C:\WINDOWS\system32\nwc.cpl.manifest
filelist.xml - Path: C:\WINDOWS\system32\Restore\filelist.xml
sapi.cpl.manifest - Path: C:\WINDOWS\system32\sapi.cpl.manifest
WindowsLogon.manifest - Path: C:\WINDOWS\system32\WindowsLogon.manifest
wuaucpl.cpl.manifest - Path: C:\WINDOWS\system32\wuaucpl.cpl.manifest
BITE4.tmp - Path: C:\Documents and Settings\dgk\Local Settings\Temp\BITE4.tmp

#12 quietman7

Posted 01 June 2009 - 10:27 AM

If Sophos doesn't find anything, let's try something else.

Please download Rooter.exe and save to your desktop.
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • A DOS window will appear and show the scan progress.
  • If you receive a Windows - No Disk error message, click Continue.
  • Once the scan is complete, a notepad file (Rooter.txt) containing the report will open and Rooter will automatically close.
  • A log will also be saved at %systemdrive%\Rooter.txt (where %systemdrive% is usually C: or the drive that you have Windows installed).
  • Copy and paste the contents of Rooter.txt in your next reply.

Edited by quietman7, 01 June 2009 - 10:28 AM.


#13 dgkdgk

Posted 01 June 2009 - 10:44 AM

quietman,

Here is the output from that tool. I'm beginning to wonder if this is just a false positive from AVG?

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:305234 Mo/Free:767 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Mon 06/01/2009|10:42

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\PROGRA~1\AVG\AVG8\avgfws8.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\PROGRA~1\AVG\AVG8\avgam.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\WINDOWS\system32\rpcnet.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\IDT\WDM\STacSV.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\vmnat.exe
---------- C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
---------- C:\WINDOWS\system32\vmnetdhcp.exe
---------- C:\Program Files\VMware\VMware Server\vmware-authd.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\Program Files\VMware\VMware Server\vmware-hostd.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\Program Files\IDT\WDM\sttray.exe
---------- C:\WINDOWS\system32\rundll32.exe
---------- C:\PROGRA~1\AVG\AVG8\avgtray.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
---------- C:\Program Files\DNA\btdna.exe
---------- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Logitech\SetPoint\SetPoint.exe
---------- C:\Program Files\RadioLabs Wave Magnum Wireless Utility\RtWLan.exe
---------- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
---------- C:\Program Files\World of Warcraft\WoW.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\Documents and Settings\dgk\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Mon 06/01/2009|10:37
2 - "C:\Rooter$\Rooter_2.txt" - Mon 06/01/2009|10:42

----------------------\\ Scan completed at 10:42

-Dan

#14 quietman7

Posted 01 June 2009 - 10:55 AM

I'm beginning to wonder if this is just a false positive from AVG?

That's a possibility but since some rootkits can be dangerous, that's why I'm having you check with some different tools. There are more powerful tools but we don't use them in this forum.

Reboot your computer, update AVG's definitions and scan again to see if it still detects a rootkit.

#15 dgkdgk

Posted 01 June 2009 - 11:05 AM

quietman,

Ok, thanks I appreciate it. AVG finds this:

Object Name: C:\WINDOWS\System32\Drivers\aq6qar6u.SYS
Detection Name: Hidden Driver
Object Type: file
SDK Type: Rootkit
Result: Object is hidden

It's similar to the finding I reported in my original posting, but with a new filename here...

I did clone my system using clonezilla when it was clean so that is a possibility if this can't be cleaned.

dgk
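The two AVG reports in this thread name the same "Hidden Driver" detection in the same directory under two different random-looking filenames (alut8q84.SYS, then aq6qar6u.SYS after a removal attempt). As an added example that is not from the thread, from AVG or from any of the tools mentioned, the Python below parses such key: value report blocks and flags a detection that reappears under a new name; the eight-character name heuristic, the field names and the sample text are assumptions taken only from the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVG "Hidden Driver" detections quoted in this thread,
# in the key: value layout shown there (the second one carries an extra Result line).
AVG_REPORTS = r"""
Object Name: C:\WINDOWS\System32\Drivers\alut8q84.SYS
Detection Name: Hidden Driver
Object Type: File
SDK Type: Rootkit

Object Name: C:\WINDOWS\System32\Drivers\aq6qar6u.SYS
Detection Name: Hidden Driver
Object Type: file
SDK Type: Rootkit
Result: Object is hidden
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
# Assumed heuristic: 8 lowercase letters/digits, the shape of the two names quoted above.
RANDOM_STEM_RE = re.compile(r"^[a-z0-9]{8}$")


def parse_reports(text):
    """Split blank-line-separated report blocks into dicts keyed by lower-cased field name."""
    reports, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                reports.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    if current:
        reports.append(current)
    return reports


def split_path(path):
    """Return (directory, stem, extension) of a Windows path; directory and extension lower-cased."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    if "." in name:
        stem, ext = name.rsplit(".", 1)
    else:
        stem, ext = name, ""
    return directory.lower(), stem, ext.lower()


def looks_random(stem):
    """True for a short alphanumeric stem mixing letters and digits.
    Only a hint: terse legitimate driver names can match too, so one hit proves nothing."""
    s = stem.lower()
    return (bool(RANDOM_STEM_RE.match(s))
            and any(c.isdigit() for c in s)
            and any(c.isalpha() for c in s))


def correlate(reports):
    """Group detections by (directory, detection name) and report groups in which two or
    more distinct random-looking .sys names were seen: the file came back under a new
    name after a removal attempt, which is the behaviour described in this thread."""
    groups = defaultdict(set)
    for r in reports:
        path = r.get("object name")
        if not path:
            continue
        directory, stem, ext = split_path(path)
        if ext == "sys" and looks_random(stem):
            groups[(directory, r.get("detection name", "").lower())].add(stem.lower())
    return [
        {"directory": d, "detection": det, "names": sorted(names),
         "verdict": "hidden driver reappearing under new random names"}
        for (d, det), names in groups.items() if len(names) >= 2
    ]


if __name__ == "__main__":
    for finding in correlate(parse_reports(AVG_REPORTS)):
        print(finding)
```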



