
NOT SURE IF I AM INFECTED

15 replies to this topic

#1 tekktronic

tekktronic

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 04 July 2009 - 12:16 AM

Hello all:

I run Windows XP on a Sony VAIO laptop. Now, I have suspected that my laptop has been infected with viruses and such, since it has been running very slow for quite some time, and if I open several tabs, it bogs down to a CRAWL. Now, I navigated to a website (can't remember what it was) about a couple of days ago, and all of a sudden, I got an alert saying "trojan_rootkit_something-or-other detected on open" and then it showed me a path and filename, and also an option to either heal the file or move to vault. I opted to move the file to the vault. If I remember correctly, the file was rhoss.dll or something like that. I then attempted to go back to browsing the net, but my system halted after this, even bypassing ctrl-alt-del. I even tried shutting the computer down, but it did not shut down, and I had to remove the battery and put it back in just to shut it down. Please, if you can point me in the right direction, I would greatly appreciate it. Thank you all for the valuable service you provide to the computing masses.

Sincerely,

tekktronic
-Ezra G.-
"Danger = Crisis + Opportunity" - Chinese character


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 06 July 2009 - 03:33 AM

Hello tekktronic, and :thumbsup: to BleepingComputer!

Let's see if we can find a cause for your problems! Please follow the steps below.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

ATF-CLEANER
------------------
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 07 July 2009 - 01:21 AM

Hello Elise!

Thanks for taking a look at my situation. I ran ATF-Cleaner, then rebooted into safe mode and subsequently ran a scan with Dr. Web CureIt. I think it found some virus remnants in a Symantec quarantine folder, or some such anomaly. However, while deleting the files, it encountered a fatal error, upon which, it rebooted itself. Upon reboot, the system again encountered a fatal error, something to do with DCOM not being able to load properly, or something, which rebooted the system yet again. It stopped in mid-shutdown and just froze up, so I took off the battery (as I described in my earlier post) and proceeded to boot the laptop once more. It did boot up with no problems; however, I don't know how long the system will remain stable. Also, I was not able to save a log file because the system encountered the error while still in mid-scan in safe mode. I'm running the scan again in normal mode right now, and it found something called tool.cracksearch (I don't know who put it there, since it is a shared computer). I will also rescan in safe mode after this scan is done. Thank you once again, and please advise me on what I could and should do next.

tekktronic

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 07 July 2009 - 02:16 AM

Hi tekktronic, please let me know what the results of the scan were and based on that we will see what the next step should be.

If you have crashing problems again while running Dr. Web, do not rerun it; we don't want to get your laptop in worse shape :thumbsup:

regards, Elise




#5 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 07 July 2009 - 02:28 PM

Hello again!!

This time, the system did not crash; however, I am having problems with Firefox: whenever I try to click on a link I pulled up with a Google search (and I mean ANY LINK), Firefox redirects me to some random website. And NOW, even as I'm typing this post, System Security kicked in and just randomly started scanning, and showing me all kinds of infections. Now, I know that System Security is not really a legitimate antivirus, and that somehow it has installed malware on my computer to look like a virus (or viruses) has infected my computer. Anyway, what do I do now?? I'm pretty sure I am infected somehow. Do I run a HiJackThis scan now or what? Please advise. Thanks very much. Oh, I'm posting the Dr. Web CureIt report as well:


2E992B02.exe;C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine;Tool.CrackSearch;;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\AOL Setup\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\AOL Setup\comps\coach;Archive contains infected objects;Moved.;
hjgruiomtiwtib.dll;C:\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;
hjgruiftpetdqxov.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
hjgruikkguvtfqlm.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
hjgruirtfpxjbgbu.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;


This is all it gave me on the second run (in normal mode). Thanks again!!!

Sincerely,

tekktronic

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 07 July 2009 - 02:48 PM

Hi tekktronic, that is not good news, I am afraid. But let's confirm what we found. I see some rootkit traces there, so we are gonna run RootRepeal to see if it finds any.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
  • Click RootRepeal.exe to open the scanner.
  • Click the Report tab, now click on Scan. A window will open asking what to include in the scan.
  • Check the following items:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click OK
  • Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
  • Name the log RootRepeal.txt and save it to your Documents folder (default folder).
Paste the log into your next reply.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Rename mbam-setup.exe to winlogon.exe
  • Double-click on winlogon.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to winlogon.exe.
  • Double-click on winlogon.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on winlogon.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Edited by elise025, 07 July 2009 - 02:49 PM.

regards, Elise




#7 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 07 July 2009 - 09:48 PM

Hello again Elise!!

That RootRepeal is a nifty little program. Was it developed by the same developers as MBAM?? Anyway, I am running RootRepeal as we speak, and it is showing me that there is indeed invisible activity. So far, I can see c:\windows\system32\drivers\hjgruiquwkbodj.sys (as per what the tutorial on using RootRepeal says about how to identify the rootkit driver). Should I wipe this file using RootRepeal?? Anyway, I will await further instructions before I do anything else, and also, here is my RootRepeal Report:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/07 19:35
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA73C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A60000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruiquwkbodj.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys
Address: 0xAAA59000 Size: 163840 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9878000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-0FFBFDFD.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\hjgruifoeptkyp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruifwabltov.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruikypixwip.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiomtiwtib.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruipmkpcbxqxc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruixvhivfpniy.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\brian\local settings\temp\etilqs_ngkgqlvtpajhfuxptluu
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\BRIAN\Application Data\Mozilla\Firefox\Profiles\p3q0n0ac.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: winlogon.exe (PID: 732) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: services.exe (PID: 784) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: lsass.exe (PID: 796) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruikypixwip.dll]
Process: svchost.exe (PID: 956) Address: 0x008c0000 Size: 53248

Object: Hidden Module [Name: hjgruiomtiwtib.dll]
Process: svchost.exe (PID: 956) Address: 0x01360000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 956) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 1028) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 1112) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: EvtEng.exe (PID: 1184) Address: 0x00700000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: S24EvMon.exe (PID: 1352) Address: 0x009e0000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: Explorer.EXE (PID: 1552) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 1592) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 1852) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 228) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: avgwdsvc.exe (PID: 264) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: jqs.exe (PID: 388) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: sqlservr.exe (PID: 436) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: avgrsx.exe (PID: 556) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: avgnsx.exe (PID: 564) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: HPZipm12.exe (PID: 664) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: RegSrvc.exe (PID: 1228) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: VESMgr.exe (PID: 1384) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: VCSW.exe (PID: 1412) Address: 0x00950000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: ViewpointService.exe (PID: 1732) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: VzCdbSvc.exe (PID: 1912) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: wmiapsrv.exe (PID: 2052) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: avgemc.exe (PID: 2256) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: VzFw.exe (PID: 2468) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: igfxext.exe (PID: 2572) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: avgcsrvx.exe (PID: 2608) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: igfxsrvc.exe (PID: 2624) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: VzRs.exe (PID: 2880) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: alg.exe (PID: 3000) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: hkcmd.exe (PID: 3440) Address: 0x00390000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: igfxpers.exe (PID: 3448) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: Apoint.exe (PID: 3460) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: RTHDCPL.EXE (PID: 3472) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: SPMgr.exe (PID: 3524) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: ISBMgr.exe (PID: 3532) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: AvRmtCtr.exe (PID: 3556) Address: 0x003c0000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: SsAAD.exe (PID: 3692) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: svchost.exe (PID: 3860) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: hphmon04.exe (PID: 3928) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: vVX3000.exe (PID: 3960) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: avgtray.exe (PID: 4020) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: GrooveMonitor.exe (PID: 528) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: Apntex.exe (PID: 1196) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: jusched.exe (PID: 1300) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: ctfmon.exe (PID: 1152) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: SetPoint.exe (PID: 2020) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: KHALMNPR.EXE (PID: 2808) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: firefox.exe (PID: 3196) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiomtiwtib.dll]
Process: svchost.exe (PID: 884) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiomtiwtib.dll]
Process: RootRepeal.exe (PID: 2672) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: hjgruidyiuwqpq
Image Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys

==EOF==



Thanks!!

tekktronic


ADDENDUM:

I was able to run MBAM, and it found 17 infections. Here's the log:



Malwarebytes' Anti-Malware 1.38
Database version: 2389
Windows 5.1.2600 Service Pack 3

7/7/2009 8:44:57 PM
mbam-log-2009-07-07 (20-44-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187296
Time elapsed: 34 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13509844 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\BRIAN\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\BRIAN\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



I ran MBAM again after reboot, and the next scan revealed no infections; HOWEVER, when I tried googling something, the same thing happens: redirect to a random website. I guess because I still haven't nuked the rootkit yet. Anyway, I ran RootRepeal, and it still showed exactly the same hidden activity as before. Please advise. Thanks again!!

tekktronic

Edited by tekktronic, 08 July 2009 - 12:38 AM.

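As an added example (not code from the thread, from RootRepeal or from MBAM), here is a small Python triage script over abridged excerpts of the RootRepeal report and the MBAM Userinit line posted above: it correlates the hidden service with the driver the Windows API cannot see, counts how many processes the same hidden module was found in, and extracts what was appended to the Winlogon Userinit value.

```python
"""Triage the RootRepeal and MBAM output quoted in the thread (added example;
not part of RootRepeal, MBAM or the forum's procedure)."""
import re
from collections import Counter, defaultdict

# Abridged excerpt of the RootRepeal report posted above (repeated entries dropped).
ROOTREPEAL_REPORT = r"""
Drivers
-------------------
Name: hjgruiquwkbodj.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys
Address: 0xAAA59000 Size: 163840 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: winlogon.exe (PID: 732) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruipmkpcbxqxc.tmpll]
Process: services.exe (PID: 784) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiomtiwtib.dll]
Process: svchost.exe (PID: 956) Address: 0x01360000 Size: 32768

Hidden Services
-------------------
Service Name: hjgruidyiuwqpq
Image Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys
"""

# The Userinit line from the MBAM log posted above.
MBAM_USERINIT_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
    r" (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,"
    r"C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe)"
)

# "Key: value" pairs; several may share one line ("Address: ... Size: ... Signed: ...").
FIELD = re.compile(r"([A-Z][A-Za-z /]*?): (.*?)(?= [A-Z][A-Za-z ]*?: |$)")


def parse_rootrepeal(report):
    """Return {section: [record, ...]}; each record maps field names to values."""
    lines = [line.rstrip() for line in report.strip().splitlines()]
    sections, section, record = defaultdict(list), None, {}

    def flush():
        if record:
            sections[section].append(dict(record))
            record.clear()

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            flush()                             # section headers are underlined with dashes
            section = line
        elif line.startswith("---") or section is None:
            continue
        elif not line:
            flush()                             # a blank line closes the current record
        else:
            record.update(FIELD.findall(line))
    flush()
    return dict(sections)


def triage(sections):
    """Flag what the thread correlated by hand: a service backed by a driver the
    Windows API cannot see, and one module hidden inside many processes."""
    hidden = {r["Path"].lower() for r in sections.get("Hidden/Locked Files", [])
              if "Invisible" in r.get("Status", "")}
    hidden |= {r["Image Path"].lower() for r in sections.get("Drivers", [])
               if "Hidden" in r.get("Status", "")}
    findings = [("hidden-service", s["Service Name"], s["Image Path"])
                for s in sections.get("Hidden Services", [])
                if s["Image Path"].lower() in hidden]
    injected = Counter(m.group(1) for o in sections.get("Stealth Objects", [])
                       for m in [re.search(r"\[Name: (.*?)\]", o.get("Object", ""))] if m)
    findings += [("injected-module", name, n) for name, n in injected.most_common() if n >= 2]
    return findings


def userinit_extras(mbam_line):
    """Return what MBAM found in the Winlogon Userinit value besides userinit.exe
    (the log above shows sdra64.exe appended there, the classic Userinit hijack)."""
    m = re.search(r"Bad: \((.*?)\)", mbam_line)
    entries = [e.strip() for e in m.group(1).split(",")] if m else []
    return [e for e in entries if e and not e.lower().endswith("userinit.exe")]
```

Feeding the full report instead of the excerpt would count the same module in more than fifty processes, which is what makes the injected-module finding stand out from a single hidden DLL.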

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 08 July 2009 - 01:41 AM

Hi there!
First of all we need to re-run rootrepeal

Run RootRepeal and select *Files* then scan only.
When the scan is finished, you should see a list of files.
Right-click the following file C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys and select Wipe.
Reboot your computer immediately!!

Do NOT wipe any other file!!!

Now please run again ATF-Cleaner and Dr. Web Cureit, following the steps I gave you in my first post.

Do you still have SystemSecurity pop ups?

In your next reply, please post the Dr. Web scan results.

regards, Elise




#9 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 08 July 2009 - 03:45 AM

Hello again!!

I wiped the file successfully with RootRepeal. Upon reboot, AVG Resident Shield kicked in and detected multiple threats, all linked to the same .DLL file (c:\windows\system32\hjgruiomtiwtib.dll). It says it's Trojan horse BackDoor.Generic11.zne and it even says that MBAM and AVG are both infected. It's asking me to remove selected items, or remove all unhealed items, or close the resident shield window. I don't want to accidentally remove anything. Should I just remove unhealed? I want to at least be able to quarantine items that get infected. Please advise. Thanks!!

tekktronic

ADDENDUM:

No more redirects or System Security 2009 alerts!!! I think we did it, but I want to be 100% sure, so I ran another RootRepeal scan, and it revealed a hidden service (connected to c:\windows\system32\hjgruiqwukbodj.sys). I already wiped that file, and I just want to know how to remove all traces of this malware, including this .SYS file. Is it safe to delete this file directly? Can I even delete this manually?? Please advise once again. Also, I will run all scans a second time, including AVG, MBAM, and Dr. Web CureIt, and will post all subsequent reports relevant. Thanks!!

Edited by tekktronic, 08 July 2009 - 04:50 AM.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 08 July 2009 - 08:16 AM

Hi Tekktronic,

Be careful, do NOT remove unhealed files!!!!! Instead try Dr. Web in safe mode and make sure you follow the steps I posted for that in my first post!

Just ignore AVG and so on for now. The files that are now detected were hidden by the rootkit. Since we wiped the driver file from the rootkit, all associated baddies are now visible.

Dr. Web should be able to clean up quite a bit, so I will wait for that report.

regards, Elise




#11 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 08 July 2009 - 06:30 PM

Hello again!!

Dr. Web CureIt did not report any infections at all, so I did feel it was necessary to post the report. AVG Resident Shield moved the .DLL file that was showing up as infected to the virus vault, and I manually deleted the other .DLL files associated with the rootkit (C:\...\hjgrui*.*). The only trace that remains on the computer, I think, is the .SYS file that we wiped earlier (C:\...\hjgruiqwukbodj.sys). It is still showing up on the RootRepeal scan AS A HIDDEN SERVICE. I don't know if I should just delete that file outright, or what. Anyway, here's that RootRepeal report:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/08 16:13
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA764000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A46000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA945C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: hjgruidyiuwqpq
Image Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys


==EOF==


Hope everything is looking good so far... And I hope we're almost to the end of this nightmare.


Thanks again, and please advise further.


Sincerely,

tekktronic
-Ezra G.-
"Danger = Crisis + Opportunity" - Chinese character
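As an added example (not code from this thread or from RootRepeal), the following parser reads a RootRepeal report laid out like the one quoted above and lists the entries a helper would triage: every hidden service, plus any driver whose file is "not visible" and is not one of the entries RootRepeal itself produces (the dump_* crash-dump stack and rootrepeal.sys). The report excerpt is constructed from the post above, and the allow-list of expected invisible drivers is an assumption.

```python
import re

# Constructed excerpt of the RootRepeal report quoted in the post above.
REPORT = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA945C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: hjgruidyiuwqpq
Image Path: C:\WINDOWS\system32\drivers\hjgruiquwkbodj.sys
"""

# Assumed allow-list: driver files RootRepeal reports as not visible for benign
# reasons (the crash-dump stack, dump_*, and RootRepeal's own driver).
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)

def parse_report(text):
    """Group the report into {section: [record, ...]}, one record per key/value block."""
    sections = {}
    # A section is a header line followed by a dashed rule: [preamble, name, body, ...]
    parts = re.split(r"^(\S.*)\n-{5,}\n", text, flags=re.M)
    for name, body in zip(parts[1::2], parts[2::2]):
        records = []
        for block in re.split(r"\n\s*\n", body.strip()):
            record = {}
            for line in block.splitlines():
                if line.startswith("Address:"):   # several fields packed on one line
                    m = re.search(r"File Visible: (\w+)", line)
                    record["File Visible"] = m.group(1) if m else "?"
                elif ": " in line:
                    key, val = line.split(": ", 1)
                    record[key] = val.strip()
            if record:
                records.append(record)
        sections[name.strip()] = records
    return sections

def triage(sections):
    """Flag hidden services, and drivers whose file is invisible without a benign explanation."""
    findings = [("hidden service", s["Service Name"], s["Image Path"])
                for s in sections.get("Hidden Services", [])]
    findings += [("hidden driver", d["Name"], d["Image Path"])
                 for d in sections.get("Drivers", [])
                 if d.get("File Visible") == "No" and not EXPECTED_HIDDEN.match(d["Name"])]
    return findings
```

On the report above this yields a single finding, the hidden service and the driver it loads, while rootrepeal.sys is filtered out by the allow-list.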

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 09 July 2009 - 01:21 AM

Well done, that looks a lot better already!

You can wipe the hidden service you highlighted in your post.

Please let me know how everything is working now! Any redirects, errors, pop ups and so on?

After that, rerun MBAM: update it and run a full scan (do this in normal mode).

SUPERANTISPYWARE
------------------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#13 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 09 July 2009 - 11:11 AM

Hello again!!!

No more popups, SystemSecurity2009 alerts, or redirects AT ALL!!! Thanks so much for all your help... I ran MBAM one more time (as per your instructions), and it found the last remaining trace (C:\...\hjgruiqwukbodj.sys) of the virus and nuked it. Do you still recommend scanning with SAS? If you do, I will proceed as advised. Thank you once again for your efforts... I think they paid off!!!

Sincerely,

tekktronic
-Ezra G.-
"Danger = Crisis + Opportunity" - Chinese character

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:15 AM

Posted 09 July 2009 - 11:43 AM

Hi tekktronic, yes, I recommend scanning with SAS. It is entirely possible that a trace of something bad has remained on your system.
I also recommend you post a DDS log in the HJT forums to let a trained helper look at your logs to make absolutely sure everything is gone. Since you had a nasty infection, we can never make sure you are absolutely clean without a deeper investigation.

Also, please make sure you read the following information.

One or more of the identified infections was a backdoor trojan.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Please post the SAS log and let me know if you want to post your log in the HJT forum.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#15 tekktronic

tekktronic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 24 July 2009 - 08:17 PM

Hello again, Elise!!

Thank you once again for helping me out with my situation. I ran SAS, and no traces of the infection were found, only two adware cookies (nuked them as of this post and ran the complete scan again after nuking them; there were no detections in that scan either). I may not need to post to the HJT forum, as I also downloaded CCleaner and ran it through once (I fixed my registry anomalies). Since running CCleaner post-infection, my computer has now been running smoother, without any popups, redirects, or alerts. Thank you so much for your help in this matter!!! Case closed LOL!!! Regards to you and the entire team!!

Sincerely,

tekktronic
-Ezra G.-
"Danger = Crisis + Opportunity" - Chinese character
