
ROOTKIT infection


16 replies to this topic

#1 NickTTTA (Members, 38 posts)

Posted 06 July 2009 - 01:53 PM

Firefox, Malwarebytes, SuperAntiSpyware, and HJT will not open. Very randomly iexplorer.exe will open (in Process Explorer, but no window is visible) and the audio from commercials will play on the computer. Google is not working properly, nor is ANY search engine I attempt to use.

You guys have helped me before, and I learned a lot, but I feel that I am in need of your expertise again.

Occasionally I am able to open Malwarebytes or SuperAntiSpyware with Process Explorer, but after the reboot the files are still on the computer, with the commercials playing randomly.

Please direct me.

Windows XP Pro SP3

Edited by NickTTTA, 06 July 2009 - 01:54 PM.



#2 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 07 July 2009 - 01:44 AM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog ("Please select drives to scan:"), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 NickTTTA (Topic Starter, Members, 38 posts)

Posted 07 July 2009 - 09:15 AM

After extracting RR and opening it, I get a "RootRepeal Error - Invalid PE image found!" error

It is scanning now however

#4 NickTTTA (Topic Starter, Members, 38 posts)

Posted 07 July 2009 - 09:27 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/07 09:26
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\rootrepeal\settings.dat
Status: Size mismatch (API: 12, Raw: 0)

Path: C:\WINDOWS\system32\UACdrxxdoqhuidymlo.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACjejbfrhdemkilta.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACojqsloerbcklnbg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqaamnfnnspotgxt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrekvygmjdsvyuja.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACynmykcqqltpwvbp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC191.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\user\local settings\temp\~df7c4d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\~dfa52.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\~df2668.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\user\Local Settings\Temp\UAC69eb.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\My Documents\Downloads\All Magician and Mentalisim Books (Total 250+ Books)\Bob Cassidy\Bob Cassidy - The Real Work Of Cold Reading\Bob Cassidy - Shadow Hunter\Bob Cassidy - Shadow Hunter\Bob Cassidy - The Schattenjaeger.pdf
Status: Locked to the Windows API!

Edited by Budapest, 15 April 2010 - 05:53 PM.


#5 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 07 July 2009 - 04:14 PM

Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes.

#6 NickTTTA (Topic Starter, Members, 38 posts)

Posted 07 July 2009 - 09:04 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2389
Windows 5.1.2600 Service Pack 3

7/7/2009 9:03:11 PM
mbam-log-2009-07-07 (21-03-11).txt

Scan type: Quick Scan
Objects scanned: 163784
Time elapsed: 14 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACjejbfrhdemkilta.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACojqsloerbcklnbg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqaamnfnnspotgxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrekvygmjdsvyuja.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys (Trojan.Agent) -> Quarantined and deleted successfully.

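A worked check for the two logs above, added here as an example; it is not code from the thread, from RootRepeal or from Malwarebytes. It parses a trimmed, constructed copy of the RootRepeal "Hidden/Locked Files" section from post #4 and of the Malwarebytes log from post #6, picks out every entry RootRepeal marked "Invisible to the Windows API!", and reports which of those paths Malwarebytes has already quarantined and which it has not touched yet. The "invisible to the API means cross-view hidden, locked means probably legitimate" triage rule, the regular expressions and the sample log layout are assumptions of this example, not either tool's own logic.

```python
"""Cross-check a RootRepeal report against a Malwarebytes log (added example)."""
import re

# Constructed sample: trimmed copy of the RootRepeal report posted in the thread
# (blank lines between entries omitted; the parser does not need them).
ROOTREPEAL_REPORT = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\UACdrxxdoqhuidymlo.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACjejbfrhdemkilta.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACojqsloerbcklnbg.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACqaamnfnnspotgxt.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACrekvygmjdsvyuja.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACynmykcqqltpwvbp.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\UAC191.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\user\Local Settings\Temp\UAC69eb.tmp
Status: Invisible to the Windows API!
"""

# Constructed sample: trimmed copy of the Malwarebytes quick-scan log from the thread.
MBAM_LOG = r"""
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 7

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\UACjejbfrhdemkilta.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACojqsloerbcklnbg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqaamnfnnspotgxt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrekvygmjdsvyuja.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACtvpkmrmebxtfnwi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UAChlsxyevkayuuhwm.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Status string RootRepeal uses when its raw disk read finds a file the Win32 API does not list.
HIDDEN = "Invisible to the Windows API!"
# One Malwarebytes detection line: "<path or key> (<family>) -> <action>".
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_rootrepeal(report):
    """Return (path, status) pairs from a RootRepeal Hidden/Locked Files section."""
    entries, path = [], None
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Path:"):
            path = line[5:].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[7:].strip()))
            path = None
    return entries


def parse_mbam(log):
    """Map each Malwarebytes detection (lower-cased path or key) to (family, action)."""
    found = {}
    for line in log.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            found[m.group("item").lower()] = (m.group("family"), m.group("action"))
    return found


def triage(report, log):
    """Split RootRepeal's API-invisible files into those Malwarebytes handled and those left."""
    hidden = [p for p, status in parse_rootrepeal(report) if status == HIDDEN]
    detections = parse_mbam(log)
    # Paths are compared case-insensitively: RootRepeal logs "C:\WINDOWS", Malwarebytes "c:\WINDOWS".
    removed = [p for p in hidden if p.lower() in detections]
    remaining = [p for p in hidden if p.lower() not in detections]
    registry = [k for k in detections if k.startswith("hkey_")]
    return {"hidden": hidden, "removed": removed, "remaining": remaining, "registry": registry}


if __name__ == "__main__":
    result = triage(ROOTREPEAL_REPORT, MBAM_LOG)
    print(f"{len(result['hidden'])} API-invisible files, {len(result['removed'])} quarantined")
    for path in result["remaining"]:
        print("still to check:", path)
```

On the logs as posted, the driver, uacinit.dll and the five UAC*.dll files come back as quarantined, while the UAC*.log, UAC*.dat and two UAC*.tmp files are still outstanding, which is why the follow-up advice to rerun the scan until it reports zero matters: a hidden driver can be gone while its companions are not. hiberfil.sys is locked, not invisible, and is left alone.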
#7 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 07 July 2009 - 09:10 PM

Reboot, run the Malwarebytes scan again and post the new log. Keep doing this until it shows zero infections. If after 3 runs there are still problems post back the final log.

#8 NickTTTA (Topic Starter, Members, 38 posts)

Posted 07 July 2009 - 09:18 PM

I just did this again, and it removed 2 more UAC infections. Doing the third scan now.

#9 NickTTTA (Topic Starter, Members, 38 posts)

Posted 08 July 2009 - 09:33 AM

All clean!

#10 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 08 July 2009 - 04:20 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#11 NickTTTA (Topic Starter, Members, 38 posts)

Posted 08 July 2009 - 06:55 PM

I'd like to rename you "Budabest" =) Thank you so much!

#12 NickTTTA (Topic Starter, Members, 38 posts)

Posted 08 July 2009 - 09:34 PM

J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6

#13 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 08 July 2009 - 10:10 PM

Those Java versions are out of date. Remove them and get the latest:

http://java.com/getjava/

#14 NickTTTA (Topic Starter, Members, 38 posts)

Posted 10 July 2009 - 11:53 PM

Done

#15 Budapest, Bleepin' Cynic (Moderator, 23,573 posts)

Posted 11 July 2009 - 12:59 AM

Then I think you're good to go.