Trojan horse BackDoor.Generic11.ZNE and virus Packed.Monder



#1 ihatevirusesok


Posted 13 July 2009 - 12:01 AM

Hello,

I am running Windows Vista Home Edition and have been struggling with a bunch of viruses. Currently, all I have left is 'Trojan horse BackDoor.Generic11.ZNE' and virus 'Packed.Monder'.

I have removed a bunch of viruses already with Malwarebytes Anti-Malware and SuperAntiSpyware. The ones I remember are Win32\Cryptor and Generic13.(something). There was also one that had rootkit in the name, but I can't remember the full name.

I got the virus using Firefox or IE, not 100% sure. I think I had IE on my Hotmail and had 2 Firefoxes open, one searching for game-related stuff and the other for porn (guess that's the virus one).

Before I removed the first 3 viruses/malware, Google would not work for me; searches would return blank pages. Eventually, I found out that by going to Advanced Search I could bypass the virus and search for information about it. I would also have IE opening sometimes with publicity links. Now all the internet functionality seems to work fine.

I used ComboFix too, and it found a bunch of stuff, of which I am pretty sure one is a keylogger. For that reason, I created a new Hotmail account to register on this website and will probably not use my real account on this computer anymore until it is safe to do so.

Currently, the AVG 8.5 Free Resident Shield alert keeps telling me about the file C:\Windows\System32\hjgruirhlshwmp.dll (infection Trojan horse BackDoor.Generic11.ZNE) and C:\Windows\System32\drivers\hjgruiqpjfuvvq.sys (infection Virus identified Packed.Monder).

I have not been able to deal with those 2 threats with AVG 8.5 Free, Malwarebytes, SAS and ComboFix.

Among the files I've seen infected so far were a bunch of UAC files. My User Account Control cannot be activated anymore (service could not be started).


I know that it says not to post CF logs here so I won't, but skimming through the log I found something that seemed similar to other posts I've seen while googling the problem: filenames with 'random characters'. This excerpt toward the end of the CF log seems like something noteworthy, especially since a lot of similarly named files were deleted by ComboFix:

scanning hidden files ...

c:\windows\system32\drivers\hjgruiqpjfuvvq.sys 67584 bytes executable
c:\windows\system32\hjgruijyylefim.dat 112790 bytes
c:\windows\system32\hjgruiodsvxwkm.dat 93 bytes
c:\windows\system32\hjgruirhlshwmp.dll 18944 bytes executable
c:\windows\system32\hjgruisvhturtk.dll 42496 bytes executable
c:\users\hp2\AppData\Local\Temp\hjgrui000 0 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruivwycbxpt]
"imagepath"="\systemroot\system32\drivers\hjgruiqpjfuvvq.sys"
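Added example, not from the original post and not part of ComboFix: a small Python script that parses the "scanning hidden files" section and the Services key lines of a ComboFix excerpt like the one above, correlates each hidden file with any service entry whose ImagePath loads it, and reports the name prefix the hidden files share. The sample text is constructed from the lines posted above; the only assumption beyond them is that Windows is installed in c:\windows (which the posted paths show), used to normalise the \SystemRoot\, \??\ and bare system32\ spellings of ImagePath to the on-disk path ComboFix prints.

```python
import os
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the hidden-files section and the service key
# exactly as they appear in the excerpt above. Not a complete ComboFix log,
# and nothing about the rest of the log format is assumed.
SAMPLE_LOG = r"""
scanning hidden files ...

c:\windows\system32\drivers\hjgruiqpjfuvvq.sys 67584 bytes executable
c:\windows\system32\hjgruijyylefim.dat 112790 bytes
c:\windows\system32\hjgruiodsvxwkm.dat 93 bytes
c:\windows\system32\hjgruirhlshwmp.dll 18944 bytes executable
c:\windows\system32\hjgruisvhturtk.dll 42496 bytes executable
c:\users\hp2\AppData\Local\Temp\hjgrui000 0 bytes

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruivwycbxpt]
"imagepath"="\systemroot\system32\drivers\hjgruiqpjfuvvq.sys"
"""


class HiddenFile(NamedTuple):
    path: str          # full path, lower-cased
    size: int          # size in bytes as printed
    executable: bool   # ComboFix tags PE images with "executable"


class ServiceEntry(NamedTuple):
    name: str          # subkey name under ...\Services
    image_path: str    # raw "imagepath" value from the log


_HIDDEN_LINE = re.compile(r"^(?P<path>[a-z]:\\.+?)\s+(?P<size>\d+) bytes(?P<exe>\s+executable)?\s*$", re.I)
_REPORTED = re.compile(r"^hidden files:\s*(?P<n>\d+)\s*$", re.I)
_SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\(?P<name>[^\]]+)\]$", re.I)
_IMAGEPATH = re.compile(r'^"imagepath"="(?P<path>[^"]*)"$', re.I)


def parse_hidden_files(log: str) -> List[HiddenFile]:
    """Collect the file lines between 'scanning hidden files' and 'scan completed'."""
    files: List[HiddenFile] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("scanning hidden files"):
            inside = True
            continue
        if low.startswith("scan completed"):
            inside = False
            continue
        m = _HIDDEN_LINE.match(line) if inside else None
        if m:
            files.append(HiddenFile(m.group("path").lower(), int(m.group("size")), bool(m.group("exe"))))
    return files


def reported_hidden_count(log: str) -> Optional[int]:
    """The count ComboFix itself prints, to cross-check against what we parsed."""
    for raw in log.splitlines():
        m = _REPORTED.match(raw.strip())
        if m:
            return int(m.group("n"))
    return None


def parse_services(log: str) -> List[ServiceEntry]:
    """Pair each [HKLM\\SYSTEM\\...\\Services\\<name>] header with the imagepath value under it."""
    entries: List[ServiceEntry] = []
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        key = _SERVICE_KEY.match(line)
        if key:
            current = key.group("name")
            continue
        if line.startswith("["):      # some other registry key: stop attributing values
            current = None
            continue
        val = _IMAGEPATH.match(line)
        if val and current:
            entries.append(ServiceEntry(current, val.group("path")))
    return entries


def normalize_image_path(image_path: str, windir: str = r"c:\windows") -> str:
    """Map kernel-style ImagePath spellings to the on-disk path ComboFix prints.
    Assumes windir is c:\\windows, as in the posted paths."""
    p = image_path.strip().strip('"').lower()
    if p.startswith("\\??\\"):                       # NT object-manager prefix
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = windir.lower() + p[len("\\systemroot"):]
    elif p.startswith("%systemroot%"):
        p = windir.lower() + p[len("%systemroot%"):]
    elif not (len(p) > 2 and p[1:3] == ":\\"):       # bare "system32\drivers\x.sys"
        p = windir.lower() + "\\" + p.lstrip("\\")
    return p


def services_loading_hidden_files(log: str) -> Dict[str, HiddenFile]:
    """Service name -> hidden file it loads. A hidden driver that a Services key
    still points at is loaded by the service manager whatever the directory listing shows."""
    hidden = {f.path: f for f in parse_hidden_files(log)}
    return {s.name: hidden[normalize_image_path(s.image_path)]
            for s in parse_services(log) if normalize_image_path(s.image_path) in hidden}


def shared_name_prefix(files: List[HiddenFile]) -> str:
    """Longest common prefix of the hidden file names (the dropper's naming pattern)."""
    return os.path.commonprefix([os.path.basename(f.path.replace("\\", "/")) for f in files])


if __name__ == "__main__":
    found = parse_hidden_files(SAMPLE_LOG)
    print(f"hidden files parsed: {len(found)}, reported: {reported_hidden_count(SAMPLE_LOG)}")
    print(f"shared prefix: {shared_name_prefix(found)!r}")
    for svc, f in services_loading_hidden_files(SAMPLE_LOG).items():
        print(f"service {svc} loads hidden driver {f.path} ({f.size} bytes)")
```

On the excerpt above this links the service hjgruivwycbxpt to the hidden hjgruiqpjfuvvq.sys and reports "hjgrui" as the prefix all six hidden files share. That correlation is the useful part for triage: the file is hidden from the normal file-system view, but the Services key still names it as ImagePath, so it is loaded at boot like any other driver, which is consistent with the two AVG alerts returning after each removal attempt. Orphaned Services keys pointing at files that were legitimately deleted also exist on clean systems, so a registry reference alone is not proof; the file showing up only in the hidden-files scan is what makes it worth acting on.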


#2 Budapest

Moderator

Posted 14 July 2009 - 05:47 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 ihatevirusesok


Posted 16 July 2009 - 12:01 AM

Thanks for your help,

Unfortunately, I have not been able to execute RootRepeal successfully. It always jams at the 'Initializing, please wait' screen. I have tried it in normal and safe mode, with and without opening the file by right-clicking and choosing Run as administrator. To make sure it wasn't just a long initialisation, I left the screen at 'Initializing, please wait' for about 8 hours straight, while sleeping. When I woke up, it was still there. Looking at the processes in Ctrl+Alt+Del, I saw it would always be taking 2 GB RAM (all I have on this computer) and 50% CPU (I assume it takes 100% of one of my 2 cores).

I also tried doing some cleaning up to remove some of my antiviruses and anti-spyware, to make sure they are not interfering, but uninstallation failed for both AVG Free 8.5 and Dr.Web (Dr.Web prompted me for a CAPTCHA, to then tell me I could not remove self-protection). Also, when trying to go into regedit to remove some keys associated with AVG, as suggested on the AVG Free forum by a moderator as a step towards uninstallation, I found that I didn't have the permissions required to view/edit keys in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

I'm currently thinking that either an antivirus or a virus messed up my rights and that insufficient permissions could be the cause of the RootRepeal failure.

I would appreciate any suggestions or pointers.

Thanks!

EDIT: as additional information, my account is an administrator account and UAC is turned off.

Edited by ihatevirusesok, 16 July 2009 - 12:04 AM.


#4 Budapest

Moderator

Posted 16 July 2009 - 12:17 AM

Try changing the disk access level in RootRepeal.

The disk access level controls how RootRepeal reads the disk to perform the Files and Hidden Services scan. If you experience a crash or unpredictable results when using either of those scans, please change the Disk Access Level to another level in the options dialog. The default level is recommended for most users. If you suspect that you have the MBR rootkit, you may want to change the level to the lowest possible level and run another scan.



#5 ihatevirusesok


Posted 16 July 2009 - 12:25 AM

I can't do anything in RootRepeal; it locks up at the initialization screen, before I can see any user interface (except for the screen that says Initialising, please wait...).

#6 Budapest

Moderator

Posted 16 July 2009 - 12:36 AM

Try scanning with Sophos Anti-rootkit.

Before performing a rootkit scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

* Disconnect from the Internet or physically unplug your Internet cable connection.
* Clean out your temporary files.
* Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
* Temporarily disable your anti-virus and real-time anti-spyware protection.
* After starting the scan, do not use the computer until the scan has completed.
* When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.