
infected with rootkit - how do I get rid of it?


4 replies to this topic

#1 w111ser

w111ser

  • Members
  • 4 posts

Posted 15 July 2009 - 11:48 AM

Hello! I'm sort of dumb when it comes to computers, so bear with me please! My computer was infected and I ran Malwarebytes, which cleaned up most of it. But I'm still having a few problems, and every time I run Malwarebytes it lists 3 infections: rootkit.trace, rootkit.agent and trojan.agent. It says it deletes them, but they're still there every time I run it. I installed Sophos Anti-Rootkit and it found over 60 infections, but it did not recommend cleanup on any of them, so I haven't done anything after that scan. Any ideas on how I can fix this? Thanks so much for your help!


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 15 July 2009 - 11:56 AM

Hi w111ser and :thumbsup: to BleepingComputer!

Let's do a rootkit scan first.

ROOTREPEAL
-------------
Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
  • Go HERE and download RootRepeal.zip to your Desktop.
  • Unzip that, (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
  • Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
  • Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 w111ser

w111ser
  • Topic Starter

  • Members
  • 4 posts

Posted 15 July 2009 - 11:59 AM

Hello and thank you! Should I uninstall the sophos software first, or is it okay to leave it?

#4 w111ser

w111ser
  • Topic Starter

  • Members
  • 4 posts

Posted 15 July 2009 - 12:12 PM

Okay, I did a scan and here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 13:00
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000009D0
Image Path: 000009D0
Address: 0x8653E000 Size: 41218 File Visible: No Signed: -
Status: -

Name: 000009D0
Image Path: 000009D0
Address: 0xEE0F3000 Size: 76032 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 31.tmp
Image Path: C:\WINDOWS\system32\31.tmp
Address: 0xF7B20000 Size: 6144 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE9DC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED9EB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7886000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE238000 Size: 57344 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x869a41b0]!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: winlogon.exe (PID: 632) Address: 0x00650000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: winlogon.exe (PID: 632) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: services.exe (PID: 680) Address: 0x00650000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: services.exe (PID: 680) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: lsass.exe (PID: 692) Address: 0x00720000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: lsass.exe (PID: 692) Address: 0x10000000 Address: 45056

Object: Hidden Thread [ETHREAD: 0x86bc52a0, TID: 1516]
Process: svchost.exe (PID: 868) Address: 0x00de1f3c Address: -

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 868) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UAC2f87.tmpuxtukjwbnsx.dll]
Process: svchost.exe (PID: 868) Address: 0x00a00000 Address: 204800

Object: Hidden Module [Name: UACweetasqucfunmrn.dll]
Process: svchost.exe (PID: 868) Address: 0x00af0000 Address: 73728

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 868) Address: 0x00d90000 Address: 45056

Object: Hidden Module [Name: UACbrnnuxtukjwbnsx.dll]
Process: svchost.exe (PID: 868) Address: 0x03140000 Address: 204800

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 868) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 868) Address: 0x034c0000 Address: 49152

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 952) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 952) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1048) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1048) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1116) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1116) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1200) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1200) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: brsvc01a.exe (PID: 1400) Address: 0x00930000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: brsvc01a.exe (PID: 1400) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: spoolsv.exe (PID: 1428) Address: 0x00980000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: spoolsv.exe (PID: 1428) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: brss01a.exe (PID: 1440) Address: 0x00940000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: brss01a.exe (PID: 1440) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: Explorer.EXE (PID: 156) Address: 0x00c10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: Explorer.EXE (PID: 156) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: PRISMSVR.EXE (PID: 176) Address: 0x009c0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: PRISMSVR.EXE (PID: 176) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: dad9.exe (PID: 404) Address: 0x00a20000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: dad9.exe (PID: 404) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 504) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 504) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: AOLacsd.exe (PID: 536) Address: 0x00b20000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: AOLacsd.exe (PID: 536) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 552) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 552) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: MDM.EXE (PID: 696) Address: 0x009b0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: MDM.EXE (PID: 696) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: sqlservr.exe (PID: 1028) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: sqlservr.exe (PID: 1028) Address: 0x00f30000 Address: 49152

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: PRISMSVC.EXE (PID: 1084) Address: 0x006c0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: PRISMSVC.EXE (PID: 1084) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: QBCFMonitorService.exe (PID: 1176) Address: 0x00710000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: QBCFMonitorService.exe (PID: 1176) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1680) Address: 0x00980000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1680) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: QBDBMgrN.exe (PID: 1792) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: QBDBMgrN.exe (PID: 1792) Address: 0x00730000 Address: 49152

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 1832) Address: 0x006f0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: svchost.exe (PID: 1832) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: wdfmgr.exe (PID: 1908) Address: 0x005e0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: wdfmgr.exe (PID: 1908) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: YahooAUService.exe (PID: 1996) Address: 0x009e0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: YahooAUService.exe (PID: 1996) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: sargui.exe (PID: 3936) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: sargui.exe (PID: 3936) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: iexplore.exe (PID: 3028) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: iexplore.exe (PID: 3028) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: iexplore.exe (PID: 2188) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: iexplore.exe (PID: 2188) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: Iexplore.exe (PID: 1964) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: Iexplore.exe (PID: 1964) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: Iexplore.exe (PID: 3316) Address: 0x00a10000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: Iexplore.exe (PID: 3316) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: RootRepeal.exe (PID: 3712) Address: 0x00af0000 Address: 49152

Object: Hidden Module [Name: UACkbqxmpckxmwvcyr.dll]
Process: RootRepeal.exe (PID: 3712) Address: 0x10000000 Address: 45056

==EOF==

It did give me an error that said something like "could not read registry"....
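As an added example (not part of this thread or of the RootRepeal tool), here is a small Python parser that turns a RootRepeal report in the format pasted above into a triage summary: drivers the tool could not see through the Windows API, whether the SSDT was hooked, and which hidden modules and threads sit in which processes. The report text is a constructed excerpt in the same format, and the function names are my own.

```python
import re

# Constructed excerpt in the RootRepeal report format quoted in the post above.
SAMPLE_REPORT = """Drivers
-------------------
Name: 000009D0
Image Path: 000009D0
Address: 0xEE0F3000 Size: 76032 File Visible: No Signed: -
Status: Hidden from the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x869a41b0]!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: winlogon.exe (PID: 632) Address: 0x00650000 Address: 49152

Object: Hidden Thread [ETHREAD: 0x86bc52a0, TID: 1516]
Process: svchost.exe (PID: 868) Address: 0x00de1f3c Address: -

Object: Hidden Module [Name: UACsbbfxramsevegwv.dll]
Process: svchost.exe (PID: 868) Address: 0x006f0000 Address: 49152

==EOF=="""

def split_sections(report):
    """Map each heading (a line followed by a dashed rule) to its section body."""
    parts = re.split(r"^([A-Za-z][\w ]*)\n-{5,}\n", report, flags=re.M)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def triage(report):
    """Pull out what a responder checks first: drivers hidden from the Windows API,
    an SSDT hook, and hidden modules/threads grouped by the process they live in."""
    s = split_sections(report)
    hidden_drivers = re.findall(r"Name: (\S+)\n.*\n.*\nStatus: Hidden", s.get("Drivers", ""))
    modules, threads = {}, []
    for kind, detail, proc, pid in re.findall(
            r"Object: Hidden (Module|Thread) \[(.*?)\]\nProcess: (\S+) \(PID: (\d+)\)",
            s.get("Stealth Objects", "")):
        if kind == "Module":
            modules.setdefault(detail.split("Name: ", 1)[1], set()).add(f"{proc}:{pid}")
        else:
            threads.append(f"{proc}:{pid}")
    return {"hidden_drivers": hidden_drivers,
            "ssdt_hooked": "Hooked" in s.get("SSDT", ""),
            "hidden_modules": {m: sorted(p) for m, p in modules.items()},
            "hidden_threads": threads}
```

Run against the full log above, the same function lists one driver hidden from the Windows API, the hooked ServiceTable, and the two UAC*.dll modules injected into nearly every process, which is the picture Elise's reply is reacting to.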

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 15 July 2009 - 12:34 PM

Hi, you definitely have a TDSS rootkit infection here. The problem is, with the tools we use in this forum, I cannot help you further. The rootkit driver remains hidden even in RootRepeal.
Therefore I recommend that you start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

regards, Elise
