Rootkit prevention and recovery


23 replies to this topic

#1 eldred (Members, 15 posts)

Posted 18 July 2009 - 04:21 PM

hey gang,

first of all, let me mention how awesome a forum this is.

I have a computer that got a nasty rootkit virus (System Security, and there was some Vundo found in there as well). It was safely backed up, so I hacked away at fixing it myself for a while, cleaning out infected parts of the registry and running various anti-malware programs in various attempts to remove the virus. One challenge was that Windows Explorer was broken; it was pretty hard to disable McAfee and AVG without access to any toolbar icons, and to wipe directories in safe mode using the New Task dialog. I ended the process by running ComboFix, which is an amazing program by the way.

I have a couple of questions for the group:

1. Is there any benefit to running ComboFix more than once? The way the program appears to work, I can't see how anything would manage to evade detection through the first pass that could be found in a second pass, though of course I don't know the secrets of the program.

2. Are there any methods, aside from the obvious "don't open anything fishy", that will help to avoid installing more rootkit viruses? For example, will keeping RUBotted running, or installing the premium anti-rootkit version of AVG, stop rootkits from being installed on a computer?

3. How can one tell if, once you've run Combofix, and Malwarebytes and Spybot both turn up clean reports, there are still tracers or trojans on your computer? I figure I'm going to wipe this hard drive anyway due to the risk, but I really don't want to wipe a hard drive every time a computer gets a virus. I'd much rather clean what I've got.

4. Do any of you find McAfee to be good security? I find it is more trouble than it is assistance... though maybe I'm just imagining that.

thanks for any thoughts or advice - spending countless hours hacking away at this computer while reading the posts from this forum (especially the "help, I'm infected!" posts) has taught me a considerable amount about computer security.


#2 snowdrop (Members, 513 posts)

Posted 18 July 2009 - 05:16 PM

welcome to this forum :thumbsup:
One notes you have run ComboFix? You may not be aware, but

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

; this 'problem' includes the computer NEVER starting again!!



You mention both McAfee and AVG (antivirus programs). Do you have them both installed?

I hope this answers your question and if you wish us to check your computer out for health, please fully update both Malwarebytes and Superantispyware programs, ; reboot into safe mode to run a full deep scan with Superantispyware , then reboot into Normal mode to run a full scan with Malwarebytes; then let us see their reports :flowers:

#3 eldred (Topic Starter, 15 posts)

Posted 18 July 2009 - 05:47 PM

hi snowdrop,

thank you for your reply. Yes, I am well aware of the dangers of ComboFix - as I mentioned, the data on the machine is completely backed up, so I had nothing to lose by hacking away at it for a while. I figured I would learn more about computer security by trying to figure it out myself, plus I noticed that there is a significant queue for people who are asking for help on the forums.

Indeed, McAfee and AVG are both installed on the machine - though obviously they didn't do much good against the rootkit virus. I have no idea how it was even introduced to the system. I'm very interested in prevention, for next time - in a best case scenario, as soon as you light upon an executable that attempts to implant a rootkit exploit of some sort, the antivirus software would pick up such activity and kill the process. Is there any software that performs this sort of thing?

Regarding the process you indicated below, to have Malwarebytes and Superantispyware logs investigated - by doing so, would you definitively be able to pronounce the computer "clean"? Or is there still a chance that rootkit exploits are lurking in the software, hidden somewhere, ready to be triggered at a later date - that is my biggest concern.

#4 snowdrop (Members, 513 posts)

Posted 18 July 2009 - 06:00 PM

We had better get you shifted to the AII section

meanwhile, if you do HAVE both the antivirus programs installed then really you are running unprotected, as 'the rule of thumb' is ONE INSTALLED resident antivirus program only.

If you have more than one they will fight between themselves and forget to protect the computer!!!

Hence infections get in :flowers:

Suggest you get rid of one of them; fully update the remaining one and run a full deep scan with it

then let us see up to date scans with the Malwarebytes and Superantispyware programs :thumbsup:

For your info; rule of thumb ONE installed resident antivirus program; a decent set of malware finding programs and a good firewall ; and all kept updated!! Also; daily visits to the Microsoft Windows update site for your Patches......


erm; do we have System Restore enabled?

Edited by The weatherman, 18 July 2009 - 06:14 PM.
Moved to a more appropriate forum. Tw


#5 eldred (Topic Starter, 15 posts)

Posted 18 July 2009 - 08:37 PM

good evening snowdrop & friends,

that is good advice regarding multiple anti-virus programs. I had thought I had disabled McAfee a long time ago, but during the rootkit ordeal it has been popping up all over the place, so you may very well be correct that the two antivirus programs fought with each other and together were unable to prevent the intrusion. I have also, since researching, learned that the Windows Firewall is not so hot.

I'm currently running a full Malwarebytes scan, and will do the Superantispyware scan after that. I'll post the results shortly thereafter.

thanks again.

#6 eldred (Topic Starter, 15 posts)

Posted 19 July 2009 - 01:04 AM

hi snowdrop & friends,

as requested, I performed a Malwarebytes full scan, and a Superantispyware in safe mode. A few items did show up. I'm not sure if these items have been installed by malware since I last tried to clean the computer, or if they are remnants from before - I'll run another full scan tomorrow and see if anything new has popped up.

The Superantispyware scan came back with several bad cookies and one other file that I fixed that didn't look too ominous; unfortunately, Superantispyware does not seem to have kept a log of the scan even though I did set a preference to do so. As such, I will run the scan again in regular mode tomorrow and see if it saves a file (it took almost 3 hours to run). Nonetheless, here is the Malwarebytes log for perusal.

BTW, System Restore is indeed enabled.

Thanks!

Malwarebytes' Anti-Malware 1.39
Database version: 2461
Windows 5.1.2600 Service Pack 3

7/18/2009 10:20:19 PM
mbam-log-2009-07-18 (22-20-19).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 282799
Time elapsed: 1 hour(s), 25 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACavyxvkkdlssxwnkvd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACgnomsuvjaybnmwowy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACjlkmovgbdprrprtex.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACwnkvxobqhxvmpfwbw.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP582\A0117499.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP582\A0117500.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP582\A0117501.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP582\A0117498.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

Edited by eldred, 19 July 2009 - 01:09 AM.


#7 snowdrop (Members, 513 posts)

Posted 19 July 2009 - 10:16 AM

I think you have an infected System Restore Point
Could you please do this
On the Desktop, right-click My Computer > click Properties > click the System Restore tab.
Check Turn off System Restore.
Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.

Then please fully update and rerun the Malwarebytes program and get it to delete ALL it finds; then please re-enable your System Restore :thumbsup:

#8 eldred (Topic Starter, 15 posts)

Posted 19 July 2009 - 12:54 PM

hi snowdrop,

I just ran another Superantispyware full scan in safe mode, and it came up empty... however, I found the infection that it fixed last night:

Trojan.Unclassified
C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT

the computer is now back in regular mode (still offline).

one question - throughout this whole process Windows Explorer has been unavailable, and this includes right click menus. In order to run processes I have to use New Task in the Task Manager dialog, and browse through the file tree. Would you happen to know where in the file tree System Restore is located, and what it's called?

meanwhile, I'll do a search online to see if I can find this information myself. EDIT: I found it, it is sysdm.cpl at the run prompt.

thanks again. I will let you know what I find out.

Edited by eldred, 19 July 2009 - 01:01 PM.


#9 eldred (Topic Starter, 15 posts)

Posted 19 July 2009 - 02:21 PM

it came back empty, with System Restore off. I have since turned it back on.

Malwarebytes' Anti-Malware 1.39
Database version: 2461
Windows 5.1.2600 Service Pack 3

7/19/2009 3:16:03 PM
mbam-log-2009-07-19 (15-16-03).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 262232
Time elapsed: 1 hour(s), 9 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by eldred, 19 July 2009 - 03:24 PM.


#10 eldred (Topic Starter, 15 posts)

Posted 19 July 2009 - 07:55 PM

hi snowdrop & friends,

I did a RootRepeal scan, which came back with 0 locked/hidden files. I'm thinking of requesting the guys on the HJT forum to investigate a HJT log - I'm hoping to maximize the chances that the computer is secure before fixing the software on it. If you have any thoughts, or any other tools I might try, I would be happy to try them. Although the scans have been coming back clean, I'm still suspicious.

next step after I'm sure that the computer is clean is to set up good prevention and maintenance.

Edited by eldred, 19 July 2009 - 08:14 PM.


#11 Blade (Site Admin, 12,704 posts, Location: US)

Posted 19 July 2009 - 10:56 PM

Hello eldred, and as snowdrop said :thumbsup: to BleepingComputer.

Got a lot to say here, please give it all a read through before doing anything. Topics/steps are separated by a line of asterisks to make reading easier :trumpet:

***************************************************

First I'm going to echo what snowdrop said a bit on ComboFix (CF for short), as well as add some to it.

Yes, I am well aware of the dangers of ComboFix - as I mentioned, the data on the machine is completely backed up, so I had nothing to lose by hacking away at it for a while.


You may have misunderstood just how much damage CF can cause to a computer. We aren't just talking about data deletion; the side effects of CF are numerous and varied. Such a powerful program often has unexpected and unpredictable results. Here are a couple examples of side effects that I've seen occur. You could lose internet access, hardware could stop working or, as snowdrop mentioned, cause your OS to become completely nonfunctional. The disclaimer you have to read every time you start CF isn't just for legal reasons; side effects do occur and then, if you don't happen to be under the guidance of someone trained in CF's use, you're pretty much on your own.

I am glad you have a complete backup of all your data; that is a wise practice. Even so, having a data backup will not save you from having to undergo a drive format and OS reinstallation if CF breaks the OS. This procedure is not fun whatsoever. It is complex, time-consuming and often very frustrating to get your computer back to being fully functional.

***************************************************

I figured I would learn more about computer security by trying to figure it out myself

Ah, an interest we share! :flowers:

If you wish to learn more about computer security, this is definitely not the way I would go about doing it. There are safer and more effective ways to gain knowledge on the subject. My personal recommendation would be to look into joining the Malware Removal Training Program. As you may have noticed, I am currently enrolled in the program and I can assure you that you will learn a ton about computer security. If you have any questions about the program, you may ask them here and I'll be happy to answer them. :inlove:

***************************************************

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

***************************************************

Now, let's proceed to your issues.

To get Windows Explorer running, use the New Task dialog and type "explorer.exe" (without the quotes). You should now have your desktop, start menu, etc. The fact that it's not running on startup is an issue though, one that needs to be addressed.

Please do not purge system restore yet. While snowdrop is correct in saying that this needs to be done, we need to make sure that all of your issues are resolved before doing so. An infected restore point is better than no restore point at all.

***************************************************

Some of the files that showed up in the MBAM scan you ran are in ComboFix's quarantine. We ought to get rid of those. To do so, we need to uninstall CF.
  • Please go to Start>Run and type the following in the Run box, without the quotes. "combofix /u" (note the space between the "x" and "/").
If you choose to download CF again, you do so against the recommendation of all of the BleepingComputer staff. But that is your business, which I respect. I will not lecture you any further on the matter. But we will not be using it here in Am I Infected, and I must ask that you do not download it while you are actively receiving help here. Its use can cause your situation to change and make the task of cleaning your computer exponentially more difficult.

~Blade

Edited by Blade Zephon, 19 July 2009 - 10:58 PM.


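Blade's point above (hits inside ComboFix's Qoobox quarantine or inside a System Restore point are residue of an earlier cleanup, not something currently running) can be applied mechanically to a log before anyone starts wiping drives. The script below is an added example written for this page; it is not a tool from the thread, from Malwarebytes or from the ComboFix authors. It parses the "Files Infected:" block of an MBAM 1.x log, labels each detection by location, and flags the "UAC" + random-letters filename pattern visible in the posted log. The sample log is constructed: its first two lines are copied from the log posted earlier in this thread, the last two are made up to show a live hit and a reboot-pending hit. Treating the `\Qoobox\quarantine\` path and the `.vir` suffix as ComboFix quarantine markers is an assumption drawn from the posted log, and the UAC-name heuristic is just that, a heuristic.

```python
"""Classify Malwarebytes (MBAM 1.x) "Files Infected" hits by where they were found.

Added example for this page; not code from the thread, Malwarebytes or ComboFix.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample. Lines 1-2 are copied from the log posted in the thread;
# lines 3-4 are invented to show a live hit and a reboot-pending hit.
SAMPLE_LOG = r"""
Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACavyxvkkdlssxwnkvd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP582\A0117499.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACqwertyuiopasdfgh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Documents and Settings\user\Local Settings\Temp\setup.exe (Trojan.Vundo) -> Delete on reboot.
"""

# One detection line: "<path> (<threat name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumed ComboFix quarantine markers (folder and .vir suffix), taken from the posted log.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)
# XP System Restore point layout: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)
# Heuristic only: "UAC" followed by a run of random letters, as in the posted log.
TDSS_NAME_RE = re.compile(r"^uac[a-z]{8,}\.dll(\.vir)?$", re.I)


def classify_path(path: str) -> str:
    """Return 'quarantine', 'restore_point' or 'live' for a detected file path."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS) or p.endswith(".vir"):
        return "quarantine"      # already neutralised by an earlier tool
    if RESTORE_POINT_RE.search(p):
        return "restore_point"   # dormant copy; gone once System Restore is purged
    return "live"                # on the real filesystem: this is the one that matters


def parse_mbam_files(text: str) -> List[Dict[str, object]]:
    """Parse the 'Files Infected:' block of an MBAM log into labelled findings."""
    findings: List[Dict[str, object]] = []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":       # the detail block, not the "Files Infected: 8" summary
            in_files = True
            continue
        if not in_files or not line or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        action = m.group("action")
        findings.append({
            "path": path,
            "threat": m.group("name"),
            "action": action,
            "location": classify_path(path),
            "reboot_pending": "reboot" in action.lower(),
            "tdss_style_name": bool(TDSS_NAME_RE.match(PureWindowsPath(path).name)),
        })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per location so the live count is visible at a glance."""
    counts = {"live": 0, "quarantine": 0, "restore_point": 0}
    for f in findings:
        counts[str(f["location"])] += 1
    return counts


if __name__ == "__main__":
    results = parse_mbam_files(SAMPLE_LOG)
    for f in results:
        flags = []
        if f["tdss_style_name"]:
            flags.append("UAC-random-name")
        if f["reboot_pending"]:
            flags.append("reboot-pending")
        print(f"{f['location']:<14} {f['threat']:<14} {f['path']}  {' '.join(flags)}")
    print("summary:", summarize(results))
```

Only the "live" rows describe files that were actually present on the running system when the scan ran; quarantine and restore-point rows are what Blade's advice (uninstall ComboFix, purge System Restore at the end) is meant to clear. A scan that comes back with nothing but quarantine and restore-point rows says the earlier cleanup left debris, not that the box is still infected, and a scan that comes back with a live row named like the ones in the posted log deserves the "reformat" conversation.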

#12 eldred (Topic Starter, 15 posts)

Posted 20 July 2009 - 08:40 AM

good morning Blade Zephon & crew,

before I continue with your extremely kind assistance, I want to mention a few things.

1. Were I to attack the problem now, knowing what I know, I would not have run ComboFix. :trumpet: I realize now that the ramifications of the program run beyond the loss of data. This is my first time posting to this forum. During my research on this and other forums I saw how ComboFix was able to handle the exact problem I was having, and, knowing that my data was backed up, decided to give it a go. Were I to try to fix this problem in a vacuum at this point, I would instead follow these procedures: http://www.malwarebytes.org/forums/index.php?showtopic=12709 Of course, posting to this forum is clearly the best way to go. :thumbsup:

2. I am still very likely to wipe my hard drive when this is through, unless I have good reason to believe the problem is completely cured. I hope the members of this forum do not think I am wasting their time by going through this procedure. Of course I would like the machine to be completely fixed, and if that happens I will move forward, but I do realize that with rootkit viruses there are no guarantees.

3. I'm mostly interested in prevention. I don't want to wipe my hard drive every time I get a virus. Therefore, I don't want to get any more rootkit viruses. My original post was not to the AII forum, but rather to the AntiVirus, Firewall and Privacy Products and Protection Methods, so that if and when I did wipe my hard drive, I would know how to proceed. I have received some good information on this topic, but still have more to learn. That being said, I've been spending hours going through the forum reading logs about fighting malware, so I've developed an interest in that, too.

on to your advice:

To get Windows Explorer running, use the New Task dialog and type "explorer.exe" (without the quotes). You should now have your desktop, start menu, etc. The fact that it's not running on startup is an issue though, one that needs to be addressed.


unfortunately this is not the case - Explorer will not show. I started a thread to try to get it back, but was told not to do so until I finish this procedure here... however, it is very hard to do certain things (like disable currently running antivirus programs) without the tools of Windows Explorer. Plus, running everything through the Task Manager gets old...

That being said, I am thinking that the only way I'm going to get McAfee to stop running without the means to turn it off is to treat it like a virus, but you might have other ideas. Until I am able to work out my antivirus software issues I'm keeping the computer offline (except to download updates or post logs to this forum).

Please do not purge system restore yet. While snowdrop is correct in saying that this needs to be done, we need to make sure that all of your issues are resolved before doing so. An infected restore point is better than no restore point at all.


I already followed those instructions and purged System Restore. I ran a Malwarebytes scan that came up empty, and afterward created another System Restore point.

Please go to Start>Run and type the following in the Run box, without the quotes. "combofix /u" (note the space between the "x" and "/").


When I first ran CF it was through instructions not on this site; those instructions told me to delete combofix.exe, so I did. I will reload combofix.exe onto my desktop and complete the uninstall unless you indicate otherwise.

My personal recommendation would be to look into joining the Malware Removal Training Program.


Count me in! :flowers: I'll check out the link.

Thanks again for your kind help. I hope my reply does not sound like I do not appreciate all that you and the fine people of this forum have been doing to help me, I simply wanted to clarify my actions and intentions. I am amazed by this forum and by the kindness and skills of its inhabitants.

I'm at work currently, but will get back to the computer once I get home.

Edited by eldred, 20 July 2009 - 08:56 AM.


#13 Blade (Site Admin, 12,704 posts, Location: US)

Posted 20 July 2009 - 09:50 AM

Good morning to you as well eldred :flowers:

I came off a bit more stern than I intended in the beginning of that last post. I may have misinterpreted some of your earlier words as well. :thumbsup: Sorry about that, and thanks for clarifying for me. My intent was not to lecture or berate you, merely to ensure that the danger was communicated as clearly as possible. The safety of you and your machine is of the utmost importance to us at BC.

I am still very likely to wipe my hard drive when this is through, unless I have good reason to believe the problem is completely cured. I hope the members of this forum do not think I am wasting their time by going through this procedure.


Not me. :trumpet: I'd be happy to work with you for a while. However I think that given the condition your system is in, your decision to proceed with wiping the drive in the end is a wise one. Let's proceed with this in stages, so as to lessen the amount of information I throw at you simultaneously. We'll work at your pace though. For starters, let's work on your computer as it is now. When you're ready to format let me know and we'll do that, and then we can talk about prevention. Sound good?

***************************************************

At some point, yes, ComboFix will need to be re-downloaded so that you can run the uninstall routine. But let's save that for later. . . it's not going anywhere.

Since your logs are coming back clean. . . I'd like to focus our attention on trying to get explorer functional.

Let's run the Windows System File Checker utility

You will need your XP CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.


Let me know what happens, and how your computer behaves after running the utility.

~Blade

Edited by Blade Zephon, 20 July 2009 - 09:51 AM.



#14 eldred (Topic Starter, 15 posts)

Posted 20 July 2009 - 08:24 PM

hi Blade Zephon & friends,

I've been trying to run scannow to fix the PC, but have stumbled upon a problem. During the scan, the computer says, and I quote:

Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Professional Service Pack 3 CD now.


(sorry, couldn't resist the quote joke)

the issue here is that I installed SP3 off the web, and not from a CD. I can't progress otherwise.

the best lead I have is that apparently, some antivirus software leads to false positives, as per this thread:

http://social.technet.microsoft.com/Forums...e6-f9f73f5d82ef

(I also found this: http://www.microsoft.com/communities/newsg...p;sloc=&p=1 - but I don't have CA Antivirus)

the only antivirus software I see as running is McAfee, and I can't turn it off because I can't get to Windows Explorer, and I can't get a McAfee UI to run to turn it off there. I'll keep trying to open a UI. Otherwise, the solutions I can think of trying to perform are:
  • reinstall SP3. But, if an antivirus or similar process is causing the false positive, that probably won't help
  • treating McAfee like a virus and killing its processes using an antivirus tool, then trying again.
I'll await your thoughts. Thanks!

Edit: I just found this: http://www.microsoft.com/communities/newsg...p;sloc=&p=1

this looks like a good solution, if I can get McAfee turned off.

Edited by eldred, 20 July 2009 - 08:27 PM.


#15 eldred (Topic Starter, 15 posts)

Posted 20 July 2009 - 10:20 PM

well... after the Windows File Protection service errored out asking for the SP3 disc, the machine started blue-screening (even in safe mode) and hasn't stopped. This has been a fun (if time consuming) exercise, and I suppose I could work out a fix for the current install, but considering I was planning on reformatting the drive at any rate, perhaps now is the time.

I might take one more look at the drive to make sure that everything is properly backed up (even though I'm already sure it is - I just can't help myself), but otherwise, it might be time to start researching prevention, for the new install. :thumbsup:

I'll keep the list informed.

Edited by eldred, 20 July 2009 - 10:22 PM.




