
Trojan horse Rootkit-Agent.DI SVCHOST.EXE


This topic is locked
8 replies to this topic

#1 Dave475_99

Dave475_99

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 21 July 2009 - 05:53 PM

I've been trying to clean up some nasty viruses from my uncle's computer. So far I've removed over 800 infected files and it's running OK, but it's still got something on it that I can't figure out how to get rid of. Finally got safe mode working and system restore back up, but I can't figure out what else it's got and how to get rid of it. It's taken me over a week to get this far. It had the System Security virus and many others. I think I got most of them off, but this one can't be removed with AVG.


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 21 July 2009 - 08:07 PM

Hi there.

I did see the Combofix log you originally posted.

This is a complex and powerful tool that should not be used except under the supervision and direction of a malware expert. It can and will render your computer unbootable permanently!! Also realize that in most circumstances a single run of Combofix is ineffective. Specialized scripts will be written specifically directing this program to clean-up based on your logs!!

I also noted that when you ran CF the Recovery Console was not installed. You are very fortunate that the computer didn't crash as there would have been no way that anyone could have restored it!!

Let's see if this can be done without more complex tools.

Please do this....

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
==========

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Kind regards,
~t

Edited by thcbytes, 21 July 2009 - 08:17 PM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Dave475_99

Dave475_99
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 22 July 2009 - 08:29 PM

Hi, Thanks for the help. I ran the scan and here is the log

_______________________________________________________

GTDownDE_87.ocx;C:\I386;Adware.Gdown;Incurable.Moved.;
NDIS.SYS.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.NtRootKit.2912;Deleted.;
A0005337.sys;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4;Trojan.NtRootKit.2912;Deleted.;
A0006642.SYS;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4;Trojan.NtRootKit.2912;Deleted.;

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 22 July 2009 - 09:14 PM

You're welcome.

That looks better.

GTDownDE_87.ocx;C:\I386;Adware.Gdown;Incurable.Moved.;
NDIS.SYS.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.NtRootKit.2912;Deleted.;
A0005337.sys;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4;Trojan.NtRootKit.2912;Deleted.;
A0006642.SYS;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4;Trojan.NtRootKit.2912;Deleted.;

The red bolded entry was the only detection. The others are already quarantined or reside in System Restore and are of no danger unless you restore to an earlier point in time.

You did have a Rootkit that CF removed. Let's make sure there is nothing else leftover.

Please do this....

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Download and Run Scan with RootRepeal

* Download and save it to your desktop:
* Extract RootRepeal.exe from the zip archive.
* Open RootRepeal.exe on your desktop.

If you are using Windows Vista, right click RootRepeal.exe and select Run As Administrator.

* Click the Report tab.
* Click the Scan button.
* Check all six boxes.
* Push Ok
* Check the box for your main system drive (Usually C:), and press Ok.
* Allow RootRepeal to run a scan of your system. This may take some time.
* Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
* Include this report in your next reply

==========

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
==========

With your next post please provide:

* MBAM log
* RootRepeal.txt
* Bitdefender log

Kind regards,
t

#5 Dave475_99

Dave475_99
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 22 July 2009 - 11:15 PM

I ran the programs you asked for except for the BitDefender; couldn't get the computer to get on the internet, and it seems like something is eating up the system resources. Anyway, here are the logs from the first two. The internet was working the other day, but it was really dragging down my internet connection on my other computers, so I had it unplugged till I could figure out what was going on.
Any suggestions would be helpful. Also, I had to do the RootRepeal in safe mode because after I finished the Malwarebytes program anything I tried to load would say I didn't have enough system resources to run the program.

---------------------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

7/22/2009 10:38:16 PM
mbam-log-2009-07-22 (22-38-16).txt

Scan type: Quick Scan
Objects scanned: 88616
Time elapsed: 10 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


---------------------------------------------------------------------------


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/22 23:27
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF8E00000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF97FE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF8952000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_.default
Status: Allocation size mismatch (API: 266240, Raw: 278528)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_ntuser_s-1-5-18
Status: Allocation size mismatch (API: 4096, Raw: 262144)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_ntuser_s-1-5-19
Status: Allocation size mismatch (API: 200704, Raw: 233472)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_ntuser_s-1-5-20
Status: Allocation size mismatch (API: 200704, Raw: 233472)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_ntuser_s-1-5-21-3720006622-1006499469-1531445426-1005
Status: Allocation size mismatch (API: 2822144, Raw: 2859008)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_ntuser_s-1-5-21-3720006622-1006499469-1531445426-500
Status: Allocation size mismatch (API: 266240, Raw: 434176)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_usrclass_s-1-5-18
Status: Allocation size mismatch (API: 4096, Raw: 262144)

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_usrclass_s-1-5-21-3720006622-1006499469-1531445426-500
Status: Allocation size mismatch (API: 4096, Raw: 262144)

Hidden Services
-------------------
Service Name: MBAMSwissArmy
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys

==EOF==
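The RootRepeal report above is free text in three sections, and the interesting part for a reader is which hidden items are explained by something benign. As an added example (my own code, not RootRepeal's and not something posted in this thread), the Python below parses such a report into records and sorts the findings into an "expected" list and a "review" list. Two rules are assumptions of this example rather than statements from the thread: the crash-dump helper drivers (dump_*.sys) and the scanners' own drivers (rootrepeal.sys, mbamswissarmy.sys) are treated as expected to be hidden, and allocation-size mismatches on registry hive copies inside a System Restore snapshot are treated as expected. Everything else lands in the review list. The sample input is a trimmed excerpt of the posted log with the truncated "Image Path" line restored.

```python
"""Parse a RootRepeal report into records and sort its findings into
'expected' (explained by the scanning tools or by System Restore
snapshots) and 'review' (everything else)."""
import os
import re

# Constructed input: a trimmed excerpt of the RootRepeal log posted above.
SAMPLE = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/22 23:27
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF8E00000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF8952000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp6\snapshot\_registry_user_.default
Status: Allocation size mismatch (API: 266240, Raw: 278528)

Hidden Services
-------------------
Service Name: MBAMSwissArmy
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys

==EOF==
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "Hidden Services"}
PACKED = re.compile(r"([A-Za-z ]+?): (\S+)")   # "Address: .. Size: .. File Visible: .."
MISMATCH = re.compile(r"Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")
SNAPSHOT = re.compile(r"\\_restore\{[^}]+\}\\rp\d+\\snapshot\\", re.IGNORECASE)
# Assumption of this example, not a statement from the thread: these drivers
# are expected to be hidden (crash-dump helpers and the scanners' own drivers).
TOOL_DRIVERS = re.compile(r"^(dump_.+\.sys|rootrepeal\.sys|mbamswissarmy\.sys)$", re.IGNORECASE)


def parse_rootrepeal(text: str) -> dict:
    """Return {section: [record, ...]}; a record is a dict built from the
    'Key: value' lines between two blank lines."""
    report, section, record = {}, None, {}
    for line in text.splitlines():
        s = line.strip()
        if s in SECTIONS:
            section, record = s, {}
            report[section] = []
            continue
        if section is None or s.startswith("---"):
            continue
        if not s or s == "==EOF==":
            if record:
                report[section].append(record)
            record = {}
            continue
        key, _, value = s.partition(": ")
        if key == "Address":           # several pairs packed onto one line
            record.update((k.strip(), v) for k, v in PACKED.findall(s))
        else:
            record[key] = value.strip()
    return report


def triage(report: dict):
    """Split findings into (expected, review) lists of tuples."""
    expected, review = [], []
    for d in report.get("Drivers", []):
        if d.get("File Visible") == "No":
            bucket = expected if TOOL_DRIVERS.match(d["Name"]) else review
            bucket.append(("hidden-driver", d["Image Path"]))
    for f in report.get("Hidden/Locked Files", []):
        path, status = f["Path"], f["Status"]
        m = MISMATCH.search(status)
        if m and SNAPSHOT.search(path):
            expected.append(("snapshot-hive", path))   # registry hive copy in a restore point
        elif m:
            review.append(("alloc-mismatch", path, int(m.group(2)) - int(m.group(1))))
        else:
            review.append(("locked", path))
    for svc in report.get("Hidden Services", []):
        name = os.path.basename(svc["Image Path"].replace("\\", "/"))
        bucket = expected if TOOL_DRIVERS.match(name) else review
        bucket.append(("hidden-service", svc["Service Name"]))
    return expected, review


if __name__ == "__main__":
    exp, rev = triage(parse_rootrepeal(SAMPLE))
    print("expected:", *exp, sep="\n  ")
    print("review:", *rev, sep="\n  ")
```

Run against the full log in the thread, the nine snapshot hive entries and the three hidden drivers all land in "expected", leaving only the locked $hf_mig$ folder for a human to look at; a hidden driver whose name is not in the allow-list, or a mismatch on a file outside a restore snapshot, would go to "review".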

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 23 July 2009 - 07:27 AM

Let's do this....

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
==========

Reset TCP/IP Properties

First:

* Go to Start -> Control Panel -> Double click on Network Connections.
* Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

* Select the General tab.
* Double click on Internet Protocol (TCP/IP).

Under General tab:

- Select "Obtain an IP address automatically".
- Select "Obtain DNS server address automatically".

* Click OK twice to save the settings.
* Reboot if you had to change any setting.

Next:

* Go to start > Run copy/paste the contents of the code box excluding "code" in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

==========

With your next post please provide:

* Internet connection log
* Are you connected?

Kind regards,
t

Edited by thcbytes, 23 July 2009 - 07:40 AM.


#7 Dave475_99

Dave475_99
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 23 July 2009 - 07:17 PM

The things you suggested wouldn't work because the DrWeb program had deleted the ndis.sys file and the network adapter showed the drivers as corrupted. Could not uninstall or reinstall the drivers, so I copied a clean version from the I386 folder and put it in the system32/drivers folder and rebooted. Got the internet back up and did the scan. Here is the log. Also I thought AVG had caught another file while this was scanning, and I clicked on heal but couldn't find it in the AVG vault or the log file. The internet log you wanted just pops up and goes away.

_________________________________________

BitDefender Online Scanner

Scan report generated at: Thu, Jul 23, 2009 - 20:05:37
Scan path: C:\;D:\;E:\;F:\;G:\;

Statistics
Time: 01:25:08
Files: 181743
Folders: 6078
Boot Sectors: 0
Archives: 10734
Packed Files: 7967

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 3842329
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir - Infected with: Trojan.CryptRedol.Gen.2
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir - Disinfection failed
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir - Deleted

Edited by Dave475_99, 23 July 2009 - 07:20 PM.


#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 PM

Posted 23 July 2009 - 08:51 PM

Hi,
This is a very good example of why Combofix should not be run unsupervised. No - DrWeb did not remove ndis.sys! DrWeb removed the Qoobox quarantined ndis.sys. What that means is that Combofix removed the infected file and the DrWeb detected the Combofix quarantined folder.

NDIS.SYS.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.NtRootKit.2912;Deleted.


Unfortunately it gets even worse, as BitDefender now shows me that Combofix detected other critical system files that were infected.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir
Infected with: Trojan.CryptRedol.Gen.2


You may have shot yourself in the foot. I can not review your Combofix log here. After the 1st run of CF we would have reviewed the log and determined if specialized scripts need to be run to replace infected system files.

I am concerned about the current status of your computer based on these findings. I think you need to post in the HjT forums to get a good look at your computer.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

Kind regards,
~t
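The point thcbytes makes in #4 and again in #8 turns entirely on where a detection was found: a path under C:\Qoobox\Quarantine means Combofix had already pulled the file out of its live location (the scanner is hitting the quarantine, not the running system), while a path under System Volume Information is a restore-point copy. As an added example, which is my own code and not Dr.Web's, Combofix's, or anything posted in the thread, the Python below parses a Dr.Web CureIt report in the semicolon-separated form Dave posted (file;directory;threat;action;), sorts detections into live / quarantine / restore-point buckets, and for each quarantine hit reconstructs the original path of the system file Combofix removed. That reconstructed list is exactly what a helper would want in order to plan clean replacements (the ndis.sys situation in #7). The quarantine layout (Quarantine\<drive>\<original path>.vir) is taken from the paths visible in this thread and is an assumption of the example.

```python
"""Triage a Dr.Web CureIt report (one 'file;directory;threat;action;' line
per detection): separate live detections from quarantine and System
Restore hits, and recover the original path of anything ComboFix had
already moved into C:\\Qoobox\\Quarantine."""
import re
from dataclasses import dataclass

# Constructed input: the four report lines Dave475_99 posted in this thread.
SAMPLE_REPORT = r"""
GTDownDE_87.ocx;C:\I386;Adware.Gdown;Incurable.Moved.;
NDIS.SYS.vir;C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS;Trojan.NtRootKit.2912;Deleted.;
A0005337.sys;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4;Trojan.NtRootKit.2912;Deleted.;
A0006642.SYS;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4;Trojan.NtRootKit.2912;Deleted.;
"""

# ComboFix quarantine layout as seen in the posted paths (assumption of this
# example): <drive>:\Qoobox\Quarantine\<original drive>\<original path>.vir
QUARANTINE_RE = re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\([A-Za-z])\\(.*)$", re.IGNORECASE)
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_report(text: str) -> list:
    """Split the semicolon-separated lines; skip blanks and malformed lines."""
    detections = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        detections.append(Detection(*fields[:4]))
    return detections


def classify(det: Detection) -> str:
    if QUARANTINE_RE.match(det.path):
        return "quarantine"      # already pulled out of its live location by ComboFix
    if RESTORE_RE.match(det.path):
        return "restore_point"   # copy inside a System Restore point, inert unless restored
    return "live"


def original_path(det: Detection):
    r"""C:\Qoobox\Quarantine\C\WINDOWS\...\NDIS.SYS.vir -> C:\WINDOWS\...\NDIS.SYS"""
    m = QUARANTINE_RE.match(det.path)
    if not m:
        return None
    drive, rest = m.group(1).upper(), m.group(2)
    if rest.lower().endswith(".vir"):
        rest = rest[:-4]
    return f"{drive}:\\{rest}"


def triage(text: str) -> dict:
    groups = {"live": [], "quarantine": [], "restore_point": []}
    for det in parse_report(text):
        groups[classify(det)].append(det)
    return groups


def removed_system_files(text: str) -> list:
    r"""Original paths of quarantined files that lived under \WINDOWS: these are
    the system files that now need a clean replacement (the ndis.sys case)."""
    out = []
    for det in triage(text)["quarantine"]:
        orig = original_path(det)
        if orig and "\\windows\\" in orig.lower():
            out.append(orig)
    return out


if __name__ == "__main__":
    groups = triage(SAMPLE_REPORT)
    for bucket, items in groups.items():
        print(f"{bucket}: {len(items)}")
        for det in items:
            print(f"  {det.path}  [{det.threat}] {det.action}")
    print("system files removed by ComboFix, need clean copies:")
    for p in removed_system_files(SAMPLE_REPORT):
        print(" ", p)
```

On the posted report this yields one live detection (the .ocx under C:\I386), one quarantine hit that maps back to C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS, and two restore-point copies; running the same script over a BitDefender-style path list would need only a different parser, since the path classification is the same.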

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:53 PM

Posted 23 July 2009 - 09:05 PM

Dave475_99,

I have reopened the topic you posted in the HiJack This forum and removed the closing response. Please do not start another topic there. I shall edit the post to include a link to this topic.

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
