
is this a rootkit or trojan?

4 replies to this topic

#1 cherokeeguitar

Posted 31 July 2009 - 04:43 AM

I am having a hard time with this one! :thumbsup:
I got no results when I googled for hjgruiylthespy, which is very unusual, or for any of the file names I found that go with this rootkit/trojan type abomination. Maybe it's a relatively new one?
It changed the registry to not show hidden files, it uninstalled the CD-ROM drive from the registry, and the sound card and monitor drivers etc., and many other things. It was hard to fix manually, and I can only get slow dial-up where I just moved (boonies), so I couldn't download anything to fix it with. Nothing I already had found it, like Spybot S&D with current updated definitions, or several antivirus programs.

I had to boot into Linux to find it (I dual boot so as to have Linux and Win XP on that box, and it's handy sometimes to boot into Linux, then mount the Windows volume, to look at files that hide themselves from Windows even when showing hidden files; but it killed that, no clean Windows shutdown, so I had to boot from a Linux disk). There were 3 .dlls and 2 .dat files in system32 and one .dll in root, or C: (I will have to get those file names and post later; long names, all letters, a couple were like jgruiyfoax.dll or something). I got rid of those, deleted the Windows swap file while still in Linux, and when I rebooted into Windows XP all was OK (after I edited the registry to fix things), and I reinstalled some stuff. Then it came back, at least partially (the deleted .dlls, and it wouldn't show hidden files, etc.), so I started thinking hidden registry entries, and ran RootkitRevealer, and found these (I remember them from searching Google so much with them):
HKLM\system\controlset001\services\hjgruiylthespy 0 bytes hidden from windows api and,
HKLM\system\controlset002\services\hjgruiylthespy <-- 0 bytes hidden from windows API,

And since they are hidden from the Windows API, they do not show up in regedit to delete them; that is as far as I have gotten. I will work on it again when I get time. My question is, has anyone here seen this before?
I would appreciate any help.
Thanks in advance.


#2 DaChew

Posted 31 July 2009 - 07:05 AM

All this manual editing from a second environment reminds me of the title of an old Pink Floyd song.

Careful with That Axe, Eugene

Let's look for rootkits

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan, and paste the report into a reply here please.

Chewy

No. Try not. Do... or do not. There is no try.

#3 cherokeeguitar

Posted 02 August 2009 - 10:05 PM

Yeah, the Pink Floyd song :flowers:
Great analogy :trumpet: I may not be safe with an axe! :thumbsup:

Thanks DaChew! I didn't have that one.

I downloaded it, and it is scanning now (RootRepeal).
It found these already:
hjgruipymyxnrj.dll <------ fake dlls; really they are all hal.dll renamed from inside Linux.
hjgruidunrfoax.dll
hjgruiepswbftk.dat
hjgruieqccfmlw.dat
hjgruilog.dat
hjgruixuexhesb <--- looks like an .exe in the disassembler...

These .dlls aren't the real ones either; I renamed HAL.dlls to these names while in there in Linux, and deleted the old ones (saved a copy), so they aren't really running.
Need to get Ice, maybe set breakpoints to see when what is called?


RootRepeal is finding a lot of files hidden from the Windows API; some of them are text files I recognize, that I made. Maybe I'd better run chkdsk /f.
Thanks again DaChew, thanks a lot. I will try to log on again later; have to run for a bit.

#4 cherokeeguitar

Posted 04 August 2009 - 09:57 PM

Thanks DaChew, RootRepeal found it :flowers:
I had 4 or 5 other rootkit finders and several spyware finders like Spybot S&D, Microsoft's MRT, and various antivirus programs, and none of them found the hjgruixuexhesb.sys file.
RootRepeal found this:

C:\windows\drivers\hjgruixuexhesb.sys

I grabbed my axe (haha) and booted from the Linux disk, made a copy of it and saved it, named a .dll the same name, deleted the original hjgruixuexhesb.sys and pasted a copy of the renamed .dll in the folder, rebooted in safe mode, set its permissions to read only, and rebooted into Windows XP normally, and all things hidden before were visible again.
I did that because in the early part of my battle I just deleted all of them I could find, and when I rebooted into Windows it replaced them and did all the damage again... so I started replacing them with renamed inert files; I used .dlls as they were handy.

Here are the files I found:
C:\WINDOWS\system32\hjgruidunrfoax.dll
C:\WINDOWS\system32\hjgruiepswbftk.dat
C:\WINDOWS\system32\hjgruilog.dat
C:\WINDOWS\system32\hjgruilog.dat
C:\windows\drivers\hjgruixuexhesb.sys
C:\WINDOWS\system32\hjgruieqccfmlw.dat

HKLM\SYSTEM\ControlSet001\Services\hjgruiylthespy 0 bytes Hidden from Windows API. <- embedded nulls ;)
HKLM\SYSTEM\ControlSet002\Services\hjgruiylthespy 0 bytes Hidden from Windows API.

C:\windows\drivers\hjgruixuexhesb.sys <- the main demon that was hiding the reg entries etc. It was only 66 KB; I disassembled it to see how it did so much damage, and in hex view it is weird, like it has some crazy poetry or something. Here is an excerpt:
ROSENCRANTZ.art.so.die.not.dread.shall.obey.lose.they.good.will.shall.patient.of.never.book like I said, weird...

But when it first appeared, the virus deleted hal.dll, removed the CD-ROM from the registry, uninstalled the sound card, the OEM monitor driver and Windows Media Player, and made hidden files and folders unable to show no matter how you set it from Tools/Folder Options/Show hidden; it would set itself back and never show any hidden folders or files (registry). I had to manually fix that and add a few missing keys, a DWORD or two, and maybe a cussword or two as well, to get them working again.


The HKLM\SYSTEM\ControlSet001\Services\hjgruiylthespy entries had an embedded null */ followed by binary info; for example, one translated to hjgruidunrfoax.dll. They were a bit hard to delete, had to keep getting ownership as I found them, etc., but now all is OK; in fact I am online now on that box, and have rebooted it several times :trumpet:

THANKS again Dachew
:thumbsup:

Edited by cherokeeguitar, 04 August 2009 - 10:56 PM.
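The two tricks this thread runs into, files that an offline Linux mount can see but a Windows directory listing cannot, and service keys with an embedded null that regedit cannot open or delete, are both detectable by comparing two views of the same data, which is what RootkitRevealer and RootRepeal do. The script below is an added example written for this page; it is not RootRepeal's code and not anything posted by cherokeeguitar or DaChew. All file paths and key names in it are constructed sample data modelled on the names in the thread; the "API view" and "raw view" lists stand in for a live Win32 listing and an offline read of the same volume or hive, so the script runs anywhere without touching a real system.

```python
"""Cross-view rootkit detection on constructed sample data (added example)."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (not a capture from the machine in the thread).
# RAW_FILE_VIEW stands for what an offline reader sees (a Linux boot disk with
# the NTFS volume mounted, or a raw on-disk parser); API_FILE_VIEW stands for
# what a normal Win32 directory listing returned on the running system.
RAW_FILE_VIEW = [
    r"C:\WINDOWS\system32\hal.dll",
    r"C:\WINDOWS\system32\hjgruidunrfoax.dll",
    r"C:\WINDOWS\system32\hjgruilog.dat",
    r"C:\windows\drivers\hjgruixuexhesb.sys",
    r"C:\Documents and Settings\user\notes.txt",
]
API_FILE_VIEW = [
    r"C:\WINDOWS\system32\hal.dll",
    r"C:\Documents and Settings\user\notes.txt",
]

# Constructed service-key names as a counted-string reader (native API or an
# offline hive parser) returns them. Win32 registry calls treat names as
# NUL-terminated, so a key whose name carries an embedded NUL cannot be opened
# or deleted by regedit: the "hidden from Windows API" pattern in the thread.
RAW_SERVICE_KEYS = ["Tcpip", "hjgruiylthespy\x00\x01\x02", "Dhcp"]


def normalize(path: str) -> str:
    """NTFS paths are case-insensitive; compare everything in one case."""
    return path.lower()


def find_hidden_entries(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Cross-view diff: raw-view entries that the API view does not report."""
    visible = {normalize(p) for p in api_view}
    return sorted((p for p in raw_view if normalize(p) not in visible), key=normalize)


def api_visible_name(name: str) -> str:
    """What a NUL-terminated (Win32) consumer sees of a counted-string name."""
    return name.split("\x00", 1)[0]


def flag_service_keys(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Keys a Win32 tool cannot address, as (visible name, reason) pairs."""
    flagged = []
    for n in names:
        if "\x00" in n:
            flagged.append((api_visible_name(n), "embedded NUL in key name"))
    return flagged


def shared_prefix_families(paths: Iterable[str], prefix_len: int = 6,
                           min_members: int = 2) -> Dict[str, List[str]]:
    """Group hidden files by a common basename prefix (the thread's hjgrui*).

    Droppers that generate random names often keep a fixed prefix, so hidden
    files sharing one are worth reporting together.
    """
    groups: Dict[str, List[str]] = {}
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        groups.setdefault(base[:prefix_len], []).append(p)
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def report() -> Dict[str, object]:
    """Run all three checks over the constructed sample data."""
    hidden = find_hidden_entries(API_FILE_VIEW, RAW_FILE_VIEW)
    return {
        "hidden_files": hidden,
        "prefix_families": shared_prefix_families(hidden),
        "unaddressable_keys": flag_service_keys(RAW_SERVICE_KEYS),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(f"== {section}")
        print(rows)
```

On a real system the API view would come from a normal directory listing or registry enumeration taken while Windows is running, and the raw view from an offline mount or hive parse, exactly the Linux-boot-disk comparison the poster did by hand; the value of doing it as a diff is that the nulled key names and the hjgrui* family fall out automatically instead of needing a lucky search.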


#5 DaChew

Posted 04 August 2009 - 10:28 PM

With 17,500 views the last few months, this infection is pretty common.

http://www.malwarebytes.org/forums/index.php?showtopic=12709
Chewy

No. Try not. Do... or do not. There is no try.
