
unkillable rootkit


This topic is locked.
15 replies to this topic

#1 Anth-Sama (Members, 11 posts)

Posted 03 August 2009 - 02:15 PM

(I'm using XP.) I've had spyware and some msb.exe; I've gotten rid of those using NOD32 and Malwarebytes, but one thing remains: these rootkits. NOD32 detects them but can't do anything, and Malwarebytes doesn't detect them, so that's no good. Then I decided to use GMER. It found my rootkit and its service; I could only disable and delete the services (I couldn't do anything to the rootkits themselves), so I deleted it. I did another scan with GMER and the services reappeared (I'm doing this in safe mode, by the way, just to be sure it would work). I've used some powerful removal systems and nothing has worked. I want my computer back, and I'd truly appreciate it if someone helped me ASAP. Thanks.

Edited by Anth-Sama, 03 August 2009 - 02:19 PM.



#2 boopme (Global Moderator, 72,112 posts, NJ USA)

Posted 03 August 2009 - 02:51 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal and save it to your desktop.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 03:17 PM

EDIT: Sorry, I didn't know about the spoiler thing. By the way, I ran this scan in safe mode; would this have altered any of the results?



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 15:57
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOCUME~1\Anthony\LOCALS~1\Temp\aujasnkj.sys
Address: 0xF8397000 Size: 82432 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF8BC4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF97F2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF8367000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACbiqrrygwxt.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACevdbbmdwhq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpdwyltstmo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACriyqjrufev.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvvrrwrhmuy.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxrqbtkoptt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyudowkrful.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC1f99.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC305d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC3994.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC4397.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACdac0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe4a3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe5db.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Anthony\Local Settings\Temp\UACf3c7.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Anthony\My Documents\Skulltag\uacbase_lockdown.wad
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACyudowkrful.dll]
Process: winlogon.exe (PID: 588) Address: 0x00640000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: winlogon.exe (PID: 588) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: services.exe (PID: 636) Address: 0x00640000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: services.exe (PID: 636) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: lsass.exe (PID: 648) Address: 0x00710000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: lsass.exe (PID: 648) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: svchost.exe (PID: 812) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACxrqbtkoptt.dll]
Process: svchost.exe (PID: 812) Address: 0x009e0000 Size: 73728

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: svchost.exe (PID: 812) Address: 0x00cc0000 Size: 45056

Object: Hidden Module [Name: UACpdwyltstmo.dll]
Process: svchost.exe (PID: 812) Address: 0x02900000 Size: 217088

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: svchost.exe (PID: 812) Address: 0x02b60000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: svchost.exe (PID: 812) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: svchost.exe (PID: 936) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: svchost.exe (PID: 936) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: svchost.exe (PID: 1076) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: svchost.exe (PID: 1076) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: svchost.exe (PID: 1140) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: svchost.exe (PID: 1140) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: svchost.exe (PID: 1268) Address: 0x006e0000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: svchost.exe (PID: 1268) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: Explorer.EXE (PID: 1656) Address: 0x00c00000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: Explorer.EXE (PID: 1656) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: ctfmon.exe (PID: 1924) Address: 0x00980000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: ctfmon.exe (PID: 1924) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACyudowkrful.dll]
Process: msnmsgr.exe (PID: 164) Address: 0x01290000 Size: 49152

Object: Hidden Module [Name: UACriyqjrufev.dll]
Process: msnmsgr.exe (PID: 164) Address: 0x10000000 Size: 45056

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACjvivksamdb.sys

==EOF==

Edited by Anth-Sama, 03 August 2009 - 03:24 PM.


#4 Computer Pro (Members, 2,448 posts)

Posted 03 August 2009 - 03:21 PM

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACjvivksamdb.sys


Please right-click on this item and select *Wipe File*. Then please update Malwarebytes by going to the "Update" tab. After that, please run a Quick Scan with Malwarebytes and post back the log.

Edited by Computer Pro, 03 August 2009 - 03:24 PM.


#5 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 03:29 PM

When I try to wipe the file, it says it can't find the file on the disk. Should I take off safe mode?

#6 Computer Pro (Members, 2,448 posts)

Posted 03 August 2009 - 03:32 PM

Please try in Normal mode.

#7 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 03:53 PM

It still says that it can't find it on my disk.

#8 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 05:02 PM

Sorry for the double post, but there is an option to force delete the file. I don't know what else to do, but would that have any impact?

#9 Computer Pro (Members, 2,448 posts)

Posted 03 August 2009 - 05:39 PM

Please try Force Delete. If that doesn't work, then:

Please download Sophos Anti-Rootkit and save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew
  • Be sure to print out and read the User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
      • Running processes
      • Windows Registry
      • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel, which also includes whether the item is recommended for removal.
      • Files tagged as Removable: No are not marked for removal and cannot be removed.
      • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
      • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm; click Yes.
  • A pop-up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Edited by Computer Pro, 03 August 2009 - 05:42 PM.


#10 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 06:35 PM

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/3/2009 at 18:45:28
User "Anthony" on computer "AMODEO"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Messenger\Kisame_Kabuto@hotmail.com\SharingMetadata\rific453@insightbb.com\DFSR\Staging\CS{120CD437-0701-4BC7-E606-0CC0AF0F1543}\01\10-{120CD437-0701-4BC7-E606-0CC0AF0F1543}-v1-{B1A7903A-3AB6-4A2C-9B8D-1FE1C144EF6C}-v10-Downloaded.frx
Hidden: file C:\WINDOWS\system32\UACxrqbtkoptt.dll
Hidden: file C:\System Volume Information\_restore{0EA7726F-7DC9-4E9D-8ABB-AAEB5ADCC4A7}\RP66\A0056298.dll
Hidden: file C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Content.IE5\036142ZP\26ea1-34841-770e5;dg=E5133-W-MS-7;dst=1;et=1249249667609;tzo=240;a=p-35zC8ZTmkLrqU;labels=Campaign.3376%2CPlan.12428%2CPublisher.1635%2CSpot.5762%2CChannel[1].gif
Hidden: file C:\Documents and Settings\Nicky\Local Settings\Temporary Internet Files\Content.IE5\1ZSKZT89\x100;kl=N;k21=1;custl=6YI7mxrpdsBa1UmCiIurbg;kgender=m;kga=1001;kar=3;klg=en;kage=22;kgg=1;kt=U;kcr=ca;dc_dedup=1;kmyd=ad_creative_3;tile=3;ord=4254317448880398[1]
Hidden: file C:\Documents and Settings\Nicky\Local Settings\Temporary Internet Files\Content.IE5\1ZSKZT89\sBa1UmCiIurbg;kgender=m;kga=1001;kar=3;klg=en;kage=22;kgg=1;kt=U;kw=jamesnetindonerd;kcr=ca;dc_dedup=1;kmyd=ad_creative_1;tile=1;dcopt=ist;ord=1035503161953430[1].5
Hidden: file C:\Documents and Settings\Vince\Local Settings\Temporary Internet Files\Content.IE5\SS0TBE22\1934;ko=0;cid=31960765;rid=31978641;rv=1;&timestamp=1248614165218;eid1=2;ecn1=0;etm1=8;eid2=117291;ecn2=1;etm2=0;eid3=10;ecn3=1;etm3=0;eid4=4;ecn4=1;etm4=0;[1].gif
Hidden: file C:\Documents and Settings\Vince\Local Settings\Temporary Internet Files\Content.IE5\SS0TBE22\1934;ko=0;cid=31960765;rid=31978641;rv=1;&timestamp=1248614336546;eid1=2;ecn1=1;etm1=1;eid2=117291;ecn2=1;etm2=0;eid3=10;ecn3=1;etm3=0;eid4=4;ecn4=1;etm4=0;[1].gif
Hidden: file C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\uim510jk.default\Cache\0D66F04Ad01
Hidden: file C:\Documents and Settings\Anthony\Local Settings\Temp\UACf3c7.tmp
Hidden: file C:\WINDOWS\Temp\UAC3994.tmp
Hidden: file C:\WINDOWS\Temp\UAC4397.tmp
Hidden: file C:\WINDOWS\Temp\UAC305d.tmp
Hidden: file C:\System Volume Information\_restore{0EA7726F-7DC9-4E9D-8ABB-AAEB5ADCC4A7}\RP39\A0016367.exe
Info: Starting disk scan of F: (FAT).
Stopped logging on 8/3/2009 at 19:29:51
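Triage of the "Hidden: file" lines above, as an added example that is not part of the original post and is not Sophos or BleepingComputer tooling. It buckets each hidden path by location and marks the ones that RootRepeal's "Hidden/Locked Files" section in post #3 also lists, since a file that two scanners independently cannot see through the Windows API is a much stronger signal than a lone hit in a browser cache. The log text and the RootRepeal list are constructed from the posts with the long cache paths shortened; the bucket rules, the "low value" treatment of browser-cache and restore-point hits, and the use of the UAC name prefix are triage heuristics written for this example, not verdicts.

```python
"""Bucket Sophos Anti-Rootkit 'Hidden: file' hits and corroborate them with a
second tool's hidden-file list. Added example; not Sophos or BleepingComputer
code. Inputs are constructed from posts #3 and #10 (cache paths shortened)."""
import re
from collections import defaultdict

SOPHOS_LOG = """\
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\\WINDOWS\\system32\\UACxrqbtkoptt.dll
Hidden: file C:\\System Volume Information\\_restore{0EA7726F-7DC9-4E9D-8ABB-AAEB5ADCC4A7}\\RP66\\A0056298.dll
Hidden: file C:\\Documents and Settings\\Nicky\\Local Settings\\Temporary Internet Files\\Content.IE5\\1ZSKZT89\\x100;kl=N;tile=3;ord=4254317448880398[1]
Hidden: file C:\\Documents and Settings\\Anthony\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\uim510jk.default\\Cache\\0D66F04Ad01
Hidden: file C:\\Documents and Settings\\Anthony\\Local Settings\\Temp\\UACf3c7.tmp
Hidden: file C:\\WINDOWS\\Temp\\UAC3994.tmp
Info: Starting disk scan of F: (FAT).
"""

# RootRepeal "Hidden/Locked Files" paths from post #3 (constructed subset).
ROOTREPEAL_HIDDEN = [
    r"C:\WINDOWS\system32\UACxrqbtkoptt.dll",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\Temp\UAC3994.tmp",
    r"C:\Documents and Settings\Anthony\Local Settings\Temp\UACf3c7.tmp",
]

HIDDEN_RE = re.compile(r"^Hidden: file (.+)$", re.M)

# Location rules, first match wins; predicates see the lower-cased path.
# Browser caches and System Restore copies are low value for triage: nothing
# executes a cache entry at boot, and a restore-point copy is a copy of what
# was elsewhere (it still needs flushing once the machine is clean).
RULES = [
    ("browser_cache", lambda p: "\\temporary internet files\\" in p
                                or ("\\firefox\\profiles\\" in p and "\\cache\\" in p)),
    ("restore_point", lambda p: "\\system volume information\\_restore" in p),
    ("temp", lambda p: "\\temp\\" in p),
    ("system32", lambda p: "\\windows\\system32\\" in p),
]
LOW_VALUE = {"browser_cache", "restore_point"}


def hidden_files(log):
    """Every path Sophos reported as hidden from the Windows API."""
    return HIDDEN_RE.findall(log)


def bucket(path):
    p = path.lower()
    return next((name for name, pred in RULES if pred(p)), "other")


def triage(log, corroborating):
    """{bucket: [(path, also_hidden_per_other_tool), ...]}"""
    seen = {c.lower() for c in corroborating}
    out = defaultdict(list)
    for path in hidden_files(log):
        out[bucket(path)].append((path, path.lower() in seen))
    return dict(out)


def priority(report):
    """Paths to act on first: outside the low-value buckets and either seen
    hidden by both tools or carrying the 'UAC' name prefix shared by every
    file the rootkit dropped in this thread (heuristic)."""
    hits = []
    for b, items in report.items():
        if b in LOW_VALUE:
            continue
        for path, both in items:
            name = path.rsplit("\\", 1)[-1].lower()
            if both or name.startswith("uac"):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    rep = triage(SOPHOS_LOG, ROOTREPEAL_HIDDEN)
    for b, items in rep.items():
        print(b, [(p.rsplit("\\", 1)[-1], both) for p, both in items])
    print("act first:", priority(rep))
```

Run as a script it prints each bucket with the basename and corroboration flag, then the three UAC files under system32 and the two Temp directories as the ones to act on first; the four browser-cache and restore-point hits are left for a second pass.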

#11 Computer Pro (Members, 2,448 posts)

Posted 03 August 2009 - 07:02 PM

It's doing a pretty good job of hiding. Let's scan with RootRepeal one last time, except this time don't reboot your computer until I have given you permission to wipe the file, as the file might change each time after the reboot.

#12 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 07:22 PM

OK, here you go again.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 20:06
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 118D.tmp
Image Path: C:\WINDOWS\system32\118D.tmp
Address: 0xF981C000 Size: 6144 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF014F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF9804000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF6DC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\anthony\local settings\application data\mozilla\firefox\profiles\uim510jk.default\cache\babbcd52d01
Status: Size mismatch (API: 4816896, Raw: 4161536)

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0xff7e5630

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xff7e4a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xff7e4e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0xff7e5460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0xff7e5280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xff7e4c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0xff7e50b0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0xff8777e8]
Process: System Address: 0xff7e3790 Size: 1000

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACjvivksamdb.sys

==EOF==
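A parser for the report above, as an added example that is not part of the original thread and is not RootRepeal's own code. It performs the attribution RootRepeal summarises as Hooked by "<unknown>": each SSDT hook target is checked against the address range of every driver the report lists and against the hidden code block in the Stealth Objects section. In this log none of those regions owns any hook target; the targets form a 3 KB cluster that sits a few kilobytes above the hidden code and numerically above every listed driver image, i.e. in kernel code the report cannot tie to a file on disk. The sample report is constructed from post #12's entries with the "Status: -" lines dropped; the temp-directory rule for drivers is a heuristic added here, and sizes are read as decimal because that is how RootRepeal prints driver sizes.

```python
"""Parse a RootRepeal report and work out what its SSDT hooks point at.
Added example; not RootRepeal's code or a BleepingComputer procedure. SAMPLE is
constructed from entries in post #12 ('Status: -' lines dropped). Sizes are read
as decimal, as RootRepeal prints driver sizes; reading the hidden-code 'Size:
1000' as hex instead would not change which hooks come out unattributed."""
import re

SAMPLE = """\
ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: 118D.tmp
Image Path: C:\\WINDOWS\\system32\\118D.tmp
Address: 0xF981C000 Size: 6144 File Visible: No Signed: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xEF6DC000 Size: 49152 File Visible: No Signed: -

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0xff7e5630

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xff7e4a60

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0xff8777e8]
Process: System Address: 0xff7e3790 Size: 1000

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACjvivksamdb.sys

==EOF==
"""

HEX = r"(0x[0-9A-Fa-f]+)"
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z/ ]*)\n-{5,}\n(.*?)"
                        r"(?=^[A-Za-z][A-Za-z/ ]*\n-{5,}\n|^==EOF==|\Z)", re.M | re.S)
DRIVER_RE = re.compile(r"Name: (.+)\nImage Path: (.+)\nAddress: " + HEX + r" Size: (\d+)")
HOOK_RE = re.compile(r'Function Name: (\w+)\nStatus: Hooked by "([^"]*)" at address ' + HEX)
CODE_RE = re.compile(r"Hidden Code \[ETHREAD: " + HEX + r"\]\nProcess: \S+ Address: "
                     + HEX + r" Size: (\d+)")
SERVICE_RE = re.compile(r"Service Name: (.+)\nImage Path: (.+)")


def parse(text):
    """Entries we reason about. 'regions' are (label, base, end) for every piece
    of kernel code the report names, loaded drivers and hidden code alike."""
    secs = dict(SECTION_RE.findall(text))
    drivers = DRIVER_RE.findall(secs.get("Drivers", ""))
    regions = [(n, int(a, 16), int(a, 16) + int(s)) for n, _p, a, s in drivers]
    regions += [(f"hidden code @ETHREAD {e}", int(a, 16), int(a, 16) + int(s))
                for e, a, s in CODE_RE.findall(secs.get("Stealth Objects", ""))]
    return {
        "driver_paths": [p for _n, p, _a, _s in drivers],
        "regions": regions,
        "hooks": [(f, by, int(a, 16)) for f, by, a in HOOK_RE.findall(secs.get("SSDT", ""))],
        "services": SERVICE_RE.findall(secs.get("Hidden Services", "")),
    }


def suspicious_driver_paths(paths):
    """Heuristic, not a verdict: a kernel driver loaded from a Temp directory or
    named *.tmp is not something a stock XP install does. 'File Visible: No' is
    deliberately not used on its own: dump_atapi.sys and rootrepeal.sys are
    legitimately invisible on disk in the same report."""
    return [p for p in paths if "\\temp\\" in p.lower() or p.lower().endswith(".tmp")]


def owner(addr, regions):
    """Label of the region containing addr, or None. None is what RootRepeal
    prints as Hooked by "<unknown>": the hook lands in code no listed driver owns."""
    return next((n for n, lo, hi in regions if lo <= addr < hi), None)


def nearest(lo, hi, regions):
    """(gap in bytes, label) of the known region closest to [lo, hi]; 0 = overlap."""
    gap = lambda r: max(0, r[1] - hi, lo - r[2])
    best = min(regions, key=gap)
    return gap(best), best[0]


def analyze(text):
    rep = parse(text)
    targets = [t for _f, _by, t in rep["hooks"]]
    lo, hi = (min(targets), max(targets)) if targets else (0, 0)
    return {
        "suspicious_drivers": suspicious_driver_paths(rep["driver_paths"]),
        "unattributed_hooks": [f for f, _by, t in rep["hooks"]
                               if owner(t, rep["regions"]) is None],
        "hook_span": (lo, hi),
        "nearest_region": nearest(lo, hi, rep["regions"]) if targets else None,
        "hidden_services": rep["services"],
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

On the full post #12 log all seven hooks come out unattributed with the same nearest region, and the only driver the temp rule flags is 118D.tmp; the hidden service entry for UACd.sys is carried through unchanged so the three indicators can be read together.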

#13 Computer Pro (Members, 2,448 posts)

Posted 03 August 2009 - 08:01 PM

Ok, please try once more to wipe it.

#14 Anth-Sama (Topic Starter)

Posted 03 August 2009 - 08:09 PM

It gave me the same error message: "could not find on disk!"

#15 Computer Pro (Members, 2,448 posts)

Posted 03 August 2009 - 08:25 PM

It looks like we are going to have to use more powerful tools than what we are allowed to use in the Am I Infected forum. I am going to need you to post a DDS/HijackThis log in the HijackThis Log section of the forum.

Please refer to this for your preparation before posting:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

You can find the forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once you have created a new topic in the HijackThis section, please post a link to it in this topic.
Please allow time for your topic to be replied to in the HijackThis section, as the HJT Team is EXTREMELY busy with logs posted before yours.

Good Luck!