Rootkit blocking MBAM, ComboFix, RootRepeal


This topic is locked. 31 replies to this topic.

#1 Howie69

Howie69

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 16 August 2009 - 02:25 PM

Hi. I removed a few fake antivirus and antispyware programs on a pc recently using Malwarebytes and Kaspersky on a separate pc. However, these programs missed the rootkit that was protecting these programs. It was one of the variants of the AntiSpy Protector 2009 which is listed on the front page here.

With the fake AV and all the downloaders gone from the HDD, and the registry keys wiped clean, I am left with this annoying rootkit that terminates any program that tries to scan any files.

For example, this rootkit removed the AVG Free version that was originally on the pc. So, I installed and ran MalwareBytes. It scans for a few seconds then is terminated. If you try to run it again, it says access denied. If you reboot, the executable is missing.

I tried to use ComboFix, but all it does is give the green line where it is unpacking and then does nothing. I look in C:/ComboFix folder and it is empty.

I scanned with SuperAntiSpyware, it found some things, removed them, then reboot. Upon reboot, the executable was also unusable again.

I downloaded and ran RootRepeal. It can scan the devices, drivers, and processes just fine. But once I try to scan the files, it is mysteriously terminated.

I am no rookie at this. I have been removing malware for well over 10 years and have never run into anything quite this annoying.

The only thing that RootRepeal tells me before it terminates is that hiberfil.sys is locked to the windows API.

Attached is a DDS scan (neat way to bypass a rootkit, make it look like a screensaver file) log.

Any help would be appreciated. Notice this is my first post. This has to be the first time I have not been able to find the answer to my question just by searching the forums here :thumbup2:


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:27 AM

Posted 16 August 2009 - 02:39 PM

Hello and welcome to the BleepingComputer.com! :thumbup2:

I will be helping you today. :)

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to analyse your logs, I will be back shortly.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber


Posted 17 August 2009 - 11:03 AM

Hello, Howie69 and again
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.



Step 1

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Step 2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Please post back with:
  • Gmer-Logfile
  • Both RSIT-Logfiles

regards,
schrauber


#4 Howie69


Posted 17 August 2009 - 02:19 PM

I will be right with you. The Gmer scans I performed over the weekend I cannot seem to locate, so I am having to redo it, it tends to take almost 3 hours here.

It should be done in another hour and I will post, followed with the RSIT info. Don't fall asleep over there in Germany on me :thumbup2:

#5 schrauber


Posted 17 August 2009 - 02:28 PM

Don't fall asleep over there in Germany on me


No chance :thumbup2:

I will go in maybe 2 hours :).
regards,
schrauber


#6 Howie69


Posted 17 August 2009 - 02:53 PM

I am pretty sure you frown upon someone like me doing something like this, but I am running out of time in the day, and I believe I see the rootkit from the Gmer scan, which has been running for almost 3 hours now. So, I am posting the partial log with what appears to be the obvious rootkit running. I will post the ENTIRE log once it is finished scanning.

GMER 1.0.15.15077 [fq6lpd3b.exe] - http://www.gmer.net
Rootkit scan 2009-08-17 15:47:37
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

?			   win32k.sys:1																							   The system cannot find the file specified. !
?			   win32k.sys:2																							   The system cannot find the file specified. !
?			   C:\DOCUME~1\COMPAQ~1.YOU\LOCALS~1\Temp\catchme.sys														 The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs																					 bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat																				   bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
---- Processes - GMER 1.0.15 ----

Library		 \\?\globalroot\Device\__max++>\6B8C431A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [496]  0x35670000													  

---- Registry - GMER 1.0.15 ----

Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox@start													1
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox@type													 1
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox@group													file system
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox@imagepath												\systemroot\system32\drivers\geyekrjlkxrqpp.sys
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main (not active ControlSet)							 
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main@aid												 10096
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main@sid												 0
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main@cmddelay											14400
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main\delete (not active ControlSet)					  
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main\injector (not active ControlSet)					
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main\injector@*										  geyekrwsp.dll
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\main\tasks (not active ControlSet)					   
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\modules (not active ControlSet)						  
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\modules@geyekrrk.sys									 \systemroot\system32\drivers\geyekrjlkxrqpp.sys
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\modules@geyekrcmd.dll									\systemroot\system32\geyekrnfyqtudy.dll
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\modules@geyekrlog.dat									\systemroot\system32\geyekrirtbwyyw.dat
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\modules@geyekrwsp.dll									\systemroot\system32\geyekrltnyttkl.dll
Reg			 HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox\modules@geyekr.dat									   \systemroot\system32\geyekryfviqdcr.dat
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs									 cru629.dat
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout						 15
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota							10000
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler										  yes
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk										 
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout						 90
Reg			 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota						   10000

Apparently my friend's son likes to download TONS of WildTangent games which is what is taking the scan so long.

Anyway, the library 6B8C431A.x86.dll is what was coming up on my gmer scans over the weekend as well. I tried to remove the HKLM\SYSTEM\ControlSet003\Services\geyekrjovvwqox key from the registry over the weekend, as regedit showed it as empty, but I kept getting permission denied. I am pretty sure that is where the rootkit is, but will continue scanning and posting until you tell me otherwise.
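Reading a partial GMER log like the one above by hand is error-prone. The following is an added example (not GMER's or BleepingComputer's code) that parses GMER's tab-separated findings and groups what a responder looks for first: modules GMER marks as hidden inside a process, the registry state of each service (flagging services that carry an `injector` subkey), and the global `AppInit_DLLs` value. The sample input is constructed from lines quoted in this post; the `*** hidden ***` marker and `key@valuename` layout are GMER's, everything else is assumed.

```python
"""Triage helper for GMER rootkit-scan output (added example, not GMER's code).
GMER prints one finding per line: type column (Library, Reg, ...), path or key,
then data, padded with tabs/spaces. SAMPLE_LOG is built from lines in the post."""
import re
from collections import defaultdict

SAMPLE_LOG = (
    "---- Processes - GMER 1.0.15 ----\n"
    "Library\t\\\\?\\globalroot\\Device\\__max++>\\6B8C431A.x86.dll (*** hidden *** ) "
    "@ C:\\WINDOWS\\system32\\svchost.exe [496]  0x35670000\n"
    "---- Registry - GMER 1.0.15 ----\n"
    "Reg\tHKLM\\SYSTEM\\ControlSet003\\Services\\geyekrjovvwqox@start\t1\n"
    "Reg\tHKLM\\SYSTEM\\ControlSet003\\Services\\geyekrjovvwqox@imagepath"
    "\t\\systemroot\\system32\\drivers\\geyekrjlkxrqpp.sys\n"
    "Reg\tHKLM\\SYSTEM\\ControlSet003\\Services\\geyekrjovvwqox\\main (not active ControlSet)\n"
    "Reg\tHKLM\\SYSTEM\\ControlSet003\\Services\\geyekrjovvwqox\\main\\injector@*\tgeyekrwsp.dll\n"
    "Reg\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@AppInit_DLLs\tcru629.dat\n"
    "Reg\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@Spooler\tyes\n"
)

FIELD_SEP = re.compile(r"\t|\s{2,}")                    # GMER pads columns with tabs/spaces
SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)


def parse_gmer(text):
    """Return (hidden_modules, registry_values) extracted from raw GMER output."""
    hidden, reg = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("----"):
            continue                                     # blank line or section header
        kind, _, rest = line.partition("\t")
        if kind == "Library" and "*** hidden ***" in rest:
            module, _, host = rest.partition(" (*** hidden *** ) @ ")
            hidden.append({"module": module, "host": FIELD_SEP.split(host)[0]})
        elif kind == "Reg":
            key, _, remainder = rest.partition("@")      # GMER writes key@valuename<sep>data
            parts = FIELD_SEP.split(remainder, maxsplit=1)
            data = parts[1].strip() if len(parts) > 1 else ""
            reg.append({"key": key, "name": parts[0], "data": data})
    return hidden, reg


def triage(text):
    """Group findings the way a responder reads them: hidden code in processes,
    registry state per service (flagging injector subkeys), and AppInit_DLLs."""
    hidden, reg = parse_gmer(text)
    services, appinit = defaultdict(dict), None
    for v in reg:
        if not v["name"]:
            continue                                     # bare subkey line, carries no data
        m = SERVICE_KEY.search(v["key"])
        if m:
            sub = v["key"][m.end():].strip("\\")         # e.g. "main\injector"
            label = f"{sub}@{v['name']}" if sub else v["name"]
            services[m.group(1)][label.lower()] = v["data"]
        elif v["key"].endswith("\\Windows") and v["name"].lower() == "appinit_dlls":
            appinit = v["data"] or None                  # any DLL here loads into every GUI process
    injectors = {n: s for n, s in services.items()
                 if any(k.startswith("main\\injector@") for k in s)}
    return {"hidden_modules": hidden, "injector_services": injectors, "appinit_dlls": appinit}
```

Running `triage(SAMPLE_LOG)` reports the hidden DLL inside svchost.exe [496], the `geyekrjovvwqox` service with its driver path and injector DLL, and `cru629.dat` in AppInit_DLLs, which is the set of items to compare against a clean system before touching the registry.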

#7 schrauber


Posted 17 August 2009 - 03:03 PM

Ok, please post the complete logfile when finished and both RSIT-logfiles :thumbup2:.
regards,
schrauber


#8 Howie69


Posted 17 August 2009 - 06:33 PM

I would love to, but now, after that scan, I cannot use start->run, or anything to paste that logfile into a text file to upload here.

#9 Howie69


Posted 17 August 2009 - 06:34 PM

It now says:

"Insufficient system resources exist to complete the requested service"

#10 Howie69


Posted 17 August 2009 - 06:39 PM

I tried using an existing notepad file, I pasted, notepad.exe crashed.

#11 Howie69


Posted 17 August 2009 - 06:44 PM

As far as RSIT , I get this error:

AutoIT Error

Line -1:
Error: Variable being used without being declared

Which now makes that tool useless as well.

#12 Howie69


Posted 17 August 2009 - 06:47 PM

Oh, well, I will leave it on yet another overnight 4 hour scan to see if I have any better luck with it.

All of the other things it mentioned were under an install of Python22, and the C:\Recycler

#13 schrauber


Posted 18 August 2009 - 06:24 AM

Hi,


Here we go:


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




Please go here and have a look at how you can disable your security software.

Please delete your copy of Combofix, if still present.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you.



Please post back with:
  • Combofix-Logfile
  • Content of C:\Qoobox\Add-Remove-Programs.txt

regards,
schrauber


#14 Howie69


Posted 18 August 2009 - 10:52 AM

Saving it as Combofix-File.exe did not help. I clicked it, it gives the green status bar, and nothing happens.

I was able to get gmer to finish and save a log, but RSIT still will not run.

Here's the gmer log:

Well, it is apparently too long to post in here, so I will have to attach it.

I even have to zip it because as a .txt it is too big :thumbup2:


#15 schrauber


Posted 18 August 2009 - 02:23 PM

Hi,

No matter, we don't give up :thumbup2:

Please delete your copy of Combofix and download a fresh one and rename it before you download it, like in the above instruction.



Do not run Combofix yet!


Now reboot into Safe Mode with Network Support.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.



Now follow the instructions from my last post and run the renamed version of Combofix in Safe Mode.



Please post back with:
  • Combofix-Logfile
  • C:\Qoobox\Add-Remove Programs.txt

regards,
schrauber




