Seriously Bad Rootkit, Please Help


  • This topic is locked
3 replies to this topic

#1 King_Robot

Posted 21 August 2009 - 01:25 AM

Operating System: Windows Vista Ultimate SP1

Howdy everybody, I have come to you today to ask you for your help. I have done tool-assisted and manual malware removal for years, and it is how I make my living (among other things).

Today I encountered a rootkit like I have never seen before, and spent a good part of my day trying to clean it. I am actually the party at fault here: I clicked on a fishy link in Firefox, saw a Firefox window pop up, then disappear, and then saw the Java icon pop up in the system tray. I thought, oh no, I'm being infected, and sure enough I saw some fake security program pop up next.


I immediately unplugged the network cable and started trying to figure out what I had. I fired up either Autoruns or Malwarebytes <can't remember>, and at that point the system bluescreened. Upon reboot, Windows asked me to specify a program to launch net.net. I opened up Autoruns, which was on the desktop; it launched and then immediately closed, and had a new image added to the icon. I tried to launch it again, and received the message: "Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item." I have never seen this behavior before. This must be a very novel rootkit.

I booted into Windows PE and looked at the System32 and Windows directories; I was able to find and delete Uacd.sys, net.net, and a few other randomly named DLLs and .dat files. I believed that with these files removed I would be able to run Malwarebytes in Windows. Wrong: I found that I still could not launch any utilities in Windows without them immediately closing and then being locked out. If I re-ran the installer for Malwarebytes, it would launch again, but then close and become disabled (access denied).

I pulled the drive, stuck it in another PC, and tried to run Malwarebytes against the drive from the other PC. The scan found a few registry entries (services in CurrentControlSet001), but passed right over Windows\system32, where I knew there were still files hiding.

At this point I tried GMER, which was able to run and detect several instances of the kbiwkm* files. Here is the list I typed into Notepad from my first GMER scan.

C:\Windows\system32\drivers:

kbiwkmtipgxgvs.sys
UACcmjyebkyjtswdclpu.sys

C:\Windows\system32:

UACentncvpffwgvximsx.dll
UACdgbwdvkinpdyeivii.dat
UAChnvlsoluwyxdqkcve.db
UACtqqrmifrjtctthsvf.dll
UACmedtfuujtesjsvoimb.dll
UACvxycgntumidrttaio.dll

kbiwkmwsp.dll

kbiwkmsuvbovyp.sys
kbiwkmhvtoirqq.dll
kbiwkmcjhouodwp.dat
kbiwkmmgprqpbd.dll
kbiwkmciwpwdso.dat


I removed the kbiwkm* service with GMER and rebooted, but I still have the same issue. I ran another GMER scan and exported the log, which is below:

GMER 1.0.15.15077 [vnwkiy9b.exe] - http://www.gmer.net
Rootkit scan 2009-08-20 20:27:48
Windows 6.0.6001 Service Pack 1


---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74867BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [748A98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7486D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7485F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74867599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7485E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7489B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7486D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7486012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74860095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748571F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [748ED802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [748875E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7485DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7485668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [748566BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1252] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74861E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\BEAFDF33.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [504] 0x35670000
Library \\?\globalroot\Device\__max++>\BEAFDF33.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [576] 0x35670000
Library \\?\globalroot\Device\__max++>\BEAFDF33.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [796] 0x35670000
Library \\?\globalroot\Device\__max++>\BEAFDF33.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [924] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcmjyebkyjtswdclpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACcmjyebkyjtswdclpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACcosuaprnfxqdfiqqj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACentncvpffwgvximsx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACdgbwdvkinpdyeivii.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UAChnvlsoluwyxdqkcve.db
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACtqqrmifrjtctthsvf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACmedtfuujtejsvoimb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACvxycgntumidrttaio.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@IconServiceLib IconCodecService.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DdeSendTimeout 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ShutdownWarningDialogTimeout -1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERPostMessageLimit 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@ mnmsrvc
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FE2BD83A-F147-2F47-08E9-DD7726CFA5C8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FE2BD83A-F147-2F47-08E9-DD7726CFA5C8}@mabffkpofgoakbnlehdlcmpice 0x6A 0x61 0x63 0x6F ...



Only the UACd.sys entries are showing up. I can't delete the service out of the registry, although I'm not entirely sure they are running, since they are in the CurrentControlSet001 key. The only other symptom I've noticed is disappearing icons, which I think may correspond with the other entries in the GMER log. I have tried to get either HijackThis or ComboFix going on the machine, but neither will launch. RootRepeal scanned for a moment before closing and then becoming locked out.

Any help would be greatly appreciated. Firefox is still redirecting and I can't launch any tools to get rid of this thing. If it wasn't my personal machine, I probably would have already reloaded Windows by now, and that may still happen if nobody has any ideas here. I have tried to delete the files in the GMER log manually, but nothing seems to be able to; I always get "file does not exist" or similar.

Thank you in advance to anybody who cares to contribute.
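As an added example (not code from the thread, from GMER, or from any BleepingComputer helper), here is a small Python triage helper that parses lines in the shape of the GMER log above and flags the three things a responder would want pulled out of it: modules GMER marks hidden, modules loaded from a device object under \\?\globalroot\Device\ rather than a filesystem path, and service registry entries whose module paths are referenced through \\?\globalroot. The sample log lines are constructed to mirror the post's output; the benign ntdll.dll line is a control.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's GMER output (not a real capture).
SAMPLE_LOG = r"""---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\BEAFDF33.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [576] 0x35670000
Library C:\Windows\system32\ntdll.dll @ C:\Windows\system32\services.exe [576] 0x77000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACcmjyebkyjtswdclpu.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACmedtfuujtejsvoimb.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 0
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# Library <path> [(*** hidden *** )] @ <process> [<pid>] <base address>
LIBRARY_RE = re.compile(
    r"^Library (\S+)(?: \((\*\*\* hidden \*\*\*) \))? @ (\S+) \[(\d+)\] (0x[0-9A-Fa-f]+)$")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
DEVICE_PREFIX = "\\\\?\\globalroot\\Device\\"   # \\?\globalroot\Device\
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\"       # \\?\globalroot\


def parse_gmer(text):
    """Return a list of dicts for every Library and Reg line, tagged with its section."""
    section, records = None, []
    for line in text.splitlines():
        line = line.rstrip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := LIBRARY_RE.match(line):
            path, hidden, proc, pid, base = m.groups()
            records.append({"section": section, "kind": "Library", "path": path,
                            "hidden": hidden is not None, "process": proc,
                            "pid": int(pid), "base": int(base, 16)})
        elif line.startswith("Reg "):
            key, _, rest = line[4:].partition("@")   # key@valuename value
            name, _, value = rest.partition(" ")
            records.append({"section": section, "kind": "Reg", "key": key,
                            "name": name or None, "value": value or None})
    return records


def find_suspicious(records):
    """Return (reason, evidence) pairs worth a responder's attention."""
    findings, services = [], defaultdict(list)
    for r in records:
        if r["kind"] == "Library":
            if r["hidden"]:
                findings.append(("hidden module", f"{r['path']} in {r['process']}[{r['pid']}]"))
            if r["path"].lower().startswith(DEVICE_PREFIX.lower()):
                findings.append(("module backed by device object, not a file", r["path"]))
        elif (m := SERVICE_RE.search(r["key"])) and r["value"]:
            services[m.group(1)].append(r["value"])   # group module paths per service
    for svc, paths in services.items():
        hits = [p for p in paths if p.lower().startswith(GLOBALROOT_PREFIX.lower())]
        if hits:
            findings.append(("service modules referenced via globalroot", f"{svc}: {len(hits)} path(s)"))
    return findings


def triage(text=SAMPLE_LOG):
    return find_suspicious(parse_gmer(text))


if __name__ == "__main__":
    for reason, evidence in triage():
        print(f"[{reason}] {evidence}")
```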



#2 King_Robot

  • Topic Starter

Posted 21 August 2009 - 09:42 AM

Okay, so I got up this morning and stupidly started working on my machine again. I tried to run ComboFix again; it would show its window, then just quit, so I extracted the ComboFix exe using 7-Zip and ran combobatch.bat. This turned the cmd window blue (on the right track) before exiting and becoming locked out, by which I mean access denied. ComboFix has now joined the ranks of the other anti-malware applications on my machine.


WTF? I've never seen this behavior before; have any of you? I've not been able to launch apps before, but this in particular has never happened. Hopefully somebody will have a clue...
===========

Hello

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post instead of a reply. Please do not make multiple posts here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I'd suggest checking your topic for responses once a day.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 21 August 2009 - 09:49 AM.


#3 sempai

  • Malware Response Team

Posted 01 September 2009 - 03:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Semp


If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 harrythook

  • Security Colleague

Posted 12 September 2009 - 05:41 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.
