
Almost rid of rootkit/redirect/exe-killer infection!



#1 Webdaddy


Posted 24 August 2009 - 02:44 AM

It seems I've been a victim of an especially nasty rootkit/redirect/exe-killer infection that many others have recently described. Before imposing on anyone else's time, I've always tried to figure things out on my own. But after almost two weeks of SOLID effort trying to rid my laptop of this pestilence, I realize it's time to ask for help.

The infected laptop is an HP zd7389cl w/2GBs memory, 160GB disk, running Windows XP SP3. At the time I was using my licensed copy of AVG 8.5. Windows updates were automatic and current.

I vaguely recall seeing a pop-up warning me that my computer was infected (forgive my extreme sleep deprivation) but thought that by simply closing the window and then running an AVG scan followed by a run-through with Spybot S&D I'd be okay.

Yeah. Riiiiiiiight...

After seemingly endless attempts at getting ANY of my usual anti-virus/spyware weapons to run (i.e., MalwareBytes, Spybot S&D, AVG, MRT) I realized that this infection was able to reset the permissions of their respective executables, thereby rendering them useless. I found that while I could get them to run by resetting their permissions, they wouldn't run for very long before disappearing into the virtual abyss. I was able to work around all of my Google searches being redirected in both IE 8 and FF 3.0.13 by using the Cached links, but what a PITA!

I caught a break reading a post suggesting that certain system files had been compromised. With this in mind, I found that the scecli.dll file had indeed been changed. I was able to replace it with a known good copy running on a clean workstation which made it possible to get a few new utilities to run.

The fact that MS Auto-Update is still failing makes me think there's still work to be done.

I can see light at the end of this long, dark tunnel. I just need help in making sure that the light I see isn't another infected train!

My HijackThis log is ready to roll. Any assistance would be most appreciated!



#2 boopme


Posted 24 August 2009 - 11:38 AM

Hello and welcome. Let's see what we get from these.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.



Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Webdaddy


Posted 24 August 2009 - 02:01 PM

Thank you for your quick reply! My MBAM log per your instructions:

Malwarebytes' Anti-Malware 1.40
Database version: 2690
Windows 5.1.2600 Service Pack 3

8/24/2009 1:25:59 PM
mbam-log-2009-08-24 (13-25-59).txt

Scan type: Quick Scan
Objects scanned: 164726
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Webdaddy, 24 August 2009 - 02:02 PM.


#4 boopme


Posted 24 August 2009 - 03:19 PM

Ok that looks clean, will wait for the rootkit scan.

#5 Webdaddy


Posted 24 August 2009 - 10:44 PM

Sorry for the delay, but I ran the SAR scan twice because I couldn't believe it gave me an "all clear" again! NONE of the following "Hidden" files were marked for deletion! Of course, I don't believe SAR because both GMER and RootRepeal say something evil has made a home somewhere in my laptop! The following is the SAR log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/24/2009 at 17:32:29
User "Webdaddy" on computer "HENRY"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe
Hidden: file C:\Documents and Settings\Webdaddy.GORDON\Desktop\RSIT.exe
Hidden: file C:\WINDOWS\system32\wbem\wmiprvse.exe
Hidden: file C:\WINDOWS\system32\dumprep.exe
Hidden: file C:\Program Files\IconForge\ICONFORGE.EXE
Hidden: file C:\Program Files\Macromedia\HomeSite+\HomeSite+.exe
Hidden: file C:\Program Files\MMshall\FLV MP4 Video Converter\mmdig.axf
Hidden: file C:\Program Files\ElcomSoft\AOPR\aopr.exe
Hidden: file C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
Hidden: file C:\Program Files\Disk Space Inspector\dsinspect.exe
Hidden: file C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
Hidden: file C:\Program Files\Adobe\Adobe Bridge CS3\browser\opera.dll
Hidden: file C:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\Opera.dll
Stopped logging on 8/24/2009 at 19:16:40

For your convenience, here's the GMER rootkit scan log:

GMER 1.0.15.15020 [4tl5y4y2.exe] - http://www.gmer.net
Rootkit scan 2009-08-24 22:40:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8A574EB8 ZwAlertResumeThread
SSDT 8A38C008 ZwAlertThread
SSDT 8A3C51A0 ZwAllocateVirtualMemory
SSDT 8A3D3170 ZwCreateMutant
SSDT 8A3DCA90 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB96ED350]
SSDT 8A38AFD0 ZwFreeVirtualMemory
SSDT 8A3ABEF8 ZwImpersonateAnonymousToken
SSDT 8A387BF8 ZwImpersonateThread
SSDT 8A38A0D8 ZwMapViewOfSection
SSDT 8A37F700 ZwOpenEvent
SSDT 8A38AF60 ZwOpenProcessToken
SSDT 8A38AF98 ZwOpenThreadToken
SSDT 8A378368 ZwQueryValueKey
SSDT 8A38ACC0 ZwResumeThread
SSDT 8A38A008 ZwSetContextThread
SSDT 8A38AF28 ZwSetInformationProcess
SSDT 8A388290 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB96ED580]
SSDT 8A379260 ZwSuspendProcess
SSDT 8A40FBF8 ZwSuspendThread
SSDT 8A38AEF0 ZwTerminateProcess
SSDT 8A3DF830 ZwTerminateThread
SSDT 8A391348 ZwUnmapViewOfSection
SSDT 8A3C50D0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3300] 0x10000000

Almost makes me want to burn it all down and load Ubuntu! :thumbsup:
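
A triage sketch for the GMER log in the post above, added here as an example (it is not part of the original thread and not a GMER feature): it separates SSDT hooks that GMER attributes to a named driver from those printed only as a raw address, and collects lines marked hidden. The name `triage_gmer` and the regexes are assumptions based on the line shapes visible in this log.

```python
import re

# Sample lines copied from the GMER log posted above (shortened).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A574EB8 ZwAlertResumeThread
SSDT 8A3DCA90 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB96ED350]
SSDT 8A38AEF0 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3300] 0x10000000
"""

SECTION = re.compile(r"^---- (\w+) - GMER")
# Hook resolved to a driver: <path>.sys (description) Function [0xADDR]
OWNED = re.compile(r"^SSDT\s+(\S.*?\.sys)\s+\(.*\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]$", re.I)
# Hook printed only as a raw address: ADDR Function
RAW = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)$")

def triage_gmer(text):
    """Group GMER log lines for review; returns a dict of lists."""
    out = {"owned": [], "unowned": [], "hidden": [], "unparsed": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)  # System, Devices, Processes, ...
            continue
        if "*** hidden ***" in line:
            out["hidden"].append((section, line))
        elif (m := OWNED.match(line)):
            driver = m.group(1).rsplit("\\", 1)[-1]
            out["owned"].append((m.group(2), driver, int(m.group(3), 16)))
        elif (m := RAW.match(line)):
            out["unowned"].append((m.group(2), int(m.group(1), 16)))
        elif line.startswith("SSDT"):
            out["unparsed"].append(line)  # unknown shape: keep for manual review
    return out
```

An unattributed hook is not a verdict on its own, since security products also hook these calls; the grouping only shows which entries still need an owner identified.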

#6 boopme


Posted 24 August 2009 - 10:57 PM

Ok I think this is the new rootkit variant and we need to use the HJT tools or else you will have to reformat.

To run HJT/DDS.
Please follow this guide. Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#7 Orange Blossom


Posted 25 August 2009 - 02:21 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/252233/possibly-the-new-rootkit-variant-time-to-kill-it-dead/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: