Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Likely Rootkit Infection: "kbiwkm****.tmp" and "APQ****.tmp" files, can't load Windows correctly


  • Please log in to reply
11 replies to this topic

#1 jdps

jdps

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 24 August 2009 - 10:52 AM

Hello,

I am running an HP Pavilion Notebook with (genuine) Windows Vista Home Premium Service Pack 1 (32-bits). (But I'm sending this from another machine.)

Yesterday, Symantec Endpoint Protection 11.0.4000.2295 began to pick up on several files in the "C:\WINDOWS\Temp" directory as trojans. The files would show up every once in a while with names starting with "kbiwkm", all with a .tmp extension (e.g. "kbiwkmgykfriyqs.tmp"). Symantec would report them but their status would remain "Pending..." and the files are not visible in the Temp folder (even when showing system and hidden files). Later on it began to report several files in the "C:\ProgramData\Symantec\SRTSP\Quarantine" folder, all named "APQ***.tmp" (e.g. "APQBE59.tmp").

I ran Symantec Full Scan and SpyBot Search and Destroy (both up to date) and found nothing. I also ran Malwarebytes' Anti-Malware full scan and it only found one of the "kbiwkm***.tmp" files but nothing else.

This morning I restarted the computer to go into safe mode, which I was able to do, and when I restarted it normally ("Start Windows Normally"), I got several messages saying that unauthorized changes had been made to Windows. It asks for the Product Key again (which I'm hesitant to enter, so I haven't), and if I hit Cancel, it returns me to the Windows Logon screen (asking for my password). In other words, I couldn't load Windows in normal mode. I also can't load Windows in Safe Mode with networking because it asks me to open up Windows in normal mode to fix the activation problem. (I am, however, able to load Safe Mode without networking).

Finally, yesterday (before I restarted and became unable to use Windows normally), when I opened Microsoft Internet Explorer, I would get the following error messages:

"the procedure entry point _resetstkoflw could not be located in the dynamic link library msvcrt.dll"
"the procedure entry point ??_ v@yaxpax@z could not be located in the dynamic link library msvcrt.dll"

Then Java would crash.

If you do get a chance to answer, please let me know, before anything else:

- Is it safe to enter my Windows product key to attempt to load Windows?
- Is it safe (or even possible) to plug in a thumbdrive or external hard drive to try to salvage my files, just in case?

Thank you very much for your attention and I hope you are able to help me.

BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:39 AM

Posted 24 August 2009 - 12:49 PM

Try entering your product key, I am sure the infection is not out to steal it.

On the clean computer immunize the usb jump drive before plugging into the infected computer

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
Chewy

No. Try not. Do... or do not. There is no try.

#3 jdps

jdps
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 24 August 2009 - 01:03 PM

Try entering your product key, I am sure the infection is not out to steal it.

On the clean computer immunize the usb jump drive before plugging into the infected computer

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



Thank you very much for your reply, DaChew.

McAfee (in the clean computer) identifies the Flash_Disinfector.exe file as a trojan. I'm sure that's wrong, but I wanted to double-check.

Backups aside, do you (or anyone else who may read this) think there's any way to fix the infection to avoid having to restore the whole system?

Thanks again!

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:39 AM

Posted 24 August 2009 - 01:14 PM

As long as you have to fight windows activation and norton's I doubt you will ever get your problem fixed, if you can sort out the windows problem then you might disable Norton's so we could get some scans to run.
Chewy

No. Try not. Do... or do not. There is no try.

#5 jdps

jdps
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 24 August 2009 - 02:11 PM

As long as you have to fight windows activation and norton's I doubt you will ever get your problem fixed, if you can sort out the windows problem then you might disable Norton's so we could get some scans to run.


Alright, I finally managed to get past the activation process and load Windows normally.

I'm all "ears".

Once again, DaChew, thank you very much for all your help.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:39 AM

Posted 24 August 2009 - 02:19 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
Chewy

No. Try not. Do... or do not. There is no try.

#7 jdps

jdps
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 24 August 2009 - 08:39 PM

Hi DaChew,

Malwarebytes still isn't finding anything:

Malwarebytes' Anti-Malware 1.40
Database version: 2692
Windows 6.0.6001 Service Pack 1

8/24/2009 8:06:16 PM
mbam-log-2009-08-24 (20-06-16).txt

Scan type: Quick Scan
Objects scanned: 89726
Time elapsed: 9 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I highly doubt the infection simply vanished (no files at all have been deleted)... Is there a "deeper" test that could be run to double-check?

Thanks again for everything.

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:39 AM

Posted 24 August 2009 - 09:14 PM

It's best to procede cautiously with this rootkit?

Ignore the pasrts of this guide that require you to make any changes, we just need the log

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Chewy

No. Try not. Do... or do not. There is no try.

#9 jdps

jdps
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 24 August 2009 - 11:51 PM

Here it is! Indeed the rootkit is there. I haven't told it to clean anything yet.


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/24/2009 at 21:47:43 PM
User "Juancho" on computer "GUANABANA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Failed to query live registry key \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009.
You may not have access rights to the whole registry.
The system cannot find the file specified.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmkpjibucv
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmkpjibucv
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ProgramData\BVRP Software\Motorola Phone Tools\QUEUE\brulCour.fic
Hidden: file C:\WINDOWS\Temp\TMP0000006E2FDE1F16507AF361
Hidden: file C:\WINDOWS\System32\drivers\kbiwkmrbvqfgdl.sys
Hidden: file C:\WINDOWS\System32\kbiwkmpipvymes.dll
Hidden: file C:\WINDOWS\System32\kbiwkmxcefiutx.dat
Hidden: file C:\WINDOWS\System32\kbiwkmcnvtoxwd.dll
Hidden: file C:\Program Files\muvee Technologies\muvee autoProducer 5.0 - SE\muveeapp.exe
Hidden: file C:\WINDOWS\System32\DivX.dll
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4083.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3AC0.tmp
Hidden: file C:\WINDOWS\System32\kbiwkmtnxksotd.dat
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3D53.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3E6C.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4053.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ33D7.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3A14.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3F38.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4390.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ48AF.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4B11.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4D14.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ509E.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ5513.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ5801.tmp
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ5A43.tmp
Hidden: file C:\Users\Juancho\Downloads\Otros\colombia.exe
Hidden: file C:\Users\Juancho\Downloads\Firefox Setup 2.0.exe
Hidden: file C:\Users\Juancho\Downloads\Mozilla\Thunderbird Setup 1.5.exe
Hidden: file C:\WINDOWS\Temp\kbiwkmqgathonfep.tmp
Hidden: file C:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\Opera.dll
Hidden: file C:\Program Files\Adobe\Adobe Bridge CS3\browser\opera.dll
Hidden: file C:\ProgramData\mpDRM\AVCDEC.ax
Hidden: file C:\ProgramData\mpDRM\AVCTCD.ax
Hidden: file C:\ProgramData\mpDRM\ISOCreatorSecure.dll
Hidden: file C:\ProgramData\mpDRM\mpDRM.dll
Hidden: file C:\ProgramData\mpDRM\mpDRMHelper3.dll
Hidden: file C:\ProgramData\mpDRM\XCTSecureBurn.dll
Hidden: file C:\ProgramData\mpDRM\XEBDMP.ax
Hidden: file C:\Program Files\Common Files\fluxDVD\Lib\XEB\FCZip.dll
Hidden: file C:\Program Files\Common Files\fluxDVD\Lib\XEB\XEBShell.dll
Hidden: file C:\Users\Juancho\Downloads\Mozilla\Firefox Setup 3.5.2.exe
Hidden: file C:\Users\Juancho\Documents\Biblioteca\Historia y Política\Libros y ensayos\Justicia transicional y reconciliación\IJTJ 2-3\Patrick Vinck and Phuong Pham - Ownership and Participation in Transitional Justice Mechanisms, A Sustainable Human Development Perspective from Eastern DRC.pdf
Hidden: file C:\Users\Juancho\Documents\Biblioteca\Historia y Política\Libros y ensayos\Justicia transicional y reconciliación\IJTJ 2-3\Laplante, Lisa -
Transitional Justice and Peace Building, Diagnosing and Addressing theSocioeconomic Roots of Violence through a Human Rights Framework.pdf
Info: Starting disk scan of D: (NTFS).
Stopped logging on 8/24/2009 at 23:42:43 PM


#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:39 AM

Posted 25 August 2009 - 12:05 AM

I would like a second opinion on this infection


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#11 jdps

jdps
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:39 AM

Posted 25 August 2009 - 06:35 PM

Here it is:

GMER 1.0.15.15077 [19ivws48.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-25 18:27:28
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 85861300 ZwEnumerateKey
Code 858612C8 ZwFlushInstructionCache
Code 858F3446 ZwSaveKey
Code 858F0E1E ZwSaveKeyEx
Code 8591FA6D IofCallDriver
Code 85946A16 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\kbiwkmrbvqfgdl.sys (*** hidden *** ) [SYSTEM] kbiwkmkpjibucv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:39 AM

Posted 25 August 2009 - 08:02 PM

This is a complexe rootkit and you need the tools used in our HJT forum by our trained helpers

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Please start the prepartions, it's the safest approach for this infection. Create a link back to this thread
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users