
Very interesting malware here.. i need some assistance


  • This topic is locked
4 replies to this topic

#1 SyXX

SyXX

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 27 August 2009 - 01:36 PM

One of my client machines here at work ended up with this. I haven't run into malware I couldn't remove yet, but this one is giving me real problems.

HJT, MBAM, ComboFix, RootRepeal and everything else related... I have run these every different way I can think of, but when any of them begin to scan, the process closes, the exe gets corrupted and the permissions get changed. The exe files will not run until you install a new copy.

GMER is the ONLY thing that I have got that will actually scan enough to pick something up without the above happening. However, if I enable the file scanning, it will do just as the others. So here is what I have of my GMER log:

GMER 1.0.15.15077 [gamer.exe] - http://www.gmer.net
Rootkit scan 2009-08-27 13:27:52
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[860] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\27EEFA66.x86.dll
.text C:\WINDOWS\Explorer.exe[860] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\27EEFA66.x86.dll
.text C:\WINDOWS\Explorer.exe[860] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\27EEFA66.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[860] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\27EEFA66.x86.dll
IAT C:\WINDOWS\Explorer.exe[860] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\27EEFA66.x86.dll
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\27EEFA66.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [528] 0x35670000
Library \\?\globalroot\Device\__max++>\27EEFA66.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [860] 0x35670000
Library \\?\globalroot\Device\__max++>\27EEFA66.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1176] 0x35670000

---- EOF - GMER 1.0.15 ----


Keep in mind, that this is ALL I can get. And GMER will NOT delete, dump or kill anything. EVERYTHING is greyed out on all of the tabs. Something is going to have to be done manually, or by script. Any help with this is appreciated. Thanks in advance.
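A way to triage a GMER log like the one in the post above, added here as an example that is not part of the original post or of GMER: it parses the inline-hook, IAT and library lines and groups them by the module they point to. The regular expressions cover only the line shapes seen in this log, and treating a module that is hidden or not on a drive-letter path as suspicious is an assumption.

```python
import re
from collections import defaultdict

# Four lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.exe[860] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\27EEFA66.x86.dll
IAT C:\WINDOWS\Explorer.exe[860] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\27EEFA66.x86.dll
Library \\?\globalroot\Device\__max++>\27EEFA66.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [528] 0x35670000
Library \\?\globalroot\Device\__max++>\27EEFA66.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [860] 0x35670000
"""

PROC = r"(?P<proc>.+?)\s*\[(?P<pid>\d+)\]"  # process path followed by [pid]
# Assumption: these patterns cover only the line shapes seen in this log.
PATTERNS = {
    "inline": re.compile(r"^\.text\s+" + PROC + r"\s+(?P<api>\S+!\S+) \+ \w+\s+\w+"
                         r"\s+\d+ Bytes\s+(?:CALL|JMP)\s+\w+\s+(?P<mod>.+)$"),
    "iat": re.compile(r"^IAT\s+" + PROC + r"\s+@\s+.+?\s+\[(?P<api>[^\]]+)\]"
                      r"\s+\[\w+\]\s+(?P<mod>.+)$"),
    "library": re.compile(r"^Library\s+(?P<mod>.+?)\s+\((?P<flag>[^)]*)\)\s+@\s+"
                          + PROC + r"\s+0x[0-9A-Fa-f]+$"),
}
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # ordinary on-disk module path

def parse_gmer(text):
    """Return one dict per hook or loaded-library line recognised in a GMER log."""
    entries = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                entries.append({"kind": kind, **m.groupdict()})
                break
    return entries

def suspicious_modules(entries):
    """Group entries by module; keep modules that are hidden or off a drive-letter path."""
    report = defaultdict(lambda: {"pids": set(), "apis": set(), "hidden": False})
    for e in entries:
        hidden = "hidden" in (e.get("flag") or "")
        if not hidden and DRIVE_PATH.match(e["mod"]):
            continue
        r = report[e["mod"]]
        r["pids"].add(int(e["pid"]))
        r["hidden"] = r["hidden"] or hidden
        r["apis"].update(filter(None, [e.get("api")]))  # library lines carry no API
    return dict(report)

if __name__ == "__main__":
    print(suspicious_modules(parse_gmer(SAMPLE_LOG)))
```
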



#2 SyXX


Posted 27 August 2009 - 01:40 PM

I forgot to mention, this had PC AntiSpyware 2010 and Windows Security Suite on it initially, but I removed those fairly easily. This rootkit is a tougher one to crack, though.

#3 SyXX


Posted 27 August 2009 - 02:07 PM

DDS and Rootkit Revealer close in the manner described above as well.
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 27 August 2009 - 11:05 PM.


#4 SyXX


Posted 28 August 2009 - 02:02 PM

Rootkit Removed

For anyone who is interested, I ran "Win32kdiag.exe -f -r" to remove the mount points, then used Avenger to restore the infected system files with originals. Ran ComboFix, MBAM and installed additional protection.

#5 Guest_The weatherman_*


Posted 09 September 2009 - 06:06 PM

Thank you for sharing that with us SyXX.



