
rootkit infection: antivirus sw wont run. kbi*, UAC*, Win32KStream, Gen Detection.Vundo


This topic is locked. 2 replies to this topic.

#1 frazzld (Members, 2 posts)

Posted 02 September 2009 - 12:24 PM

OS is Windows XP.

Have a laptop that was infected with Police Pro and Total Security 2009 and ??. Initially, no antivirus software of any kind would execute, browsers couldn't be started, and the system was generally unusable. In safe mode, I experimented with various antivirus software until I found one that would run -- softZilla. Others start and close immediately or would never start (Malwarebytes' Anti-Malware, HijackThis, SuperAntiSpyware and AVG). For the ones that never start (AVG, HijackThis, SuperAntiSpyware), I get a permission error: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." But I'm running as an administrator. Malware's symptom was a little different -- the FIRST time after it's installed, it'll start the scan for 2 seconds and then terminate. Any subsequent attempt to run it gives that permission error message. If I uninstall it and reinstall it, I can then get it to run for the 2 seconds before it terminates, but any subsequent attempt gives me the permission error message. I also tried renaming the antimalware executables to another name before executing them, but that doesn't change the behavior.

softZilla cleaned some stuff up when running in Safe Mode, and then I still had to do a repair install (Windows XP) to get either Firefox or Explorer to run. The system is now at a point where I suspect a nasty rootkit. Browsers will start now, but Explorer immediately sends me popups to Fling.com and I'm clearly not in control of the browser.

In normal mode, none of the antivirus software programs will run -- HijackThis, Anti-Malware, softZilla, AVG, etc. They start, and then either close within seconds or just seem to "hang" (the process is seen in taskmgr, but never gets any CPU time even when I bump the priority to high). Softzilla tries to run in Safe Mode, but hangs after about 10 seconds. I get the same symptom when trying to run the dds tool to get a log file -- I get the initial screen (shown in the example for this forum, with the message that ends "...We only require it to run just once. Dispose after use....") and it just 'hangs'. I left it for as much as 10 minutes with no result -- I see no process in taskmgr for it.

Softzilla still complains about two viruses in the first few seconds when it is executing (before it hangs) -- Win32KStream, Gen Detection.Vundo

So, I can't run dds or HijackThis. I can't run Malwarebytes' Anti-Malware or any other antivirus software. Softzilla support sent me a file called UnHackMe by Greatis Software. Running it said it found a rootkit, but it was not able to clean up the problem. Softzilla told me to wait several weeks until they get a fix, so I decided to try this forum instead.

I am able to run RootRepeal, Sophos Anti-Rootkit scan and GMER. I only ran them to get logs; I made no attempt to interpret or clean anything based on those logs. Note that even though I have all that different antivirus stuff on the system, it's only because I was trying to find something that would run -- normally I have only one ....


Here's the Sophos Anti-Rootkit log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/2/2009 at 9:36:11 AM
User "juhreeb" on computer "TUTU"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SAM
Hidden: registry item \HKEY_LOCAL_MACHINE\SECURITY
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrwgopeto
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrwgopeto
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\kbiwkmrwgopeto
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\kbiwkmrwgopeto
Hidden: registry item \HKEY_USERS\.DEFAULT
Hidden: registry item \HKEY_USERS\S-1-5-18
Hidden: registry item \HKEY_USERS\S-1-5-18_Classes
Hidden: registry item \HKEY_USERS\S-1-5-19
Hidden: registry item \HKEY_USERS\S-1-5-19_Classes
Hidden: registry item \HKEY_USERS\S-1-5-20
Hidden: registry item \HKEY_USERS\S-1-5-20_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-834382569-130900324-2095098545-1006
Hidden: registry item \HKEY_USERS\S-1-5-21-834382569-130900324-2095098545-1006_Classes
Hidden: registry item \HKEY_USERS\S-1-5-21-834382569-130900324-2095098545-500
Hidden: registry item \HKEY_USERS\S-1-5-21-834382569-130900324-2095098545-500_Classes
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\kbiwkmqowtskqw.sys
Hidden: file C:\WINDOWS\system32\kbiwkmkilrlopx.dll
Hidden: file C:\WINDOWS\system32\kbiwkmbtirntnb.dat
Hidden: file C:\WINDOWS\system32\kbiwkmyqcxmwhv.dll
Hidden: file C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Hidden: file C:\Program Files\AVG\AVG8\avgcsrvx.exe
Hidden: file C:\Documents and Settings\juhreeb\Local Settings\Temporary Internet Files\Content.IE5\GTMY2ZST\vxqSWVbbwQwzawQrUmgQPcADa1U%2FB%3DpVz1MEWTSRA-%2FJ%3D1235239160205974%2FA%3D5404711%2FR%3D0%2F%2A%24,http%3A%2F%2Fus.mc392.mail.yahoo.com%2Fmc%2Fwelcome%3F[1].htm
Hidden: file C:\WINDOWS\Temp\kbiwkmjemkeqxvju.tmp
Hidden: file C:\WINDOWS\Temp\kbiwkmbwhibpxdst.tmp
Hidden: file C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
Hidden: file C:\WINDOWS\Temp\kbiwkmfvrhvcxtpe.tmp
Hidden: file C:\WINDOWS\system32\kbiwkmequqtwul.dat
Hidden: file C:\Documents and Settings\juhreeb\Local Settings\Temp\kbiwkmvspuycjneu.tmp
Hidden: file C:\Documents and Settings\juhreeb\Local Settings\Temp\kbiwkmlqecxshpmt.tmp
Hidden: file C:\WINDOWS\system32\kbiwkmrrskbpcb.dat
Hidden: file C:\Program Files\UnHackMe\reanimator.exe
Hidden: file C:\WINDOWS\Temp\kbiwkmnwbwtsqcye.tmp
Hidden: file C:\Program Files\UnHackMe\Unhackme.exe
Hidden: file C:\WINDOWS\system32\kbiwkmcbltabuh.dat
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\WINDOWS\Temp\kbiwkmiquiqyevyx.tmp
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\WINDOWS\system32\eventlog.dll
Hidden: file C:\WINDOWS\system32\drivers\dda7731a.sys
Info: Starting disk scan of E: (FAT).
Stopped logging on 9/2/2009 at 10:18:45 AM

Here's the GMER log:
GMER 1.0.15.15077 [z4zqzshv.exe] - http://www.gmer.net
Rootkit quick scan 2009-09-02 10:34:22
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 856A35F0 ZwEnumerateKey
Code 856B9A48 ZwFlushInstructionCache
Code 856501D6 ZwSaveKey
Code 8545321E ZwSaveKeyEx
Code 8563F346 IofCallDriver
Code 8547E23E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device dda7731a.sys
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip dda7731a.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp dda7731a.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp dda7731a.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp dda7731a.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\dda7731a.sys (*** hidden *** ) [SYSTEM] dda7731a <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\kbiwkmqowtskqw.sys (*** hidden *** ) [SYSTEM] kbiwkmrwgopeto <-- ROOTKIT !!!
Service system32\drivers\UACrgwrubqhol.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


The root repeal log file is attached.

I would greatly appreciate assistance. My mom needs her computer back, but starting over by reinstalling isn't a very good option for her; that's obviously my last resort if this puppy is just too sick to fix....

Thanks very much,

Attached Files
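The two logs in the post above are long, and the signal in them is structural rather than in any single line: a run of files with one shared random-looking prefix scattered across system32, drivers and Temp, a hidden service key carrying the same prefix, hidden copies of the poster's own security tools, and GMER hidden services whose driver Sophos also could not see. The following triage script is an added example, not code from the post or from Sophos or GMER; it parses the line formats visible above and cross-references them. Assumptions it makes: the "Hidden: file" / "Hidden: registry item" / "Service ... (*** hidden *** )" line formats as they appear in the post, a 6-character prefix and a minimum cluster size of 3 as heuristic thresholds, and that HKLM\SAM and HKLM\SECURITY showing as hidden is expected noise (those hives are not readable by administrator accounts) rather than evidence. The sample input is a constructed subset of the logged lines.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the Sophos Anti-Rootkit and GMER lines
# quoted in the post above, reproduced verbatim (raw strings keep the backslashes).
SOPHOS_LOG = r"""
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SAM
Hidden: registry item \HKEY_LOCAL_MACHINE\SECURITY
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrwgopeto
Hidden: registry item \HKEY_USERS\S-1-5-18
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\kbiwkmqowtskqw.sys
Hidden: file C:\WINDOWS\system32\kbiwkmkilrlopx.dll
Hidden: file C:\WINDOWS\system32\kbiwkmbtirntnb.dat
Hidden: file C:\WINDOWS\system32\kbiwkmyqcxmwhv.dll
Hidden: file C:\WINDOWS\Temp\kbiwkmjemkeqxvju.tmp
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Hidden: file C:\WINDOWS\system32\drivers\dda7731a.sys
Hidden: file C:\WINDOWS\system32\eventlog.dll
"""

GMER_LOG = r"""
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\dda7731a.sys (*** hidden *** ) [SYSTEM] dda7731a <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\kbiwkmqowtskqw.sys (*** hidden *** ) [SYSTEM] kbiwkmrwgopeto <-- ROOTKIT !!!
Service system32\drivers\UACrgwrubqhol.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
"""

# Line formats as they appear in the posted logs (assumption: no other variants).
HIDDEN_FILE_RE = re.compile(r"^Hidden: file (?P<path>.+)$")
HIDDEN_KEY_RE = re.compile(r"^Hidden: registry item (?P<key>.+)$")
GMER_SERVICE_RE = re.compile(
    r"^Service (?P<image>.+?) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)"
)

# Hives an administrator cannot read anyway; a scanner listing them as hidden
# is expected noise, not evidence (analyst assumption, see lead-in).
EXPECTED_HIDDEN_KEYS = {r"\HKEY_LOCAL_MACHINE\SAM", r"\HKEY_LOCAL_MACHINE\SECURITY"}


def win_basename(path):
    """Last component of a Windows path or registry key."""
    return path.rsplit("\\", 1)[-1]


def parse_sophos(text):
    """Return (hidden_files, hidden_registry_keys) from a Sophos Anti-Rootkit log."""
    files, keys = [], []
    for line in text.strip().splitlines():
        m = HIDDEN_FILE_RE.match(line)
        if m:
            files.append(m.group("path"))
            continue
        m = HIDDEN_KEY_RE.match(line)
        if m:
            keys.append(m.group("key"))
    return files, keys


def parse_gmer_services(text):
    """Return one dict (image, start, name) per hidden service in a GMER log."""
    matches = (GMER_SERVICE_RE.match(line) for line in text.strip().splitlines())
    return [m.groupdict() for m in matches if m]


def prefix_clusters(paths, prefix_len=6, min_count=3):
    """Group hidden files by the first prefix_len chars of their lowercase stem.

    Random per-file names that share one fixed prefix are what the thread's
    title abbreviates as kbi* / UAC*; clusters below min_count are dropped.
    """
    groups = defaultdict(list)
    for p in paths:
        stem = win_basename(p).lower().split(".")[0]
        if len(stem) >= prefix_len:
            groups[stem[:prefix_len]].append(p)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def triage(sophos_text, gmer_text):
    """Cross-reference both logs and return the findings an analyst would review."""
    files, keys = parse_sophos(sophos_text)
    services = parse_gmer_services(gmer_text)
    hidden_names = {win_basename(f).lower() for f in files}
    clusters = prefix_clusters(files)
    return {
        "clusters": clusters,
        # registry keys worth a look once the expected-noise hives are removed
        "review_keys": [k for k in keys if k not in EXPECTED_HIDDEN_KEYS],
        # service keys whose name carries a prefix seen in a file cluster
        "service_keys_in_cluster": [
            k for k in keys if any(win_basename(k).lower().startswith(p) for p in clusters)
        ],
        "hidden_services": [s["name"] for s in services],
        # GMER hidden services whose driver image Sophos also could not see
        "corroborated": [
            s["name"] for s in services if win_basename(s["image"]).lower() in hidden_names
        ],
        # the user's own security tools being hidden matches the "won't run" symptom
        "hidden_tools": [f for f in files if f.lower().startswith("c:\\program files\\")],
    }


if __name__ == "__main__":
    for key, value in triage(SOPHOS_LOG, GMER_LOG).items():
        print(f"{key}: {value}")
```

Run it and the kbiwkm cluster, the matching hidden service key, the two GMER services corroborated by Sophos, and the hidden HijackThis and mbam executables come out as separate findings; the UACd.sys service is reported but not corroborated because its driver is not in the sample. The thresholds are heuristics, and any scanner run on the infected host can itself be deceived, so results like these are a reason to move to an offline or clean-boot scan, not a verdict on their own.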




#2 frazzld (Topic Starter, Members, 2 posts)

Posted 03 September 2009 - 02:52 PM

This can be closed - I resolved it [I don't see a way for me to close it on my own...]

Since I was prepared to format/reinstall, I took a chance and ran ComboFix as described in many other responses. It identified/removed the rootkits (all 3 of them), and then I was able to run Malwarebytes' Anti-Malware, which then removed the remaining viruses. My only remaining issue is that, since I did a repair install early in the process when I couldn't get a desktop, I now have to figure out why Windows Update won't let me update the installation, and I am working with Microsoft on that.

For now, I'm virus free thanks to ComboFix (yes, I know, don't use it unless told to, as it can be dangerous, etc.)

Thanks for the forum. Even though I didn't get assistance from experts, the advice on the ones where responses were provided was of great assistance. :(

#3 Orange Blossom (OBleepin Investigator, Moderator, 36,801 posts; Location: Bloomington, IN)

Posted 04 September 2009 - 12:19 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(



