
Rootkit issue shuts down any anti malware software


  • This topic is locked
4 replies to this topic

#1 kleach

  • Members
  • 21 posts

Posted 08 September 2009 - 04:05 PM

I am running Vista... and have AntiVir Guard running..
AntiVir does report a random bogus file name with a TR/Alureon.BF.2 signature in it.
I have been battling this for 24 hours now.. and need help.
I had a UACd.sys stealth service running but RootRepeal no longer sees it. I tried to remove it with Avenger and made some progress..


The previous person tried these tools..
SuperAntiSpyware: Got this to install after many tries.. but when run, like all other apps, it dies in the middle of processing.
I tried to remove it with the uninstall tool but ComboFix still thinks it is there.
Malwarebytes: Same deal here.. shuts down mid-run.
ComboFix: Got this to finally install.. when I go to run (with AntiVir off) it takes a restore point and never advances (sat all night). Same is true for safe mode..
I don't think he had this installed correctly.. It does not get far before it hangs.. combofix /w did not take it all out..
HijackThis: I just downloaded the latest copy.. was able to rename the exe and run quickly and get a log ..see below.. but it shut down right after...
UAC is off
Internet access is blocked via SonicWall

RootRepeal will run..
If I try to run a Files scan it will crash the app and change the permissions so I can't run it again..
Process Explorer is one of the only apps that will run..

Here is the basic RootRepeal log (minus the "Files" section):
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 12:14
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_dumpfve.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
Address: 0x8B61B000 Size: 69632 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8B5A8000 Size: 471040 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9A380000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8B683000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8B688000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1216 Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x9568519c

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x95685188

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x9568518d

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x95685197

==EOF==


Ran BitDefender online scan.
I loaded / installed and started scanning.. then the entire browser shut down in the middle of scanning.. now I can't use IE again.. (until I reset the permissions)
It is as if whatever is causing the issue is scanned.. it closes the app that is scanning and changes the permissions of that app so you can't run it again.

I ran RootkitBuster from Trend Micro.. same deal.. runs up to a point and crashes.. then I get locked out..
I did play with this one a little and I am able to cleanly run the MBR, Process and Driver tests.. the Reg test is what kills the app itself.

There do not seem to be any files in the system that even begin with UAC now..
Lots of stuff tries to get into c:\users\kenl\appdata\local\temp

There is SOMETHING running that prevents me from running ANY tools that can help..
At this point I am looking for any help... this one is annoying..

Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:35 PM, on 9/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Active ShutDown\asd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\anti virus tools\HJThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - S-1-5-21-823518204-1677128483-725345543-1004 Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe (User '?')
O4 - Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Global Startup: PC Monitor.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://trend/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...p;noreloadredir
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://trend/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://trend/officescan/console/ClientInstall/setup.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://trend/officescan/console/ClientInst.../RemoveCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF72558A-1900-463B-8422-578D08A3BB88}: NameServer = 68.9.16.25,68.9.16.30
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\MicrosoftOffice2003\Office12\GrooveSystemServices.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PRTG 7 Core Server Service (PRTG7CoreService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Server.exe
O23 - Service: PRTG 7 Probe Service (PRTG7ProbeService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: WinFtp Server Service (WinFTP Server Service) - Network Software - C:\Program Files\WinFTP Server\WFTPSRV.exe

--
End of file - 6092 bytes


Any help is greatly appreciated..

I am stuck..
-Ken
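The RootRepeal log above carries three kinds of indicator: driver images the scanner could not find on disk ("File Visible: No"), processes it could not open through the normal API ("Locked to the Windows API!"), and SSDT entries redirected to an address it could not attribute to any loaded module. The four hooked calls (NtOpenProcess, NtOpenThread, NtCreateThread, NtTerminateProcess) are exactly the ones a kernel module would intercept to deny handles to, or kill, security tools, which matches the "every scanner dies mid-run" symptom, though the log alone does not say which driver owns them. The following Python script is an added example, not part of the post and not RootRepeal's own code: it parses the report format as quoted and pulls out those indicators. SAMPLE_REPORT is constructed from a subset of the log in the post; the BENIGN_HIDDEN allowlist (crash-dump driver copies and rootrepeal.sys are expected to show "File Visible: No") and the PROCESS_ACCESS_SYSCALLS set are assumptions of the script, not something the tool reports.

```python
"""Triage a RootRepeal report: hidden drivers, API-locked processes, SSDT hooks.
Added example for this thread, not RootRepeal's code. SAMPLE_REPORT is built from
the log in the post (a subset); BENIGN_HIDDEN and PROCESS_ACCESS_SYSCALLS are
assumptions of this script, not something the tool reports."""
import re

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9A380000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8B683000 Size: 20480 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x9568519c

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x95685188

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x9568518d

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x95685197

==EOF==
"""

FIELDS = ("Name", "Image Path", "Address", "Size", "File Visible", "Signed",
          "Status", "Path", "PID", "#", "Function Name")
_ALT = "|".join(re.escape(f) for f in FIELDS)
# A value runs until the next "Field: " token, which may sit on the same line.
FIELD_RE = re.compile(rf"({_ALT}): (.*?)(?=\s+(?:{_ALT}): |\Z)")
HOOK_RE = re.compile(r'Hooked by "(.*?)" at address (0x[0-9A-Fa-f]+)')
# Assumed allowlist of images expected to be "File Visible: No" on a clean box.
BENIGN_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.I)
# Assumed set: calls that gate opening/killing processes; a module that
# intercepts them can deny handles to, or terminate, the processes it chooses.
PROCESS_ACCESS_SYSCALLS = {"NtOpenProcess", "NtOpenThread",
                           "NtCreateThread", "NtTerminateProcess"}


def parse_sections(report):
    """Map section title -> list of record dicts; records are blank-line separated."""
    lines, sections, current, block = report.splitlines(), {}, None, []

    def flush():
        if current is not None and block:
            sections[current].append(dict(FIELD_RE.findall("\n".join(block))))
        block.clear()

    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("-----"):            # title line: Drivers/Processes/SSDT
            flush()
            current = line.strip()
            sections[current] = []
        elif line.startswith(("-----", "==EOF==")) or not line.strip():
            flush()
        elif current is not None:
            block.append(line)
    flush()
    return sections


def triage(report):
    """Flag what RootRepeal itself marks, then characterise the SSDT hooks."""
    s = parse_sections(report)
    hooks = []                                 # (function, owner, address)
    for e in s.get("SSDT", []):
        m = HOOK_RE.match(e.get("Status", ""))
        if m:
            hooks.append((e["Function Name"], m.group(1), int(m.group(2), 16)))
    addrs = [a for _, _, a in hooks]
    return {
        "hidden_drivers": [d["Name"] for d in s.get("Drivers", [])
                           if d.get("File Visible") == "No"
                           and not BENIGN_HIDDEN.match(d.get("Name", ""))],
        "locked_processes": [f"{p['Path']} (PID {p['PID']})" for p in s.get("Processes", [])
                             if p.get("Status", "").startswith("Locked to the Windows API")],
        "hooks": hooks,
        # Unattributed hooks a few bytes apart point at one module; 5-byte
        # spacing is consistent with consecutive x86 jmp stubs.
        "all_unknown_owner": bool(hooks) and all(o == "<unknown>" for _, o, _ in hooks),
        "process_access_hooked": sorted({f for f, _, _ in hooks} & PROCESS_ACCESS_SYSCALLS),
        "address_span": max(addrs) - min(addrs) if addrs else 0,
    }
```

`triage(SAMPLE_REPORT)` reports win32k.sys:1 as the only non-allowlisted hidden image, the System process as API-locked, and four hooks from an unreported owner spanning 20 bytes that cover every call in the process-access set. For a real report, pass `open(path).read()` instead; the hidden-driver list is only a starting point, since RootRepeal's win32k.sys:N entries and other legitimate images need to be judged against a known-good baseline rather than a two-entry allowlist.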


#2 kleach
  • Topic Starter
  • Members
  • 21 posts

Posted 08 September 2009 - 04:44 PM

Update..
I was able to cleanly remove ComboFix (there were two installs).
I noticed that System Restore was disabled..
I removed the DisableSR reg entry from
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
and it was enabled..
I reinstalled ComboFix and ran it..
It completed the restore point and is now running
(I have the 10 min + message on the screen now)
Also Avira was uninstalled (so ComboFix could run better)
It still complained about the SuperAntiSpyware scanner running ... but I have not found it.. it may be picking up PRTG??

I will update with any progress with ComboFix
-Ken

Hello kleach,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 08 September 2009 - 05:03 PM.


#3 kleach
  • Topic Starter
  • Members
  • 21 posts

Posted 09 September 2009 - 02:00 PM

Title was: ALG.exe is blocking internet access ~ OB

I am running Vista.. and I posted earlier with a rootkit issue.
I have resolved most of the errors.. and can now run Malwarebytes (which is clean) and HijackThis etc..
Windows firewall is off.
UAC is off

The only issue I see is that when I run
I get a warning that alg.exe has a rootkit issue... but it is NOT running..
How can I replace alg.exe (I have a good copy elsewhere)?
It is locked down.. and in the windows\system32 dir it will not let me change the name or delete/replace it.
I did not want to use Avenger on a system file until I heard from you..

The only issue I notice is that OUTLOOK 2007 does not send and receive emails properly.. it hangs..
I was able to do a Windows update..
I was able to clean the Outlook file with SCANPST.exe but still get issues..

Here is the Hijack Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:25 PM, on 9/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Active ShutDown\asd.exe
C:\Program Files\PRTG Network Monitor\PRTG System Tray Notifier.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\MicrosoftOffice2003\Office12\OUTLOOK.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\anti virus tools\HiJackThis3.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - S-1-5-21-823518204-1677128483-725345543-1004 Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe (User '?')
O4 - S-1-5-21-823518204-1677128483-725345543-1004 Startup: PRTG System Tray Notifier.lnk = C:\Program Files\PRTG Network Monitor\PRTG System Tray Notifier.exe (User '?')
O4 - Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe
O4 - Startup: PRTG System Tray Notifier.lnk = C:\Program Files\PRTG Network Monitor\PRTG System Tray Notifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Monitor.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://trend/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://trend/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://trend/officescan/console/ClientInstall/setup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF72558A-1900-463B-8422-578D08A3BB88}: NameServer = 68.105.28.11,68.105.29.11
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\MicrosoftOffice2003\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PRTG 7 Core Server Service (PRTG7CoreService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Server.exe
O23 - Service: PRTG 7 Probe Service (PRTG7ProbeService) - Paessler AG - C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: WinFtp Server Service (WinFTP Server Service) - Network Software - C:\Program Files\WinFTP Server\WFTPSRV.exe

--
End of file - 4677 bytes

Edited by Orange Blossom, 09 September 2009 - 08:08 PM.
Merged topics. ~ OB


#4 pwgib

  • Malware Response Team
  • 2,957 posts

Posted 23 September 2009 - 06:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#5 teacup61

  • Malware Response Team
  • 17,075 posts

Posted 30 September 2009 - 12:30 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic