Hijack.WindowsUpdates and Rootkit problem
3 replies to this topic

#1 blue_guitar

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:05 AM

Posted 14 September 2009 - 12:42 PM

Hi there

I received a warning via Malwarebytes whilst surfing that it had discovered I had picked up a Trojan.

I ran a full scan and discovered that my computer has been hijacked!

I have included my most recent log file concerning this:


Malwarebytes' Anti-Malware 1.41
Database version: 2787
Windows 5.1.2600 Service Pack 3

14/09/2009 16:35:55
mbam-log-2009-09-14 (16-35-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 578260
Time elapsed: 4 hour(s), 41 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\623ef727.sys (Rootkit.Rustock) -> Delete on reboot.

____________________________



AVG also picked up a further Trojan on restart

C:\WINDOWS\system32\drivers\ndis.sys
Trojan Horse Rootkit-Agent.DI

Process name C:\WINDOWS\system32\svhost.exe
Process ID 1432
____________________________



I then ran a further quick scan via Malwarebytes and found that
BITS and wuauserv (Hijack.WindowsUpdates),
as well as the rootkit.svchost.exe and Rootkit.Rustock, are still all showing up as infections.


What should I do?



blue_guitar
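The two "Registry Data Items Infected" lines in the log above show what Hijack.WindowsUpdates actually did: the ImagePath of the BITS and wuauserv services was changed from %SystemRoot% to %fystemRoot%. Because that variable never expands, the Service Control Manager cannot locate svchost.exe and Windows Update silently stops working, which is why the services keep being reported until the values are restored. The following Python is an added example, not Malwarebytes' own logic and not code from the thread: it parses those log lines, then checks each "Bad" ImagePath for an environment variable that cannot resolve, for a "-k" service group hosted by something other than svchost.exe, and for any drift from a known-good value. The allow-list of environment variables and the expected ImagePath values are assumptions taken from the "Good:" entries in the log; the sample log text is constructed from the lines quoted above.

```python
"""Flag the Hijack.WindowsUpdates pattern seen in the Malwarebytes log:
a service ImagePath whose %ENVVAR% reference cannot expand (%fystemRoot%),
so the service binary is never found. Example code, not Malwarebytes' logic."""
import re
from pathlib import PureWindowsPath

# Assumption: a conservative allow-list of variables a service ImagePath may
# legitimately reference. Extend it for your own environment.
KNOWN_ENV_VARS = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE",
    "PROGRAMFILES", "PROGRAMFILES(X86)", "COMMONPROGRAMFILES",
}

# Known-good values for the two services hijacked in the thread (taken from
# the "Good:" entries in the log). Keys are lower-case service names.
EXPECTED_IMAGEPATH = {
    "bits": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "wuauserv": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

ENV_REF = re.compile(r"%([^%]*)%")
# Matches a Malwarebytes "Registry Data Items Infected" line:
# <key>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> ...
MBAM_DATA_ITEM = re.compile(
    r"^(?P<key>HKEY_\S+)\\(?P<value>[^\\\s]+) \((?P<detection>[^)]+)\) "
    r"-> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
)


def _normalise(path: str) -> str:
    """Case-insensitive, whitespace-collapsed form for comparison."""
    return re.sub(r"\s+", " ", path.strip().strip('"')).lower()


def _executable_name(image_path: str) -> str:
    """Basename of the executable part of an ImagePath (quoted or first token)."""
    path = image_path.strip()
    if path.startswith('"'):
        exe = path[1:].split('"', 1)[0]
    else:
        exe = path.split()[0] if path.split() else ""
    return PureWindowsPath(exe).name.lower()


def check_imagepath(service: str, image_path: str) -> list[str]:
    """Return a list of findings for one service ImagePath; empty means clean."""
    findings = []
    # 1. Every %VAR% must be one the service controller can actually expand.
    for var in ENV_REF.findall(image_path):
        if var.upper() not in KNOWN_ENV_VARS:
            findings.append(
                f"{service}: unresolvable environment variable %{var}% in ImagePath")
    # 2. A "-k <group>" service group is only ever hosted by svchost.exe;
    #    a near-miss name such as svhost.exe is suspicious.
    exe = _executable_name(image_path)
    if re.search(r"\s-k\s", image_path) and exe != "svchost.exe":
        findings.append(
            f"{service}: '-k' service group hosted by {exe!r} instead of svchost.exe")
    # 3. Compare against the known-good value where we have one.
    expected = EXPECTED_IMAGEPATH.get(service.lower())
    if expected is not None and _normalise(image_path) != _normalise(expected):
        findings.append(
            f"{service}: ImagePath {image_path!r} differs from expected {expected!r}")
    return findings


def parse_mbam_data_items(log_text: str) -> list[dict]:
    """Extract key/value/detection/bad/good from MBAM registry-data lines."""
    items = []
    for line in log_text.splitlines():
        m = MBAM_DATA_ITEM.match(line.strip())
        if m:
            item = m.groupdict()
            item["service"] = item["key"].rsplit("\\", 1)[-1]
            items.append(item)
    return items


def scan_mbam_log(log_text: str) -> dict[str, list[str]]:
    """Run check_imagepath over every ImagePath 'Bad' value in an MBAM log."""
    return {
        item["service"]: check_imagepath(item["service"], item["bad"])
        for item in parse_mbam_data_items(log_text)
        if item["value"].lower() == "imagepath"
    }


# Constructed sample: the two data-item lines quoted in the thread.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for service, findings in scan_mbam_log(SAMPLE_LOG).items():
        print(service, "->", findings or ["clean"])
```

The unresolvable-variable check is the one that catches this particular hijack regardless of which service it lands on; the known-good comparison only fires for services you have listed, and the svchost.exe name check covers the lookalike process name AVG reported later in the thread. On a live system the same checks can be run over each service's ImagePath value read from HKLM\System\CurrentControlSet\Services rather than from a log.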

#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:05 AM

Posted 14 September 2009 - 03:03 PM

Hello and welcome. Looks like a rootkit may be at work.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 blue_guitar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:05 AM

Posted 14 September 2009 - 07:37 PM

Hi boopme

Thanks for your assistance.


I ran RootRepeal as you instructed and have posted my report to you via PM.




blue_guitar

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,221 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:05 AM

Posted 16 September 2009 - 09:11 AM

As per the logs in the PM, we need to run HJT.
To run HJT/DDS (if you cannot do a step, move on to the next):
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
