
Rootkit infection and Smitfraud


  • This topic is locked
58 replies to this topic

#1 wildtp

wildtp

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Houston, TX, USA
  • Local time:01:50 PM

Posted 17 September 2009 - 12:30 PM

I've got this fake anti-spyware infection that has a rootkit that is stopping my McAfee and SuperAntiSpyware from working. I read a description of the removal process on this forum, and need some help getting this SOB off of my wife's laptop. I'm attaching the RootRepeal log. I couldn't do the file scan, because the malware shuts it off...but it appears to have performed all of the other scans correctly.

Thanks, Pat

Attached Files




#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:03:50 PM

Posted 03 October 2009 - 07:38 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 wildtp

Posted 05 October 2009 - 09:21 AM

Thanks for the reply. It appears that I have a rootkit infection called UACsomething. About the only thing I can get to run is root repeal, and I'm enclosing the report it gave me. My IExplorer has been hijacked, and I have to use a different computer to access the internet. I have McAfee installed, and SuperAntispyware Pro, but it can't seem to clean the machine. I tried Avenger, but it won't initiate properly. Below is the rootrepeal log, thanks for your help.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 10:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF509000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A8A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF1F1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8856000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8736000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACmtifqjxjgx.dll]
Process: svchost.exe (PID: 976) Address: 0x00a00000 Size: 65536

Object: Hidden Module [Name: UACyndexgshui.dll]
Process: svchost.exe (PID: 976) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACyndexgshui.dll]
Process: Iexplore.exe (PID: 208) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACiwlrtolxml.dll]
Process: explorer.exe (PID: 2220) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: UACyndexgshui.dll]
Process: Iexplore.exe (PID: 2316) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACepcblxewfv.sys

==EOF==
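The RootRepeal report above carries three findings a responder would want pulled out automatically: drivers whose image path ends in a stream name (win32k.sys:1 is an NTFS alternate data stream on win32k.sys, a place a legitimate driver is never loaded from), modules hidden from each process's loader list, and a service hidden from the Service Control Manager. The parser that follows is an added example, not code from this thread or from the RootRepeal author; it assumes only the section layout visible in the log (a title line over a dashed underline, records separated by blank lines), and the embedded sample is a trimmed excerpt of the report posted above.

```python
import re
from collections import defaultdict

# Trimmed from the RootRepeal report posted above (a constructed excerpt,
# kept to the records the findings below are about).
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 10:12
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF1F1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8856000 Size: 20480 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACyndexgshui.dll]
Process: svchost.exe (PID: 976) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACyndexgshui.dll]
Process: Iexplore.exe (PID: 208) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACepcblxewfv.sys

==EOF==
"""

# A section is a title line followed by a dashed underline.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+)\n-{5,}\n", re.M)
HIDDEN_MODULE_RE = re.compile(r"Hidden Module \[Name: ([^\]]+)\]")
PROCESS_RE = re.compile(r"(\S+ \(PID: \d+\))")


def parse_sections(text):
    """Return {section: [record, ...]}; each record maps the first
    'Key: value' pair of every line in one blank-line-delimited block."""
    sections = {}
    headers = list(SECTION_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        records = []
        for block in re.split(r"\n\s*\n", text[h.end():end].strip()):
            rec = {}
            for line in block.splitlines():
                key, sep, value = line.partition(": ")
                if sep:
                    rec[key.strip()] = value.strip()
            if rec:
                records.append(rec)
        sections[h.group("name").strip()] = records
    return sections


def is_ads_path(path):
    """True when the final path component names an NTFS alternate data
    stream (file.sys:stream); a legitimate driver image never does."""
    return ":" in path.rsplit("\\", 1)[-1]


def find_indicators(text):
    """Pull the three rootkit indicators out of a RootRepeal report."""
    secs = parse_sections(text)
    ads_drivers = [r["Image Path"] for r in secs.get("Drivers", [])
                   if "Image Path" in r and is_ads_path(r["Image Path"])]
    hidden = defaultdict(set)
    for r in secs.get("Stealth Objects", []):
        m = HIDDEN_MODULE_RE.search(r.get("Object", ""))
        p = PROCESS_RE.match(r.get("Process", ""))
        if m:
            hidden[m.group(1)].add(p.group(1) if p else "unknown process")
    hidden_services = [(r.get("Service Name"), r.get("Image Path"))
                       for r in secs.get("Hidden Services", [])]
    return {
        "ads_drivers": ads_drivers,
        "hidden_modules": {n: sorted(p) for n, p in hidden.items()},
        "hidden_services": hidden_services,
    }


if __name__ == "__main__":
    for kind, hits in find_indicators(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Run against the full report, the ADS check also catches win32k.sys:2, and the hidden-module map shows the same UAC*.dll injected into svchost.exe, explorer.exe and both Iexplore.exe instances, which is why every user-mode cleaner the poster tried was killed before it could finish.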

#4 DocSatan

Posted 05 October 2009 - 09:32 AM

Hello wildtp,

I'm DocSatan and I will be helping you with your Malware related computer problems.

Please give me some time to research your RootRepeal Log and I will get back to you as soon as possible. :(

In the meantime, please do not attempt to make any changes to this system, i.e., run ANY tools (Antivirus, AntiSpyware, etc.), or Delete or install anything. Any changes you make before I post a fix may interfere with my fix.

Thanks,

Doc.

#5 wildtp

Posted 05 October 2009 - 09:40 AM

OK, thanks Doc. I have already run everything under the sun since the root repeal log though. Including SDfix, Combofix, Avenger, XSoftsomething, Vipre, and SAWS Pro. I think the virus's protection characteristics shuts them down before they can run though. I can execute the "Alternate Start" on SAS Pro, but the scan gets shut down half way through. After a program is shut down, I get an error saying either the application didn't initialize properly, or access has been denied due to insufficient privileges, when I try to run the program again (by clicking the icon).

Regs, Pat

#6 DocSatan

Posted 05 October 2009 - 09:42 AM

Yes, the Rootkit is preventing all of your Tools from running.

Please do NOT try anything else until I return with a Plan. :(

Doc.

#7 wildtp

Posted 05 October 2009 - 09:47 AM

No prob...I think the Avenger kernel level program would work if I could only get the script to put in the window so it could nuke this POS on startup, before it hijacks everything. I'll wait for your instructions as requested.

#8 DocSatan

Posted 06 October 2009 - 07:35 AM

Hello wildtp,

You have a nasty Rootkit Infection: Win32k.sys:1 - Win32k.sys:2 rootkit

If you can't get internet access on the infected computer, transfer the files below from one that you can. Then follow the rest of the instructions for the infected computer.

1. Download and run Win32kDiag.exe
  • Download Win32kDiag.exe from one of the following locations and save it to your Desktop.
  • Double-click on Win32kDiag.exe and let it run.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • A text document named Win32kDiag.txt will be created and saved on to your desktop.
  • Please Copy and Paste the contents of Win32kDiag.txt in a reply to this Topic.
2. Download and run peek.bat
  • Download peek.bat from the link below and save it to your Desktop.
  • Double-click peek.bat, a black Command Prompt window will pop-up: the program is running.
  • When it is finished running the Black Command Prompt window will disappear and the text document Log.txt will open up with the results, please Copy and Paste the contents in a reply to this topic.
    • Note: A copy of Log.txt will also be saved on to your desktop, peek.bat will delete itself.
3. What I need in your next reply:
  • Contents of Win32kDiag.txt
  • Contents of Log.txt

Doc.

#9 wildtp

Posted 06 October 2009 - 04:10 PM

Hi Doc...below is the Peek log file you requested, I'm attaching the Win32KDiag log because it's so big. Thanks, Pat

Volume in drive C has no label.
Volume Serial Number is F8C1-AE96

Directory of C:\WINDOWS\$hf_mig$\KB968389\SP2QFE

02/06/2009 01:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/04/2004 07:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

08/04/2004 07:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

08/04/2004 07:00 AM 62,464 eventlog.dll
3 File(s) 649,728 bytes

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 07:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 07:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

08/04/2004 07:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
10 File(s) 2,345,472 bytes
0 Dir(s) 6,341,758,976 bytes free

Attached Files
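What peek.bat is showing in the listing above is the same three protected DLLs in several places: the live copy in system32 and the Windows File Protection copy in system32\dllcache. scecli.dll and netlogon.dll agree byte-for-byte in size between the two; eventlog.dll does not (62,464 bytes live against 55,808 in dllcache) even though both carry the identical 08/04/2004 timestamp. That is what a file patched in place with its timestamp preserved looks like, and it is the reason the helper's fix later in this thread restores eventlog.dll from dllcache. The comparison below is an added example, not part of this thread or of peek.bat: it parses the dir-style listing and classifies each DLL, treating a size mismatch with a differing timestamp only as "differs" rather than "suspect", since dllcache can legitimately lag behind a hotfixed system32 copy. The embedded listing is a constructed excerpt of the one posted above; the path names are assumed to be the defaults shown there.

```python
import re
from collections import defaultdict

# Constructed excerpt of the peek.bat listing posted above, reduced to the
# system32, dllcache and $hf_mig$ copies.
SAMPLE_LISTING = r""" Volume in drive C has no label.
 Volume Serial Number is F8C1-AE96

 Directory of C:\WINDOWS\$hf_mig$\KB968389\SP2QFE

02/06/2009 01:46 PM 408,064 netlogon.dll
 1 File(s) 408,064 bytes

 Directory of C:\WINDOWS\system32

08/04/2004 07:00 AM 180,224 scecli.dll

 Directory of C:\WINDOWS\system32

08/04/2004 07:00 AM 407,040 netlogon.dll

 Directory of C:\WINDOWS\system32

08/04/2004 07:00 AM 62,464 eventlog.dll
 3 File(s) 649,728 bytes

 Directory of C:\WINDOWS\system32\dllcache

08/04/2004 07:00 AM 180,224 scecli.dll

 Directory of C:\WINDOWS\system32\dllcache

08/04/2004 07:00 AM 407,040 netlogon.dll

 Directory of C:\WINDOWS\system32\dllcache

08/04/2004 07:00 AM 55,808 eventlog.dll
 3 File(s) 643,072 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>\S.*?)\s*$")
FILE_RE = re.compile(r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)"
                     r"\s+(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$")


def parse_listing(text):
    """Return {filename: {directory: (size_bytes, timestamp)}} from the
    'Directory of ...' / file lines of a dir-style listing."""
    files = defaultdict(dict)
    current = None
    for line in text.splitlines():
        d = DIR_RE.match(line)
        if d:
            current = d.group("dir").lower()
            continue
        f = FILE_RE.match(line)
        if f and current:
            size = int(f.group("size").replace(",", ""))
            stamp = f"{f.group('date')} {f.group('time')}"
            files[f.group("name").lower()][current] = (size, stamp)
    return dict(files)


def compare_with_dllcache(files, system32=r"c:\windows\system32"):
    """For every DLL present in both system32 and its dllcache, classify:
    match   - identical size
    suspect - identical timestamp but different size (patched in place with
              the original stamp preserved)
    differs - different size and different timestamp (possibly a hotfix that
              updated system32 ahead of dllcache; check the KB before acting)"""
    cache = system32 + r"\dllcache"
    report = {}
    for name, copies in files.items():
        live, cached = copies.get(system32), copies.get(cache)
        if live is None or cached is None:
            continue  # no WFP copy to compare against
        if live[0] == cached[0]:
            verdict = "match"
        elif live[1] == cached[1]:
            verdict = "suspect"
        else:
            verdict = "differs"
        report[name] = (verdict, live[0], cached[0])
    return report


if __name__ == "__main__":
    report = compare_with_dllcache(parse_listing(SAMPLE_LISTING))
    for name, (verdict, live, cached) in sorted(report.items()):
        print(f"{name:14s} {verdict:8s} system32={live} dllcache={cached}")
```

Size and timestamp are what a plain dir listing gives you; on a machine you can still trust to run tools, a hash comparison of the two copies is the stronger check, and a hash of the dllcache copy against a known-good SP2 eventlog.dll confirms that the cache itself has not been tampered with before it is used as the restore source.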



#10 wildtp

Posted 07 October 2009 - 09:37 PM

Yo Doc... any ideas?

#11 DocSatan

Posted 08 October 2009 - 03:59 AM

Hello wildtp,

Yo Doc... any ideas?

  • Yup! :(
  • Just waiting on the OK from my Coach. As you can see under my Avatar, I am still in training (HJT Senior Classmen).
  • I work under the guidance of a Coach, who has to "OK" all of my proposed Fixes before I can post them to the person I'm helping. Sometimes both myself and my Coach are busy with our Real Lives, or may be located in different parts of the world, so my responses may take a day or two.
  • Sorry for the wait. Should be posting a Fix here shortly. :(
Doc.

#12 wildtp

Posted 08 October 2009 - 10:56 AM

OK, thanks. Just wanted to make sure I hadn't lost you. It looks like 7 other people have downloaded that Win32kdiag log file.

#13 wildtp

Posted 08 October 2009 - 11:01 AM

One other question. When I was downloading the Win32kdiag executable, I had to go to an older machine in order to get it through the antivirus software. I kept getting flagged as trojan backdoor? Should I delete it from the other computer's desktop? Does it really pose a security risk? The other machine's already all infected anyway, but...

Thx, Pat

#14 DocSatan

Posted 09 October 2009 - 08:05 AM

Hello wildtp,

One other question. When I was downloading the Win32kdiag executable, I had to go to an older machine in order to get it through the antivirus software. I kept getting flagged as trojan backdoor?

  • The Win32kdiag executable is completely safe. :(
  • It probably gets flagged by your AV because in order to locate this Rootkit, it may have to perform some other than "Normal" functions, which is what your AV is probably catching.

It looks like 7 other people have downloaded that Win32kdiag log file.

  • That's probably me. I try to research Logs while at work as well, so I tend to click on the attachments a lot. :(
OK, here we go....

Please perform the following steps in the order that they appear!

1. Please run the following command from the Command Prompt
  • Click on Start then Run
  • Type cmd in to the area to the right of Open:
  • Click OK
  • In the Command Prompt window that opens, copy and paste the Bold text below:
    • copy C:\WINDOWS\system32\dllcache\eventlog.dll C:\ /y
  • Press the Enter key on your keyboard.
  • If successful, you should receive the following message within the Command Prompt window:
    • 1 file(s) copied
  • Exit the Command Prompt window.
  • Note: If you did not get the above message, then stop and post a reply back here telling me so. Do NOT continue with the instructions for using The Avenger
2. Please download The Avenger by Swandog46 and save it to your desktop
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits does have a tick in it.
  • Make sure that the box next to Automatically disable any rootkits found does NOT have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button
  • You will be asked, "Are you sure you want to execute the current script?"
  • Click Yes
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click Yes
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, the log: avenger.txt should automatically open.
  • If avenger.txt does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please copy and paste the contents of this log in a reply to this topic.
3. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:Link 1
  • Disable Your AntiVirus and AntiSpyware Programs
    • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
    • These programs may interfere with our fix. We will re-enable them when we are done.
  • Double click on ComboFix.exe that you just saved to your Desktop
    • Follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Re-enable the AntiVirus and AntiSpyware Programs That You Disabled earlier.
4. Run this command from the Command Prompt
  • Click on Start then Run
  • Type cmd in to the area to the right of Open:
  • Click OK
  • In the Command Prompt window that opens, copy and paste the Bold text below (quotation marks included):
    • "%userprofile%\desktop\win32kdiag.exe" -f -r
  • Press the Enter key on your keyboard.
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please copy and paste the contents of this log in a reply to this topic.
5. What I need in your next reply:
  • avenger.txt
  • ComboFix.txt
  • Win32kDiag.txt
  • Any problems executing any of the above procedures?
  • Any difference in computer performance after executing the above steps?
Doc.

#15 wildtp

Posted 09 October 2009 - 12:49 PM

Hey Doc, could not get a copy of the event log, I tried to browse to it, and couldn't find a folder named dllcache in the system32 folder. I did a file search and found eventlog.dll in the system32 folder though, so I tried to copy IT to the root directory but the computer says I can't copy it because it's being used by another person or process. So I safebooted to the command prompt and tried again, and it did the same thing. Bottom line, it won't let me copy the damned event log.



