
RootKit Infection


This topic is locked. 15 replies to this topic.

#1 pendana
  • Members
  • 9 posts

Posted 22 September 2009 - 01:06 PM

My problems started September 18th. I seem to have several viruses and malware.

Computer symptoms:

I cannot download any anti-virus software, although I do have Malwarebytes Anti-Malware. I HAD AVG Antivirus, which is the software that alerted me to the infection.
I hear advertisement audio coming from my computer out of nowhere.
Access is blocked when I want to view web sites that can help me solve my problem, i.e. threatexpert or malwarebytes.org. I am using the Firefox browser with the NoScript add-on to view bleepingcomputer.com.
The Windows\system32 directory has many files that are not supposed to be there. For example, there is a file called Install.txt. I delete it but it pops back into place.
All of the HTML files on my computer are infected with an <iframe>. This does not happen with the text files on my computer.
My hosts file located at Windows\system32\drivers\etc\hosts had been changed to the <iframe> path.
Msconfig shows many start-up programs with .dll extensions such as calc.dll, scandisk.dll, and protect.dll. These .dlls are in the Users folders.
I have svchost.exe, isvchost.exe, sv1.exe, sv3.exe and svchust.exe in the Windows directory. I know that svchost.exe should only show in the Windows\system32 directory.
My browser redirects to feedonline.com and genieknows and other web sites. I have to use the Firefox add-on to avoid the redirects.
My Windows\Temp folder is full of .tmp, .dll and .bak files that are locked to the virus.

There are items on the OTL safelist that are viruses.


I will attach Root Repeal and OTL log.


Edited by pendana, 22 September 2009 - 02:49 PM.
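The symptoms in the opening post (svchost copies outside System32, a rewritten hosts file, an <iframe> injected into every HTML file) are all things a defender can check for mechanically. The script below is an added example written for this page, not a tool from the thread or from any of the utilities mentioned in it; it builds a constructed sample tree in a temp directory that mirrors those symptoms (the file names are taken from the post, the hosts entries and HTML bodies are made up) and runs three checks over it. The lookalike pattern and the loopback-only hosts rule are assumptions chosen for this demonstration.

```python
"""Indicator checks for the three symptoms listed above: svchost lookalikes
outside System32, a hosts file that maps names somewhere other than loopback,
and HTML files carrying an injected <iframe>. Runs against a constructed
sample tree built in a temp directory, never against the live system."""
import os
import re
import tempfile

# Only one svchost.exe belongs on an XP box, and it lives in <windir>\system32.
SYSTEM_ONLY = {"svchost.exe"}
# Names that imitate svchost (svchust, isvchost, sv1, sv3 ...) as in the post.
LOOKALIKE = re.compile(r"^(i?svch[ou]st|sv\d+)\.exe$", re.IGNORECASE)
IFRAME = re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE)


def find_svchost_lookalikes(windir):
    """svchost.exe anywhere but System32, plus any lookalike name anywhere."""
    hits = []
    system32 = os.path.normcase(os.path.join(windir, "system32"))
    for root, _dirs, files in os.walk(windir):
        in_system32 = os.path.normcase(root) == system32
        for name in files:
            lowered = name.lower()
            if lowered in SYSTEM_ONLY and not in_system32:
                hits.append(os.path.join(root, name))
            elif LOOKALIKE.match(name) and lowered not in SYSTEM_ONLY:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def suspicious_hosts_entries(hosts_path):
    """Hosts lines that are neither comments nor loopback mappings."""
    bad = []
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            if stripped.split()[0] not in ("127.0.0.1", "::1"):
                bad.append(stripped)
    return bad


def html_files_with_iframe(root):
    """HTML files under root containing an <iframe> tag (text files are ignored)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if IFRAME.search(fh.read()):
                    hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed layout mirroring the post's symptoms (empty stand-in files)."""
    base = tempfile.mkdtemp(prefix="rootkit_demo_")
    windir = os.path.join(base, "WINDOWS")
    etc = os.path.join(windir, "system32", "drivers", "etc")
    docs = os.path.join(base, "Documents")
    os.makedirs(etc)
    os.makedirs(docs)
    for name in ("svchost.exe", "isvchost.exe", "sv1.exe", "sv3.exe", "svchust.exe"):
        open(os.path.join(windir, name), "wb").close()  # rogue copies from the post
    open(os.path.join(windir, "system32", "svchost.exe"), "wb").close()  # legitimate
    with open(os.path.join(etc, "hosts"), "w", encoding="utf-8") as fh:
        fh.write("# constructed hosts file\n127.0.0.1 localhost\n"
                 "10.0.0.1 malwarebytes.org\n10.0.0.1 www.microsoft.com\n")
    with open(os.path.join(docs, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>hi<iframe src=\"http://example.invalid/x\" width=0>"
                 "</iframe></body></html>")
    with open(os.path.join(docs, "clean.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>clean</body></html>")
    with open(os.path.join(docs, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("the word <iframe> in a .txt file is not a hit\n")
    return base


def run_checks(base):
    """Return the three finding lists as file names / hosts lines."""
    windir = os.path.join(base, "WINDOWS")
    hosts = os.path.join(windir, "system32", "drivers", "etc", "hosts")
    docs = os.path.join(base, "Documents")
    return {
        "lookalikes": [os.path.basename(p) for p in find_svchost_lookalikes(windir)],
        "hosts": suspicious_hosts_entries(hosts),
        "iframes": [os.path.basename(p) for p in html_files_with_iframe(docs)],
    }


if __name__ == "__main__":
    for key, value in run_checks(build_sample_tree()).items():
        print(key, value)
```

On the constructed tree the lookalike check reports the five rogue copies and leaves the System32 svchost.exe alone, the hosts check reports the two non-loopback mappings, and the iframe check reports index.html but not the .txt file, matching the poster's own observation that only HTML files were touched.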



#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 September 2009 - 07:08 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 23 September 2009 - 07:37 PM

Hi Sam,

I downloaded ComboFix. I ran but got an error message that it was not safe to continue. I attached an image of the message.


Edited by pendana, 23 September 2009 - 07:49 PM.


#4 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2009 - 02:29 PM

The virus has mutated. I can no longer run Malwarebytes, RootRepeal or HijackThis. All three are met with "Windows cannot access the specified file or path. You may not have appropriate permission."

I uploaded the Win32kDiag results.


Edited by pendana, 24 September 2009 - 03:34 PM.


#5 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 September 2009 - 03:32 PM

It's protecting itself.


Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\system32\dllcache\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).


#6 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2009 - 03:46 PM

Here is the text from Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#7 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 September 2009 - 03:54 PM

Well done! :(

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



========================



Now delete any copy of combofix.exe that you have if you downloaded it previously.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#8 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2009 - 03:58 PM

The results:

Running from: C:\Users\Renisha\desktop\win32kdiag.exe

Log file at : C:\Users\Renisha\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#9 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2009 - 04:00 PM

Hi Sam,

I am in safe mode. I ran ComboFix but I got the Alert Message I mentioned above. It is not safe to Continue. :(

Edited by pendana, 24 September 2009 - 04:06 PM.


#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 September 2009 - 04:04 PM

No, it's best run from normal mode.

#11 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2009 - 04:30 PM

Hi Sam,

I am not able to run ComboFix in normal or safe mode. Possible Virut virus.

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 September 2009 - 04:53 PM

Virut is very bad. We're not going to give up yet, but you should know there is the possibility that a format and reinstall is the only option. Let's see what we can do.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32


Please post the contents of the log from DrWeb in your next reply.

#13 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2009 - 04:57 PM

Hi Sam,


I clicked the link but I got the message: Server Not Found. Firefox can't find the server at ftp.drweb.com. This virus will allow me to go to any anti-virus web site. I cannot go to malwarebytes.org, microsoft.com, for example.

Can I download the file from another source? I will look on the Internet.

Edited by pendana, 24 September 2009 - 05:00 PM.


#14 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 September 2009 - 07:14 AM

The link is working, so you're definitely being blocked from it. Let's see what we can do with OTL.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - [2009/09/21 23:32:29 | 01,167,872 | ---- | M] () -- C:\WINDOWS\svchost.exe
    PRC - [2009/09/22 12:36:33 | 01,167,872 | ---- | M] () -- C:\WINDOWS\svchust.exe
    PRC - [2009/09/22 12:37:22 | 00,115,712 | ---- | M] () -- C:\WINDOWS\sv1.exe
    SRV - [2009/09/21 23:32:29 | 01,167,872 | ---- | M] () -- C:\WINDOWS\svchost.exe -- (NetLogin [Disabled | Running])
    SRV - [2009/09/22 12:36:33 | 01,167,872 | ---- | M] () -- C:\WINDOWS\svchust.exe -- (Net_Login [Auto | Running])
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-1202660629-746137067-2052111302-1004\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-1202660629-746137067-2052111302-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [calc] C:\WINDOWS\System32\calc.DLL (Microsoft)
    O4 - HKU\.DEFAULT..\Run: [calc] C:\Users\NetworkService\protect.dll (Microsoft)
    O4 - HKU\S-1-5-18..\Run: [calc] C:\Users\NetworkService\protect.dll (Microsoft)
    O4 - HKU\S-1-5-21-1202660629-746137067-2052111302-1004..\Run: [calc] C:\Users\Renisha\protect.DLL (Microsoft)
    O4 - HKU\.DEFAULT..\RunOnce: [IESetDefaultSearchScope]  File not found
    O4 - HKU\.DEFAULT..\RunOnce: [nltide_2]  File not found
    O4 - HKU\.DEFAULT..\RunOnce: [ProfileFolderName]  File not found
    O4 - HKU\S-1-5-18..\RunOnce: [IESetDefaultSearchScope]  File not found
    O4 - HKU\S-1-5-18..\RunOnce: [nltide_2]  File not found
    O4 - HKU\S-1-5-18..\RunOnce: [ProfileFolderName]  File not found
    O4 - Startup: C:\Users\Renisha\Start Menu\Programs\Startup\scandisk.dll (Microsoft)
    O20 - AppInit_DLLs: (vihokaso.dll) -  File not found
    O20 - AppInit_DLLs: (c:\windows\system32\lijaduhi.dll) - C:\WINDOWS\System32\lijaduhi.dll File not found
    
    
    
    :Files
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\svchust.exe
    C:\WINDOWS\sv1.exe
    C:\Users\Renisha\protect.dll
    C:\WINDOWS\sv3.exe
    C:\WINDOWS\isvchost.exe
    C:\WINDOWS\System32\*.tmp
    
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

Once you've rebooted, delete the combofix.exe that you downloaded before and then download a fresh copy and try to run it. This time when you save it to your desktop name it svchost.exe
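The OTL fix script in this post is a hand-picked list of log entries, and each one was chosen for a recognisable reason: an svchost.exe or lookalike running from C:\WINDOWS rather than System32, a service marked Disabled yet Running, a Run or Startup entry that loads a .dll directly, orphaned RunOnce entries, toolbar entries with no CLSID, and a populated AppInit_DLLs value. The script below is an added example for this page (not OTL's own logic and not from the thread's helper) that encodes those reasons as triage rules and runs them over a sample made of lines from the post plus two constructed benign lines, so the rules can be seen to leave normal entries alone. The rule set and thresholds are assumptions made for this demonstration.

```python
"""Triage of OTL log lines. The entries in OTL_SAMPLE are taken from the fix
script in the post above, plus two constructed benign lines (marked) so the
rules have something to pass. Added example; not OTL's own logic."""
import re

# Names that imitate svchost (svchust, isvchost, sv1 ...), as seen in this thread.
LOOKALIKE = re.compile(r"^(i?svch[ou]st|sv\d+)\.exe$", re.IGNORECASE)

OTL_SAMPLE = r"""
PRC - [2009/09/21 23:32:29 | 01,167,872 | ---- | M] () -- C:\WINDOWS\svchost.exe
PRC - [2009/09/22 12:37:22 | 00,115,712 | ---- | M] () -- C:\WINDOWS\sv1.exe
SRV - [2009/09/21 23:32:29 | 01,167,872 | ---- | M] () -- C:\WINDOWS\svchost.exe -- (NetLogin [Disabled | Running])
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [calc] C:\WINDOWS\System32\calc.DLL (Microsoft)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_2]  File not found
O4 - Startup: C:\Users\Renisha\Start Menu\Programs\Startup\scandisk.dll (Microsoft)
O20 - AppInit_DLLs: (c:\windows\system32\lijaduhi.dll) - C:\WINDOWS\System32\lijaduhi.dll File not found
PRC - [CONSTRUCTED benign line] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft)
"""


def triage_line(line):
    """Return the list of reasons this single OTL entry deserves review."""
    reasons = []
    if line.startswith(("PRC - ", "SRV - ")):
        # Fields are separated by ' -- '; the image path is the second field.
        parts = [p.strip() for p in line.split(" -- ")]
        path = parts[1] if len(parts) > 1 else ""
        folder, _, name = path.rpartition("\\")
        if name.lower() == "svchost.exe" and not folder.lower().endswith("\\system32"):
            reasons.append("svchost.exe outside System32")
        elif LOOKALIKE.match(name) and name.lower() != "svchost.exe":
            reasons.append("svchost lookalike name")
        if line.startswith("SRV - ") and "Disabled | Running" in line:
            reasons.append("service disabled but running")
    elif line.startswith("O4 - "):
        body = line.split(": ", 1)[1] if ": " in line else ""
        bracketed = re.match(r"\[[^\]]+\]\s*(.*)$", body)
        target = bracketed.group(1) if bracketed else body
        target = re.sub(r"\s*\([^)]*\)\s*$", "", target).strip()  # drop '(Microsoft)'
        if target.lower().endswith(".dll"):
            reasons.append("Run/Startup entry loads a .dll directly")
        elif target == "File not found":
            reasons.append("orphaned autorun entry")
    elif line.startswith("O20 - AppInit_DLLs"):
        reasons.append("AppInit_DLLs set" + (" (file missing)" if "File not found" in line else ""))
    elif line.startswith("O3 - ") and "No CLSID value found" in line:
        reasons.append("toolbar entry with no CLSID")
    return reasons


def triage(text):
    """Return [(line, reasons)] for every entry that raised at least one reason."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):  # skip blanks and :OTL/:Files headers
            continue
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(OTL_SAMPLE):
        print(line[:70], "->", "; ".join(reasons))
```

Every line the helper put into the fix script is flagged (the SRV entry for two reasons), while the constructed System32 svchost.exe and ctfmon.exe lines pass, which is the separation a reviewer wants before deciding what to remove.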

#15 pendana
  • Topic Starter
  • Members
  • 9 posts

Posted 25 September 2009 - 01:41 PM

Hi Sam,

You were right. The virut is tough. I had to reformat. It became progressively worse. I did a netstat lookup and the virus had an established connection via port 65520 and it was downloading information to my computer. I tried to block it but it was persistent and slowed down my computer to the point of crashing.

Thanks for your assistance. I hope I won't need your service again. :(

Edited by pendana, 25 September 2009 - 01:45 PM.
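The poster's last observation, an established connection on port 65520 found with netstat, is the kind of evidence that is worth pulling out automatically rather than eyeballing. The script below is an added example for this page, not the poster's own procedure: it parses netstat -ano style output (the sample is constructed; only the 65520 port comes from the post, the addresses and PIDs are made up), keeps only established TCP sessions, and flags those whose remote port is either the one reported here or outside a small allowlist of ports a desktop normally talks to. The allowlist is an assumption for the demonstration.

```python
"""Flag suspicious ESTABLISHED connections in netstat -ano style output.
Added example; the sample output is constructed, with only port 65520 taken
from the poster's report above."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")

# Constructed sample in the layout Windows netstat -ano prints.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.5:1047       203.0.113.10:65520     ESTABLISHED     1520
  TCP    192.168.1.5:1052       198.51.100.7:80        ESTABLISHED     2296
  TCP    192.168.1.5:1060       198.51.100.9:443       ESTABLISHED     2296
  TCP    192.168.1.5:1071       203.0.113.22:8090      ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""

# Remote ports a home desktop is normally expected to reach (assumed allowlist).
EXPECTED_REMOTE_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}
# Ports that warrant immediate review; 65520 is the one the poster observed.
KNOWN_BAD_PORTS = {65520: "port the poster saw held open by the infection"}


def split_endpoint(endpoint):
    """'host:port' -> (host, int port); '*:*' and non-numeric ports give None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano output into Conn records (UDP rows carry no state)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        laddr, lport = split_endpoint(local)
        raddr, rport = split_endpoint(remote)
        conns.append(Conn(proto, laddr, lport, raddr, rport, state, pid))
    return conns


def flag_connections(conns):
    """Return [(conn, reason)] for established TCP sessions worth a closer look."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if c.remote_port in KNOWN_BAD_PORTS:
            findings.append((c, "known-bad remote port: " + KNOWN_BAD_PORTS[c.remote_port]))
        elif c.remote_port not in EXPECTED_REMOTE_PORTS:
            findings.append((c, "established session to an unexpected remote port"))
    return findings


def pids_to_review(findings):
    """Owning PIDs of the flagged sessions, to be matched against the process list."""
    return sorted({c.pid for c, _ in findings})


if __name__ == "__main__":
    for conn, reason in flag_connections(parse_netstat(NETSTAT_SAMPLE)):
        print(f"PID {conn.pid}: {conn.remote_addr}:{conn.remote_port} ({reason})")
    print("review PIDs:", pids_to_review(flag_connections(parse_netstat(NETSTAT_SAMPLE))))
```

On the sample, both sessions owned by PID 1520 are flagged while the browser-like sessions to ports 80 and 443 are not; the PID list is what you would then match against the running processes, which in this thread would have pointed straight at the svchost lookalikes.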




