
Max++ Rootkit Infection


This topic is locked. 62 replies to this topic.

#1 Brawgates (Members, 95 posts, Scotland)

Posted 27 September 2009 - 07:01 PM

After discovering, and probably only partially removing, intrusions from b.exe, c.exe and msa.exe a few days ago, my system developed the following symptoms:-
  • Attempts to start Malwarebytes and Spybot failed with message:-

    Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item.
  • Ad-Aware failed with message:-

    System Error: 1814 has occurred. Description: Could not login to service. Are you running the application as another user? Application terminates.
  • AVG main window opened, but scan failed to start. Email scanner became disabled.
Trawling the web for clues, it seemed that bleeping computer user dogbraincatscan had encountered much the same problem. See http://www.bleepingcomputer.com/forums/t/258086/max-rootkit-dds-rootrepeal-not-working/.

Attached are my posts from RootRepeal, DDS and Win32kDiag.

RootRepeal

Attached File: RootRepeal_090927.Ful.txt (13.58KB)

DDS

Attached File: DDS.txt (7.33KB)

Attached File: Attach.txt (13.08KB)

Win32kDiag

Attached File: Win32kDiag.txt (6KB)

As these reports seem to confirm a Max++ infection, I'd like to call upon your advice to help with its removal.

Many thanks

Peter


#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 27 September 2009 - 08:43 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training, an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains", but responses may be somewhat delayed, so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

Right click and delete Win32kDiag from your desktop.

Re-download and run Win32kDiag. Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it.
  • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

==========

I will review your logs and post instructions forthcoming.
Regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 28 September 2009 - 10:51 AM

Hi thcbytes!

Much appreciate your response. I could not have wished for a faster reply.

I've tried Options/Track this Topic and received the error message: You are already subscribed to this topic or forum.

Apologies for jumping the gun. I've now downloaded Win32kDiag.exe to my Desktop from where I tried to run it with double-click. Unfortunately it failed instantly with the now familiar message:

Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item.

Would you still like me to proceed with peek.bat or hold back for further instructions on Win32kDiag.exe before proceeding?

With kind regards

Peter

#4 thcbytes (Malware Response Team, 14,790 posts)

Posted 28 September 2009 - 01:14 PM

Hi there,
Go ahead with the peek.bat please.
Thanks for checking with me first,
~t

#5 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 28 September 2009 - 02:19 PM

Hi thcbytes

It's bad news! After downloading peek.bat to Desktop, double-click immediately gave same message:

Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item.


Back to you, I'm afraid.

Best wishes

Peter

#6 thcbytes (Malware Response Team, 14,790 posts)

Posted 28 September 2009 - 02:33 PM

Hi there,
Please try to run those scans in Safe Mode.
Thanks,
~t

#7 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 28 September 2009 - 05:05 PM

Hi thcbytes

No joy. Tried both Win32kDiag.exe and peek.bat in Safe. Same message returned instantly for both on double-click:

Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item.


Ball in your hands again!

Regards

Peter

#8 thcbytes (Malware Response Team, 14,790 posts)

Posted 29 September 2009 - 07:16 AM

Hi there,
We got one mean Rootkit here.

This is what we need to do. Please take your time and follow these instructions exactly as I have outlined.

==========

Click on..

- Start
- Run
- Copy and paste the contents of the code box excluding the word "code" into the Run box and press "Ok".
sc config eventlog start= disabled
- Re-boot <--- Important!!

==========

Next....

Restore Permissions for (Win32kDiag & peek.bat)

Please download Inherit by sUBs
  • Drag and drop (Win32kDiag) onto Inherit
  • Please confirm the prompts
  • This shall restore permissions to the application
  • The application should now run normally

    - Repeat the process -

  • Drag and drop (Peek.bat) onto Inherit
  • Please confirm the prompts
  • This shall restore permissions to the application
  • The application should now run normally
==========

Now do this....

Click on Start->Run, and copy-paste the following command (the line below) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Next......

Re-run the batch file (peek.bat):
  • Double-click peek.bat to run it.
  • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Finally...

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* Win32kDiag log
* peek.bat
* Combofix.txt

Kind regards,
~t

#9 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 29 September 2009 - 08:44 AM

Hi thcbytes

I was beginning to get the same impression! I'll hold off until this evening before attempting the fix. That way I'll be subject to fewer interruptions.

Much appreciate your continued involvement. I'll be back by the end of our day.

Kind regards

Peter

#10 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 29 September 2009 - 08:50 AM

Hi

I've just had a quick scan of the fix details. One question. Is there meant to be a space between the start= and disabled in the sc command? Better to be cautious!

Peter

#11 thcbytes (Malware Response Team, 14,790 posts)

Posted 29 September 2009 - 09:28 AM

Hello,
You are very observant. :(
Yes. Please copy and paste as posted. The space is purposeful.
Thanks,
~t

#12 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 29 September 2009 - 01:26 PM

Hello thcbytes

Not good news.

I followed the Start/Run/OK procedure on sc config eventlog start= disabled. I guess this worked correctly - a fleeting glimpse of a DOS black window. Thereafter, I immediately rebooted the PC through Restart.

My first task after reboot was to download Inherit from sUBs to the Desktop. This worked.

Then all went pear-shaped. A left button drag and drop of Win32kDiag.exe onto INHERIT.EXE immediately generated the now all-too-familiar popup:

Windows cannot access the specific device, path, or file. You may not have the appropriate permissions to access the item.


I chose not to try Peek.bat through Inherit until contacting you again.

Grim....

Sorry, but it's over to you once more.

Peter

#13 thcbytes (Malware Response Team, 14,790 posts)

Posted 29 September 2009 - 04:14 PM

Hi Peter,
Hang in there, you're doing fine. :(

Please do this....

Please open a command prompt (Start -> Run, type CMD and click OK). At the prompt, copy and paste the following command and press Enter:

DIR /a/s c:\scecli.dll netlogon.dll eventlog.dll >Log.txt&log.txt

A log will be produced.

Please post that log for my review.

Thanks,
~t

#14 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 29 September 2009 - 05:17 PM

Hello again thcbytes

Trust good old fashioned DOS to come up with some output.

========================================================

Volume in drive C has no label.
Volume Serial Number is 347F-EEDD

Directory of c:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008 01:12 181,248 scecli.dll
1 File(s) 181,248 bytes

Directory of c:\WINDOWS\system32

04/08/2004 00:56 180,224 scecli.dll
1 File(s) 180,224 bytes

Directory of c:\WINDOWS\system32\dllcache

04/08/2004 00:56 180,224 scecli.dll
1 File(s) 180,224 bytes

========================================================

Hope it's useful.

Till later

Peter

#15 Brawgates, Topic Starter (Members, 95 posts, Scotland)

Posted 29 September 2009 - 05:33 PM

Hello yet again

After sending you a copy of Log.txt, I returned to the Command Box. Thought you should know that it displayed File Not Found directly below the DIR command.

Peter
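The DIR listing asked for in post #13 and posted in #14 (with the "File Not Found" line reported in #15) invites one defender-side check that is easy to automate: for each requested DLL, does the copy under system32 agree with the Windows File Protection cache copy in system32\dllcache, and did every requested name appear at all? The script below is an added example for this thread, not code from BleepingComputer, from the helper, or from any of the tools mentioned (Win32kDiag, peek.bat, Inherit, ComboFix). It assumes the listing is available as text, that the Windows directory is c:\WINDOWS as shown in the posted output, and it embeds a constructed reproduction of that output as its sample input.

```python
"""
Check a Windows `DIR /a/s` listing for requested system DLLs.

Added example (not part of the forum thread or its tools). For each requested
file name it reports whether the system32 copy and the system32\\dllcache copy
are listed with the same size, and flags names that never appear in the
listing at all. Sizes are used because that is all a DIR listing carries.
"""
import re
from collections import defaultdict

# Constructed sample input: a reproduction of the listing from post #14,
# followed by the "File Not Found" line that post #15 says the console showed.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 347F-EEDD

 Directory of c:\\WINDOWS\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e

14/04/2008  01:12           181,248 scecli.dll
               1 File(s)        181,248 bytes

 Directory of c:\\WINDOWS\\system32

04/08/2004  00:56           180,224 scecli.dll
               1 File(s)        180,224 bytes

 Directory of c:\\WINDOWS\\system32\\dllcache

04/08/2004  00:56           180,224 scecli.dll
               1 File(s)        180,224 bytes
File Not Found
"""

# The three names the helper asked for in post #13.
REQUESTED = ("scecli.dll", "netlogon.dll", "eventlog.dll")

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# date  time  size  name   (size carries thousands separators in DIR output)
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return {filename_lower: {directory_lower: size_in_bytes}}."""
    found = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path").lower()
            continue
        entry = FILE_LINE.match(line)
        if entry and current_dir is not None:
            size = int(entry.group("size").replace(",", ""))
            found[entry.group("name").lower()][current_dir] = size
    return dict(found)


def check_system_dlls(text, requested=REQUESTED, windir="c:\\windows"):
    """Compare system32 and dllcache copies of each requested DLL by size.

    Returns {name: verdict_string}. A matching size is only a weak sanity
    check; it is not proof of integrity.
    """
    found = parse_dir_listing(text)
    sys32 = f"{windir}\\system32".lower()
    cache = f"{windir}\\system32\\dllcache".lower()
    report = {}
    for name in requested:
        copies = found.get(name.lower(), {})
        if not copies:
            report[name] = "not listed"
        elif sys32 in copies and cache in copies:
            if copies[sys32] == copies[cache]:
                report[name] = "system32 matches dllcache"
            else:
                report[name] = (f"size mismatch: system32={copies[sys32]} "
                                f"dllcache={copies[cache]}")
        elif sys32 in copies:
            report[name] = "system32 copy only (no dllcache copy listed)"
        else:
            report[name] = "no system32 copy listed"
    return report


if __name__ == "__main__":
    for name, verdict in check_system_dlls(SAMPLE_LISTING).items():
        print(f"{name:14} {verdict}")
```

On the listing from post #14 the script reports scecli.dll as matching its dllcache copy and the other two names as not listed. Treat that as a prompt for follow-up rather than a verdict: a size match cannot distinguish a clean file from a patched one of equal length, and a name missing from a DIR listing may simply reflect how the command's paths were given. Hashing the files against a known-good copy is the check that actually establishes integrity.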
