Amazing Rootkit!


7 replies to this topic

#1 AzJazz

Posted 02 October 2009 - 07:12 AM

I have been removing friends' viruses for a looong time now (this forum is one of my main resources!), and I have never met defeat before.

I have to raise the white flag on this one, though. Hopefully, you can help!

The infected computer is running WinXP Pro SP2.

Here are the characteristics of this attack (or attacks):

- For the first few days I had the computer, no executables would run on the computer. I always saw a "What application would you like to run an .EXE file with?" standard Microsoft response for an unknown file type. It took a while, but I finally partially fixed it. "Partially", because of this:
- Now, if I do anything on the desktop (like a right-click on an icon), I see the entire desktop disappear except for the wallpaper. I can do a Ctrl-Alt-Del and get the Task Manager to run OK, but little else. Rebooting seems to start OK, but after logging in, I only see the wallpaper. No task bar, Start button, or anything else. Once I get to this point, C:\WINDOWS\explorer.exe has been corrupted. If I try to run explorer.exe directly, I get a "Windows can not access the specified device, path, or file." error message. If I boot Knoppix, I can replace a good "explorer.exe" over the corrupted version. Then, things are "fixed" again temporarily - until I do something on the desktop - which reinfects the computer.
- I can't seem to run many anti-virus/anti-malware/anti-rootkit programs. Most of the repair programs abruptly terminate without warning. If I try to re-run the same repair program again, I get a "Windows can not access the specified device, path, or file." error message. Replacing explorer.exe again temporarily fixes things.
- I submitted a corrupted version of explorer.exe to VirusTotal. Nothing was detected on 40/41 of the virus scanners. The only one that came back with a hit was: McAfee-GW-Edition 6.8.5-Heuristic.LooksLike.Win32.Luder.K
- Running anti-virus programs will occasionally cause the computer to crash to a BSOD (STOP 0x8E).
- I know that one or more other files are corrupted, but I haven't figured out which ones are damaged yet.
- I tried running MGTools, but it always terminated with an error.

Any help would be appreciated!

AzJazz

#2 nivek

Posted 02 October 2009 - 07:54 AM

I had a similar prob and used Panda online scan, found quite a lot and destroyed most. After that the PC started responding better and I was able to run utils. What finally got them was an Emsisoft a-squared scan.

Here's hoping.

#3 AzJazz

Posted 02 October 2009 - 07:56 AM

Thanks for the response! I tried a few online scans (Panda included), and they all caused the computer to BSOD.

#4 AzJazz

Posted 03 October 2009 - 12:03 AM

Is there anything I can post that can provide help on this infection?

Thanks,

AzJazz

#5 Blade

Posted 03 October 2009 - 01:55 PM

Hello and :thumbsup: to BleepingComputer

Seems like you might have a new twist on a nasty little rootkit... try this.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

~Blade

Edited by Blade Zephon, 03 October 2009 - 01:56 PM.


#6 AzJazz

Posted 04 October 2009 - 04:54 PM

Thanks, Blade Zephon -

Note - The "explorer_.exe" and "explorer.exe.old" shown below were my creations during my debugging efforts.

Here is the report:

--------------------------------

Running from: C:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\explorer.exe.old

[2] 2004-08-03 17:56:50 1032192 C:\WINDOWS\explorer.exe (Microsoft Corporation)

[1] 2005-10-15 01:07:16 1032192 C:\WINDOWS\explorer.exe.old ()

[2] 2004-08-03 17:56:50 1032192 C:\WINDOWS\explorer_.exe (Microsoft Corporation)

[2] 2005-10-15 01:07:16 1032192 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\Managed

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-03 15:56:50 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2004-08-03 15:56:50 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-03 15:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

--------------------------

Edited by AzJazz, 04 October 2009 - 04:56 PM.
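A small reader for logs in the Win32kDiag format posted above, added here as a defender's example (my code, not the thread's and not Win32kDiag's own): it flags junctions whose target is outside the `\??\` namespace or that are named after their parent directory, and inaccessible system files whose size or vendor field disagrees with the dllcache copy. The log lines are a constructed excerpt; the `\??\` rule and the Volume{...} entry are assumptions.

```python
import re
# Constructed excerpt in the Win32kDiag format above; the Volume{...} entry
# is a made-up benign junction included for contrast.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountedVolume
Mount point destination : \??\Volume{PLACEHOLDER-GUID}
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 15:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-03 15:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()
"""
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
FILE_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")  # [n] date time size path (vendor)

def analyze(text):
    """Return (kind, path, reason) tuples for log entries that deserve a closer look."""
    findings, mount, blocked, blocks = [], None, None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := MOUNT_RE.match(line):
            mount = m.group(1)
        elif (m := DEST_RE.match(line)) and mount:
            dest, parts, reasons = m.group(1), mount.split("\\"), []
            # Assumption: junctions Windows creates itself resolve into the \??\ namespace.
            if not dest.startswith("\\??\\"):
                reasons.append("destination outside \\??\\ namespace: " + dest)
            # Every hidden directory in the log above is a junction named <dir>\<dir>.
            if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
                reasons.append("junction named after its parent directory")
            if reasons:
                findings.append(("mount_point", mount, "; ".join(reasons)))
            mount = None
        elif m := CANNOT_RE.match(line):
            blocked = m.group(1)
            blocks[blocked] = []
        elif (m := FILE_RE.match(line)) and blocked:
            blocks[blocked].append((int(m.group(1)), m.group(2), m.group(3)))
    for path, entries in blocks.items():
        name = path.rsplit("\\", 1)[-1].lower()
        mine = next((e for e in entries if e[1].lower() == path.lower()), None)
        cache = next((e for e in entries if e[1].lower().endswith("\\dllcache\\" + name)), None)
        reasons = []
        if mine and not mine[2]:
            reasons.append("no vendor information")
        if mine and cache and mine[0] != cache[0]:
            reasons.append(f"size {mine[0]} differs from dllcache copy {cache[0]}")
        findings.append(("inaccessible_file", path, "; ".join(reasons) or "access denied"))
    return findings
```

Run `analyze(open("Win32kDiag.txt").read())` against a real log to get the same tuples for every suspicious junction and blocked file.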


#7 Blade

Posted 04 October 2009 - 10:33 PM

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. In your new thread you should post your Win32kDiag log (the log you just generated for me).

It would be helpful if you post a note here once you have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days (12-14 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!


#8 AzJazz

Posted 05 October 2009 - 01:42 AM

It would be helpful if you post a note here once you have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days (12-14 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!


Thanks for the support, Blade!

I have submitted a new topic here.

Cheers!

AzJazz



