
Need help - rootkit?


  • This topic is locked
4 replies to this topic

#1 jjng

jjng

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 26 October 2009 - 12:06 AM

I had a trojan a couple months ago that I thought I had gotten rid of with MBAM and SAS. Posted here because I was unable to get into Safe Mode and also thought I got that taken care of. Original thread here:
http://www.bleepingcomputer.com/forums/t/252828/trying-to-get-rid-of-trojan-and-cant-get-into-safe-mode/

Had a couple of suspicious popup windows last week and ran MBAM and SAS again. Got rid of some malware, but it looked like there was a rootkit infection. I searched online and ran RootkitRevealer which found a number of discrepancies. MBAM and SAS are not detecting anything now. I also ran Dr. Web CureIt. At the end of the complete scan, it said there were no infections detected, but then when I close the program, it pops up with a window that says "Viruses or suspicious objects have been detected during the scanning." and gives the path to the quarantine location and log. But when I go to the folder, there is no Quarantine folder, and the log does not indicate anything detected.

I'm including the Rootkit Revealer log below. Based on the timestamps on some of the items, it looks like this may all be related to my original problem a couple months ago. But there are even some older items, and this was a laptop that I just purchased from Overstock.com as a refurbished product about 3 months ago. Is it possible that it came with the infections? The first thing I did when I got the computer was to run Windows Update and install AVG and ZoneAlarm, so I've been wondering how I've been getting so many viruses.

What do I do now? Do you need the logs from any of my other scans? Thanks!

Jennifer

-----------------------------
HKLM\SECURITY\Policy\Secrets\SAC* 8/9/2004 2:12 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/9/2004 2:12 PM 0 bytes Key name contains embedded nulls (*)
C:\RRUbackups\Documents and Settings 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 7/28/2009 11:03 PM 24 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-216019207-42355900-526556023-500 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-216019207-42355900-526556023-500\f8e541ae-e6b8-4259-bb59-0cd9b5ecc519 7/28/2009 11:03 PM 388 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-216019207-42355900-526556023-500\Preferred 7/28/2009 11:03 PM 24 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 7/28/2009 11:10 PM 24 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-216019207-42355900-526556023-500 8/23/2009 9:03 PM 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-216019207-42355900-526556023-500\f8e541ae-e6b8-4259-bb59-0cd9b5ecc519 7/28/2009 11:10 PM 388 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-216019207-42355900-526556023-500\Preferred 7/28/2009 11:10 PM 24 bytes Hidden from Windows API.
C:\RRUbackups\hints.dat 7/28/2009 11:10 PM 8.00 KB Hidden from Windows API.
C:\RRUbackups\pu.dat 7/28/2009 11:10 PM 224 bytes Hidden from Windows API.
C:\RRUbackups\SAM 7/28/2009 11:10 PM 256.00 KB Hidden from Windows API.
C:\RRUbackups\system 7/28/2009 11:10 PM 4.75 MB Hidden from Windows API.
C:\RRUbackups\system.dat 7/28/2009 11:10 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\IRFTP.EXE-3057F4F7.pf 10/25/2009 9:53 PM 15.14 KB Hidden from Windows API.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,762 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:45 AM

Posted 26 October 2009 - 11:14 AM

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

RKR scans the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded (trailing) nulls. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings.

If you're unsure how to use RKR or read its logs, you should not be using it. Some ARK tools are intended for advanced users or to be used under the guidance of an expert as they are powerful and can be misused with disastrous results. There are many free ARK tools but some require a certain level of expertise and investigative ability to use.

These are a few of the easier ARKs for novice users:

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

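A small triage helper for RootkitRevealer output, added here as an example; it is not code from the thread or from the Sysinternals tool. It parses the log format quoted in the first post, marks the HKLM\SECURITY\Policy\Secrets SAC*/SAI* embedded-null keys as expected noise per the explanation above, and groups the remaining "Hidden from Windows API" entries by top-level directory so a reviewer can see where they cluster. The sample lines are a constructed subset copied from the first post's log.

```python
import re
from collections import Counter

# Sample input: a handful of lines copied from the RootkitRevealer log in
# the first post (constructed subset, not a full log).
SAMPLE_LOG = """\
HKLM\\SECURITY\\Policy\\Secrets\\SAC* 8/9/2004 2:12 PM 0 bytes Key name contains embedded nulls (*)
HKLM\\SECURITY\\Policy\\Secrets\\SAI* 8/9/2004 2:12 PM 0 bytes Key name contains embedded nulls (*)
C:\\RRUbackups\\hints.dat 7/28/2009 11:10 PM 8.00 KB Hidden from Windows API.
C:\\RRUbackups\\SAM 7/28/2009 11:10 PM 256.00 KB Hidden from Windows API.
C:\\WINDOWS\\Prefetch\\IRFTP.EXE-3057F4F7.pf 10/25/2009 9:53 PM 15.14 KB Hidden from Windows API.
"""

# One RKR line: <path> <M/D/YYYY h:mm AM|PM> <size> <discrepancy description>
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB)) "
    r"(?P<desc>.+)$"
)

# Windows itself creates these embedded-null secret keys (see the reply above),
# so RootkitRevealer reports them on a clean system too.
EXPECTED_NULL_KEYS = {"SAC*", "SAI*"}
SECRETS_HIVE = "HKLM\\SECURITY\\POLICY\\SECRETS\\"

def parse_line(line):
    """Return the fields of one log line, or None if it is not an RKR entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """'expected' for documented benign noise, 'review' for anything else RKR flags."""
    path, desc = entry["path"], entry["desc"]
    if desc.startswith("Key name contains embedded nulls"):
        hive, _, key = path.upper().rpartition("\\")
        if hive + "\\" == SECRETS_HIVE and key in EXPECTED_NULL_KEYS:
            return "expected"
        return "review"
    if desc.startswith("Hidden from Windows API"):
        return "review"
    return "unknown"

def triage(log_text):
    """Count verdicts and group hidden paths by their top-level directory."""
    verdicts, hidden_roots = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        verdicts[verdict] += 1
        if verdict == "review" and entry["desc"].startswith("Hidden"):
            # Many hidden items under one unfamiliar directory (C:\RRUbackups
            # here) are a better lead than isolated ones; group them.
            root = "\\".join(entry["path"].split("\\")[:2])
            hidden_roots[root] += 1
    return verdicts, hidden_roots
```

Run `triage(SAMPLE_LOG)` to get the verdict counts and the per-directory tally of hidden items; the grouping only tells you where to look, not whether the items are malicious.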
#3 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 26 October 2009 - 07:14 PM

Thanks for the response. I am pretty much a novice to all this, and am just trying to learn as I go to keep my computer running well. I didn't realize RKR should only be used by advanced users - it just came up on a Google search.
http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx

I don't really understand how to read the logs, which is why I posted here for help. I haven't done anything except run RKR and was hoping for advice on whether this log indicates I still have a problem, and if/what I need to do about it. Is this not appropriate use of this forum - should I try the Sysinternals forum instead?

I'll include the logs from the MBAM and SAS scans that made me worried about a rootkit. Subsequent scans have not detected any problems, but I've been reading how the standard anti-virus programs can miss rootkits.

If the recent problem is not related to the trojan a couple months ago, what am I doing wrong? I run Windows Update regularly and install all the security updates. I also use ZoneAlarm firewall and AVG free. I don't click on any suspicious links and am careful about what websites I go to. What else can I do to prevent malware and how can I tell if my computer is ok now? Thanks!

---------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 2976
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/17/2009 5:00:42 PM
mbam-log-2009-10-17 (17-00-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147582
Time elapsed: 53 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\kbiwkmweybctfu.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inixs (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49766335 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\49766335 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\kbiwkmweybctfu.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\49766335\49766335.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\minix32.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ckxobmnqbh.exe (Rogue.Installer) -> Quarantined and deleted successfully.

-----------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/17/2009 at 11:54 PM

Application Version : 4.29.1004

Core Rules Database Version : 4171
Trace Rules Database Version: 2093

Scan type : Complete Scan
Total Scan Time : 01:46:29

Memory items scanned : 216
Memory threats detected : 0
Registry items scanned : 4162
Registry threats detected : 0
File items scanned : 51792
File threats detected : 34

Adware.Tracking Cookie
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@a1.interclick[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@zedo[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer_ng@interclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@doubleclick[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@247realmedia[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@atdmt[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@mediaplex[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@serving-sys[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@adbrite[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@ads.undertone[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@specificclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@ads.pointroll[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@tribalfusion[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@oasn04.247realmedia[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@bs.serving-sys[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@content.yieldmanager[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@revsci[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@apmebf[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@collective-media[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@cdn4.specificclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@insightexpressai[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@specificmedia[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer_ng@ad.yieldmanager[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@advertising[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@cgi-bin[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@media.adfrontiers[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@realmedia[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer_ng@fastclick[1].txt

Rootkit.Agent/Gen-KBI
C:\WINDOWS\SYSTEM32\KBIWKMKACHQNNP.DLL
C:\WINDOWS\SYSTEM32\KBIWKMVQVDBORL.DLL
C:\WINDOWS\SYSTEM32\KBIWKMNYGEFYAJ.DAT
C:\WINDOWS\SYSTEM32\KBIWKMWAOCNFON.DAT

Trojan.Agent/Gen-FraudLoad
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP36\A0010036.DLL

Rootkit.Agent/Gen-Rustock[KBI]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP36\A0010037.SYS

------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2983
Windows 5.1.2600 Service Pack 3

10/19/2009 2:44:32 PM
mbam-log-2009-10-19 (14-44-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144518
Time elapsed: 1 hour(s), 35 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmhkrbumiw (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP37\A0011044.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,762 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:45 AM

Posted 26 October 2009 - 08:44 PM

One or more of the identified infections is related to a nasty variant of the TDSSSERV rootkit component also known as Backdoor.Tidserv. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

#5 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 28 October 2009 - 10:11 PM

Sorry it's taken me so long to respond. I don't have a problem with reformatting and reinstalling the OS, especially since it is a fairly new (to me) computer - I was ready to do that with my last infection. I changed the password on my router, and am now using an older laptop that I've rescanned with both MBAM and SAS to make sure it is clean. Have also been working on changing all my passwords.

Regarding the laptop that is infected with the rootkit...as I mentioned before, I purchased it from Overstock.com as a refurbished product. It did not come with any discs and the first time I turned it on, Windows XP was installed from the hard drive. I'm assuming that it is not safe to reinstall from hard drive itself, and I need to start fresh with a copy of XP off a disc? If I know someone who has the software, can I use it to reinstall with the product key that came with my computer?

Thanks for any advice on how to proceed. In many years of using computers, this is the first time I've run into such a major problem and had to reformat/reinstall.

Jennifer

Mod Edit: Closed as OP started a new thread here.

Edited by quietman7, 09 November 2009 - 12:07 PM.
