Probable Win32k.sys Rootkit

To whomever answers this distress call,

I believe I have the rootkit described in topic 253639 entry 1405644 Click me! or else one very similar to it. I don't have any doubt about being infected, so I skipped the AII part of the procedure. Of course I will be glad to go back to it if you require, but I am pretty confident you will waive it for me.

Win XP HE SP3 Pentium 4 @ 3GHz with 512MB RAM. I don't know what kind of RAM it is, though. The machine is an eMachines T5010 bought about 3 years ago. It came with the OS preinstalled with a restore "disk" ( D: ) residing in an NTFS partition on the same hard drive as C:. Did not get any actual CD's, floppies, or anything else to restore from that is external.

////////////////

Just to give you a general idea of the state of my system here are some things that DON'T work or that I can't get to, or that I no longer have permission for:

• explorer - unavailable
• start-up taskbar - unavailable
• start-up taskbar - unavailable
• systray (therefore) - unavailable
• drag/drop - unavailable
• Write to CD - unavailable
• cmd - unavailable
• search - unavailable
• run - unavailable
• control panel - unavailable

Now for the good news...

• Administrator tools are OK
• command.com works
• System configuration utility works
• Many exe's in \sys32\ and \WINDOWS\ work
• a, b, c, and d.exe are at least part of the rootkit
• I can use sysconfig to access windows firewall and stuff like SYSTEM.INI, WIN.INI, BOOT.INI, and a few of the control panel aps. I suppose the rest are available, too, I just don't know what they are named and I can't search for them except "manually".

////////////////////

I have followed the pre- procedure Click me! as much as possible:

• I backed up (partial) using Cobian, but as mentioned above, I do not have a separate drive to back up to. I have a 4GB mini sdhc card in a slot on my machine that theoretically I could back up to, but I don't know how to set that up. It was formatted(?) to work with my MOTO Q...if you can tell me how to do it, I would like to transfer my backup files to that before we proceded with the actual removal process. If not, that's life.
• Also as mentioned above, I have little doubt that I a rootkit is present, so I skipped this step.
• Completed
• Completed
• Completed, but only have windows firewall. I accessed it via the "Security Center" and the link on that page.I turned off exceptions and unchecked all the exception boxes just to be sure, and made sure all the boxes were unchecked...however, now I don't seem to have enough resources to open it any longer...things appear to be going downhill fast. There are tons of processes running that I just can't believe are native...
• I can't run dds.scr. All I get when I open the file is the screensaver dialog in desktop preferences. The dialog is of course confused since dds.scr is not a screensaver. CScript says I don't have an engine for dds.scr. I tried changing the extension, etc., but I could never get CScript to do anything except display the banner and error and then quit. (Didn't try Wscript because I don't know anything about that, only that it exists.)
• Rootrepeal log attached, such as it is (see below)
• Completed
• In progress...

As I mentioned above, the rootkit has disabled explorer/startup task bar/systray, so most of the drag/drop instructions you give are strictly not possible for me to perform at this point. HOWEVER I am using the GUI for 7-zip 9.07 beta along with the taskman "create new task" dialog "browse" function to do most of the file manipulation that I need to do.

Also, I have opera running (IE and mozilla/firefox are OOC).

This is all I got for now. I would keep trying to get you Win32kDiag.exe output but it seems to be getting worse...I am now getting low resources errors when I try to run it. I will post this, reboot, and hope for the best while I wait for someone to reply.

As a bonus, simply because it would run, see bottom of post for fport.txt attachment with (oddly enough) fport output.

Rootrepeal would not perform the file scan, so I ran it with that turned off. Here is what I got for the rest of it:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 02:27
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE30B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B1D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED63C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF896D000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE2C3000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef201794

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef201f1e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef200d0a

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef200384

==EOF==

fport - seem to be losing the ability to paste to this board...still can do it inside windows, however. Attached is a log of fport output that I ran per instructions I found in the topic that led up to this one.

 fport.txt   1.31KB   12 downloads

Sorry for the delay. Do you still desire help?
Kind regards,
~t

Yes, please! I have slightly different circumstances now, however. I don't currently have tethering so that will probably make things challenging.
Somehow I have corrupted my MBR or boot.ini. I have been trying hard to get it restored before your reply, so the delay has not been a greatly noticed. I have trinity rescue kit 3.2 running from a live cd and am currently working at transfering files to a 4GB mini sdhc card. I figured I would take advantage of the opportunity to move files while the malware was sleeping! Is it possible that we can work within Linux? Regardless, just tell me how you want me to procede. Thanks,
Gary

Edited by Orange Blossom, 23 November 2009 - 09:30 PM.
Delete duplicate text. ~ OB

Can your computer boot into Windows?

Not at the moment. Notwithstanding directions from you to do otherwise, I am at this moment attempting to recover the ntfs partition that "c:" resides on. I can see from Linux that the files are intact. The bios just doesn't seem to know how to find it.

I should clarify that during an attempted boot to windows, I get the boot menu, with option to use last known good hardware config, but regardless of what I choose, it stalls on the logo/load progress screen and reboots. Linux says the boot log is dirty and can't mount the drive except by forcing. This doesn't seem to cause any problems and I can read/write to c: from Linux.

Hello again,

• Do you know what led to the crash?
• What was the step that preceded your crash?
• Have you ever run Combofix? If you have I might be able to get you booting again.
• Do you have a Windows XP install disc?
• Which Linux distro are you using?
• Do you have the Recovery Console installed on C:\ as far as you know?
• Careful what your backing up...

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php

Kind regards,
~t

Do you know what led to the crash?
There was no crash, per se. I rebooted to free-up resources and got an "unbootable media" error. 
Have you ever run Combofix?
No.
Do you have a Windows XP install disc?
No. Recover is on an NTFS partition. I tried running winnt.exe and got as far as the reboot after DOS mode file copying phase. Same error as before.
Which Linux distro are you using?
It's called Trinity Rescue Kit 3.2 and can be found here
http://trinityhome.org/Home/index.php?wpid=5&front_id=12
 

Documentation (such as it is) here:

http://trinityhome.org/Home/Print_Collate....5,76,33,124,128

Do you have the Recovery Console installed on C:\ as far as you know?
No. 

I am trying to repair the MBR. Failing that, the boot files.

You could try this....

Please go here and create a Recovery Console CD. Just click the link provided there to download the recovery_console_cd.zip and unzip that to your desktop.

Then inside the recovery_console_cd folder that created locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.

For emergency boot disk uses, as well as to access the Recovery Console, the SP2 version can also be used on systems that have the SP3 upgrade.

• Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  
  
• If your PC is not booting from the CD, you need to change the boot order:
  • Restart your PC
  • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
  • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
  • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
  • The tab should now show your current boot order.
    If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
  • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
• Your PC should now boot from your CD.
  Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  
  
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  
  
• When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  
• A command prompt will open
• Type the green bolded one line at a time and press Enter after entering each line.

chkdsk /r
fixboot
ren C:\Boot.ini Boot.ini.bak
bootcfg /rebuild

• The first prompt should ask Add installation to boot list? (Yes/No/All).
• Type Y in response to this question and press Enter.
• The next prompt asks you to Enter Load Identifier:
• This is the name of the operating system, type Windows XP Home Edition or Windows XP Professional (it specifies such on your disc!!!!) and press Enter.
• The final prompt asks you to Enter OS Load options:
• Type /Fastdetect here and press Enter.
• Type exit and press Enter.
• Reboot.

Success?

Please recall that I do not have a GUI.

Yes. I realize that. Please download and burn the Iso from a clean computer. Launch it then from the sick computer.

okay i am working on that...

Okay..the procedure got me 75% of the way there. I still had to run bootcfg and copy a few files to different directories, but i finally have windows back. What next?

Excellent.

First some ground rules.

You obviously have more than the average amount of computer experience. I will make a deal with you. I will only help you if you promise not to do anything to that computer of yours without asking me first. If you start making changes without my knowing I might do more harm than good. Deal?

Lets continue......

Download and run Win32kDiag:

• Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Download Win32kDiag (Win32kDiag.exe) - #1
  • Download Win32kDiag (Win32kDiag.exe) - #2
  • Download Win32kDiag (Win32kDiag.exe) - #3
• Double-click Win32kDiag.exe to run Win32kDiag and let it finish. If you are using Vista please right click and run as Admin!
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Next......


Download and run a batch file (peek.bat):

• Download peek.bat from the download link below and save it to your Desktop.
  • Download peek.bat
• Double-click peek.bat to run it.A black Command Prompt window will appear shortly: the program is running. If you are using Vista please right click and run as Admin!
• Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

Kind regards,
~t