I believe I have the rootkit described in topic 253639 entry 1405644 Click me! or else one very similar to it. I don't have any doubt about being infected, so I skipped the AII part of the procedure. Of course I will be glad to go back to it if you require, but I am pretty confident you will waive it for me.
Win XP HE SP3, Pentium 4 @ 3GHz with 512MB RAM. I don't know what kind of RAM it is, though. The machine is an eMachines T5010 bought about 3 years ago. It came with the OS preinstalled with a restore "disk" ( D: ) residing in an NTFS partition on the same hard drive as C:. I did not get any actual CDs, floppies, or anything else external to restore from.
Just to give you a general idea of the state of my system here are some things that DON'T work or that I can't get to, or that I no longer have permission for:
- explorer - unavailable
- start-up taskbar - unavailable
- systray (therefore) - unavailable
- drag/drop - unavailable
- Write to CD - unavailable
- cmd - unavailable
- search - unavailable
- run - unavailable
- control panel - unavailable
- Administrator tools are OK
- command.com works
- System configuration utility works
- Many exe's in \sys32\ and \WINDOWS\ work
- a, b, c, and d.exe are at least part of the rootkit
- I can use sysconfig to access Windows Firewall and stuff like SYSTEM.INI, WIN.INI, BOOT.INI, and a few of the Control Panel apps. I suppose the rest are available, too; I just don't know what they are named and I can't search for them except "manually".
I have followed the pre- procedure Click me! as much as possible:
- I backed up (partial) using Cobian, but as mentioned above, I do not have a separate drive to back up to. I have a 4GB mini SDHC card in a slot on my machine that theoretically I could back up to, but I don't know how to set that up. It was formatted(?) to work with my MOTO Q. If you can tell me how to do it, I would like to transfer my backup files to that before we proceed with the actual removal process. If not, that's life.
- Also as mentioned above, I have little doubt that a rootkit is present, so I skipped this step.
- Completed, but I only have Windows Firewall. I accessed it via the "Security Center" and the link on that page. I turned off exceptions and unchecked all the exception boxes just to be sure, and made sure all the boxes were unchecked. However, now I don't seem to have enough resources to open it any longer; things appear to be going downhill fast. There are tons of processes running that I just can't believe are native...
- I can't run dds.scr. All I get when I open the file is the screensaver dialog in desktop preferences. The dialog is of course confused since dds.scr is not a screensaver. CScript says I don't have an engine for dds.scr. I tried changing the extension, etc., but I could never get CScript to do anything except display the banner and error and then quit. (Didn't try Wscript because I don't know anything about that, only that it exists.)
- Rootrepeal log attached, such as it is (see below)
- In progress...
As I mentioned above, the rootkit has disabled explorer/startup task bar/systray, so most of the drag/drop instructions you give are strictly not possible for me to perform at this point. HOWEVER I am using the GUI for 7-zip 9.07 beta along with the taskman "create new task" dialog "browse" function to do most of the file manipulation that I need to do.
Also, I have opera running (IE and mozilla/firefox are OOC).
This is all I got for now. I would keep trying to get you Win32kDiag.exe output but it seems to be getting worse...I am now getting low resources errors when I try to run it. I will post this, reboot, and hope for the best while I wait for someone to reply.
As a bonus, simply because it would run, see bottom of post for fport.txt attachment with (oddly enough) fport output.
Rootrepeal would not perform the file scan, so I ran it with that turned off. Here is what I got for the rest of it:
ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/11/10 02:27
Program Version: Version 18.104.22.168
Windows Version: Windows XP SP3
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE30B000 Size: 98304 File Visible: No Signed: -
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B1D000 Size: 8192 File Visible: No Signed: -
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED63C000 Size: 49152 File Visible: No Signed: -
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF896D000 Size: 20480 File Visible: No Signed: -
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE2C3000 Size: 61440 File Visible: No Signed: -
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef201794
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef201f1e
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef200d0a
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef200384
fport - I seem to be losing the ability to paste to this board. I can still do it inside Windows, however. Attached is a log of fport output that I ran per instructions I found in the topic that led up to this one.
fport.txt 1.31KB 12 downloads
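The RootRepeal output above is flattened into "Image Path"/"Address" pairs and "#:"/"Status" pairs, which is awkward to read by eye once a log gets long. The following is an added example, not code from the original post or from the RootRepeal project: a small Python parser that turns those two-line records into dicts, groups SSDT hooks by the module that installed them, lists images RootRepeal reports as not visible on disk, and checks whether an arbitrary kernel address falls inside one of the listed images. The sample log is constructed from the lines quoted in the post (the "Program Version" line is omitted because it is garbled on the page); it makes no claim about whether any particular driver is malicious.

```python
"""Parse the image and SSDT-hook records of a RootRepeal log (added example)."""
import re
from collections import defaultdict

# Constructed sample: the image and hook lines quoted in the post above.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/11/10 02:27
Windows Version: Windows XP SP3
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE30B000 Size: 98304 File Visible: No Signed: -
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B1D000 Size: 8192 File Visible: No Signed: -
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED63C000 Size: 49152 File Visible: No Signed: -
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF896D000 Size: 20480 File Visible: No Signed: -
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE2C3000 Size: 61440 File Visible: No Signed: -
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef201794
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef201f1e
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef200d0a
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xef200384
"""

# Each record is two lines; the second line carries the details of the first.
IMAGE_RE = re.compile(r"^Image Path:\s*(.+?)\s*$")
ADDR_RE = re.compile(
    r"^Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)\s*$"
)
HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$")
STATUS_RE = re.compile(r'^Status:\s*Hooked by\s*"([^"]+)"\s*at address\s*(0x[0-9A-Fa-f]+)\s*$')


def parse_rootrepeal(text):
    """Return (images, hooks) as lists of dicts; unmatched lines are ignored."""
    images, hooks = [], []
    image = hook = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IMAGE_RE.match(line)
        if m:
            image = {"path": m.group(1)}
            continue
        m = ADDR_RE.match(line)
        if m and image is not None:
            image.update(
                address=int(m.group(1), 16),
                size=int(m.group(2)),
                visible=m.group(3).lower() == "yes",
                signed=m.group(4),
            )
            images.append(image)
            image = None
            continue
        m = HOOK_RE.match(line)
        if m:
            hook = {"index": int(m.group(1)), "function": m.group(2)}
            continue
        m = STATUS_RE.match(line)
        if m and hook is not None:
            hook.update(module=m.group(1), address=int(m.group(2), 16))
            hooks.append(hook)
            hook = None
    return images, hooks


def hooks_by_module(hooks):
    """Map each hooking module (lower-cased path) to the syscalls it hooks."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"].lower()].append(h["function"])
    return dict(grouped)


def hidden_images(images):
    """Paths of images RootRepeal reported with 'File Visible: No'."""
    return [i["path"] for i in images if not i["visible"]]


def locate_address(images, address):
    """Return the image whose [address, address+size) range contains address, else None."""
    for i in images:
        if i["address"] <= address < i["address"] + i["size"]:
            return i
    return None


if __name__ == "__main__":
    imgs, hks = parse_rootrepeal(SAMPLE_LOG)
    for module, funcs in hooks_by_module(hks).items():
        print(module, "->", ", ".join(funcs))
    print("not visible on disk:", hidden_images(imgs))
    for h in hks:
        owner = locate_address(imgs, h["address"])
        print(hex(h["address"]), "inside listed image:", owner["path"] if owner else None)
```

With the sample above, all four hooks resolve to one module and none of the hook addresses falls inside any of the five listed images, which is exactly the kind of cross-check worth doing before deciding which driver to look at first.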