
Probable Rootkit left over from other virus



#1 AshevilleHawker

  • Members
  • 11 posts

Posted 30 November 2009 - 08:58 PM

Hello,

I believe I have a root kit and need help removing it.
System is Dell Precision M90 with WinXP SPIII on it. I run F-Secure Workstation 7.11 as my AV program with all the latest hot fixes.

I was browsing a well known and usually reputable web site that recently had gotten compromised advertisements from a web server. Somehow I got an exploit and ended up with AntiVirus 2009 virus.
I rebooted to safe mode, disabled the virus from the start with autoruns, rebooted to safe mode again and ran MBAM and everything seemed to be fine (after also restoring my internet connection from the proxy the virus set it to).

About a week later I was on the same website (they claimed the problem had been fixed) and a new ad caused Adobe to launch. I quickly shut down Adobe but it was too late. I had a virus that looked the same but said something different for the title, I think it was AntiVirus System Pro or something else bla bla bla Pro. I should say I was running Seamonkey 1.1.18 with Adobe Pro 6.x. My guess is that the Adobe was too old and had some exploit in it. Reading other comments, others got the virus this way as well.

This time I could not boot to safe mode. I got a BSOD when I tried. To fix this I made a Knoppix boot disk and manually deleted the virus's .exe files from my computer. I then could boot to regular mode and used MBAM to remove the left over fragments. This got rid of the virus but now I have system event log errors EventID 45 and 49 FTDISK errors. Googling that came up with a bunch of atapi.sys related issues and that made me wonder if I had a root kit.

I ran Combo fix (I know, don't post the log, but hopefully this much is acceptable) and it seems to agree that I have a MBR rootkit and that there are rootkit hooks in CLASSPNP.sys, ACPI.SYS, ATAPI.sys. The other combofix comments are Greek to me.

At this point I deleted ATAPI.SYS in the hopes that windows would restore it. This caused an instant BSOD.
I rebooted and got constant virus warning from F-Secure WKS 7.11 but it could not fix. The virus was for atapi.sys and was labeled by them as Rootkit.Win32.TDSS.y.
Running Combo Fix again made the constant virus pop up go away.


So thinking I was clever I booted from the Windows disk and did a fixmbr. The app said the MBR was not standard (or something similar) and fixed it, but booting back it was the same. My guess is that the infected .sys files just put it back when I boot. I still can't boot into safe mode, only normal mode. I'm hesitant to use USB keys without more guidance to try to put things back as I am afraid of spreading this through MBRs. I have too many memories of DOS day MBR records sounding like the latest STD (from intimate floppy disk contact with any computer who had intimate floppy disk contact with my computer).

Can you help?

Thanx
Hawker

Edited by AshevilleHawker, 30 November 2009 - 09:04 PM.




#2 AustrAlien

    Inquisitor

  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 02 December 2009 - 06:03 AM

I'm hesitant to use USB keys without more guidance to try to put things back

I have no idea what you mean by the above: Would you care to explain?

Let's try and replace the corrupt atapi.sys file with a good one.
You have XP SP3 on your system. To do the following properly, you need an XP installation CD the same (with Service Pack 3). You may or may not need the CD at all. You may get away with using an SP2 version?

Start Windows normally and put your XP SP3 installation CD in the tray.
Start > Run > and type "cmd" and press Enter
At the command prompt, type sfc /scannow (note the space!) and press Enter
Allow it to run and complete. There will be no message to indicate that it has finished.

Then try this to check for rootkits ...
Please follow steps 1, 2 & 3 in post #5 by garmanma in the following link ...
http://www.bleepingcomputer.com/forums/ind...t&p=1508509
AustrAlien
Google is my friend. Make Google your friend too.


#3 AshevilleHawker

  • Topic Starter
  • Members
  • 11 posts

Posted 02 December 2009 - 10:06 PM

First the good news: I'm 95% sure I got the root kit out.

The bad news, your way didn't work.

Ok I'm doing the scans now, but I have a large hard drive and so it will take most of the night. I'll post them tomorrow.
I thought I would post how to fix it, since many here seem to have this issue and all I hear is reformat or things that don't work.

The sfc scannow does not work because the rootkit stealths the file to think it is correct. Also I did not have a SP3 disk, only SP2 and windows complained about it.

So the solution, written out with more detail for others to follow.
1) Find another computer of the same Service pack and OS (in my case XP Pro SP3) that is not infected.
2) Make a zip file of classpnp.sys, atapi.sys, acpi.sys. E-mail this to yourself or use a USB key.
3) Place the .zip file in C:\WINDOWS\system32\drivers\
4) Go to http://www.knoppix.org/ and download the Knoppix 6.2 live CD. Burn to a CD.
5) Boot your computer to the Knoppix Linux CD.
6) From Knoppix browse to windows\system32\drivers
7) Unzip the files into the directory, overwriting the existing ones.
8) Exit Linux and boot to a Windows XP install disk.
9) Enter the Recovery Console, R option, and mount the drive.
10) Enter fixmbr to replace the Master Boot Record with a non-virus MBR.

In my case I can now boot to safe mode, do not have event 45/49 errors anymore and F-Secure no longer complains of a root kit.
I do have Application error EAPOL 2002s now, but I should be able to fix that eventually.

I think this is the first actual fix of this can't boot to safe mode I have read here so I wanted to post it ASAP.

This is the part of combo fix that hinted to the error. Can someone else help me read it? Does this imply there are other files that need to be replaced?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A55C618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba719852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xba625bb0
PacketIndicateHandler -> NDIS.sys @ 0xba614a0d
SendHandler -> NDIS.sys @ 0xba628b40
user & kernel MBR OK


As to the USB key thing I mentioned. Way back when, everything had a MBR, so if you had a MBR virus like this it would spread to anything you used such as a floppy, and that would infect the next thing you plugged it into. I was worried about the same.
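The driver-replacement steps in this post (steps 6 and 7), as an added example that is not part of the original post: a POSIX shell script meant to run from the Knoppix live session against the offline Windows volume. It compares each of the three drivers against a known-good copy by SHA-256 and replaces only the ones that differ, saving the suspect original first. The directory paths and the `.suspect` backup naming are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run from a live CD against the
# mounted (offline) Windows volume so a running rootkit cannot filter what
# we read. GOOD_DIR holds clean copies taken from a machine with the same
# Windows version and service pack; DRIVER_DIR is the mounted
# WINDOWS/system32/drivers directory; BACKUP_DIR receives the originals.

DRIVERS="classpnp.sys atapi.sys acpi.sys"

# Print the SHA-256 of a file, or "missing" if it does not exist.
sha256_of() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# NTFS names may appear in upper or lower case from Linux, so look the
# driver up case-insensitively. Prints the first matching path (or nothing).
find_driver() {
    find "$1" -maxdepth 1 -iname "$2" -print 2>/dev/null | head -n 1
}

# compare_and_replace GOOD_DIR DRIVER_DIR BACKUP_DIR
# Sets REPLACED_COUNT to the number of drivers that were written.
compare_and_replace() {
    good="$1"; drv="$2"; bak="$3"; replaced=0
    mkdir -p "$bak"
    for name in $DRIVERS; do
        src="$good/$name"
        dst=$(find_driver "$drv" "$name")
        [ -n "$dst" ] || dst="$drv/$name"     # missing on disk: create it
        if [ ! -f "$src" ]; then
            echo "WARN     no known-good copy of $name in $good"
            continue
        fi
        if [ "$(sha256_of "$src")" = "$(sha256_of "$dst")" ]; then
            echo "OK       $name matches the known-good copy"
            continue
        fi
        echo "REPLACE  $name (hash differs from known-good copy, or file missing)"
        # Keep the suspect original for later analysis before overwriting it.
        [ -f "$dst" ] && cp -p "$dst" "$bak/$name.suspect"
        cp -p "$src" "$dst"
        replaced=$((replaced + 1))
    done
    REPLACED_COUNT=$replaced
}

# Usage: ./check_drivers.sh GOOD_DIR DRIVER_DIR BACKUP_DIR
if [ "$#" -eq 3 ]; then
    compare_and_replace "$1" "$2" "$3"
    echo "replaced $REPLACED_COUNT driver(s)"
fi
```

A hash mismatch only means "differs from the reference copy", so the reference must come from the same Windows build and service pack, as the post itself notes; a second run after the replacement should report zero replacements.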

#4 AshevilleHawker

  • Topic Starter
  • Members
  • 11 posts

Posted 02 December 2009 - 10:21 PM

I got the scans faster than I thought; here are the results.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/02 21:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB75CE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADE6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5FB6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\hawker\application data\skype\ (privacy name edit by hawker)\ etilqs_kni4oa8mevjc3ualmwbu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\hawker\application data\skype\ (privacy skype name edit by hawker) \etilqs_tzdvwsgcrqr1mogil7to
Status: Allocation size mismatch (API: 32768, Raw: 0)

==EOF==


Running from: C:\Documents and Settings\Hawker\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Hawker\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Finished!

Volume in drive C has no label.
Volume Serial Number is 68BE-0FCA

Directory of C:\WINDOWS\ERDNT\cache
04/14/2008 06:00 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache
04/14/2008 06:00 56,320 eventlog.dll
2 File(s) 237,568 bytes

Directory of C:\WINDOWS\system32
04/14/2008 06:00 181,248 scecli.dll

Directory of C:\WINDOWS\system32
04/14/2008 06:00 56,320 eventlog.dll
2 File(s) 237,568 bytes

Directory of C:\WINDOWS\system32\dllcache
04/14/2008 06:00 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache
04/14/2008 06:00 56,320 eventlog.dll
2 File(s) 237,568 bytes

Total Files Listed:
6 File(s) 712,704 bytes
0 Dir(s) 111,849,742,336 bytes free



Do I need to delete those dump files or replace any of the other files the combofix snippet mentioned?

Thank you very much for your help.

How is BleepingComputer and you supported? Is there a donate place? You're giving an amazing service for free. The local experts all just said "reformat".

Hawker

Edited by AshevilleHawker, 02 December 2009 - 10:23 PM.


#5 AustrAlien

    Inquisitor

  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 03 December 2009 - 05:38 AM

First the good news: I'm 95% sure I got the root kit out.

That looks like a good start. Well done!
However, I think that it may only be "a start". Might have to suggest you getting this one checked out more thoroughly than we can do here in the "Am I Infected?" forum area. You have probably already seen the advice of experts here and perhaps in other places ....
Rootkit >>> wipe the hard drive clean and start again ... it is the ONLY way to be sure it is not stealing your identity/money etc. now or at some time/any time in the future use of that system!

Thanks for posting the info on what you have done: I like it!
You wrote: "This is the part of combo fix that hinted to the error. Can someone else help me read it?"
There are forum rules that prevent any comment on CF results in this forum area. Sorry, but this will have to be "no comment".

The logs that you posted look clean to me ... but I cannot be sure of the reference to Skype, but would assume it to be OK unless we find out something to the contrary later.

Ah yes ... I have figured this one out all by myself ...
You call it a "USB key": I call it a "flashdrive".
OK, I see what you mean now.

You wrote: "How is BleepingComputer and you supported? Is there a donate place? You're giving an amazing service for free."
Firstly "me": I am barely a novice at this forum stuff, but have found that I can be of some assistance at times: That is pleasing enough, but the real kick I get is out of the occasional "miracle", if I am lucky enough to pull one out of the hat. I do it for fun, and for the learning experience. I enjoy using the skills I am acquiring to help others (perverse, I know?).
Secondly, BC: I have been a "fan" of BC and Grinler (the bloke who set it up about 6 years ago and owns it .... that means he gets to pay the bills) for a number of years now, but really, I don't know all that much about "the business". AFAIK all the "workers/helpers" are volunteers, with some desire to help others/make the www a better place for all to use. Otherwise, it is simply one member helping another member.
BleepingComputer is "the best" of the best, from what I have seen in my limited experience ... that is why I am here of course!?

How to Donate?
http://www.bleepingcomputer.com/forums/ind...4&hl=donate

I agree, about the "amazing service", and even more amazing when you realise that there are "hundreds" of such places offering support in a similar fashion on the net. People helping other people; thousands and thousands of them, devoting large chunks of their lives to helping others. It serves to restore some faith in mankind?

Edited by AustrAlien, 03 December 2009 - 05:42 AM.


#6 AshevilleHawker

  • Topic Starter
  • Members
  • 11 posts

Posted 03 December 2009 - 06:00 PM

you said "Might have to suggest you getting this one checked out more thoroughly than we can do here in the "Am I Infected?" forum area"
And where would that be?

How do I find out what that part of combo fix means and if I should worry about any other files?

I understand your thought that I should just re-format. But I don't want to have to set this computer up again, and besides in the process I tend to learn quite a bit.
If you can't tell me about the combo fix log how do I find out if there is anything left? Do I go to the Hijack This forum and post again?

Thanx again for your help.

Hawker

#7 AustrAlien

    Inquisitor

  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 03 December 2009 - 09:26 PM

I will ask one of the more experienced members to have a look at your info and your latest questions. They will let you know your options, and tell you what they can.
'Alien

Edited by AustrAlien, 03 December 2009 - 09:26 PM.


#8 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 03 December 2009 - 10:30 PM

BC HJT Team members may ask for small donations in their signature, but all in all, BC no longer accepts donations
If you are happy with the services provided you by one of our contributing members, we ask that you select a popular local charity
Times are tough and the Christmas season is upon us. Why not a donation to your local food bank?

I would like one more person to check this quick before we send you on your merry way
Just hang tight for awhile
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,729 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 December 2009 - 11:11 PM

user & kernel MBR OK

That portion of the CF log says both the user & kernel MBR are OK, so it's not considered an MBR infection according to the tool's developer. If CF ran smoothly and did not take a long time to complete, that was a good sign it was successful in performing its routines.

I cannot comment more or analyze your specific ComboFix.txt without having a complete log and they are not permitted in this forum. If you want someone to check it more thoroughly you will have to post it in the HijackThis Logs and Malware Removal forum, per :thumbsup: in our pinned topic: ComboFix usage, Questions, Help? - Look here

Are you using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc)? If so, be aware that CD Emulators use rootkit-like techniques to hide from other applications and to circumvent copy protection schemes.

When dealing with a malware infection, CD Emulators can interfere with investigative or anti-rootkit (ARK) tools including ComboFix. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#10 AshevilleHawker

  • Topic Starter
  • Members
  • 11 posts

Posted 04 December 2009 - 05:53 PM

Thanx Folks.
I'll move over to the other forum for a quick check.
I have some strange explorer search behavior (won't sort or let me search twice) and I have to keep rebuilding some icons, as well as a funky application log, but seem to be much better.

No I am not using any CD emulators that I know of unless Nero, CyberLink PowerDVD Player or something in the K-Light Codec Pack puts something in like that. This no safe mode and root kit errors didn't start until I got the Acrobat Exploit version of AV Pro 2009 and now it seems to be gone.

As for donations. Actually I mostly donate to two charities, the local food bank and a local group that helps people with power bills, medical needs, shelters and others who slip through the cracks here. I'm a design engineer for a consumer products company and I am also known to help some of the folks on the manufacturing floor directly when things get tight or fix/build computers for them when needed, as most are barely scraping by. I remember being in their shoes 20 years ago.


Thanx again
Hawker

#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,729 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 December 2009 - 06:32 PM

As for donations. Actually I mostly donate to two charities, the local food bank and a local group that helps people with power bills, medical needs, shelters and others who slip through the cracks here.

Both are worthy choices. :thumbsup:

Good luck with your log review.