
Rootkit removal


2 replies to this topic

#1 joedan99


Posted 14 December 2009 - 08:02 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/278275/iexplore-starts-in-background-larger-malware-issue/ ~ OB

I was asked to post this here. I need help with this; I tried running GMER, which said essentially what RootRepeal says, but the system froze when I tried to save the log.
>>I see there is a serious rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.<<


------------------------------------------------------------------------------------

Win32kDiag.txt output (had to rename Win32kDiag.exe to get it to run):

Running from: C:\Documents and Settings\user\Desktop\XWin32kDiag.exe

Log file at : C:\Documents and Settings\user\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


Finished!
----------------------------------------------------------
results of DIR cmd:

Volume in drive C is NEW
Volume Serial Number is 10D0-BA36

Directory of C:\WINDOWS\$NtServicePackUninstall$

03/08/2004 08:07 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

03/08/2004 08:07 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

03/08/2004 08:07 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

13/04/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

13/04/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

13/04/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

13/04/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

13/04/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

13/04/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 49,360,048,128 bytes free

------------------------------------------------------------------
results of ROOTREPEAL....


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/13 11:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0C29000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C39000 Size: 8192 File Visible: No Signed: -
Status: -

Name: H8SRTnfvywoxwtx.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Address: 0xF24EC000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFB3A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\h8srtcfg.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTjovclsypwn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTjvebumgvrw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTrysywaddyl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Temp\H8SRTface.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\9RQ1W7C0\NLCAH71IEKCA8CXJ0OCAOVPEFTCAY50KCRCAFZ8R11CAOIXX6DCASK7W8FCA2TVCKXCAO7KF0NCA41LELQCAYPU3APCAXOTR69CA7CL605CAOBFYXYCA72ACXLCACYH0X1CARCP4GNCALGN192CA9RH2D0CAK7A4RC
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\user\local settings\temporary internet files\content.ie5\cimqhpfr\z6calwwip1ca8kgx19caa5r7qbcasteusgcavajibucatu65uvcak3zn18cazinhr2cajm121ecao5kptucanebhi2canqcaz0caexde38ca8gdx6scat2ez8cca1wp4ptcatoj11fca4fny02ca37ewdycaxt3djz
Status: Allocation size mismatch (API: 8192, Raw: 16384)

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\1684154106@x10[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\;kw=How_do_you_remove_hidden_and_useless_files_from_a_hard_drive;csrc=unanswered;pos=1;answ=ad;tile=1;dcopt=ist;sz=160x600;ord=457451089[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\abg-en-100c-000000[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\blank[2].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\blank[3].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\dictionary_2_b[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\headerTabsBg01[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\houseIcon_blue[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\icon-home-default[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\icon-print-hover[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\icon-search-default[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\intro_snowfall_EPN_160x600[1].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\rc_gray1b[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\showLeftDart[1].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\tooltip[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\tooltip_bg[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\TRCAU4JMEBCAWXJUDSCAZGGA1YCA1PS096CAENOVS1CA1E2BKACA18YMWSCA0GLHVXCAY53GTCCAQI256RCAC20XQ8CA34TT0DCA7OXTCHCAPG0SIOCA9YBE3QCAZVF35GCARITBRGCAYOCHZBCACQ5EVSCA62878R
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\web_tip[1].css
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\XOCAVWQKNPCA69T29LCA54Y0JQCAA3F3ZYCARWDVZ2CAJCX5MQCAFO9A26CATPSYLBCAWMK2HRCA6S730FCA6RDK0KCAWT013RCAL56FHECAU75PFBCAPHLU1BCASCKLMDCAM9UVXZCA4BD3FRCAW2MTA0CAYJ4DB3
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\x_on[1].png
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTjvebumgvrw.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 77824

Object: Hidden Module [Name: H8SRTrysywaddyl.dll]
Process: svchost.exe (PID: 932) Address: 0x00890000 Size: 65536

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys

Edited by Orange Blossom, 18 December 2009 - 01:43 AM.
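The RootRepeal report above is plain text grouped into underlined sections (Drivers, Hidden/Locked Files, Stealth Objects, Hidden Services), and the triage a helper does by hand is: flag whatever is hidden from the Windows API, set aside the browser-cache noise, and notice that the hidden driver, the two DLLs, the .dat file and the hidden service all share one name prefix. As an added example that is not part of this thread and not the RootRepeal tool's own code, the Python below parses that format and performs exactly that triage. The sample log is a constructed excerpt using names and addresses from the post; the cache-noise ranking and the five-character prefix grouping are heuristics of this example, not rules stated by RootRepeal.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the RootRepeal report quoted above; the
# file names and addresses come from that post, the rest of the report is trimmed.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: H8SRTnfvywoxwtx.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
Address: 0xF24EC000 Size: 114688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\h8srtcfg.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\H8SRTjvebumgvrw.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CIMQHPFR\blank[2].gif
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: H8SRTjvebumgvrw.dll]
Process: svchost.exe (PID: 932) Address: 0x10000000 Size: 77824

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTnfvywoxwtx.sys
"""

UNDERLINE = "-------------------"
WHOLE_LINE_KEYS = ("Name", "Image Path", "Path", "Status", "Object", "Service Name")
INLINE_RE = re.compile(r"(Address|Size|File Visible|Signed|Process|PID): (\S+)")
CACHE_MARK = "temporary internet files"

def parse_rootrepeal(text):
    """Return {section: [entry, ...]}, each entry a dict of one record's key/value pairs."""
    lines = [line.strip() for line in text.splitlines()]
    sections, section, entry = defaultdict(list), None, {}

    def close_entry():
        nonlocal entry
        if entry:
            sections[section].append(entry)
        entry = {}

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1] == UNDERLINE:  # section headers are underlined
            close_entry()
            section = line
        elif line == UNDERLINE or section is None:
            continue
        elif not line:  # a blank line ends an entry
            close_entry()
        else:
            key, sep, value = line.partition(": ")
            if sep and key in WHOLE_LINE_KEYS:
                entry[key] = value
            else:
                # "Process: x (PID: 932) Address: 0x.. Size: .." holds several pairs on one
                # line; dropping the parentheses makes every value a single token for INLINE_RE.
                entry.update(INLINE_RE.findall(line.replace("(", " ").replace(")", " ")))
    close_entry()
    return dict(sections)

def triage(report):
    """Findings a responder would act on, as (kind, target), highest priority first."""
    found = []
    for rec in report.get("Drivers", []):
        if "hidden" in rec.get("Status", "").lower():
            found.append(("driver hidden from API", rec.get("Image Path", "")))
    for rec in report.get("Hidden Services", []):
        found.append((f"hidden service {rec.get('Service Name')}", rec.get("Image Path", "")))
    for rec in report.get("Stealth Objects", []):
        found.append((f"hidden module in {rec.get('Process')} PID {rec.get('PID')}", rec.get("Object", "")))
    for rec in report.get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "").lower()
        if "invisible" in status:
            found.append(("file hidden from API", path))
        else:
            # Ranking assumption of this example: browser-cache entries that are "visible but
            # not on disk" or mismatched in size are usually cache churn while the scan ran.
            low = CACHE_MARK in path.lower()
            found.append(("low: cache churn during scan" if low else "file view mismatch", path))
    return found

def cluster_by_prefix(found, n=5):
    """Group flagged names by their first n characters (case-insensitive): one component
    set usually shares a prefix, which ties its driver, DLLs, data file and service together."""
    groups = defaultdict(set)
    for kind, target in found:
        if kind.startswith("low:"):
            continue
        name = target.rstrip("]").replace(": ", "\\").split("\\")[-1]  # basename, or x from [Name: x]
        groups[name[:n].lower()].add(name)
    return {prefix: sorted(names) for prefix, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    print(cluster_by_prefix(triage(parse_rootrepeal(SAMPLE_LOG))))
```

Run against the full report in the post, the cluster step returns the single `h8srt` group, which is the same conclusion the helper draws when calling this one rootkit component set; the "Visible to the Windows API, but not on disk" cache entries fall into the low bucket and do not pollute the grouping.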


#2 SifuMike (malware expert)



Posted 20 December 2009 - 11:24 PM

Hello joedan99,

Sorry for the delay. We have many logs backed up. :(

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
**********************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: Since you already have Malwarebytes' Anti-Malware, update it, run it, then do a "Perform Full Scan".

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 20 December 2009 - 11:30 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
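The `junction -s c:\` step in the reply above walks the whole drive and lists every reparse point (junctions and symbolic links), which is how a redirected system directory or a link planted to mislead a scanner shows up. As an added example that is not the junction.exe tool and is not part of this thread, the Python below does the same walk portably: it never follows links while descending, flags symlinks on any OS and junctions on Windows through the reparse-point file attribute, and reports each with its target. `demo()` is a constructed throwaway tree with one symlink so the code runs offline; on a real machine the call would be `find_reparse_points("C:\\")`.

```python
import os
import shutil
import stat
import tempfile

def is_reparse_point(path):
    """True for a symlink on any OS, and for a junction or other reparse point on Windows."""
    st = os.lstat(path)  # lstat: inspect the link itself, never what it points at
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute field exists on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def find_reparse_points(root):
    """Walk root without following links; return sorted (path, target) for every reparse point."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                if not is_reparse_point(full):
                    continue
                try:
                    target = os.readlink(full)
                except OSError:
                    target = "<target unreadable>"  # e.g. a junction type readlink cannot decode
            except OSError:
                continue  # entry vanished or access denied while scanning: skip it
            hits.append((full, target))
    return sorted(hits)

def demo():
    """Scan a throwaway tree holding one constructed symlink; returns what the scan found."""
    root = tempfile.mkdtemp(prefix="reparse-demo-")
    try:
        real = os.path.join(root, "real")
        os.mkdir(real)
        with open(os.path.join(real, "file.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        os.symlink(real, os.path.join(root, "shadow"))  # the link the walk must report
        return find_reparse_points(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for path, target in demo():
        print(f"{path} -> {target}")
```

Because `os.walk` is called with `followlinks=False`, a link that points back up the tree cannot send the scan into a loop, and the linked directory's contents are reported once, under their real path.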

#3 SifuMike (malware expert)



Posted 06 January 2010 - 05:26 PM

This thread will now be closed due to lack of feedback.
