Still have rootkit?


This topic is locked
30 replies to this topic

#1 BitHammer

Posted 09 January 2010 - 12:14 AM

This is my neighbor's PC. When I got hold of it, it could not log into any of the four user profiles. After some hunting, I found that wsaupdater had been removed without changing the registry entry back so that the proper executable would be run. I changed it back using the remote registry tool in the UBCD. I've since run scans with malwarebytes and combofix. Combofix reports rootkit activity and reboots before scanning. GMER blows up. (GPF or similar error message.) When I ran rootrepeal, it complained about an invalid PE object, but then it continued to run. I've included the logs as requested in the Getting Started page.

Thank you very much for any assistance you can give.

Attached Files




#2 myrti, Malware Study Hall Admin

Posted 15 January 2010 - 05:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 BitHammer, Topic Starter

Posted 16 January 2010 - 08:03 PM

Thank you very much for your response. The computer is not showing any outward signs of infection, but Combofix still says Rootkit activity. Could Daemon Tools have this effect? Also, I tried an older version of GMER (1.14), and that ran successfully. I'll paste it below, since it's rather short.


I've attached the requested OTL logs. I've run a few other scans and stuff before I got your reply (As a fellow IT professional, I understand overwhelmed!)

I think it might be clean, or at least as clean as I can be sure of with rootkits. I'd just like to be as sure as possible.

Thanks again for all your help.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2010-01-12 00:29:17
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT d346bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF76294FC]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7634E00]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 873794F8

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

---- Modules - GMER 1.0.14 ----

Module _________ F75B1000-F75C9000 (98304 bytes)

---- EOF - GMER 1.0.14 ----

Attached Files



#4 myrti

Posted 16 January 2010 - 08:13 PM

Hi,

that is one heck of an old gmer-version. Could you please try to run gmer in safe mode?

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

If you still have the combofix log, I would like to see it though.

I see you ran MGTools, have you asked for help at their forum as well? If so please decide where you wish to get help.

regards myrti



#5 BitHammer, Topic Starter

Posted 16 January 2010 - 09:47 PM

I've uploaded two combofix logs, both of which say MBR Rootkit. (I've run mbrfix, but don't know if it did any good.) I've also included the mgtools logs and a rootrepeal log. I've run lots of different things on this machine, mostly rootkit related. I've not asked for help anywhere else, though.

Thanks again!

Attached Files



#6 myrti

Posted 16 January 2010 - 10:02 PM

Hi,

please try running the latest gmer version in safe mode:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please also run tdsskiller:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards myrti



#7 BitHammer, Topic Starter

Posted 16 January 2010 - 10:16 PM

Sorry, I forgot to mention that I had tried GMER in safe mode the last time, and it still blows up. Still, I downloaded from your link and ran it in safe mode again, and got the same result. The scan starts, runs for about 5 seconds or so, then pops up a window that says that the instruction at 0x0045c887 referenced memory at 0x00000008, and could not read it. Then the program ends.

#8 BitHammer, Topic Starter

Posted 16 January 2010 - 10:41 PM

Sorry again - Missed the TDSSKiller part on the first read. Here's the log.

Attached Files



#9 myrti

Posted 16 January 2010 - 10:56 PM

Hi,

since gmer will not run please run mbr for me:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti



#10 BitHammer, Topic Starter

Posted 17 January 2010 - 12:58 AM

Here is the mbr log.

Thanks!

Attached Files

  • Attached File  mbr.log   453 bytes   10 downloads


#11 myrti

Posted 17 January 2010 - 07:48 AM

Hi,

I forgot to ask you to disable your cd-emulation first.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Please run a new scan with mbr after that.

Please post the logs into your replies, instead of attaching them.

regards myrti



#12 BitHammer, Topic Starter

Posted 17 January 2010 - 11:22 AM

Defogger log:

defogger_disable by jpshortstuff (28.11.09.2)
Log created at 10:11 on 17/01/2010 (MAMA)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read atapi.sys
d346prt -> Disabled (Service running -> reboot required)


-=E.O.F=-

It did reboot, then I ran mbr:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x871C3248]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x871c3248
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !


Thanks for your dedication!
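The two logs above show the same check from two tools: GMER resolved its SSDT hook addresses to a driver image (d346bus.sys), while mbr.exe could not resolve the \Driver\atapi dispatch address to any loaded image and printed >>UNKNOWN<<. The script below is an added example for this thread, not code from GMER, mbr.exe or the poster, and it reproduces that labelling step: parse GMER-style "Module" lines into address ranges and classify each hook address as a named module, an unnamed module, or UNKNOWN. The unnamed module range and all four hook addresses are copied from the posted logs; the d346bus.sys image range is an assumed value, because the GMER log gives that driver's handler addresses but not its base and size.

```python
"""Resolve kernel addresses against a loaded-module map, the way GMER and
mbr.exe label a hook as belonging to a driver or as UNKNOWN.

Added example for this thread; not code from GMER, mbr.exe or the poster.
Module and hook addresses are copied from the logs posted above, except the
d346bus.sys range, which is an ASSUMED value for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    end: int  # exclusive

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end


# Constructed module map in GMER's "Module" line format.
# Line 1 is verbatim from the posted GMER 1.0.14 log: an image whose name
# GMER could not read.  Line 2 is the ASSUMED range for d346bus.sys.
GMER_MODULES_LOG = """\
Module _________ F75B1000-F75C9000 (98304 bytes)
Module d346bus.sys F7620000-F7640000 (131072 bytes)
"""

# Addresses copied from the thread: the two SSDT hooks GMER attributed to
# d346bus.sys, and the \Driver\atapi dispatch address that mbr.exe flagged
# before and after fixmbr.
HOOKS = {
    "SSDT ZwEnumerateKey": 0xF76294FC,
    "SSDT ZwEnumerateValueKey": 0xF7634E00,
    "\\Driver\\atapi (before fixmbr)": 0x871C3248,
    "\\Driver\\atapi (after fixmbr)": 0x871A5008,
}

MODULE_RE = re.compile(r"^Module\s+(\S+)\s+([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8})")


def parse_modules(log: str) -> list[Module]:
    """Extract (name, base, end) from GMER-style 'Module' lines."""
    mods = []
    for line in log.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods.append(Module(m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return mods


def classify(addr: int, modules: list[Module]) -> str:
    """Return the owning module name, 'UNNAMED MODULE' for an image GMER could
    not name, or 'UNKNOWN' when no loaded image covers the address.  On 32-bit
    XP an 0x8xxxxxxx address that no image covers is typically kernel pool,
    i.e. code that did not come from a mapped driver file."""
    for mod in modules:
        if mod.contains(addr):
            return "UNNAMED MODULE" if set(mod.name) == {"_"} else mod.name
    return "UNKNOWN"


def report(hooks=HOOKS, log=GMER_MODULES_LOG) -> dict[str, str]:
    """Classify every hook address against the module map."""
    mods = parse_modules(log)
    return {label: classify(addr, mods) for label, addr in hooks.items()}


if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:36s} -> {verdict}")
```

Two things a practitioner would take from running it: the SSDT hooks resolve to a driver that the DeFogger log later ties to CD emulation (d346prt), which is the benign explanation BitHammer suspected, whereas both atapi dispatch addresses fall outside every image and stay UNKNOWN across the fixmbr attempt. An unnamed module ("_________") is itself worth a second look, since GMER could not read a name for a mapped image.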

#13 myrti

Posted 17 January 2010 - 12:27 PM

Hi,

the signs are pointing to a MBR-infection therefore please do the following steps:

We need to restore a backup Combofix made:
  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    fixmbr

  6. At the next prompt, type the following bolded text, and before beginning a new line press Enter:

    exit
Windows will now begin loading.

Please let me know if the reboot goes fine and rerun mbr once more and post the log here.

regards myrti



#14 BitHammer, Topic Starter

Posted 17 January 2010 - 03:05 PM

Rebooted into recovery console. Ran fixmbr, which cautioned:
Caution
This computer appears to have a non-standard or invalid master boot record.
FIXMBR may damage your partition tables if you proceed.
This could cause all partitions on the current hard disk to become inaccessible.
If you are not having problems accessing your drive, do not continue.

I continued.

Then I exited, and it rebooted just fine.

Here is the result of the subsequent mbr - it appears to still be infected.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x871A5008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x871a5008
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
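The post above shows two things worth separating: fixmbr warned about a "non-standard or invalid master boot record", and after it ran, mbr.exe still reported the same kind of hook on \Driver\atapi. The script below is an added example for this thread, not code from Microsoft, GMER or the poster. It parses a 512-byte MBR, runs the partition-table sanity checks one would want before accepting that warning, and models what a fixmbr-style rewrite touches (bytes 0 to 445) and what it leaves alone (the 64-byte partition table and the 0x55AA signature). The sector is constructed in memory: the "tampered" boot code is a jump-to-self stub rather than real malware bytes, and the "clean" boot code is a seven-byte stand-in rather than Microsoft's actual MBR code.

```python
"""Parse a 512-byte MBR, sanity-check its partition table, and show what a
fixmbr-style rewrite touches.

Added example for this thread; not code from Microsoft, GMER or the poster.
The sector is CONSTRUCTED: TAMPERED_BOOTCODE is a jmp-to-self stub, not real
malware, and CLEAN_BOOTCODE is a stand-in, not Microsoft's MBR code.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446       # fixmbr rewrites only this region
PT_OFFSET = 446          # four 16-byte partition entries follow
PT_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIG_OFFSET = 510         # 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[SIG_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PT_ENTRY, sector, PT_OFFSET + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts}


def partition_table_problems(parts: list) -> list:
    """Checks to run before accepting fixmbr's 'non-standard or invalid MBR'
    warning: fixmbr keeps the table, so a table that is already broken stays
    broken, and the warning is about the disk rather than the fix."""
    problems = []
    if sum(p["bootable"] for p in parts) > 1:
        problems.append("more than one active partition")
    for p in parts:
        if p["lba"] == 0 or p["sectors"] == 0:
            problems.append(f"partition {p['index']} has zero start or length")
    spans = sorted((p["lba"], p["lba"] + p["sectors"]) for p in parts)
    for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append("overlapping partitions")
    return problems


def fixmbr(sector: bytes, clean_bootcode: bytes) -> bytes:
    """Model of fixmbr: replace bytes 0..445, keep the table and signature."""
    if len(clean_bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    return clean_bootcode.ljust(BOOTCODE_LEN, b"\x00") + sector[PT_OFFSET:]


def build_mbr(bootcode: bytes, partitions: list) -> bytes:
    """Constructed sector; partitions = [(status, type, lba, count), ...]."""
    sec = bytearray(SECTOR)
    sec[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PT_ENTRY, sec, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sec)


TAMPERED_BOOTCODE = b"\xeb\xfe" + b"\x90" * 64    # jmp $ stub; constructed stand-in
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"  # xor ax,ax / mov ss,ax / mov sp,7C00h; stand-in
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 20_000_000),          # active NTFS
                     (0x00, 0x07, 20_000_063, 5_000_000)]   # second NTFS


def demo() -> dict:
    """Tampered sector in, fixmbr applied, before/after compared."""
    before = build_mbr(TAMPERED_BOOTCODE, SAMPLE_PARTITIONS)
    after = fixmbr(before, CLEAN_BOOTCODE)
    return {
        "problems_before": partition_table_problems(parse_mbr(before)["partitions"]),
        "bootcode_changed": parse_mbr(before)["bootcode_sha256"] != parse_mbr(after)["bootcode_sha256"],
        "table_preserved": before[PT_OFFSET:] == after[PT_OFFSET:],
        "partitions_after": parse_mbr(after)["partitions"],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

On a live machine the sector comes from opening \\.\PhysicalDrive0 for reading as an administrator, but a user-mode read is exactly what a kernel-resident hook can lie about, which is why mbr.exe reads the MBR from both user and kernel mode and compares them ("user & kernel MBR OK" in the log above) before it looks at the driver dispatch chain. The model also makes the failure mode in this post concrete: fixmbr changes only the first 446 bytes on disk, so a hook that mbr.exe finds in the running atapi driver stack is outside what fixmbr can reach, and seeing the same warning after the fix is expected rather than proof that fixmbr did nothing.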

#15 myrti

Posted 17 January 2010 - 03:12 PM

Hi,

if you do not want to go through with the fixmbr command, please try running the following command instead:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -f >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti





