Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit/Hijacker of unknown type or origin (Vundo?)


  • This topic is locked This topic is locked
3 replies to this topic

#1 stillBeingWatched

stillBeingWatched

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 03 August 2010 - 04:30 AM

I noticed my system running unusually slowly while installing a few new Firefox add-ons. The browser itself was working fine, but whenever I would open a menu to change any kind of settings on Firefox or an extension it would stop responding for a minute and the screen would flash as if it was going to ask for a permission, then the menu window would take forever to close even if I didn't change anything. I thought I had just installed something that used more memory than I expected so I switched to IE (which I almost never use but FF was taking too long) and looked at the task manager as well to see which extension I needed to uninstall, and noticed that random system services as well as Firefox (which I had shut down several minutes before) were using more than half the memory on what should have been an idle system. I started looking through event logs and found that a bunch of unknown user id's had managed to log in remotely. I know very little about programming and was still able to follow it around as it made registry changes and inserted weird instructions (in more-or-less plain English) into executables in the directory. It was as if there was another person doing it in real time, but I had the (windows) firewall locked down and my wireless adapter switched off manually, so there's no way I can think of where that's possible. We had a duel over file and directory permissions for a while as I was able to regain ownership of some directories and kick it out of a few before it found another way around this clueless amateur (didn't delete or write on any files or registries I promise). I didn't have a chance to notice the weird popups (on both Norton and IE) until after I had already discovered the threat. Eventually I lost access to every file and application and had to wipe and reinstall.

But it looks like I screwed up and didn't completely wipe the drive. The first thing I had to do after reinstall of course was use IE to download Norton, and those two programs are this thing's puppets. I couldn't even get into my ISP-hosted email because it would redirect to a blank page every time I tried to submit my password. Finally managed to get Opera downloaded and thus Norton up again, but the latter was already refusing to help me by the time I got it configured too. Any files that I lost are already gone, so I thought one of you nice people might have some fun with this one running around a relatively clean machine. Thanks!

DDS log=


DDS (Ver_10-03-17.01) - NTFSx86
Run by StinkinCoyote at 0:46:21.71 on Tue 08/03/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1918.1388 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\StinkinCoyote\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.0.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.0.0.127\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.0.0.127\coIEPlg.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: comcast.net\login
Trusted Zone: comcast.net\redir
Trusted Zone: comcast.net\security

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0400000.07f\SymDS.sys [2010-8-2 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0400000.07f\SymEFA.sys [2010-8-2 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20091205.001\BHDrvx86.sys [2010-8-2 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys [2010-8-2 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20091105.001\IDSVix86.sys [2010-8-2 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0400000.07f\Ironx86.sys [2010-8-2 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0400000.07f\symtdiv.sys [2010-8-2 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.0.0.127\ccSvcHst.exe [2010-8-2 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-2 102448]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-08-03 05:22:58 0 ----a-w- c:\users\stinkincoyote\defogger_reenable
2010-08-03 04:42:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-03 04:42:01 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-03 04:42:00 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-03 04:42:00 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-03 04:42:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-03 04:42:00 0 d-----w- c:\program files\Symantec
2010-08-03 04:42:00 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-03 04:41:39 0 d-----w- c:\windows\system32\drivers\N360
2010-08-03 04:41:38 0 d-----w- c:\program files\Norton Security Suite
2010-08-03 04:41:22 0 d-----w- c:\programdata\NortonInstaller
2010-08-03 04:41:22 0 d-----w- c:\program files\NortonInstaller
2010-08-03 04:35:27 0 d-----w- c:\programdata\Norton
2010-08-03 04:29:58 0 d-sh--w- c:\windows\Installer
2010-08-03 01:31:12 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-08-03 01:31:01 132608 ----a-w- c:\windows\system32\cabview.dll
2010-08-03 00:42:59 0 d-----w- c:\windows\Panther
2010-08-03 00:33:48 0 d-----w- C:\Windows.old
2010-08-03 00:31:10 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-08-03 00:30:59 0 d-----w- c:\windows\system32\wbem\Performance

==================== Find3M ====================

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 0:46:56.32 ===============

I didn't mention that I partitioned the drive and formatted the vacated part in order to install Linux while I wait for a reply. After trying in vain for several hours to get the new OS to cofigure my network devices for interface I discovered that the infection had been busy not only in the MSW partitions but had bridged all of them and one of the "empty" ones had over 4gb moved into it. I found comms hidden in the middle of program files that looked like the program or its operator reporting progress to someone else saying "volume 5 is free, volume 5 is unprotected, volume 5 is hidden, volume 5 is password protected" etc. So it set up its own little (78g) forbidden city to operate from and wasn't even slowed down by the different OS languages or file system formats.
So anyway, I'm off to find the electronic version of sodium hydroxide to soak my HHD in, but I'll be sure to let you know if it comes back.

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 04 August 2010 - 11:52 PM.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:50 AM

Posted 11 August 2010 - 12:59 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
  1. Do not run any other tool untill instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from RKUnHooker
      3. report from MBRchecker
      4.let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:50 AM

Posted 14 August 2010 - 01:34 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:50 AM

Posted 17 August 2010 - 01:33 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users