RootKit discovered

#1 dusty564

Posted 26 September 2010 - 07:18 PM

My girlfriend gave me her computer to fix because it was doing some weird things. I booted into safe mode and installed and updated the Malwarebytes software. I tried to do a scan and it got killed. A friend at work recommended it and said that it would take care of just about anything. Well, maybe I have something that is too far infected. Anyway, I found this site, read through a good bit of information and had no luck on my own. I am on the PC now, running in XP Home safe mode w/ networking. It won't let me change the screen resolution so I am stuck at 640x480, really annoying... Any help would be greatly appreciated. Thx in advance. This is what I have done:

installed and ran Malwarebytes - app was killed
installed and ran Spybot S&D - app was killed
ran rkill.com - nothing found
ran rkill.scr - nothing found
ran gmer - it performed the scan and killed with no log file. But I did see something under the Library directory??

ran spywareDLLRemovePortable - Rootkit DLL found -> A985B6D8.x86.dll
also found by spywareDLLRemovePortable -> scecli.dll - but reports no file
- I was able to find the file under \windows\system32\scecli.dll but it would not let me rename the extension - file in use. Could not find it under processes in Task Manager.

I read some about the firewall on the site, just to be on the safe side; however, it says that the WMI is corrupt and there is nothing to check or click. I would love to copy her profile to another hard drive and reload the PC; however, there are a couple of programs that she doesn't have the install disks for and I can't risk losing them. I decided to ask the professionals. Here is the listing from the DDS file requested.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 17:59:26.09 on Sun 09/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

============== Pseudo HJT Report ===============

mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {364abf8c-4086-4e16-bed5-78c96cf8063f} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - d:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - d:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [lxddmon.exe] "d:\program files\lexmark 2500 series\lxddmon.exe"
mRun: [lxddamon] "d:\program files\lexmark 2500 series\lxddamon.exe"
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Easy Dock]
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Ykijuxujabo] rundll32.exe "d:\windows\ulutobabuyutomo.dll",e
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - d:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - d:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280106821463
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli d:\windows\system32\tumegivo.dll kbdasvmf.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\q374eeog.default\
FF - plugin: d:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: d:\documents and settings\owner\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: d:\program files\google\update\\npGoogleOneClick8.dll
FF - HiddenExtension: XUL Cache: {8A7FBF5F-DF11-4F89-9D33-4A42EFFFF6CF} - d:\documents and settings\owner\local settings\application data\{8A7FBF5F-DF11-4F89-9D33-4A42EFFFF6CF}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-09-26 21:23:40 0 d-----w- d:\program files\Spybot - Search & Destroy
2010-09-26 21:23:40 0 d-----w- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-26 18:34:50 7680 --sha-w- d:\windows\Thumbs.db
2010-09-26 18:21:41 0 d-----w- d:\program files\Cobian Backup 10
2010-09-26 17:13:27 112 ----a-w- d:\documents and settings\administrator\backup.cmd
2010-09-26 16:30:50 0 d-----w- d:\program files\Magical Jelly Bean
2010-09-26 16:15:12 21504 ----a-w- d:\windows\system32\hidserv.dll
2010-09-26 12:40:01 14592 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2010-09-26 12:38:30 0 d-----w- d:\docume~1\admini~1\applic~1\Malwarebytes
2010-09-26 12:38:25 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 12:38:24 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-09-26 12:38:24 0 d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-09-26 12:38:24 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-26 12:25:17 0 d-sh--w- d:\documents and settings\administrator\PrivacIE
2010-09-26 12:25:15 0 d-sh--w- d:\documents and settings\administrator\IECompatCache
2010-09-26 12:24:06 12160 ----a-w- d:\windows\system32\drivers\mouhid.sys

==================== Find3M ====================

2010-08-19 02:18:12 1072 ----a-w- d:\windows\system32\drivers\kgpfr2.cfg
2010-08-15 04:17:03 2838 ----a-w- d:\windows\ayagapojuy.dll
2010-08-12 07:01:03 1265664 ---ha-w- D:\SZKGFS.dat
2010-07-10 01:49:11 56884 ---ha-w- d:\windows\system32\mlfcache.dat
2010-07-02 01:08:51 2716 ----a-w- d:\windows\ifozuyoc.dll
2010-07-02 00:03:36 2716 ----a-w- d:\windows\opokajom.dll
2010-07-01 22:02:39 2716 ----a-w- d:\windows\usijiqigisoh.dll
2010-07-01 19:59:19 2716 ----a-w- d:\windows\iyorabulezelagar.dll
2010-07-01 17:57:26 2716 ----a-w- d:\windows\avehetil.dll
2010-07-01 15:54:58 2716 ----a-w- d:\windows\unujoweraxiju.dll
2010-07-01 13:52:53 2716 ----a-w- d:\windows\ivorafoxosiv.dll
2010-07-01 11:50:55 2716 ----a-w- d:\windows\alotudok.dll
2010-05-24 18:31:08 5042 ----a-w- d:\program files\uninstal.log
2009-08-10 16:31:34 50176 --sha-w- d:\windows\system32\gamuduhe.dll
2009-08-09 04:25:49 38400 --sha-w- d:\windows\system32\hisoyaji.dll
2009-08-11 04:31:19 83968 --sha-w- d:\windows\system32\reraketo.dll
2009-08-09 04:26:20 50176 --sha-w- d:\windows\system32\somejuwo.dll
2009-08-09 04:25:49 85504 --sha-w- d:\windows\system32\vugivodi.dll
2009-08-08 16:25:36 84992 --sha-w- d:\windows\system32\zafufovi.dll
2009-12-19 05:56:12 16384 --sha-w- d:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-19 05:56:12 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-08-09 20:10:33 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080920080810\index.dat
2009-08-07 21:33:59 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080720090808\index.dat
2009-08-08 23:12:55 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080820090809\index.dat
2009-10-27 06:16:47 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009102720091028\index.dat
2009-12-19 05:56:12 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009121920091220\index.dat
2009-10-27 06:16:47 212992 --sha-w- d:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 17:59:45.20 ===============

thx Dusty

sorry, I forgot to add that when I rebooted into safe mode after doing the scans, I was unable to run the programs again. I noticed that it disabled or elevated the permissions on the program files. It had disabled my McAfee, Malwarebytes, and Spyware S&D shortcuts.
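As an added example (not part of the original thread or of any tool mentioned in it), here is a small Python triage script run over a few DDS lines copied from the report above and embedded as a constructed sample. It flags the entries a responder would look at first: a rundll32 Run key loading a DLL from the \windows root, extra entries in LSA Notification Packages (the stock value is just scecli), random-named DLLs sitting directly in \windows, hidden+system DLLs in system32, and several root-level DLLs sharing one byte size.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines taken from the DDS report in this thread.
SAMPLE_DDS = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [Ykijuxujabo] rundll32.exe "d:\windows\ulutobabuyutomo.dll",e
mPolicies-system: EnableLUA = 0 (0x0)
LSA: Notification Packages = scecli d:\windows\system32\tumegivo.dll kbdasvmf.dll
2010-08-15 04:17:03 2838 ----a-w- d:\windows\ayagapojuy.dll
2010-07-02 01:08:51 2716 ----a-w- d:\windows\ifozuyoc.dll
2010-07-02 00:03:36 2716 ----a-w- d:\windows\opokajom.dll
2009-08-10 16:31:34 50176 --sha-w- d:\windows\system32\gamuduhe.dll
2010-09-26 12:38:24 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
"""

# DDS file-listing line: date time size attributes path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")

def triage_dds(text):
    """Return (reason, line) pairs for DDS entries that deserve a second look."""
    findings, root_dll_sizes = [], Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith(("mrun:", "urun:")):
            # Run key that hands rundll32 a DLL living directly under \windows.
            if "rundll32" in low and re.search(r'\\windows\\[^\\"]+\.dll', low):
                findings.append(("rundll32 loads DLL from \\windows root", line))
        elif low.startswith("lsa: notification packages"):
            # Default value is only "scecli"; anything else loads into LSASS at boot.
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                findings.append(("non-default LSA notification package(s): " + ", ".join(extra), line))
        else:
            m = FILE_RE.match(line)
            if not m:
                continue
            size, attrs, path = int(m.group(3)), m.group(4), m.group(5).lower()
            if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", path):
                findings.append(("DLL directly in \\windows root", line))
                root_dll_sizes[size] += 1
            if "s" in attrs and "h" in attrs and path.endswith(".dll"):
                findings.append(("hidden+system DLL", line))
    # Several root-level DLLs of identical size point to one dropper writing them.
    for size, n in root_dll_sizes.items():
        if n >= 2:
            findings.append((f"{n} root-level DLLs share size {size}", ""))
    return findings

if __name__ == "__main__":
    for reason, line in triage_dds(SAMPLE_DDS):
        print(f"{reason}: {line}")
```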


#2 dusty564

Posted 28 September 2010 - 08:35 AM

Ok, so, here is what I was able to do to eradicate this issue. Since the rootkit was killing every program that I downloaded and installed, not to mention whacking the shortcut after that first initial run, I had to find something that didn't install or that could scan from the internet. I found a site that listed internet rootkit scans. Well, this is the site http://www.techsupportalert.com/best-free-...ner-remover.htm .. I tried the Sophos Anti-Rootkit. It downloaded the file, I ran it and it tried to install something to the HDD, so I figured it would get whacked just like the other; however, it ran completely through and removed a lot of stuff. Had an error with Memsweep.sys. I searched on that issue - reboot and keep fingers crossed. Booted back to safe mode, ran the Sophos again, still the memsweep.sys error - found something that said reboot to normal Windows. I did this and it was able to finish the clean up.

I then re-installed Malwarebytes for the 4th time, under a different subdir, because the rootkit kept disabling them. It ran a full scan and found close to 400 issues. I removed all of those and rebooted. Used CCleaner to go through the registry and delete unnecessary files, put a new antivirus prg on it and then tried to do a Windows update. The update site says that there are some file versions that will need to be copied from the XP Home CD. After I do the updates, she should be as close to new as you can get.

Although I didn't get anyone to attempt assistance, hopefully my information will help someone else. This was a nasty bug; it is my determination that got me through it. Of course I made a backup of all the files and photos, so if I really screwed it up, no harm done because she couldn't use it anyway.


#3 Budapest

Moderator

Posted 28 September 2010 - 04:06 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
