[Win7] Win32:Qandr [Rtk] RootKit.Agent.


22 replies to this topic

#1 TheEgaL

TheEgaL

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:23 AM

Posted 07 December 2010 - 08:24 AM

Hey,

my computer is infected by a rootkit and I don't know how to remove it. Malwarebytes and Avast are reporting the rootkit but they seem to be unable to deal with it. Their logfiles are not really interesting. (As in they only show the location which the GMER log does as well C:\Windows\System32\Drivers\gwebmwit.sys )

I followed the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" step by step.

DDS took quite long (certainly more than the 3 minutes). I was not patient enough so I left it running the night through but to no avail. The computer crashes. Can you either help me to get to run it or suggest a different program with the same functionality?

GMER ran without problems. The log file is attached as described in the Preparation Guide

I wonder why it still lists Daemon-Tools even though I uninstalled it. Also, while it was scanning I sat in front of the computer and saw it checking files in the location C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active. In this location there are 45k files (215MB). I wonder why, since I do not use Microsoft Internet Explorer. Is it safe to delete these files?

Thanks in advance for your answer, I hope you can help.

Best regards
Jens

Update:

All of a sudden my Computer would not start anymore. It would only boot to the startup repair screen, which told me it cannot fix the problem.

In the details it told me that the file gwebmwit.sys is corrupted and it cannot be repaired. I know it is the rootkit that I want to remove. After trying to restore the file from a backup (infected backups -_-) it still did not work. Then I deleted it and the system booted as normal.

I do not understand at all why it works now. I restored the file again from a backup and sent it to VirusTotal:

Report is here:

File name:
gwebmwit.sys
Submission date:
2010-12-09 15:02:12 (UTC)
Current status:
finished
Result:
40/ 43 (93.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.12.09.00 2010.12.08 Win-Trojan/Bubnix.876528
AntiVir 7.10.14.240 2010.12.09 TR/Rootkit.Gen
Antiy-AVL 2.0.3.7 2010.12.09 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2010.12.09 -
Avast5 5.0.677.0 2010.12.09 -
AVG 9.0.0.851 2010.12.09 Hider.BSX
BitDefender 7.2 2010.12.09 Trojan.Generic.4873673
CAT-QuickHeal 11.00 2010.12.09 Rootkit.Agent.bert
ClamAV 0.96.4.0 2010.12.09 Trojan.Rootkit-2664
Command 5.2.11.5 2010.12.09 W32/Rootkit.F.gen!Eldorado
Comodo 7000 2010.12.09 TrojWare.Win32.Rootkit.Agent.bert
DrWeb 5.0.2.03300 2010.12.09 Trojan.NtRootKit.6929
Emsisoft 5.1.0.1 2010.12.09 Virus.Win32.Qandr!IK
eSafe 7.0.17.0 2010.12.09 Win32.TRRootkit
eTrust-Vet 36.1.8029 2010.12.09 Win32/Bubnix.F
F-Prot 4.6.2.117 2010.12.08 W32/Rootkit.F.gen!Eldorado
F-Secure 9.0.16160.0 2010.12.09 Trojan.Generic.4873673
Fortinet 4.2.254.0 2010.12.09 W32/SysPk.A!tr.rkit
GData 21 2010.12.09 Trojan.Generic.4873673
Ikarus T3.1.1.90.0 2010.12.09 Virus.Win32.Qandr
Jiangmin 13.0.900 2010.12.09 Rootkit.Agent.hgh
K7AntiVirus 9.71.3191 2010.12.08 RootKit
Kaspersky 7.0.0.125 2010.12.09 Rootkit.Win32.Agent.bert
McAfee 5.400.0.1158 2010.12.09 Generic Rootkit.ej
McAfee-GW-Edition 2010.1C 2010.12.09 Generic.dx!prm
Microsoft 1.6402 2010.12.09 Trojan:WinNT/Bubnix.L
NOD32 5688 2010.12.09 Win32/Bubnix.AO
Norman 6.06.12 2010.12.09 Rootkit.BUWH
nProtect 2010-12-09.01 2010.12.09 Trojan/W32.Agent.823808.G
Panda 10.0.2.7 2010.12.08 Rootkit/Agent.NMS
PCTools 7.0.3.5 2010.12.09 Hacktool.Rootkit
Prevx 3.0 2010.12.09 -
Rising 22.77.03.05 2010.12.09 Trojan.Win32.Generic.51FD4740
Sophos 4.60.0 2010.12.09 Troj/Agent-MWC
SUPERAntiSpyware 4.40.0.1006 2010.12.09 Trojan.RootKit/Gen
Symantec 20101.3.0.103 2010.12.09 Hacktool.Rootkit
TheHacker 6.7.0.1.097 2010.12.09 Trojan/Agent.bert
TrendMicro 9.120.0.1004 2010.12.09 RTKT_AGENT.AUYL
TrendMicro-HouseCall 9.120.0.1004 2010.12.09 RTKT_AGENT.AUYL
VBA32 3.12.14.2 2010.12.09 Rootkit.Win32.Agent.bert
VIPRE 7574 2010.12.09 Trojan.Win32.Generic!BT
ViRobot 2010.12.9.4193 2010.12.09 Spyware.Agent.RootKit.823808
VirusBuster 13.6.82.0 2010.12.08 Rootkit.Agent!OnukoXOcC0E
Additional information
MD5 : 80c6af4f948d4168fc90da1a6f4b6924
SHA1 : 5c44387aa00c41383ee5d58772934538119a8f74
SHA256: 5c08336b69395934babfeb02773c2142fe599a733ecfc510703c72d8e44175ef
ssdeep: 24576:87sbyQYn/KnnSTCkXoKogkeU+0jsbwo25RR:RncCeondZgbwR
File size : 823808 bytes
First seen: 2010-03-24 11:20:58
Last seen : 2010-12-09 15:02:12
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x704E0
timedatestamp....: 0x4BA99499 (Wed Mar 24 04:27:05 2010)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x33D6, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.rdata, 0x5000, 0x3F4, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.data, 0x6000, 0x3E8, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
INIT, 0x7000, 0x736, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.pak0, 0x8000, 0x3F8, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.pak1, 0x9000, 0x63880, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.pak2, 0x6D000, 0x6D6B5, 0x6D800, 7.98, 5300be496c8b50a2480d53766f90ae61
.reloc, 0xDB000, 0x5B4A0, 0x5B600, 8.00, e86e1db2567ef8403f0b69c8783993ef

[[ 3 import(s) ]]
ntoskrnl.exe: KeSetEvent, KeReleaseMutex, KeWaitForSingleObject, KeInitializeEvent, KeClearEvent, KeInitializeMutex, ZwClose, ZwLoadDriver, ZwSetValueKey, ZwCreateKey, RtlInitUnicodeString, swprintf, ZwDeleteValueKey, ZwQueryValueKey, ZwOpenKey, wcschr, IofCompleteRequest, ProbeForWrite, ProbeForRead, _except_handler3, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, PsSetCreateProcessNotifyRoutine, wcstombs, ObfReferenceObject, ObfDereferenceObject, IoRegisterBootDriverReinitialization, IoRegisterShutdownNotification, ObReferenceObjectByHandle, ZwOpenFile, IoCreateFile, ZwReadFile, ZwQueryInformationFile, PsTerminateSystemThread, ZwSetInformationFile, ExAllocatePoolWithTag, ExFreePoolWithTag, PsCreateSystemThread, KeDelayExecutionThread, _allmul, PsGetVersion, MmGetSystemRoutineAddress, IoGetRelatedDeviceObject, _wcsnicmp, MmSystemRangeStart, MmIsAddressValid, IoGetInitialStack, ObOpenObjectByName, ZwQuerySystemInformation, ZwAllocateVirtualMemory, ZwFreeVirtualMemory, KeInsertQueueApc, KeInitializeApc, PsIsThreadTerminating, IoIsSystemThread, PsLookupThreadByThreadId, MmUserProbeAddress, ZwQueryInformationProcess, KeUnstackDetachProcess, KeStackAttachProcess, PsLookupProcessByProcessId, RtlFreeUnicodeString, RtlStringFromGUID, ZwCreateEvent, ZwOpenEvent, ExAllocatePool, KeQueryInterruptTime, ZwWriteFile, KeGetCurrentThread
HAL.dll: KeGetCurrentIrql
ntoskrnl.exe: IoAllocateMdl, MmProbeAndLockPages, MmMapLockedPagesSpecifyCache, MmUnlockPages, IoFreeMdl, ExAllocatePool, ExFreePool, NtQuerySystemInformation
ThreatExpert:
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=80c6af4f948d4168fc90da1a6f4b6924

EDIT: Posts merged ~BP

Attached Files

  • ark.txt (10.05KB)

Edited by Budapest, 09 December 2010 - 04:02 PM.
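The PEInfo block in the report above is what tells an analyst, before any dynamic analysis, that this driver is packed (sections with a virtual size but zero raw data, and two sections at entropy close to 8.0) and what it is built to do (the ntoskrnl imports for queueing APCs into user processes, a process-creation callback, and writing its own service key). The following script is an added example and is not part of the original post or of any tool mentioned in the thread. It reads a PE section table with the standard library only, computes per-section Shannon entropy, and checks an import list against a few API groups. The PE it analyses is constructed in memory to mirror the shape of the report (it is not gwebmwit.sys), the `TECHNIQUES` groupings are this example's own heuristic rather than a vendor signature, and `REPORTED_IMPORTS` is a subset copied from the ntoskrnl.exe import list above.

```python
"""Read a PE section table the way the PEInfo block above is read by hand: per-section
entropy, sections with virtual size but no raw data, and kernel API groups. Stdlib only."""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers (40 bytes each)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    off = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_rest, flags = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 2), "flags": flags})
        off += 40
    return sections


def section_findings(sections: list[dict]) -> list[str]:
    """Flag sections that exist only in memory and sections indistinguishable from random bytes."""
    out = []
    for s in sections:
        if s["vsize"] and not s["rawsize"]:
            out.append(f"{s['name']}: virtual size {s['vsize']:#x} but no raw data (filled at load time)")
        if s["entropy"] >= 7.0:
            out.append(f"{s['name']}: entropy {s['entropy']} (packed or encrypted payload)")
    return out


# Kernel API groups whose co-occurrence points at a technique.  These groupings are
# this example's heuristic (assumption), not a vendor signature.
TECHNIQUES = {
    "queueing a user-mode APC from the kernel": {
        "PsLookupProcessByProcessId", "KeStackAttachProcess",
        "ZwAllocateVirtualMemory", "KeInitializeApc", "KeInsertQueueApc"},
    "process-creation callback": {"PsSetCreateProcessNotifyRoutine"},
    "writing its own service key / reloading at boot": {
        "ZwCreateKey", "ZwSetValueKey", "ZwLoadDriver", "IoRegisterBootDriverReinitialization"},
}


def import_findings(imports: list[str]) -> dict[str, list[str]]:
    """Return each technique whose whole API group appears in the import list."""
    present = set(imports)
    return {t: sorted(apis) for t, apis in TECHNIQUES.items() if apis <= present}


# Subset of the ntoskrnl.exe imports listed in the VirusTotal report above.
REPORTED_IMPORTS = [
    "ZwLoadDriver", "ZwSetValueKey", "ZwCreateKey", "PsSetCreateProcessNotifyRoutine",
    "IoRegisterBootDriverReinitialization", "ZwAllocateVirtualMemory", "KeInsertQueueApc",
    "KeInitializeApc", "PsLookupProcessByProcessId", "KeStackAttachProcess",
    "MmIsAddressValid", "ZwQuerySystemInformation", "ExAllocatePoolWithTag",
]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the real driver) whose section table has the
    report's shape: .text with no raw data, .rdata of zeros, .pak2 of pseudo-random bytes."""
    rng = random.Random(2010)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    rdata = b"\0" * 512
    nsec, opt_size = 3, 0xE0  # PE32 optional header size; its contents are unused here
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * nsec
    rdata_off = (hdr_end + 0x1FF) & ~0x1FF  # 0x200 file alignment
    packed_off = rdata_off + len(rdata)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0x4BA99499, 0, 0, opt_size, 0x0102)

    def sec(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    table = (sec(b".text", 0x33D6, 0x1000, 0, 0, 0x60000020)
             + sec(b".rdata", len(rdata), 0x5000, len(rdata), rdata_off, 0x40000040)
             + sec(b".pak2", len(packed), 0x6000, len(packed), packed_off, 0xE0000040))
    img = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return img + b"\0" * (rdata_off - len(img)) + rdata + packed


if __name__ == "__main__":
    for line in section_findings(parse_sections(build_sample_pe())):
        print("section:", line)
    for tech, apis in import_findings(REPORTED_IMPORTS).items():
        print(f"imports suggest {tech}: {', '.join(apis)}")
```

Point `parse_sections` at the bytes of a real driver to get the same table VirusTotal printed; the entropy threshold of 7.0 is a rule of thumb, and a section with a large virtual size but zero raw size is expected for `.bss`-style data but not for a section named `.text`.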



#2 sjpritch25

sjpritch25

  • Security Colleague
  • 899 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:05:23 AM

Posted 14 December 2010 - 10:38 PM

Welcome to BC :)

Disable Drivers
Please download Defogger by jpshortstuff. Save it to your Desktop.
  • Double-Click Defogger.exe to run the tool. The application windows will appear.
    Vista –W7 users: Right-click on Defogger.exe and choose “Run as Administrator”. If UAC prompted, allow it.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to Continue. A ”Finished” message will appear. Click Ok.
  • Click Ok when DeFogger asks to reboot the machine.
Do not re-enable these drivers until otherwise instructed.
Important!!! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your Desktop…


========================================

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Microsoft MVP Consumer Security--2007-2010

#3 TheEgaL

  • Topic Starter

Posted 15 December 2010 - 09:17 AM

Hello sjpritch25, thanks for your reply.

I ran Defogger without problems but ComboFix will not scan my computer.

It gets stuck at:

"Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan time for badly infected machines may easily double"

I tried to start as Admin, in Safe Mode etc. Maybe I am not patient enough but as far as I know it should print out messages like: Completed Stage_1 etc.
and so far it did not show these messages after 10 minutes.

Should I try again and wait longer?

Best regards EgaL

PS: ComboFix changed neither the clock nor the internet access settings, as far as I could tell.

Edited by TheEgaL, 15 December 2010 - 09:24 AM.


#4 sjpritch25


Posted 15 December 2010 - 08:13 PM

Yes it depends on the system. Boot into Safe Mode Administrator and let it run. Let me know if it takes longer than 30 minutes to run.

Make sure it's Safe Mode with Networking.

#5 TheEgaL

  • Topic Starter

Posted 16 December 2010 - 10:59 AM

Hey,
I enabled the Administrator Account, restarted in to Safe Mode with Networking and downloaded ComboFix.

When I started ComboFix it gave me the warning about active spyware tools. I started avast and deactivated it, but that did not change much according to ComboFix.

So I rebooted into normal Windows mode and uninstalled avast. That did not change anything either. So I checked for a way to remove all traces of avast, found it and removed all traces.

After I rebooted into Safe Mode with Networking, ComboFix stopped showing the message about active realtime scanners. But it got stuck at the same message mentioned earlier.

"Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan time for badly infected machines may easily double"

I waited for half an hour (no changes) and then rebooted.

Should I reinstall avast? At the moment I have no AV protection at all.

Best regards, Jens

#6 sjpritch25


Posted 16 December 2010 - 11:20 AM

Let me check with the developer of ComboFix.

#7 sjpritch25


Posted 16 December 2010 - 04:44 PM

Please run ComboFix again and let me know what comboFix press is not responding.

cfxxe process

Let me know.

#8 TheEgaL

  • Topic Starter

Posted 17 December 2010 - 07:40 AM

Hey,

I do not understand.

"what comboFix press is not responding"

and

"cfxxe process"

I run it and then I look in the Task Manager?

Please explain what exactly I should do.

Thanks!
Jens

#9 sjpritch25


Posted 17 December 2010 - 03:56 PM

When you open Task Manager, under the Processes tab look for processes like cfxx.exe and let me know if it's taking a lot of CPU.


#10 TheEgaL

  • Topic Starter

Posted 21 December 2010 - 06:19 AM

Okay I checked the Task Manager while executing ComboFix.

It gets stuck at rmbr.cfxxe; the CPU usage in both of the cfxxe processes is 0.

It does not progress. rmbr sounds to me as if it is checking the master boot record and cannot progress there.


Edit:
I entered my problem in google and arrived in this post: http://www.bleepingcomputer.com/forums/topic361823.html

He seems to have had a similar problem. I am tempted to try the steps outlined in that post. But I will not.

Edited by TheEgaL, 21 December 2010 - 07:07 AM.


#11 sjpritch25


Posted 21 December 2010 - 04:42 PM

Okay, let me let the developer know and I will post back as soon as I hear back.

#12 TheEgaL

  • Topic Starter

Posted 22 December 2010 - 05:50 AM

Since it seems to be a recurring problem, it would maybe make sense to run ComboFix in debug mode (if such a thing exists) and see exactly at which position rmbr.cfxxe stops.

Is there a debug mode for combofix? I'll google.

Edit: Okay I understand from my search that all ComboFix commands are confidential and undisclosed to the public.

Edited by TheEgaL, 22 December 2010 - 06:15 AM.


#13 sjpritch25


Posted 22 December 2010 - 08:23 PM

Go ahead and run ComboFix again and, if it still hangs at that process, select the process and click on End Process. Let me know if it runs afterwards.

#14 TheEgaL

  • Topic Starter

Posted 23 December 2010 - 12:37 AM

The computer crashes when I try to end the process. I have to reset.

Edit: Thanks for the help so far! I will be back in the New Year enjoy your holidays.

Edited by TheEgaL, 23 December 2010 - 11:39 AM.


#15 sjpritch25


Posted 27 December 2010 - 06:17 PM

Okay, until I hear back from another developer, let's try another tool.

  • Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, ensure Cure is selected (it should be by default)
  • Click Continue then click Reboot now
  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
