Rootkit Activity since January


  • This topic is locked
5 replies to this topic

#1 Zen Seeker

Zen Seeker

  • Members
  • 695 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:20 PM

Posted 13 May 2011 - 06:15 AM

Hello, please find attached a link to my issue and let me know what steps you would like me to apply as soon as possible.

"http://www.bleepingcomputer.com/forums/topic396300.html/page__p__2239766__fromsearch__1#entry2239766"

TIA!

Update: BCWipe using DoD 7 pass seems to have removed the RAW partition hex values with random data. I was then able to open a hex editor and remove the random data and replace it with "00". A return to fdisk confirms that all but the final "55 AA" have been removed. (Not sure if this is because the new Linux image that BCWipe uses is clean(er) or because the DaRT disk only has two limited wipe features.)

The ATA Erase was blocked by the BIOS, but this is not a use option when I went to remove it. A check of the log shows it was an ioctrl issue.

Edited by memine, 13 May 2011 - 06:49 AM.
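The wipe-and-inspect procedure in the post above (overwrite the first sector, then confirm in a hex editor that only the trailing "55 AA" remains) can be checked with a small MBR parser instead of eyeballing hex rows. The following is an added example, not code from this thread, from BCWipe, or from DaRT; the three sample sectors are constructed inline, and the offsets are the standard MBR layout: bootstrap code at 0x000-0x1B7, the 4-byte NT disk signature at 0x1B8, four 16-byte partition entries from 0x1BE, and the 0x55 0xAA boot signature at 0x1FE. One caveat worth knowing when reading such a sector after a Windows or WinPE boot: Windows writes a disk signature into 0x1B8 when it mounts a disk that has none, and in a 16-bytes-per-row hex editor that lands on the row labelled 0x1B0.

```python
import struct
from dataclasses import dataclass, field

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8      # bootstrap code occupies 0x000-0x1B7
DISK_SIG_OFFSET = 0x1B8    # 4-byte NT disk signature, 0x1BC-0x1BD reserved
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries, 0x1BE-0x1FD
BOOT_SIG_OFFSET = 0x1FE    # 0x55 0xAA


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    boot_signature_ok: bool
    boot_code_is_zero: bool
    disk_signature: int
    partitions: list
    findings: list = field(default_factory=list)


def parse_mbr(sector: bytes) -> MbrReport:
    """Parse a 512-byte first sector and explain what is (and is not) left in it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")

    boot_signature_ok = sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA"
    boot_code_is_zero = not any(sector[:BOOT_CODE_END])
    disk_signature = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]

    partitions = []
    for i in range(4):
        # status, CHS start (3), type, CHS end (3), LBA start, sector count
        fields = struct.unpack_from("<B3BB3BII", sector, PART_TABLE_OFFSET + 16 * i)
        status, type_id, lba_start, sector_count = fields[0], fields[4], fields[8], fields[9]
        if type_id == 0 and lba_start == 0 and sector_count == 0:
            continue  # empty slot
        partitions.append(PartitionEntry(i, status == 0x80, type_id, lba_start, sector_count))

    report = MbrReport(boot_signature_ok, boot_code_is_zero, disk_signature, partitions)
    if not boot_signature_ok:
        report.findings.append("no 0x55AA at 0x1FE: this sector will not be treated as an MBR")
    if boot_code_is_zero and not partitions:
        report.findings.append("boot code and partition table are all zero (consistent with a wiped sector)")
    if disk_signature:
        report.findings.append(
            f"disk signature 0x{disk_signature:08X} at 0x1B8: Windows writes this value when it "
            "mounts a disk that has none, so its reappearance after a Windows/WinPE boot is expected")
    return report


def inspect_first_sector(path: str) -> MbrReport:
    """Read the first 512 bytes of a raw device or image file and parse them."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))


# Constructed sample sectors (not taken from the thread).
WIPED_SECTOR = bytes(510) + b"\x55\xAA"            # everything zero except the boot signature

_after = bytearray(WIPED_SECTOR)
_after[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x12\x34\x56\x78"   # constructed signature value
SECTOR_AFTER_WINDOWS_BOOT = bytes(_after)

_mbr = bytearray(SECTOR_SIZE)
_mbr[0:3] = b"\x33\xC0\x8E"                        # a few non-zero bootstrap bytes (constructed)
_mbr[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\xAA\xBB\xCC\xDD"
_mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
    "<B3BB3BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 409600)   # bootable NTFS-type entry
_mbr[BOOT_SIG_OFFSET:] = b"\x55\xAA"
EXAMPLE_NTFS_MBR = bytes(_mbr)

if __name__ == "__main__":
    for label, sector in (("wiped", WIPED_SECTOR),
                          ("after Windows boot", SECTOR_AFTER_WINDOWS_BOOT),
                          ("one-partition MBR", EXAMPLE_NTFS_MBR)):
        print(label, parse_mbr(sector))
```

`inspect_first_sector` takes a path such as a raw disk image; on Linux it can also be pointed at a block device when run with sufficient privileges. The point of the `findings` list is to separate the three things a wiped sector can contain (boot code, disk signature, partition table) so that a non-zero value at 0x1B8 is reported for what it is rather than lumped in with "hex values came back".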




#2 Zen Seeker

Zen Seeker
  • Topic Starter

  • Members
  • 695 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:20 PM

Posted 16 May 2011 - 01:05 AM

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 00:34:53
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800BEVS-75RST0 rev.04.01G04
Running: QXDX7CWT.EXE; Driver: X:\windows\TEMP\afroikoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8F482579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8F4A6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000002 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service X:\windows\system32\DRIVERS\usbhub.sys (*** hidden *** ) [MANUAL] usbhub <-- ROOTKIT !!!
Service X:\windows\system32\svchost.exe (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ImagePath \SystemRoot\system32\DRIVERS\usbhub.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Start 2
Reg HKLM\SYSTEM\Setup@SetupType 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentType Multiprocessor Checked
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit userinit.exe

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 00:39:41
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800BEVS-75RST0 rev.04.01G04
Running: QXDX7CWT.EXE; Driver: X:\windows\TEMP\afroikoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8F482579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8F4A6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? X:\windows\system32\DRIVERS\usbhub.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? X:\windows\system32\svchost.exe[504] X:\windows\system32\svchost.exe The system cannot find the file specified.
? X:\windows\system32\svchost.exe[568] X:\windows\system32\svchost.exe The system cannot find the file specified.
? X:\windows\System32\svchost.exe[648] X:\windows\System32\svchost.exe The system cannot find the file specified.

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000002 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library X:\windows\system32\svchost.exe (*** hidden *** ) @ X:\windows\system32\svchost.exe [504] 0x00FE0000
Library X:\windows\system32\svchost.exe (*** hidden *** ) @ X:\windows\system32\svchost.exe [568] 0x00FE0000
Library X:\windows\System32\svchost.exe (*** hidden *** ) @ X:\windows\System32\svchost.exe [648] 0x00FE0000

---- Services - GMER 1.0.15 ----

Service X:\windows\system32\svchost.exe (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ImagePath \SystemRoot\system32\DRIVERS\usbhub.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@DisplayName Microsoft USB Standard Hub Driver
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@Group Base
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@DriverPackageId usb.inf_x86_neutral_e24d8d3fec6e4567
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@BootFlags 4
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@DisplayName @%Systemroot%\system32\wbem\wmisvc.dll,-205
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ImagePath %systemroot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Description @%Systemroot%\system32\wbem\wmisvc.dll,-204
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@DependOnService RPCSS?
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ObjectName localSystem
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ServiceSidType 1
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters@ServiceDllUnloadOnStop 1
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters@ServiceMain ServiceMain
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters@ServiceDll %SystemRoot%\system32\wbem\WMIsvc.dll
Reg HKLM\SYSTEM\Setup@SetupType 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentType Multiprocessor Checked
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit userinit.exe

---- EOF - GMER 1.0.15 ----



After scanning the first time, I deleted the service and scanned again.

Above scans done on a BCWiped drive, booted into safe mode from a new DaRT disk burned from same system. (No clean system available.)

No OS installed on HDD, just antivirus tools from this site.

After booting from the DaRT disk, the hex entries noted earlier reappear at 0x1B0. (If deleted in Linux with a hex editor, it won't return until the next time I boot into Windows Vista, Windows 7 or the DaRT OS.)

GMER shows the same issues if no HDD but a USB stick/key is installed.
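Reading a GMER text log by hand is error-prone once there are two scans to compare, so here is a small triage parser for the format shown in the two scans above. This is an added example, not code from GMER or from anyone in this thread; the sample log is an excerpt assembled from the scans in this post, and the regular expressions and the WinPE heuristic (ComputerName MINWINPC and a SystemRoot on X:, both present in the posted registry section) are assumptions about the log format as it appears here. It pulls out the services GMER marks as hidden, the kernel code patches, and the "cannot find the file" lines, then joins each hidden service to its ImagePath from the registry section and notes whether GMER could locate the binary. The WinPE flag exists because a scan run from a boot disk examines the boot environment's own registry and X: RAM drive rather than an installed Windows, which is worth stating in a report before anyone treats "hidden" or "file not found" as a verdict.

```python
import re

SECTION_RE = re.compile(r"^---- .+? - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] "
    r"(?P<name>\S+) <-- ROOTKIT !!!$")
KERNEL_RE = re.compile(
    r"^\.text (?P<symbol>\S+) \+ (?P<offset>[0-9A-Fa-f]+) (?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<count>\d+) Bytes? \[(?P<bytes>[^\]]*)\]")
MISSING_RE = re.compile(r"^\? (?P<path>\S+) .*The system cannot find the file specified")
REG_RE = re.compile(r"^Reg (?P<key>[^@]+?)(?:@(?P<value>\S+)(?: (?P<data>.*))?)?$")

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\services"
SYSTEMROOT_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "SystemRoot")
COMPUTERNAME_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName", "ComputerName")


def triage_gmer(log_text: str) -> dict:
    """Summarise one GMER text log: hidden services, kernel patches, missing files, environment."""
    hidden, patches, missing, reg = [], [], set(), {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := SERVICE_RE.match(line):
            hidden.append({"name": m["name"], "image": m["image"], "start": m["start"]})
        elif m := KERNEL_RE.match(line):
            patches.append({"symbol": m["symbol"], "address": int(m["addr"], 16),
                            "count": int(m["count"]), "bytes": m["bytes"]})
        elif m := MISSING_RE.match(line):
            # user-mode lines carry a "[pid]" suffix on the path; drop it before comparing
            missing.add(re.sub(r"\[\d+\]$", "", m["path"]).lower())
        elif (m := REG_RE.match(line)) and m["value"]:
            reg[(m["key"], m["value"])] = m["data"] or ""

    # Join each hidden service to its registry ImagePath and to GMER's file-not-found lines.
    for svc in hidden:
        svc["image_path"] = reg.get((f"{SERVICES_KEY}\\{svc['name']}", "ImagePath"), "")
        svc["file_missing"] = svc["image"].lower() in missing

    systemroot = reg.get(SYSTEMROOT_KEY, "")
    computername = reg.get(COMPUTERNAME_KEY, "")
    # Heuristic (assumption): these two values identify a WinPE/DaRT boot, not an installed OS.
    winpe = computername.upper() == "MINWINPC" or systemroot.upper().startswith("X:")

    notes = []
    if winpe:
        notes.append("scan ran from a WinPE/DaRT environment (MINWINPC, SystemRoot on X:); "
                     "results describe the boot disk's environment and need confirming "
                     "against the installed OS before being treated as a verdict")
    if patches:
        notes.append(f"{len(patches)} patched kernel code location(s) reported")
    return {
        "environment": {"system_root": systemroot, "computer_name": computername},
        "winpe_environment": winpe,
        "hidden_services": hidden,
        "kernel_patches": patches,
        "missing_files": sorted(missing),
        "notes": notes,
    }


# Excerpt assembled from the two scans posted above (lines copied from the thread).
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 00:39:41
Running: QXDX7CWT.EXE; Driver: X:\windows\TEMP\afroikoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8F482579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8F4A6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? X:\windows\system32\DRIVERS\usbhub.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? X:\windows\system32\svchost.exe[504] X:\windows\system32\svchost.exe The system cannot find the file specified.

---- Services - GMER 1.0.15 ----

Service X:\windows\system32\DRIVERS\usbhub.sys (*** hidden *** ) [MANUAL] usbhub <-- ROOTKIT !!!
Service X:\windows\system32\svchost.exe (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ImagePath \SystemRoot\system32\DRIVERS\usbhub.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ImagePath %systemroot%\system32\svchost.exe -k netsvcs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_gmer(SAMPLE_GMER_LOG), indent=2))
```

Running it on a saved GMER log (`triage_gmer(open("gmer.log").read())`) gives one dictionary per scan, so two scans taken minutes apart can be diffed on `hidden_services` and `kernel_patches` rather than by scrolling through two text dumps.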

#3 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:11:20 PM

Posted 16 May 2011 - 11:08 AM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#4 Zen Seeker

Zen Seeker
  • Topic Starter

  • Members
  • 695 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:20 PM

Posted 16 May 2011 - 12:55 PM

Please find my update here: http://www.bleepingcomputer.com/forums/topic397708.html

Let me know what you need next and I'll do what I can to get it done in a few hours. As I have no data or OS to worry about, anything you wish to try or apply is fine. I just want this pain gone.

Thanks again

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:11:20 PM

Posted 16 May 2011 - 12:58 PM

You just need to wait it out, until someone replies to you.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,265 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:20 PM

Posted 16 May 2011 - 02:47 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
