
kernel root kit driver ard autochk proxy host


  • This topic is locked
9 replies to this topic

#1 jesse59zj

jesse59zj

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:texas
  • Local time:12:35 AM

Posted 06 September 2011 - 10:02 AM

I caught this bug about 3 months ago and had not given up the fight to finally find that last bit of malware code and permanently erase it, but about a week ago I finally gave up and formatted my main hard drive and tried to do a clean install, but it came to my knowledge that I had attached or hooked infected drivers on my USB controller, virtual disk, kernel, video processor, audio driver. So every time I used "clean all" from diskpart it would inject rootkit code instead of zeros on the drive. I was so frustrated that I literally removed the RAM, CPU, disk drive, and tried to get my WLAN card out but couldn't because the screw was over-torqued from the factory, and left it alone and let them out overnight. I couldn't find the BIOS CMOS lithium battery to remove it and erase the BIOS; I got a flash tool software and BIOS upgrade version.
Through this post I hope I can get a heads up on what the correct path is to recover my laptops (3): Vostro 1520, Vostro 1500, D600. I recovered my DSL wifi router through my BlackBerry that has wifi and my notes made about 2 years ago with user and pass and settings. I feel so aggravated and frustrated right now about my situation because I promised my daughters that I will get the internet back, stayed up all night trying to get it back online and nothing. It's funny in a sarcastic way to say that I ruined 2 Palm Pixis while downloading rootkit removal detector tools and connecting to the USB port on my laptop; now my cell phone carrier thinks I'm a hacker, shoot!!!
Please BleepingComputer community, help would be greatly appreciated from me and my 2 daughters in getting their connectivity back online. I've got an old kamikaze notebook I can use to recover the Palm Pixis.

JESSE


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:35 AM

Posted 07 September 2011 - 05:30 AM

Hello and welcome to BleepingComputer!

Rootkit boot code does not spread from device to device, so as long as you reformat the drives before reinstalling Windows you should be perfectly fine. The only way to be reinfected with a bootkit is to run the original dropper (usually a malicious file downloaded from the internet).

Please let me know what exactly you need help with here.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 jesse59zj

jesse59zj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:texas
  • Local time:12:35 AM

Posted 19 September 2011 - 06:42 AM

This infection would pass on from device to device. I have a small home network with an HDTV, Blu-ray, 3 laptops, 1 notebook, and the only reason I'm typing right now is because Best Buy had a fair price on a Samsung x64 Win7 laptop and Walmart had a NETGEAR ADSL+router+WLAN on sale for $70, which was pretty good.

This bug is very difficult to remove, especially if it has a virtual disk driver loaded in high memory, because when you try to do a clean install with diskpart and format disk 0, the virtual disk is loading code during the format and skips 6-8 files that start with the letter A??####.exe. I know this because I used my x64 Win7 recovery disk to fool the virtual disk controller the first time to get chkdsk to work on disk 0, dismount and repair files. Then go to bootcfg or bcdedit and set DEP (NX, data execution protection) "/alwayson" and PAE "/forcedenable"; then FSUTIL set autorepair, set encriptpagingfile, set allowencription, set allowcompression, set bugcheckoncorrupt; then look at the environment variables, endlocal, disable auto cmd with cmd /d; then erase all non-standard extension paths to command, erase all paths in the environment variables except %systemroot%, %systemdrive%, %wbam% and whatever you need executed that the command can't see; then go to netsh and reset winsock, because one of the first symptoms is you lose connectivity because Mr. Rootkit is busy with it talking to its proxy server. Then have WinPE fooled into needing a driver so it will open Explorer, and now you can navigate around and load drivers from CD or DVD, not the hard disk drive, because they are infected: start with chipset, storage, video, sound, keyboard and mouse, all brand new from CD. While you are there install WinRAR just in case Explorer gets infected and all it's doing is spreading hooks as it opens windows. Install AntiHook to stop .dll's getting run as executables or getting used for the wrong purposes while you move your mouse pointer around the desktop spreading hooks. AntiHook doesn't work in safe mode, so as soon as you can, log in to the guest account and then work from there. Activate your "builtin" Administrator account, because any "other" administrator privileges account won't cut it to get you access to where you need to go to do a thoroughly deep cleaning; command: "net user administrator /active:yes". I only had one chance, because on reboot the hooks would be loaded to the WinMin or WinPE install on the virtual RAM disk. At this point you can reboot; trial and error got me to fix 2 laptops.

This is what I did: all my laptops were using i386 OS's (XP, XP SP3, Vista B), the new one Win7 x64. Every time you reboot a couple of infected drivers get replaced; if the OS crashes and creates a memory dump it's right there waiting for it to read it, so a clean install was my route. After you get all this done then use your tools: rkill, ComboFix, unhide, smithtool, DDS, OTL, etc.

I'll get the GMER log file and DDS log file next time I get some free time, thx!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:35 AM

Posted 19 September 2011 - 06:44 AM

Especially the GMER log would help.

As a side note, if you have a network and you reformat one computer, as long as the other computers have malware on board, they will reinfect the formatted computer as soon as it is connected.

regards, Elise




#5 jesse59zj

jesse59zj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:texas
  • Local time:12:35 AM

Posted 22 September 2011 - 05:08 PM

Here you go folks, the logs. As you can see, my laptop is suffering from a severe infestation, not infection. :busy:

Attached Files



#6 jesse59zj

jesse59zj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:texas
  • Local time:12:35 AM

Posted 22 September 2011 - 05:22 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-23 08:01:23
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250424ASG rev.DEC6
Running: rj15whkt.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pgddqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vdiskbus.sys (Virtual Disk Bus Enumerator/Winternals) ZwCreateSymbolicLinkObject [0x8BFE80DC]

Code \SystemRoot\System32\Drivers\Normandy.sys ExAllocatePool
Code \SystemRoot\System32\Drivers\Normandy.sys ExAllocatePoolWithTag
Code \SystemRoot\System32\Drivers\Normandy.sys KeDelayExecutionThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ExAllocatePool 82642B56 5 Bytes JMP 8875C525 \SystemRoot\System32\Drivers\Normandy.sys
.text ntkrnlpa.exe!KeDelayExecutionThread 826E05DC 5 Bytes JMP 8875C584 \SystemRoot\System32\Drivers\Normandy.sys
.text ntkrnlpa.exe!KeSetEvent + 21D 826E39A0 4 Bytes [DC, 80, FE, 8B]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by jesse59zj, 22 September 2011 - 05:24 PM.
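As an added example (this is not code from the thread, from GMER, or from BleepingComputer), here is a small Python parser for the GMER log sections posted above. It turns the SSDT, inline-code and AttachedDevice lines into records, groups every hooked kernel function by the driver that owns the hook target, and separates out byte patches GMER could not attribute to any module (the KeSetEvent + 21D entry), which are the ones an analyst has to check by hand. The sample log embedded in the script is a constructed copy of the lines from post #6; the regular expressions are assumptions about the GMER 1.0.15 text format based only on those lines.

```python
import re
from collections import defaultdict

# Constructed sample: these lines are copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vdiskbus.sys (Virtual Disk Bus Enumerator/Winternals) ZwCreateSymbolicLinkObject [0x8BFE80DC]

Code \SystemRoot\System32\Drivers\Normandy.sys ExAllocatePool
Code \SystemRoot\System32\Drivers\Normandy.sys ExAllocatePoolWithTag
Code \SystemRoot\System32\Drivers\Normandy.sys KeDelayExecutionThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ExAllocatePool 82642B56 5 Bytes JMP 8875C525 \SystemRoot\System32\Drivers\Normandy.sys
.text ntkrnlpa.exe!KeDelayExecutionThread 826E05DC 5 Bytes JMP 8875C584 \SystemRoot\System32\Drivers\Normandy.sys
.text ntkrnlpa.exe!KeSetEvent + 21D 826E39A0 4 Bytes [DC, 80, FE, 8B]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

# Assumed line shapes, derived only from the lines above.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
CODE_RE = re.compile(r"^Code\s+(?P<module>\S+)\s+(?P<func>\w+)$")
TEXT_RE = re.compile(
    r"^\.text\s+(?P<image>\S+?)!(?P<func>\w+)(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<module>\S+)|\[(?P<bytes>[^\]]+)\])"
)
DEV_RE = re.compile(
    r"^AttachedDevice\s+(?P<device>\S+)\s+(?P<name>\S+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)"
)
LINE_KINDS = (("ssdt", SSDT_RE), ("code", CODE_RE), ("inline", TEXT_RE), ("device", DEV_RE))


def parse_gmer(text):
    """Return one dict per recognised GMER finding, tagged with its kind and section."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        for kind, rx in LINE_KINDS:
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = kind
                rec["section"] = section
                # Driver file name (lower-cased) that owns the hook target, if GMER named one.
                rec["owner"] = rec["module"].rsplit("\\", 1)[-1].lower() if rec.get("module") else None
                findings.append(rec)
                break
    return findings


def hooks_by_owner(findings):
    """Group hooked kernel functions by the driver that owns the hook target."""
    grouped = defaultdict(set)
    for f in findings:
        if f["kind"] in ("ssdt", "code", "inline") and f["owner"]:
            grouped[f["owner"]].add(f["func"])
    return {owner: sorted(funcs) for owner, funcs in grouped.items()}


def unattributed_patches(findings):
    """Byte patches GMER could not tie to any module; these need manual review."""
    return [
        (f["func"], f["offset"], f["bytes"])
        for f in findings
        if f["kind"] == "inline" and f["module"] is None
    ]


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    for owner, funcs in sorted(hooks_by_owner(found).items()):
        print(f"{owner}: {', '.join(funcs)}")
    for func, offset, raw_bytes in unattributed_patches(found):
        print(f"unattributed patch: {func}+{offset} bytes [{raw_bytes}]")
```

Hooks that resolve to a named driver can be compared against the security software and drivers listed in the DDS log before being treated as suspicious; the unattributed patch list is where manual review starts, since GMER gives no module name to check.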


#7 jesse59zj

jesse59zj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:texas
  • Local time:12:35 AM

Posted 22 September 2011 - 05:25 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by ADMINISTRADOR at 13:01:42 on 2011-08-28
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2008.1239 [GMT -5:00]
.
AV: Norton 360 *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Norton 360\Engine\5.0.0.125\ccSvcHst.exe
C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\rpcnetp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton 360\Engine\5.0.0.125\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.0.0.125\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.0.0.125\coIEPlg.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0500000.07d\SymDS.sys [2011-8-23 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0500000.07d\SymEFA.sys [2011-8-23 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20101123.003\BHDrvx86.sys [2011-8-23 691248]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20101201.001\IDSvix86.sys [2011-8-23 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0500000.07d\Ironx86.sys [2011-8-23 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0500000.07d\symtdiv.sys [2011-8-23 330360]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.0.0.125\ccSvcHst.exe [2011-8-23 130000]
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2010-1-12 33792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-23 102448]
RUnknown rpcnetp;rpcnetp; [x]
.
=============== Created Last 30 ================
.
2011-08-28 11:28:52 -------- d-----w- c:\windows\pss
2011-08-28 03:23:05 -------- d-----w- c:\program files\Sophos
2011-08-28 03:21:28 -------- d-----w- c:\users\administrador\appdata\local\CrashDumps
2011-08-25 15:50:40 -------- d-----w- c:\program files\SysShield Tools
2011-08-25 15:48:00 -------- d-----w- c:\program files\Dell
2011-08-24 21:28:59 -------- d-----w- c:\program files\Realtek
2011-08-24 06:45:53 -------- d-----w- c:\windows\Panther
2011-08-24 06:45:07 328728 ----a-w- c:\windows\system32\drivers\iaStor.sys
2011-08-24 06:44:48 -------- d-----w- c:\windows\system32\OEM
2011-08-24 06:36:11 -------- d-----w- C:\Windows.old
2011-08-24 05:51:36 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-08-24 05:46:37 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-08-24 05:07:09 -------- d-----w- c:\program files\Palm, Inc
2011-08-24 05:00:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-24 05:00:07 -------- d-sh--w- c:\windows\Installer
2011-08-24 04:54:24 -------- d-----w- c:\programdata\NortonInstaller
2011-08-24 04:54:24 -------- d-----w- c:\program files\NortonInstaller
2011-08-21 04:55:52 -------- d-----w- C:\FileWiz
2011-08-17 17:49:26 -------- d-----w- C:\AlaGranPutaRaizKiittdesenganche
2011-08-11 18:51:09 -------- d-----w- C:\Intel
2011-07-30 09:11:23 -------- d-----w- C:\NBRT
.
==================== Find3M ====================
.
2011-08-24 04:55:40 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 13:01:55.87 ===============

Edited by jesse59zj, 22 September 2011 - 05:26 PM.


#8 jesse59zj

jesse59zj
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:texas
  • Local time:12:35 AM

Posted 22 September 2011 - 05:34 PM

The Java updater is disabled in my new builds; you can see why in the log.
Norton 360 got owned pretty fast; that rootkit took full advantage of its sophisticated tools to use them against itself. What a freaking waste!
It was so frustrating to see how your %system32% folder keeps on changing and changing and changing and you can do nothing about it,
and to see how your drivers, as they are loading, turn from lower case to caps one by one or by two at a time. I knew all my legit drivers were lower case.
On my other laptop the OS was about 80% cloned already and running from the TEMP and TMP folders. Can you believe that all the drivers that you see load from the /nogui switch at boot time are just for show? Everything is running from behind closed doors, 20 to 30 directories deep, so no program could reach it (GMER did!). All the default user folders were like this: appdata, local, local low, roaming, local settings, temp.

Edited by jesse59zj, 22 September 2011 - 05:53 PM.


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:35 AM

Posted 23 September 2011 - 04:22 AM

Not a sign of malware here, but ftr, you didn't do a complete reformat/reinstall, see the following folder:

C:\Windows.old

This is the folder where setup moves the old Windows installation to when you do a side-by-side install of Windows on the same partition.

It was so frustrating to see how your %system32% folder keeps on changing and changing and changing and you can do nothing about it,
and to see how your drivers, as they are loading, turn from lower case to caps one by one or by two at a time. I knew all my legit drivers were lower case.

That is not saying anything. Windows is not case sensitive and it completely depends on what is calling for the drivers. If something calls Atapi.sys, while the file on disk is atapi.sys, the file will still be loaded and is unaltered, however, it will show up in RAM as Atapi.sys and not atapi.sys.

There is no malware on this computer. However, if you want to be sure, reformat the drive first instead of doing a side-by-side installation. If not for malware, doing this will not increase performance and/or free disk space.

regards, Elise




#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:35 AM

Posted 09 October 2011 - 03:49 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






