
Rootkit Kdwrq.exe Identified
5 replies to this topic

#1 MartinP
  • Members
  • 7 posts

Posted 16 April 2007 - 08:15 PM

I run Windows XP and both Blacklight and AVG identify the same rootkit. This is the Blacklight log: -
04/17/07 01:16:30 [Info]: BlackLight Engine 1.0.61 initialized
04/17/07 01:16:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/17/07 01:16:30 [Note]: 7019 4
04/17/07 01:16:30 [Note]: 7005 0
04/17/07 01:16:32 [Note]: 7006 0
04/17/07 01:16:32 [Note]: 7011 1464
04/17/07 01:16:32 [Note]: 7026 0
04/17/07 01:16:32 [Note]: 7026 0
04/17/07 01:16:35 [Note]: FSRAW library version 1.7.1021
04/17/07 01:20:06 [Note]: 7006 0
04/17/07 01:20:06 [Note]: 7011 1464
04/17/07 01:20:06 [Note]: 7026 0
04/17/07 01:20:06 [Note]: 7026 0
04/17/07 01:20:09 [Note]: FSRAW library version 1.7.1021
04/17/07 01:24:00 [Info]: Hidden file: c:\WINDOWS\system32\kdwrq.exe
04/17/07 01:24:00 [Note]: 7002 32
04/17/07 01:24:00 [Note]: 7003 1
04/17/07 01:24:00 [Note]: 10002 1

I was surfing Stumble! and a screen for a video said an updated version of Macromedia Flash was needed - I foolishly clicked on update. Then, suspicious, I ran Spybot Search and Destroy and this has quarantined Zlob.MovieBox. Running Spybot and Avast identify no other problems. I then ran Blacklight and AVG.

I could rename the rootkit with Blacklight but I am hesitant to do so as I am not particularly technical and might do more harm than good. I would much appreciate guidance on how I find out if the rootkit is hiding something nasty and, if so, how to remove both the rootkit and the nasty.

Edited by MartinP, 16 April 2007 - 08:17 PM.
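The BlackLight log quoted in the post has a fixed shape (`MM/DD/YY HH:MM:SS [Level]: message`), and the only line that matters for triage is the `Hidden file:` entry; the numeric `[Note]` codes are opaque and this example leaves them alone. The following parser is an added example for this thread, not code from the original post, from F-Secure, or from any of the tools named here. It extracts every hidden object BlackLight reports and flags the ones that sit under an OS directory, which is where a hidden executable most deserves a second look. The `Hidden process` message form is assumed as a plausible sibling of `Hidden file` and is not confirmed by the page; the sample log is copied verbatim from post #1.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# One BlackLight log line: "MM/DD/YY HH:MM:SS [Level]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>[A-Za-z]+)\]: (?P<msg>.*)$"
)
# "Hidden file:" is what the thread shows; "Hidden process:" is an assumption.
HIDDEN_RE = re.compile(r"^Hidden (?P<kind>file|process): (?P<path>.+)$")

# Lower-cased path prefixes that warrant a closer look: a hidden object in an
# OS directory usually means something wants to pass as a system component.
SYSTEM_PREFIXES = (r"c:\windows\system32", r"c:\windows")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    level: str
    msg: str


def parse_blacklight_log(text: str) -> List[Entry]:
    """Return the well-formed log lines; anything that does not match is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(
            ts=datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
            level=m["level"],
            msg=m["msg"],
        ))
    return entries


def hidden_objects(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(kind, path) for every 'Hidden ...' line, in log order, without repeats."""
    seen: List[Tuple[str, str]] = []
    for e in entries:
        m = HIDDEN_RE.match(e.msg)
        if m and (m["kind"], m["path"]) not in seen:
            seen.append((m["kind"], m["path"]))
    return seen


def triage(entries: List[Entry]) -> List[Dict[str, object]]:
    """Annotate each hidden object with whether it lives under an OS directory."""
    out: List[Dict[str, object]] = []
    for kind, path in hidden_objects(entries):
        low = path.lower()
        out.append({
            "kind": kind,
            "path": path,
            "in_system_dir": any(low.startswith(p) for p in SYSTEM_PREFIXES),
        })
    return out


# Log lines copied from post #1 above (not constructed).
SAMPLE_LOG = r"""
04/17/07 01:16:30 [Info]: BlackLight Engine 1.0.61 initialized
04/17/07 01:16:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/17/07 01:16:30 [Note]: 7019 4
04/17/07 01:16:30 [Note]: 7005 0
04/17/07 01:16:32 [Note]: 7006 0
04/17/07 01:16:32 [Note]: 7011 1464
04/17/07 01:16:32 [Note]: 7026 0
04/17/07 01:16:32 [Note]: 7026 0
04/17/07 01:16:35 [Note]: FSRAW library version 1.7.1021
04/17/07 01:20:06 [Note]: 7006 0
04/17/07 01:20:06 [Note]: 7011 1464
04/17/07 01:20:06 [Note]: 7026 0
04/17/07 01:20:06 [Note]: 7026 0
04/17/07 01:20:09 [Note]: FSRAW library version 1.7.1021
04/17/07 01:24:00 [Info]: Hidden file: c:\WINDOWS\system32\kdwrq.exe
04/17/07 01:24:00 [Note]: 7002 32
04/17/07 01:24:00 [Note]: 7003 1
04/17/07 01:24:00 [Note]: 10002 1
"""

if __name__ == "__main__":
    for item in triage(parse_blacklight_log(SAMPLE_LOG)):
        flag = "REVIEW" if item["in_system_dir"] else "info"
        print(f"[{flag}] hidden {item['kind']}: {item['path']}")
```

Run against the log above it prints one `[REVIEW]` line for `kdwrq.exe`. The script only reads the log; it does not touch the file, and a hit tells you where to look, not whether the object is malicious, which is exactly the gap the poster is asking the forum to close.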



#2 buddy215
  • BC Advisor
  • 12,614 posts
  • Gender:Male
  • Location:West Tennessee

Posted 16 April 2007 - 09:08 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

Getting into Windows Safe Mode
http://www.computerhope.com/issues/chsafe.htm
(pre-Vista OS's)

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 MartinP
  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2007 - 05:54 PM

I have now run: -
Avast Antivirus
Super AntiSpyware
AdAware SE
Spybot Search & Destroy
Housecall Antivirus
PandaAntivirus
McAfee Stinger

Each time something has been found I have run the programme again until I got a 'clean' result. Now there are no unquarantined items.

If I have correctly understood your guidance, as all identified malware has been removed I have not made a post to the Hijack This Forum.

However, the rootkit remains in place (may or may not be malevolent?) and could you please guide me on what to do next.

Thanks

#4 buddy215
  • BC Advisor
  • 12,614 posts
  • Gender:Male
  • Location:West Tennessee

Posted 17 April 2007 - 06:36 PM

Post a Hijack This Log In the Hijack This forum. The prep you have done is sufficient.



#5 MartinP
  • Topic Starter
  • Members
  • 7 posts

Posted 17 April 2007 - 07:16 PM

Thanks, will do.

I hope the following is correct: -

This topic is now closed so I will repeat the main information in a new post on the Hijack This Forum.

#6 fozzie
    aut viam inveniam aut faciam (I shall either find a way or make one)
  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands

Posted 18 April 2007 - 02:37 AM

As a side note, it is counterproductive to run 3 antivirus programs at the same time. Rather than more safety it will produce conflicts and consequently less protection.



