
The malwarebytes software does NOT find the rootkit files anymore, but GMER shows that there is still a rootkit on my computer.


jdbnospam



History:

On 9/19 I was browsing the web -- I did not download anything but noticed the "Windows Police Pro" pop-up and within minutes of my not being able to identify the program or shut it down I pulled my internet plug. I then proceeded to use malwarebytes, spybot search and destroy and antiviral to fix the problem in safemode. That computer has remained offline (with one 5 minute exception) since I first pulled the internet plug. In the searches using Malwarebytes and Avira I found that the rootkit.tdss was installed. I deleted the files as requested by the software, (the machine rebooted, re-scanned, re-deleted, rebooted, rescanned) and the computer is still offline and out of use.

Here is the MalwareBytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 2831

Windows 5.1.2600 Service Pack 3

9/21/2009 8:52:32 PM

mbam-log-2009-09-21 (20-52-32).txt

Scan type: Full Scan (C:\|)

Objects scanned: 240651

Time elapsed: 34 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the GMER log:

GMER 1.0.15.15087 - http://www.gmer.net

Rootkit scan 2009-09-23 00:09:55

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\k\LOCALS~1\Temp\uwldapob.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw@start 1

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw@type 1

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw@group file system

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw@imagepath \systemroot\system32\drivers\gasfkyktfoqdtk.sys

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main@aid 10096

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main@sid 0

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main\injector@* gasfkywsp8y.dll

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyktfoqdtk.sys

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules@gasfkycmd.dll \systemroot\system32\gasfkybgdkopjo.dll

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules@gasfkylog.dat \systemroot\system32\gasfkyyicofjwf.dat

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules@gasfkywsp.dll \systemroot\system32\gasfkycpoyvxdq.dll

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules@gasfky.dat \systemroot\system32\gasfkyjktjolda.dat

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyetodsrmt.dll

Should malwarebytes detect this and clean it?

What is this gasfky program anyway?


  • Staff

Hi,

Above are registry leftovers. Have you already rebooted? Because those leftovers should get deleted after a next reboot since the reference under the CURRENTCONTROLSET is already gone.

If it's still showing, then do the following...

Open notepad and copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gasfkyeydxlkaw]

Save this as fix.reg. Choose to save as *all files and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


Above are registry leftovers. Have you already rebooted? Because those leftovers should get deleted after a next reboot since the reference under the CURRENTCONTROLSET is already gone.

If it's still showing, then do the following...

Hi, They did show after reboot(s). The registry entries were not visible to my user account. I reset the permission on the registry entry and its subfolders so my account was the owner and then I could delete them.


  • Staff

Hi,

So, from what I understand, there were permissions set on that key? That would make sense why those keys didn't get deleted. I've seen it a few times before with this variant. Still unsure if it's the malware itself doing this (as this only happens once in a while) or a security related program/tool.

This "gasfky" is actually a variant of the TDSS rootkit, responsible for redirecting search engine results.

Anyway, I see you already reset permissions there and deleted the key, so all should be fine now. It was just an orphaned registry leftover, so even when it was still present, it wouldn't do anything ;)

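The staff reply above rests on two points a defender can check directly: a service key that exists only under a non-current ControlSet00N is an orphan that no longer loads, and a restrictive DACL on such a key (as the reporter found) is what stops a plain delete. The script below is an added example, not code from this thread, Malwarebytes or GMER; it assumes an elevated PowerShell session on the affected machine and reads every key and service name live rather than hard-coding the gasfky* names:

```powershell
# Added example (not from this thread or from Malwarebytes/GMER): list service keys that
# survive only in a non-current ControlSet, the "orphaned leftover" case above, and
# show whether their ACL would block deletion. Run in an elevated PowerShell.
param([switch]$Remove)

# HKLM\SYSTEM\Select\Current records which ControlSet00N CurrentControlSet points to.
$current = 'ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
$live    = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services').PSChildName

$inactive = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' -and $_.PSChildName -ne $current }

foreach ($set in $inactive) {
    foreach ($svc in Get-ChildItem "$($set.PSPath)\Services" -ErrorAction SilentlyContinue) {
        # A key that also exists under CurrentControlSet is a live service, not a leftover.
        if ($live -contains $svc.PSChildName) { continue }

        $path  = $svc.PSPath
        $props = Get-ItemProperty $path -ErrorAction SilentlyContinue
        $acl   = Get-Acl $path -ErrorAction SilentlyContinue
        # Deletion needs an Allow ACE for us; the reporter above had to reset ownership first.
        $adminsFull = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $_.RegistryRights -eq 'FullControl' }

        [pscustomobject]@{
            ControlSet = $set.PSChildName
            Service    = $svc.PSChildName
            ImagePath  = $props.ImagePath      # e.g. \systemroot\system32\drivers\<name>.sys
            Owner      = $(if ($acl) { $acl.Owner } else { '<access denied>' })
            AdminsFull = [bool]$adminsFull
        } | Format-List

        if ($Remove) {
            try {
                Remove-Item $path -Recurse -Force -ErrorAction Stop
                Write-Host "Removed $path"
            } catch {
                # Same failure as in the thread: the key's DACL blocks the delete, so take
                # ownership and reset permissions on it (and its subkeys) first, then rerun.
                Write-Warning "Could not delete $path : $($_.Exception.Message)"
            }
        }
    }
}
```

Legitimately uninstalled drivers also show up in this listing, so treat the output as a review list; on the machine in this thread the random service name and the \systemroot\system32\drivers\gasfky*.sys ImagePath are what single the leftover out.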

So, from what I understand, there were permissions set on that key? That would make sense why those keys didn't get deleted. I've seen it a few times before with this variant. Still unsure if it's the malware itself doing this (as this only happens once in a while) or a security related program/tool.

This "gasfky" is actually a variant of the TDSS rootkit, responsible for redirecting search engine results.

Thanks for the details about the regkeys.

If I'd been running your pro version on the 19th, would it have caught this proactively?

Is there any way to tell how long the TDSS rootkit was on the system?


  • Staff

Yes, mbam already blocks this one from installing + the IP protection is an extra protection that even blocks the site where this one may be downloaded.

No, I cannot tell you how long this one was present already, but I know that this one has been spreading for 3-4 weeks.

Anyway, this isn't a critical rootkit, as its main goal was to redirect search engine searches. ;)
