Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Rootkit Virus - Help!


Recommended Posts

Hello,

First of all, a bit of history on the issue at hand...

I was not witness to the beginning of this virus, but from what I was told, there were numerous Windows alerts such as low drive space, no hard drive found, ram memory failure, and ram memory usage is critical. Then the computer proceeded to shutdown. Upon reboot some of these viruses were caught and quarantined by Alvira Antivirus (updated with latest definitions). I saw a few of these in the logs, such as shutdowner.fdb, tr/fakeav.af, tr/crypt.zpack.gen, tr/crypt.xpack.gen3.

There were no longer any window alerts, but Firefox (Google results) was being redirected to random sites. At this point, the computer was handed over to me to take a look.

First, I installed Anti-Malware and ran a quick scan. It found a number of viruses and appeared to quarantine them:

Trojan.Hiloti.Gen (File)

Malware.Trace (File)

Trojan.Agent (File)

Trojan.Hiloti.Gen (Registry)

I rebooted and did some testing. I wasn't getting any window errors and the browser appeared to be working correctly...no redirects. I thought everything was good, so I gave the computer back. The next day, the computer was again redirecting to random websites.

Back to troubleshooting...first, I disconnected from the Internet and booted up. I checked the processes running and didn't notice anything unusual. I ran the antivirus and nothing was found. Checking the registry, I found a suspicious registry entry:

HLM\Software\Microsoft\Windows\CurrentVersion\Run\Ymilixigot

The value for this entry is "rundl32.exe "C:\WINDOWS\uyobohojafa.dll",Startup"

Typically when I've seen these types of entries, deleting the entry and the associated dll file has taken care of the problem, so I deleted the entry. I couldn't delete the file, but I was able to rename it (thought that was odd.) I rebooted only to get an error message that the dll couldn't be found.

I checked the registry and the same entry I deleted was back! I deleted the entry again and closed the registry. I reopened the registry (without rebooting) and the entry was back again. It doesn't appear that I can remove it?!

This is when I started thinking this may be a rootkit virus located on the MBR, so I need some additional help. I've already followed your instructions on cleaning a system with the following results and attached logs:

ANTI-MALWARE RESULTS

I ran another quick scan with Anti-Malware - unlike the previous scan, nothing was found this time.

DEFOGGER RESULTS

Ran Defogger and disabled emulated drivers. I was not asked to restart the computer, so I didn't.

No errors.

DDS RESULTS

Saved both log files.

GMER SCAN RESULTS

Saved log file.

The Anti-Malware and DDS.txt log files are below. I've attached the attach.txt and ark.txt in a zip file. Any help you can offer would be GREATLY appreciated! Thank you for your time and assistance. Let me know if there's anything else you need.

ANTI-MALWARE LOG FILE

-----------------------------

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5214

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

12/10/2010 7:32:12 AM

mbam-log-2010-12-10 (07-32-12).txt

Scan type: Quick scan

Objects scanned: 138480

Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS LOG FILE

-----------------

DDS (Ver_10-12-05.01) - NTFSx86

Run by Administrator at 8:25:13.98 on Fri 12/10/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1560 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\KADxMain.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Administrator\Desktop\New Folder\dds.com

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] "nwiz.exe" /installquiet

mRun: [NVHotkey] "rundll32.exe" nvHotkey.dll,Start

mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Apoint] "c:\program files\apoint\Apoint.exe"

mRun: [broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"

mRun: [sigmatelSysTrayApp] "%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe"

mRun: [KADxMain] "c:\windows\system32\KADxMain.exe"

mRun: [PWRISOVM.EXE] "c:\program files\poweriso\PWRISOVM.EXE"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [EPSON Stylus Photo R320 Series] "c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE" /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] "c:\program files\brother\brmfcmon\BrMfcWnd.exe" /AUTORUN

mRun: [ControlCenter3] "c:\program files\brother\controlcenter3\brctrcen.exe" /autorun

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Ymilixigot] rundll32.exe "c:\windows\uyobohojafa.dll",Startup

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\konfab~1.lnk - c:\program files\pixoria\konfabulator\Konfabulator.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {44BD92DB-D8A8-43A8-8900-DD73310A59EB} - hxxp://192.9.100.15/auroraweb/BSTtodg8.CAB

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://192.9.100.15/auroraweb/BSTeReportsCE11.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {90C8812D-81C2-45EA-8101-6C6F29835AE8} - hxxp://192.9.100.15/auroraweb/BSTeInstaller.CAB

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://extranet.ohm-advisors.com/pub/shockwave/cabs/flash/,DanaInfo=fpdownload.macromedia.com+swflash.cab

DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} - hxxp://192.9.100.15/auroraweb/BSTeDepFiles.CAB

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://extranet.ohm-advisors.com/dana-cached/setup/JuniperSetupSP1.cab

DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} - hxxp://192.9.100.15/auroraweb/AuroraShell.CAB

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4sam50og.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?refresh=1

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: XULRunner: {163E0302-5F46-4BEA-AD6D-71B9C9D529DE} - c:\documents and settings\administrator\local settings\application data\{163E0302-5F46-4BEA-AD6D-71B9C9D529DE}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Extension: Upromise TurboSaver: FFToolbar@upromise - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\4sam50og.default\extensions\FFToolbar@upromise

FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-7 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-7 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-7 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-3 60936]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-17 135664]

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-12-10 12:35:53 -------- d-----w- c:\docume~1\admini~1\applic~1\Avira

2010-12-07 23:21:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-07 23:21:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-07 21:43:34 0 ----a-w- c:\windows\Hdixeqayis.bin

2010-12-07 21:43:33 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{163E0302-5F46-4BEA-AD6D-71B9C9D529DE}

2010-12-07 12:21:17 -------- d-----w- c:\program files\Avira

2010-12-07 12:21:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-12-07 12:16:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot

2010-12-07 11:33:24 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-12-07 11:33:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-12-07 11:33:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-06 12:04:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PackageAware

2010-12-06 11:06:01 -------- d-----w- c:\program files\MSSOAP

2010-12-06 11:05:28 -------- d-----w- c:\program files\Webroot

==================== Find3M ====================

2010-09-13 17:02:49 398744 ----a-r- c:\windows\system32\cpnprt2.cid

2010-04-09 04:25:29 1068544 ----a-w- c:\program files\CouponPrinter.exe

2010-04-07 04:08:29 629288 ----a-w- c:\program files\WindowsXP-KB932823-v3-x86-ENU.exe

2010-02-26 02:29:31 45739568 ----a-w- c:\program files\AATheCaribbeanSecretSetup.exe

2009-12-17 14:02:58 564064 ----a-w- c:\program files\googleupdatesetup.exe

2009-06-13 20:22:06 26739584 ----a-w- c:\program files\AdbeRdr910_en_US.exe

2009-04-30 19:06:59 9915072 ----a-w- c:\program files\winamp5552_full_emusic-7plus_en-us.exe

2009-04-27 18:43:43 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe

2009-04-22 00:34:17 10970431 ----a-w- c:\program files\ppreader10.exe

2009-04-18 21:17:19 607640 ----a-w- c:\program files\jre-6u13-windows-i586-p-iftw.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: FUJITSU_MHW2120BJ_G2 rev.0085001A -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89DD6555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89ddc7b0]; MOV EAX, [0x89ddc82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF16A] -> \Device\Harddisk0\DR0[0x89D06030]

3 CLASSPNP[0xB810905B] -> ntkrnlpa!IofCallDriver[0x804EF16A] -> [0x89D9F6B0]

\Driver\atapi[0x89DEA110] -> IRP_MJ_CREATE -> 0x89DD6555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskFUJITSU_MHW2120BJ_G2____________________0085001A#5&16482f9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x89DD639B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

============= FINISH: 8:26:34.45 ===============

Attach.zip

Link to post
Share on other sites

After doing some further research from reviewing the logs I created, I came to the conclusion that I have a TDSS rootkit on the system. I ran TDDSKiller, which confirmed my suspicion (found it) and got rid of it. I'm now able to delete that pesky startup process in the registry and it doesn't come back (woo hoo!)

I ran mbam again along with a second run of TDDSKiller and everything looks good. I'm no longer getting redirects in my browser, so I think I'm finally in the clear!

I figured I'd post this for anyone else that might be having similar issues.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.