rootkit suspect

lbertacco asked
Last Modified: 2007-12-19
I've a PC (not mine) that I'm trying to clean up. It had at least two rootkits (lzx32.sys, pe386), several trojans (igfxtray, hkcmd, mstds, mswsck32.dll) and other malware.
I used Rootkit Unhooker to detect lzx32 and pe386 (removed from the FS and registry using a Linux LiveCD), then ran Spybot S&D, PC-cillin antivirus, avast antivirus, Microsoft Defender and Prevx. Now all these tools say that the system is clean. I checked that everything reported to be auto-run and/or loaded on startup is OK (using Autoruns). Fully updated the system.
However, I still suspect that another rootkit is present.
The symptoms are:
- Rootkit Unhooker, upon startup, says "Rootkit unhooker has detected parasite inside itself. It is recommended to remove parasite, okay?" If I say yes, then RU goes on all right and can't detect anything wrong. Still, this message is quite indicative of a rootkit.
- Rootkit Revealer can't open the SOFTWARE hive (giving error: Error dumping hive: The system cannot find the file specified)

What would you suggest? Is it possible that these errors are not related to a rootkit (I never saw them on clean systems)? Do you know of any good Windows LiveCD that can perform an off-line scan of the HD, checking that every Windows system file is "uncontaminated" by checking file hashes against an online DB? Or even a LiveCD that can do a standard antivirus scan but including rootkit signatures? (While detecting rootkits from a running system can be very tricky, finding them from a LiveCD should be quite easy.)
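The offline check the question asks for, as an added example that is not part of the original thread: with the suspect disk mounted read-only from a LiveCD, hash every file under the Windows tree and compare the hashes against a manifest of known-good values, so that a patched system driver shows up as modified and a dropped .sys shows up as unexpected. The manifest here is constructed from a scratch directory so the example runs offline; in real use it would come from a trusted source (vendor hashes or a known-clean install of the same service pack), and the mount point and file names below are assumptions.

```python
"""Offline integrity check of a mounted Windows system directory (added example).

Compares every file under a mounted volume against a manifest of known-good
SHA-256 hashes. The manifest is built from a constructed scratch tree so the
script runs offline; a real manifest would come from a trusted source.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so pagefile-sized files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root.

    Keys are lower-cased, forward-slash relative paths: Windows paths are
    case-insensitive, so the manifest must be too or every file looks modified.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix().lower()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the mounted tree against the manifest.

    'modified' and 'unexpected' are the buckets that matter for a rootkit hunt:
    a hooked system driver is modified, a dropped driver is unexpected.
    'missing' is usually noise but is reported so nothing is silently skipped.
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().lower()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            result["unexpected"].append(rel)
        elif sha256_file(p) == expected:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario (assumed file names and contents): a fake system32
    tree, a manifest taken while clean, then one driver patched, one driver
    dropped (named after the lzx32.sys rootkit from the thread) and one file
    removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "WINDOWS" / "system32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "ntoskrnl.exe").write_bytes(b"kernel-bytes")
        (sys32 / "drivers" / "ntfs.sys").write_bytes(b"ntfs-bytes")
        (sys32 / "kernel32.dll").write_bytes(b"kernel32-bytes")
        manifest = build_manifest(root)  # snapshot of the clean state

        (sys32 / "drivers" / "ntfs.sys").write_bytes(b"ntfs-bytes-patched")  # hooked driver
        (sys32 / "drivers" / "lzx32.sys").write_bytes(b"dropped-driver")      # dropped file
        (sys32 / "kernel32.dll").unlink()                                     # deleted file

        return verify_tree(root, manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

Run it against a real mount by replacing `root` with the mount point (for example `/mnt/windows`) and loading the manifest from a trusted file instead of building it on the spot; the comparison is done from the LiveCD, so a rootkit on the suspect system has no running code with which to lie about the file contents.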

CERTIFIED EXPERT
Top Expert 2007
Commented:

Author

Commented:
Here are results:
- rustbfix didn't find any active driver or ADS; anyway it found a leftover file (system32\huy32.sys) which it deleted.
- Blacklight. I had already tried that and it reports no hidden files/processes.
- HijackThis log available here: http://rafb.net/p/GO7HaE89.html (note that this is an Acer laptop, so you will see some Acer drivers. Also I saw an igfxsrvc DLL, which is a bit surprising since this laptop has an ATI video card, not Intel (actually I see about 50 igfx*.* files in \windows\system32). So I tried renaming it but nothing changed: Rootkit Unhooker and Revealer still have trouble). Do you see anything suspicious?
Another thing: this is a FAT32 filesystem, so there cannot be alternate streams or permission issues....

Author

Commented:
I've changed the FS to NTFS, but rootkit revealer still can't open the software hive.
CERTIFIED EXPERT
Top Expert 2007

Commented:
This entry below is a Trojan.Zonebac
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe

C:\WINDOWS\system32\lsasss.exe <-- delete this file maybe in safe mode, or stop the running process first.
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=2

Fix these entries: Did you install Boonty games? (considered spyware)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Programmi\File comuni\BOONTY Shared\Service\Boonty.exe


Avast is not catching these nasties; you need to run other scanners, like Kaspersky, DrWebCureIt, SUPERAntiSpyware, AVG Anti-Spyware, or Panda's ActiveScan etc.

DrWebCureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
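The lsasss.exe entry above is one extra "s" away from the real lsass.exe, which is why it is easy to skim past in a HijackThis log. As an added example that is not part of the original thread, the script below parses O4 (Run key) lines and flags any entry whose executable name is within one edit of a well-known Windows system binary; the list of system binary names is illustrative rather than exhaustive, and the sample log is constructed from the page's own lsasss.exe line plus two made-up entries.

```python
"""Flag autorun entries with lookalike system-binary names (added example).

Parses HijackThis O4 lines and reports entries whose program name is a
near-miss (edit distance 1) of a well-known Windows system binary, the
pattern behind the lsasss.exe / lsass.exe entry discussed in the thread.
"""
import re

# Illustrative, not exhaustive: names a reader tends to skim past.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# O4 - <hive\..\Run>: [<value name>] <command line>
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain O(len(a)*len(b)) table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_name(cmd: str) -> str:
    """Lower-cased file name of the program an autorun command launches.

    Handles both quoted paths with arguments and bare paths.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split()[0]
    return re.split(r"[\\/]", prog)[-1].lower()


def classify(exe: str) -> str:
    """'lookalike of X' for a near-miss, 'system binary name' for an exact
    match (a real system binary in a Run key is itself worth a second look),
    'other' for everything else."""
    if exe in SYSTEM_BINARIES:
        return "system binary name"
    for sysbin in sorted(SYSTEM_BINARIES):
        if levenshtein(exe, sysbin) == 1:
            return f"lookalike of {sysbin}"
    return "other"


def scan_hijackthis(log_lines):
    """Return (value name, executable, verdict) for every O4 line; other
    HijackThis sections are skipped."""
    findings = []
    for line in log_lines:
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        exe = executable_name(m.group("cmd"))
        findings.append((m.group("name"), exe, classify(exe)))
    return findings


# Constructed sample: the first line is the entry from the thread, the rest are made up.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe",
    r'O4 - HKLM\..\Run: [svc] "C:\WINDOWS\system32\svchost.exe" -k netsvcs',
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O23 - Service: Boonty Games - BOONTY - C:\Programmi\File comuni\BOONTY Shared\Service\Boonty.exe",
]

if __name__ == "__main__":
    for name, exe, verdict in scan_hijackthis(SAMPLE_LOG):
        print(f"[{name}] {exe}: {verdict}")
```

The edit-distance check is a triage aid, not a verdict: a flagged name still has to be confirmed against the file's real location and hash, as the Symantec write-up linked above does for Trojan.Zonebac.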
CERTIFIED EXPERT
Top Expert 2007

Commented:
You also need to edit your registry to delete the subkey added to your zones and the values added to your ranges, as explained in Symantec info,
or you can use DelDomains.inf to do it for you.
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
rightclick on the file and select "Install".

If you use Deldomains and you have SpywareBlaster you need to re-enable all protection,
and re-immunize if you have Spybot.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Not sure why RKR can't run there; it could be caused by some nasties. Do you have full rights and log in as admin?

Also try GMER.
http://www.gmer.net/gmer.zip

Author

Commented:
Ooops, I had missed lsasss, removed! Cleaned also the others (I don't know if Boonty games got installed as the PC is not mine, but the Boonty files were there: removed!)

Other tests:
Updated hijackthis log here: http://rafb.net/p/ZyimY844.html

Scan with NOD32 reports no virus. However, it also reports a few issues:
-Error while checking active boot sector of 1. Error reading sector
-C:\hiberfile.sys: error while opening file (file is blocked)
And again, the same error on c:\pagefile and several registry files (such as: C:\doc&set\localservice\ntuser.dat and all the C:\windows\system32\config\*)
I don't know if these errors are normal, as this is the first time I've used NOD32.

Scan with drweb: clean

RkU still reports a parasite inside itself and, after cleaning itself, reports the system as clean.
RkR still can't open the SOFTWARE hive. This is WinXP Home. Anyway, I have full admin rights, and clearly when the FS was FAT32 everyone had full access to everything.
If it's a driver rootkit you can also try using RustBfix, which works on the renosfix technique and can let you know what the rootkit is all about !!!!!!

http://forums.spybot.info/showthread.php?t=10234&page=3

Regards.......

Arshad
Dear lbertacco !!!!

Please use IceSword and look for the unknown files and use the other tools in the link given below

http://www.pcsupportadvisor.com/rootkits.htm

Regards .........

Arshad


Author

Commented:
Unfortunately I don't have this laptop in my hands anymore, so I cannot do any further tests. Thanks anyway arshad_dell
CERTIFIED EXPERT
Top Expert 2007

Commented:
Thanks!

Yes, IceSword is a good one too, but you have to be really careful and sure that what you're letting it delete is a bad file.
Last time I used it, it gave me a false positive and flagged my Zone Alarm file "Vsdatant.sys", probably mistaken for the mass-mailing W32.Gunsan worm.

Other users reported false positives:
.sys files belonging to antivirus programs (Kaspersky and Ewido)
Files from Process Guard (procguard.sys), RegDefend (ghostsec.sys) and PrevX (pxfsf.sys) show as red.

 