Solved

Rootkit(s) and Trojan

Posted on 2009-04-08
12
1,136 Views
Last Modified: 2013-12-06
I am working on a PC that was infected with Antispyware2009, Cleaner2009, and who knows what else. Sequence of events so far:

Disabled all non MS services and startup items in safe mode
Ran Combofix (Combofix1 log attached)
Ran MBAM with old definitions -- LSP problem and no internet access (MBAM-01 log attached)
Ran MBAM with updates after fixing LSP with WinsockFix (MBAM-02 log attached)
Installed and ran AVG Free
Ran Combofix (Combofix2 log attached)
Ran Hijack This (log attached)

Combofix log is showing hidden files that have not been removed. Need a script or other means to clean them out.

AVG shows asyncmac.sys and atmarpc.sys infected with Trojan Horse Agent_r.G. They are white-listed system (network) files and cannot be deleted. I probably can delete and replace them by booting from the UBCD4Win CD. Any other methods?
Question by:willcomp
12 Comments
 
LVL 32

Author Comment

by:willcomp
ID: 24103636
Something happened to attached files. Let's try again.
ComboFix1.txt
ComboFix2.txt
mbam-log-01.txt
mbam-log-02.txt
hijackthis.log
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 24104048
Hi,

>>>AVG shows asyncmac.sys and atmarpc.sys <<<
Those files showing in the CF log are legit.... if they are infected then that means a file infector is at work in the system.... Or it could be a false positive from AVG.
Submit those files at http://virusscan.jotti.org/ and if most scanners flag them as infected you can then replace them.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\windows\system32\drivers\7051257f.sys
c:\windows\system32\drivers\924143b5.sys
c:\windows\SYSTEM32\3708222215.dat
c:\windows\SYSTEM32\DRIVERS\f0bdb4f7.sys
c:\windows\SYSTEM32\buyivalo.dll
c:\windows\SYSTEM32\vutulewo.dll
c:\windows\SYSTEM32\fuzayubi.dll
c:\windows\SYSTEM32\ewf3.pxf
c:\windows\SYSTEM32\fe3.wa
c:\windows\awmcb.dat
c:\windows\bedjo.dat
c:\windows\hwtml.dat
c:\windows\kdzxe.dat
c:\windows\kxqhk.dat
c:\windows\ldeqx.dat
c:\windows\mfywm.dat
c:\windows\mvimb.dat
c:\windows\obmbr.dat
c:\windows\orbol.dat
c:\windows\qievk.dat
c:\windows\rqwrg.dat
c:\windows\ucgus.dat
c:\windows\veajh.dat
c:\windows\vinfl.dat
c:\windows\SYSTEM32\crmgn.dat
c:\windows\SYSTEM32\gadfz.dat
c:\windows\SYSTEM32\gchga.dat
c:\windows\SYSTEM32\gihgs.dat
c:\windows\SYSTEM32\hmufs.dat
c:\windows\SYSTEM32\hstbf.dat
c:\windows\SYSTEM32\ibiif.dat
c:\windows\SYSTEM32\lwtcr.dat
c:\windows\SYSTEM32\maheo.dat
c:\windows\SYSTEM32\mdcyb.dat
c:\windows\SYSTEM32\pfdac.dat
c:\windows\SYSTEM32\premt.dat
c:\windows\SYSTEM32\ptrzs.dat
c:\windows\SYSTEM32\rlcdn.dat
c:\windows\SYSTEM32\rsohc.dat
c:\windows\SYSTEM32\sseyb.dat
c:\windows\SYSTEM32\tzvxf.dat
c:\windows\SYSTEM32\viivm.dat
c:\windows\SYSTEM32\wlkdg.dat
c:\windows\SYSTEM32\wvxla.dat
c:\windows\SYSTEM32\wzqwl.dat
c:\windows\SYSTEM32\yqfks.dat

Folder::
c:\windows\SYSTEM32\omignyjk
c:\windows\SYSTEM32\grreyyfuh
c:\windows\SYSTEM32\cigcenkwq
C:\-260994896

ADS::
c:\windows\WindowsUpdate.log
c:\windows\jautoexp.dat
c:\windows\Q328213.LOG
c:\windows\TSOC.LOG
c:\windows\KB828035.log
c:\windows\KB842773.log
c:\windows\DJBDRV.LOG

Driver::
7051257f
924143b5
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Also check to make sure that BITS has the correct "path to executable".
Start > Run > Type in:

services.msc

Press Enter and double-click on the 'Background Intelligent Transfer Service' and check to make sure that the path to executable is this --> %SystemRoot%\System32\svchost.exe -k netsvcs
0
 
LVL 32

Author Comment

by:willcomp
ID: 24104235
CF script ran successfully. Do you want to see the last CF log?

BITS and wuauserv both had the modified executable path (f instead of s). I edited the registry to correct it but had to change permissions in order to save changes. The key is HKLM\SYSTEM\CurrentControlSet\Services in case anyone needs to know.

I doubt that AVG is reporting false positives. Those 2 files exist in every XP system and it's the first time I've seen them flagged. Will submit just to be sure.

I'm glad you were first responder and I didn't have to respond to run Spybot and similar comments :-)

Thanks for your help.

A couple of questions: what generated the rootkit(s), and do you know what has happened to IndiGenus? Haven't seen him around lately.
0
 
LVL 32

Author Comment

by:willcomp
ID: 24104264
The Automatic Update service was disabled as well -- had to change to Automatic and start service in order to run Windows Update.
0
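The tampering described in this thread (svchost.exe path altered in the ImagePath of BITS and wuauserv, the Automatic Updates service set to Disabled, and key permissions changed so the fix would not save) can be audited from PowerShell rather than by hand in services.msc. The script below is an added example, not code from the thread or from either participant; it assumes PowerShell 3 or later and read access to HKLM. The expected path for BITS is the one rpggamergirl gives above; using the same path for wuauserv is an assumption that should be confirmed against a known-clean machine of the same Windows version.

```powershell
# Added example (not from the thread): audit the service entries the thread's malware
# tampered with. Assumes PowerShell 3+ and read access to HKLM.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Expected ImagePath values. BITS value is from the thread; wuauserv is an assumption
# (both are svchost-hosted netsvcs services on XP) and should be verified on a clean box.
$Expected = @{
    'BITS'     = '%SystemRoot%\System32\svchost.exe -k netsvcs'
    'wuauserv' = '%SystemRoot%\System32\svchost.exe -k netsvcs'
}

function Test-ServiceEntry {
    param([string]$Name, [string]$ExpectedPath)

    $key = Join-Path $ServicesKey $Name
    $result = [ordered]@{ Service = $Name; ImagePath = $null; Start = $null; DenyAces = 0; Findings = @() }

    if (-not (Test-Path $key)) {
        $result.Findings += 'service key missing'
        return [pscustomobject]$result
    }

    try {
        # Read ImagePath unexpanded so we compare the literal stored string, not the
        # expanded C:\WINDOWS\... form; a single changed letter (s -> f) shows up verbatim.
        $raw = (Get-Item $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        $result.ImagePath = $raw
        $result.Start     = (Get-ItemProperty -Path $key).Start
    } catch {
        # The thread notes the malware changed key permissions; surface that as a finding.
        $result.Findings += "cannot read key: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Normalise whitespace and case before comparing; anything else is a deviation.
    $norm = ($raw -replace '\s+', ' ').Trim()
    if ($norm -ine $ExpectedPath) {
        $result.Findings += "ImagePath is '$raw', expected '$ExpectedPath'"
    }

    # Start = 4 means Disabled, which is what the thread found for Automatic Updates.
    if ($result.Start -eq 4) {
        $result.Findings += 'Start type is Disabled (4)'
    }

    # Explicit Deny ACEs on a service key are not a default Windows configuration.
    $deny = (Get-Acl -Path $key).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    $result.DenyAces = @($deny).Count
    if ($result.DenyAces -gt 0) {
        $result.Findings += "$($result.DenyAces) Deny ACE(s) on key"
    }

    [pscustomobject]$result
}

# Usage: report both services; an empty Findings column means the entry matches expectations.
foreach ($svc in $Expected.Keys) {
    Test-ServiceEntry -Name $svc -ExpectedPath $Expected[$svc]
} | Format-List
```

The script only reports; correcting ImagePath, Start type and key ACLs is left to the operator, since a write that fails on permissions (as it did in this thread) is itself a useful indicator and should be examined before being forced.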
 
LVL 32

Author Comment

by:willcomp
ID: 24104485
Kaspersky, NOD32, Avast, and several other AV scanners show the 2 files flagged by AVG as infected with either a rootkit or a worm. What's surprising is that about half pronounced them clean.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24104585
>>>I doubt that AVG is reporting false positives. <<<
That's what I meant.... there are only 2 possibilities, either a file infector or a FP.
Usually if a file infector is present other legit files would also be infected.
An online virus scan should tell us.
If those files are infected try the combofix script function to delete them later... not sure if they are in the CF whitelist.
Good job in fixing both the BITS and wuauserv 'path to executable', well done.
IndiGenus is still around, I saw his recent posts 4 days ago.
He is more active in other forums than here (I think) and he has his own site as well, so I guess that's why he is not posting in every question in the Virus & Spyware zones.

Yes, do attach the latest CF log thanks.


0
 
LVL 32

Author Comment

by:willcomp
ID: 24104814
Indi covered the day shift and you cover the night shift (our time).

Here's the last Combofix log.

I deleted the two infected files and replaced them with ones copied from a clean PC using the a43 file manager in UBCD4Win. Appears to have worked so far. The a43 file manager is also on the Bart PE disk. Both boot disks support flash drives.

I'm pretty handy with XP but you and Indi are far ahead of me in malware removal.


ComboFix.txt
0
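Replacing asyncmac.sys and atmarpc.sys with copies from a clean PC, as willcomp did above, can be checked afterwards (and the original AV verdict weighed) by comparing hashes against the reference copies and looking at the Authenticode status of the live files. This is an added example, not code from the thread; it assumes PowerShell 4 or later (for Get-FileHash), that the reference copies sit in a directory of your choosing (the `E:\clean-refs\drivers` path is a placeholder), and that the reference machine is at the same Windows version and service pack, since in-box driver hashes differ between service packs.

```powershell
# Added example (not from the thread): verify suspect drivers against known-clean copies.
# Assumes PowerShell 4+. $ReferenceDir is a placeholder for wherever the clean copies were put.
$SuspectFiles = @('asyncmac.sys', 'atmarpc.sys')          # the two files AVG flagged in the thread
$DriverDir    = Join-Path $env:SystemRoot 'System32\drivers'
$ReferenceDir = 'E:\clean-refs\drivers'                    # placeholder: copies taken from a clean PC

function Compare-DriverFile {
    param([string]$Name)

    $live = Join-Path $DriverDir $Name
    $ref  = Join-Path $ReferenceDir $Name
    $r = [ordered]@{ File = $Name; LiveHash = $null; RefHash = $null; Match = $null; Signature = $null; Note = '' }

    if (Test-Path $live) {
        $r.LiveHash  = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
        # In-box drivers are catalog-signed; on supported Windows versions this resolves
        # through the catalog. 'NotSigned' or 'HashMismatch' on a system file is worth a look.
        $r.Signature = (Get-AuthenticodeSignature -FilePath $live).Status
    } else {
        $r.Note = 'live file missing'
    }

    if (Test-Path $ref) {
        $r.RefHash = (Get-FileHash -Algorithm SHA256 -Path $ref).Hash
    } else {
        $r.Note = ($r.Note + ' no reference copy').Trim()
    }

    if ($r.LiveHash -and $r.RefHash) {
        $r.Match = ($r.LiveHash -eq $r.RefHash)
        if (-not $r.Match) { $r.Note = ($r.Note + ' hash differs from clean reference').Trim() }
    }

    [pscustomobject]$r
}

# Usage: Match = True with a Valid signature supports the "false positive" reading;
# Match = False with a non-Valid signature supports the file-infector reading.
$SuspectFiles | ForEach-Object { Compare-DriverFile -Name $_ } | Format-Table -AutoSize
```

A hash match against a reference from a different service pack level will be reported as a mismatch, so confirm the reference machine's version first; a mismatch on its own is not proof of infection, and a match plus a valid signature is the stronger signal that the AV hit was a false positive.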
 
LVL 32

Author Comment

by:willcomp
ID: 24107794
Nothing else is showing up on scans, so I have to consider it clean. Have run Windows Update to install non-automatic updates and am installing SP3 now.

Thanks for your help.
0
 
LVL 32

Author Closing Comment

by:willcomp
ID: 31568353
Good job.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24113210

Hi willcomp,
I didn't realize straightaway that it was you, :)
Sorry for the delayed reply. Some of the files and folders came back?
I must've missed something... you still got that pc?

BTW, I'll be gone Saturday 18th (no internet access) for the whole week period so I hope you'll be here with the others and keep Virus & Spyware zone questions answered, thanks :)
0
 
LVL 32

Author Comment

by:willcomp
ID: 24113246
It appears clean -- all scans are free from any detections and I haven't noticed any behavior which indicates malware.

Am finishing up another one that was not as badly infected. It did have the same Windows Update problem with renamed paths, changed permissions for registry keys, and Automatic Update service disabled.

Ah, how could you forget me? My heart's broken :-)

I'll see what I can do in your absence. Won't be the same but maybe we can negate some of the useless comments and provide a bit of assistance and some sanity.

Once again, thanks for the help. This one was beyond my expertise and I don't like to wipe and reload unless absolutely necessary.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24113564
>>>Ah, how could you forget me? My heart's broken :-)<<<

I certainly did not forget you. I just missed looking at the Asker's username, :)
... just tired, sorry.


Thanks for the points! :)
0