
Rootkit(s) and Trojan

I am working on a PC that was infected with Antispyware2009, Cleaner2009, and who knows what else. Sequence of events so far:

Disabled all non-MS services and startup items in safe mode
Ran Combofix (Combofix1 log attached)
Ran MBAM with old definitions -- LSP problem and no internet access (MBAM-01 log attached)
Ran MBAM with updates after fixing LSP with WinsockFix (MBAM-02 log attached)
Installed and ran AVG Free
Ran Combofix (Combofix2 log attached)
Ran Hijack This (log attached)

Combofix log is showing hidden files that have not been removed. Need a script or other means to clean them out.

AVG shows asyncmac.sys and atmarpc.sys infected with Trojan Horse Agent_r.G. They are whitelisted system (network) files and cannot be deleted. I probably can delete and replace them by booting from the UBCD4Win CD. Any other methods?
willcomp (Author) Commented:
Something happened to the attached files. Let's try again.
ComboFix1.txt
ComboFix2.txt
mbam-log-01.txt
mbam-log-02.txt
hijackthis.log
rpggamergirl Commented:
Hi,

>>>AVG shows asyncmac.sys and atmarpc.sys <<<
Those above files showing in the CF log are legit.... if they are infected then that means a file infector is at work in the system....Or could be false positive from AVG.
Submit those files at http://virusscan.jotti.org/ and if most scanners flag them as infected you can then replace them.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\windows\system32\drivers\7051257f.sys
c:\windows\system32\drivers\924143b5.sys
c:\windows\SYSTEM32\3708222215.dat
c:\windows\SYSTEM32\DRIVERS\f0bdb4f7.sys
c:\windows\SYSTEM32\buyivalo.dll
c:\windows\SYSTEM32\vutulewo.dll
c:\windows\SYSTEM32\fuzayubi.dll
c:\windows\SYSTEM32\ewf3.pxf
c:\windows\SYSTEM32\fe3.wa
c:\windows\awmcb.dat
c:\windows\bedjo.dat
c:\windows\hwtml.dat
c:\windows\kdzxe.dat
c:\windows\kxqhk.dat
c:\windows\ldeqx.dat
c:\windows\mfywm.dat
c:\windows\mvimb.dat
c:\windows\obmbr.dat
c:\windows\orbol.dat
c:\windows\qievk.dat
c:\windows\rqwrg.dat
c:\windows\ucgus.dat
c:\windows\veajh.dat
c:\windows\vinfl.dat
c:\windows\SYSTEM32\crmgn.dat
c:\windows\SYSTEM32\gadfz.dat
c:\windows\SYSTEM32\gchga.dat
c:\windows\SYSTEM32\gihgs.dat
c:\windows\SYSTEM32\hmufs.dat
c:\windows\SYSTEM32\hstbf.dat
c:\windows\SYSTEM32\ibiif.dat
c:\windows\SYSTEM32\lwtcr.dat
c:\windows\SYSTEM32\maheo.dat
c:\windows\SYSTEM32\mdcyb.dat
c:\windows\SYSTEM32\pfdac.dat
c:\windows\SYSTEM32\premt.dat
c:\windows\SYSTEM32\ptrzs.dat
c:\windows\SYSTEM32\rlcdn.dat
c:\windows\SYSTEM32\rsohc.dat
c:\windows\SYSTEM32\sseyb.dat
c:\windows\SYSTEM32\tzvxf.dat
c:\windows\SYSTEM32\viivm.dat
c:\windows\SYSTEM32\wlkdg.dat
c:\windows\SYSTEM32\wvxla.dat
c:\windows\SYSTEM32\wzqwl.dat
c:\windows\SYSTEM32\yqfks.dat

Folder::
c:\windows\SYSTEM32\omignyjk
c:\windows\SYSTEM32\grreyyfuh
c:\windows\SYSTEM32\cigcenkwq
C:\-260994896

ADS::
c:\windows\WindowsUpdate.log
c:\windows\jautoexp.dat
c:\windows\Q328213.LOG
c:\windows\TSOC.LOG
c:\windows\KB828035.log
c:\windows\KB842773.log
c:\windows\DJBDRV.LOG

Driver::
7051257f
924143b5
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Also check to make sure that the BITS has the correct "path to executable"
Start > Run > Type in:

services.msc

Press Enter, double-click on 'Background Intelligent Transfer Service' and check to make sure that the path to executable is this --> %SystemRoot%\System32\svchost.exe -k netsvcs
willcomp (Author) Commented:
CF script ran successfully. Do you want to see the last CF log?

BITS and wuauserv both had the modified executable path (f instead of s). I edited registry to correct but had to change permissions in order to save changes. Key is HKLM\SYSTEM\CurrentControlSet\Services in case anyone needs to know.

I doubt that AVG is reporting false positives. Those 2 files exist in every XP system and it's the first time I've seen them flagged. Will submit just to be sure.

I'm glad you were first responder and I didn't have to respond to run Spybot and similar comments :-)

Thanks for your help.

A couple of questions: what generated the rootkit(s), and do you know what has happened to IndiGenus -- haven't seen him around lately.
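As an added illustration of the "path to executable" check rpggamergirl describes and the altered ImagePath willcomp found under HKLM\SYSTEM\CurrentControlSet\Services, here is a PowerShell check written for this page (not code from either poster). The function name, the expected svchost.exe lines and the sample paths are assumptions.

```powershell
# Added example (not from the thread): verify that BITS and wuauserv still
# launch through the genuine svchost.exe by comparing the ImagePath stored
# under HKLM\SYSTEM\CurrentControlSet\Services with the expected value the
# answer above gives. Expected paths and the sample data are assumptions.

$Expected = @{
    'BITS'     = '%SystemRoot%\System32\svchost.exe -k netsvcs'
    'wuauserv' = '%SystemRoot%\System32\svchost.exe -k netsvcs'
}

function Test-ServiceImagePath {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $ExpectedPath,
        # Supply a captured value to run the comparison offline (e.g. from an
        # exported hive); omit it to read the live registry of the machine.
        [string] $ActualPath
    )
    if (-not $PSBoundParameters.ContainsKey('ActualPath')) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        $ActualPath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath
    }
    # Compare case-insensitively and ignore runs of whitespace; the key keeps
    # %SystemRoot% unexpanded, so neither side is expanded.
    $normalise = { param($p) (($p -replace '\s+', ' ').Trim()).ToLowerInvariant() }
    New-Object PSObject -Property @{
        Service  = $Name
        Actual   = $ActualPath
        Expected = $ExpectedPath
        Tampered = ((& $normalise $ActualPath) -ne (& $normalise $ExpectedPath))
    }
}

# Constructed sample data: one path with a single letter swapped (the kind of
# change reported in the thread) next to an untouched one.
$Samples = @{
    'BITS'     = '%SystemRoot%\System32\svchost.exe -k netfvcs'
    'wuauserv' = '%SystemRoot%\System32\svchost.exe -k netsvcs'
}
foreach ($svc in $Expected.Keys) {
    Test-ServiceImagePath -Name $svc -ExpectedPath $Expected[$svc] -ActualPath $Samples[$svc]
}

# Live check on the machine being cleaned (needs read access to the Services key):
# foreach ($svc in $Expected.Keys) { Test-ServiceImagePath -Name $svc -ExpectedPath $Expected[$svc] }
```

A service whose row shows Tampered = True should have its ImagePath corrected (adjusting key permissions first if the save is refused, as the thread notes) before Windows Update is retried.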
willcomp (Author) Commented:
The Automatic Update service was disabled as well -- had to change to Automatic and start service in order to run Windows Update.
willcomp (Author) Commented:
Kaspersky, NOD32, Avast, and several other AV scanners show the 2 files flagged by AVG as infected with either a rootkit or a worm. What's surprising is that about half pronounced them clean.
rpggamergirl Commented:
>>>I doubt that AVG is reporting false positives. <<<
that's what I meant....there are only 2 possibilities: either a file infector or FP.
Usually if a file infector is present other legit files would also be infected.
An online virus scan should tell us.
If those files are infected try combofix script function to delete them later...not sure if they are in CF whitelist.
Good job in fixing both the BITS and wuauserv 'path to executable', well done.
IndiGenus is still around, I saw his recent posts 4 days ago.
He is more active in other forums than here (I think) and he has his own site as well, so I guess that's why he is not posting in every question in the Virus & Spyware zones.

Yes, do attach the latest CF log thanks.


willcomp (Author) Commented:
Indi covered the day shift and you cover the night shift (our time).

Here's last Combofix log.

I deleted the two infected files and replaced them with ones copied from a clean PC using a43 file manager in UBCD4Win. Appears to have worked so far. The a43 file manager is also on the Bart PE disk. Both boot disks support flash drives.

I'm pretty handy with XP but you and Indi are far ahead of me in malware removal.


ComboFix.txt
willcomp (Author) Commented:
Nothing else showing up on scans, so have to consider it clean. Have run Windows Update to install non automatic updates and am installing SP3 now.

Thanks for your help.
willcomp (Author) Commented:
Good job.
rpggamergirl Commented:

Hi willcomp,
I didn't realize straightaway that it was you, :)
Sorry for the delayed reply. Some of the files and folders came back?
I must've missed something... you still got that pc?

BTW, I'll be gone Saturday 18th (no internet access) for the whole week period so I hope you'll be here with the others and keep Virus & Spyware zone questions answered, thanks :)
willcomp (Author) Commented:
It appears clean -- all scans are free from any detections and I haven't noticed any behavior which indicates malware.

Am finishing up another one that was not as badly infected. It did have the same Windows Update problem with renamed paths, changed permissions for registry keys, and Automatic Update service disabled.

Ah, how could you forget me? My heart's broken :-)

I'll see what I can do in your absence. Won't be the same but maybe we can negate some of the useless comments and provide a bit of assistance and some sanity.

Once again, thanks for the help. This one was beyond my expertise and I don't like to wipe and reload unless absolutely necessary.
rpggamergirl Commented:
>>>Ah, how could you forget me? My heart's broken :-)<<<

I certainly did not forget you. I just missed looking at the Asker's username, :)
... just tired sorry.


Thanks for the points! :)