Rootkit and/or Trojan

Posted on 2009-04-11
Last Modified: 2013-12-06
I've been working on this PC for several days and thought I had it clean. Installed AVG which is showing C:\windows\system32\drivers\ndis.sys infected with Trojan Horse Rootkit-Agent.DI. ndis.sys is a legit Windows file and part of the OS (part of network driver). I tried submitting to Jotti for verification but upload hangs.

What I have been able to determine is that C:\windows\drivers\restore.exe runs on boot and then deletes itself. ndis.sys is infected at that time. There is a registry entry HKLM\CurrentControlSet\Services\Restore which apparently initiates the infector. I have tried deleting the registry image file location but restore.exe is still running on boot. Of course, it is not listed as a service (services.msc). ndis.sys is not always flagged as infected by AVG. I think the infector may have also dropped C:\Windows\temp\BNA.tmp but am not sure.

ComboFix log is attached. There are a number of entries in recently added (30 day) files section that are strangely named but legitimate. Those are in C:\windows\system32\dllcache folder. I had to run SFC and re-install video driver to get PC back in usable condition. I didn't save a copy of initial ComboFix run log -- wish I had.

BlackLight did not detect any root kits and neither does ComboFix.

Two MBAM logs and a HJT log are also attached. MBAM does identify the HKLM\CurrentControlSet\Services\Restore registry entry.


ComboFix.txt
mbam-log-2009-04-08--11-50-15-.txt
mbam-log-2009-04-10--18-10-07-.txt
hijackthis.log
Question by: willcomp

Accepted Solution by rpggamergirl (earned 400 total points)

Hi willcomp,

ndis.sys failed the sigcheck so that's probably patched or maybe sality or virut is present there... I would just replace that just to be sure.

I did not check those files in the dllcache folder (assuming they're all legit)... but some nasties can also hide in dllcache and i386 folders... most likely what's going on here is a file infector. Snapshot is also showing some filesize discrepancy.

If it's virut a reformat and reinstall would be the quickest and safest solution as depending on how long the system has been infected it takes time and patience to remove and replace corrupted files. And even then we can not guarantee that the system is virus-free or error-free afterwards.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\windows\system32\drivers\e43edea6.sys
c:\program files\Common Files\omykon.vbs
c:\documents and settings\Owner\Application Data\iwyn.bin
c:\documents and settings\All Users\Application Data\ocisib.dll
c:\program files\Common Files\befydyz.scr
c:\program files\Common Files\tavosep.sys
c:\program files\Common Files\ehexigetiw.exe
c:\documents and settings\Owner\Application Data\yhyn.vbs
c:\documents and settings\All Users\Application Data\lipaf.bat
c:\documents and settings\Owner\Application Data\ziqylalisa.dll
c:\documents and settings\Owner\Application Data\jydocatyja.exe
c:\program files\Common Files\hozusur.inf
c:\documents and settings\Owner\Application Data\yzare.sys
c:\program files\Common Files\emakutik.dl
c:\windows\Pyihurize.dat
c:\windows\Khotoho.bin
c:\windows\system32\drivers\OLD7.tmp
c:\windows\temp\BN1.tmp

Folder::
c:\program files\temp01

Driver::
e43edea6
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

Also run ATF Cleaner or CCleaner:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
OR:
CCleaner:
http://www.ccleaner.com/download/

Author Comment by willcomp

rpg -- thanks for the response. Ran ComboFix script and log is attached.

ndis.sys is still infected -- surprise! surprise!

I run CCleaner to clean both files and registry as a matter of course, so that had already been done. Reran to be safe but nothing suspicious was deleted (only a few log files left to delete). I also delete files in \Documents and Settings\%username%\Local Settings\Temp folder(s). Learned years ago that was a favorite malware hiding place and neither CCleaner nor ATF Cleaner clean those folders.

It's Easter Sunday morning here so I won't be working on PC again until later in the day. Will update as I have more info.
ComboFix.txt

Author Comment by willcomp

Forgot to add -- verified those files in dllcache folder were MS signed files.

Assisted Solution by greyknight17 (earned 100 total points)

Download the Flash Disinfector at http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console using ComboFix. You may skip the part with using a CD to do it and go straight to the Microsoft website to download it instead.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text below into Notepad:

File::
c:\program files\temp01

FCopy::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
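As an added example (not code from any participant in this thread), the PowerShell triage script below pulls together the checks the question and the answers describe: the signature check rpggamergirl refers to, a hash and size comparison of the live ndis.sys against the ServicePackFiles\i386 and dllcache copies that greyknight17's FCopy line restores from, and a look for the HKLM\...\Services\Restore key from the question. It goes one step beyond the thread by also listing any service whose ImagePath points at a file that no longer exists, which is the trace a self-deleting loader like restore.exe leaves behind. It assumes PowerShell 4 or later (for Get-FileHash) and the default XP-era paths; adjust $pristine if the service-pack cache lives elsewhere.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 4+ (Get-FileHash) and the
# XP-era paths below; adjust $pristine if the service-pack cache lives elsewhere.
$driver   = Join-Path $env:SystemRoot 'system32\drivers\ndis.sys'
$pristine = @(
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\ndis.sys'),   # source of the FCopy:: line
    (Join-Path $env:SystemRoot 'system32\dllcache\ndis.sys')        # what SFC restores from
)

# 1. Authenticode status: a file infector that patches the driver breaks the signature.
#    Caveat: Windows drivers are catalog-signed, so older hosts may say NotSigned even for a
#    clean file; treat the hash comparison in step 2 as decisive there.
$sig = Get-AuthenticodeSignature -FilePath $driver
'{0}: signature {1}' -f $driver, $sig.Status

# 2. Hash and size of the live driver against the OS's own pristine copies
#    (the "filesize discrepancy" the accepted answer mentions shows up here).
$live = Get-FileHash -Path $driver -Algorithm SHA256
foreach ($p in $pristine) {
    if (-not (Test-Path $p)) { '{0}: not present' -f $p; continue }
    $verdict = if ((Get-FileHash -Path $p -Algorithm SHA256).Hash -eq $live.Hash) { 'MATCH' } else { 'DIFFERS' }
    '{0}: {1} ({2} bytes vs live {3})' -f $p, $verdict, (Get-Item $p).Length, (Get-Item $driver).Length
}

# 3. The loader the question identified: a Services key that services.msc never lists.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Restore'
if (Test-Path $svc) {
    $k = Get-ItemProperty -Path $svc
    'Services\Restore present: ImagePath="{0}" Start={1} Type={2}' -f $k.ImagePath, $k.Start, $k.Type
} else { 'Services\Restore: absent' }

# 4. Generalisation: any service whose ImagePath points at a file that no longer exists.
#    restore.exe deleted itself after each boot, so a dangling ImagePath is the trace it leaves.
function Get-ServiceBinary([string]$ImagePath) {
    # Extract the executable from an ImagePath (quoted, with arguments, or NT-style prefixes).
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^[A-Za-z]:\\') { return $p } else { return $null }
}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $ip  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    $exe = if ($ip) { Get-ServiceBinary $ip } else { $null }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        'Dangling ImagePath: {0} -> {1}' -f $_.PSChildName, $ip
    }
}
```

Run it from an elevated PowerShell prompt; a DIFFERS verdict on both pristine copies together with a present Services\Restore key is the pattern the thread describes.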

Author Comment by willcomp

@greyknight17 -- thanks, but I have already deleted ndis.sys and "expanded" a new copy from XP CD.

FYI -- that link to Flash Disinfector is no longer valid. This one still works:  http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe


Expert Comment by greyknight17

Are you still having any signs of infection now? If not, go to Start > Run and type in combofix /u to remove it. Please read the below for guides on how to help prevent infections:

1. TonyKlein's article "So how did I get infected in the first place?"
http://www.spywareinfoforum.com/index.php?showtopic=60955
2. "Simple and easy ways to keep your computer safe and secure on the Internet"
http://www.bleepingcomputer.com/tutorials/tutorial82.html
3. miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Author Comment by willcomp

@greyknight17 -- I'm very familiar with ComboFix including its removal. No matter what software I install and how much I advise customers, they continue to let their kids have full access to the internet. Could be because the parents are dependent on the kids for using the PC. They also aren't good about updating and/or renewing AV and anti-spyware software. Although I configure automatic updates, they won't leave PCs turned on when not in use.

I do occasionally need a Combofix script or peer input. I haven't attended Malware U yet and rely on the good folks here that have.

Some friendly advice -- when the questioner is a qualified expert, you might want to check their profile.

Expert Comment by greyknight17

You didn't mention that the issue was resolved, so I wasn't sure if the issue was remaining.

Will take that advice and view the profile for those who are qualified experts in the future. But I don't see how that would help out in this case.

Author Comment by willcomp

The jury is still out on whether the problem is resolved. Believe it is but waiting to see.

Without checking profiles, it's hard to determine one's level of expertise. I do appreciate your responding, but there's no need to provide basic information where it's not needed.

Did you update your link for Flash Disinfector? When you have "canned" responses or a list of links, it's good to validate links periodically.

Expert Comment by rpggamergirl

Yes, the techsupportforum link hasn't been working for a while...
Here's the working link that I've been using:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fdownload.bleepingcomputer.com%2FsUBs%2FFlash_Disinfector.exe
Thanks for that link willcomp, :) I'll add that to my canned in case one link stops working.

Author Comment by willcomp

No reinfections so far. Restore service is still not in registry and ndis.sys is still clean. I'll monitor for a while longer and then uninstall Combofix and call it cured.

Thanks for your help.

Author Closing Comment by willcomp

Appreciate the help. It seems to be clean. I'll monitor for another day and then uninstall ComboFix and pronounce it cured.

Expert Comment by greyknight17

Been meaning to update the link but keep forgetting. Will try to do it now. Thanks.