Rootkit Revealer can't mount disk; virus

jwmarkert
I'm working on a computer that was severely infested with viruses. I removed the disk and slaved it off another computer to search and remove viruses. That system located and removed 3 items deemed to be a Trojan horse according to AVG. They were 1418564.exe and postcard.chm in 2 different directories. After these 2 items were removed, the system hung. On rebooting, the system could no longer see the disk.

I reinstalled the disk in the original system and amazingly it booted. There were still issues with redirected searches. I removed sdra64.exe, winwebsec, renos.gen!BE, ciggcrnsvv.exe.8, msb.dll, riwqqhtrtn.exe. The system runs reasonably well now but Rootkit Revealer quits stating that it cannot mount C: when run.

I'd like to get a clean run of Rootkit Revealer before calling this clean. Do I still have some malware in the disk routines? Please advise what I have to do to the disk to get Rootkit Revealer to mount it.
Top Expert 2007
Commented:
Try running other scanners first, there might be other nasties still present in the system...then you can run RKR again afterwards.

Try MalwareBytes and Combofix.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php



Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



Or, you can also try Gmer, which is also a very good rootkit scanner.

Author

Commented:
I've run Malwarebytes and ComboFix. I believe that Malwarebytes took out a few nasties, but I can't locate my notes at the moment. In any case, whatever it removed did not correct Rootkit Revealer's inability to mount C:.

After Malwarebytes, I was able to detect 8 rootkits as detected by AVG. They all began with the characters HJGR.

I ran ComboFix and it removed whatever was keeping C: from mounting. The log is attached as well as the log from Rootkit Revealer. Apparently there are entries left in the Registry.

Please advise my next step. Also, how do I learn more about ComboFix so I am in a position to analyze my own log? Thanks.
ComboFix-log-2009-07-21.txt
RootkitReveal-2009-07-21.txt
Top Expert 2007
Commented:
Thanks for the logs.

The culprit was a CLB rootkit.
Rootkit Revealer's log is clean, it's not showing any nasty entries.
With Combofix log all is well but there's just one folder I'd like to peek.

Run ComboFix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\docume~1\Owner\LOCALS~1\Temp\AUKYUSPK.exe
Driver::
AUKYUSPK
DirLook::
c:\documents and settings\All Users\Application Data\14181564
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.




Also clean your temp folders with either one of these temp cleaners:
CCleaner:
http://www.ccleaner.com/download/

ATF Cleaner:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1

Download TFC Cleaner:
http://oldtimer.geekstogo.com/TFC.exe
Click the Start button to begin the process.
Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

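The CFScript above is only three directives, but ComboFix acts on every line it is given, so it is worth checking what you are about to drag onto ComboFix.exe. The following is an added example, not ComboFix's own code or the expert's: it parses a CFScript into directive/argument lists, re-emits it one item per line, and runs a few sanity checks. It also splits directives that got fused onto one line, which can happen when the script is copied from a web page. The directive names (File::, Driver::, DirLook::) and the "absolute path vs. bare service name" checks are assumptions taken from this thread, not a published ComboFix grammar; extend DIRECTIVES if you use others.

```python
"""Parse a ComboFix CFScript and re-emit it in canonical one-item-per-line form.
Added example for the thread; the only directives assumed are the three the
expert used above, and the sanity checks encode this thread's usage, not any
official ComboFix rule."""
import re

DIRECTIVES = ("File", "Driver", "DirLook")   # assumption: names used in this thread

# Split only in front of a *known* directive name that follows non-space text, so a
# service name like AUKYUSPK is never mistaken for the start of a directive.
_FUSED = re.compile(r"(?<=\S)(?=(?:%s)::)" % "|".join(DIRECTIVES))
_HEADER = re.compile(r"^([A-Za-z]+)::(.*)$")

# The script from the post, as it looks when the line breaks are lost in a copy/paste.
FUSED_SCRIPT = ("File::c:\\docume~1\\Owner\\LOCALS~1\\Temp\\AUKYUSPK.exe"
                "Driver::AUKYUSPK"
                "DirLook::c:\\documents and settings\\All Users\\Application Data\\14181564")


def unfuse(text):
    """Re-insert line breaks where a directive was glued onto the previous argument."""
    lines = []
    for line in text.splitlines():
        lines.extend(_FUSED.split(line))
    return lines


def parse_cfscript(text):
    """Return {directive: [arguments]} in the order the directives appear."""
    script, current = {}, None
    for raw in unfuse(text):
        line = raw.strip()
        if not line:
            continue
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            script.setdefault(current, [])
            if header.group(2).strip():          # argument written on the same line
                script[current].append(header.group(2).strip())
        elif current is None:
            raise ValueError("argument before any directive: %r" % line)
        else:
            script[current].append(line)
    return script


def render(script):
    """Canonical form: directive alone on its line, its arguments below it."""
    out = []
    for name, args in script.items():
        out.append(name + "::")
        out.extend(args)
    return "\n".join(out) + "\n"


def check(script):
    """Sanity checks (assumed from the thread): File:: and DirLook:: take full
    paths, Driver:: takes a bare service name, never a path or filename."""
    problems = []
    for name in ("File", "DirLook"):
        for arg in script.get(name, []):
            if not re.match(r"^[A-Za-z]:\\", arg):
                problems.append("%s:: expects an absolute path, got %r" % (name, arg))
    for arg in script.get("Driver", []):
        if "\\" in arg or "." in arg:
            problems.append("Driver:: expects a service name, got %r" % arg)
    return problems


if __name__ == "__main__":
    parsed = parse_cfscript(FUSED_SCRIPT)
    print(render(parsed), end="")
    print("problems:", check(parsed) or "none")
```

Run it on the pasted script and compare the rendered output against what you meant to submit before saving it as CFScript.txt; a non-empty `check()` result means a directive received the wrong kind of argument.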
Author

Commented:
I ran ComboFix as directed. Logfile ComboFix 2009-07-21-2.txt is attached.

I then ran CCleaner.

Then I ran Rootkit Revealer and got log file: Rootkit Revealer 2009-07-21-2.

Shortly thereafter, AVG popped up and advised that several trojans had appeared (see log AVG Resident Shield 2009-07-21.txt).

I ran Rootkit Revealer again which created the log: Rootkit Revealer 2009-07-21-3. This log shows many more entries than the -2 log. What are the HKLM\SOFTWARE\swearware\backup\winsock2\Parameters entries? I have not seen this reported in Rootkit Revealer before.

Am I infected again?

Thanks for help and how can I learn how to interpret ComboFix results?
ComboFix-Log-2009-07-21---2.txt
AVG-Resident-Shield-2009-07-21.txt
RootkitReveal-2009-07-21-3.txt
RootkitReveal-2009-07-21-2.txt
Top Expert 2007
Commented:
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL

The above are the only 2 that are suspicious, which you can submit for an online check, --> http://virusscan.jotti.org/


<<<"What are  the  HKLM\SOFTWARE\swearware\backup\winsock2\Parameters entries?">>>

Those entries are legit entries....
Rootkit Revealer reads the disk at the start of the scan and again at the end; any changes made and any activity going on while RKR is scanning, by apps or by the user, are listed as discrepancies or as hidden from the Windows API....
It is always recommended to run RKR while the machine is idle and no other programs are running.


c:\documents and settings\All Users\Application Data\14181564\14181564<-- can you check what's inside this folder?



HKLM\SYSTEM\ControlSet001\Services\hjgruibnexrlxj    
HKLM\SYSTEM\ControlSet003\Services\hjgruibnexrlxj

The above rootkit service entries don't mean a rootkit is present or active, as those entries are gone at boot.


AVG's results are files in the restore folder and we can turn System Restore off later on to get rid of any viruses there.
If you become a member to any anti-spyware forums they have classes where you can learn starting from basic onwards.


What I need you to do is scan the system with Gmer, to make sure a rootkit is not still lurking.
Download GMER:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fwww.gmer.net%2Ffiles.php


Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and then paste the results into this thread.

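The explanation above is the key to reading an RKR log: RootkitRevealer reports every object whose Windows API view disagrees with the raw disk or hive view, so concurrent activity, ComboFix's own backup keys and System Restore snapshots land in the same list as genuinely hidden objects. The script below is an added example (not RKR's, ComboFix's or the expert's code) that parses an RKR log and separates the noise this thread identifies from the discrepancies that still need a second scanner or a manual look. The sample log is constructed: the 14181564 folder and hjgruibnexrlxj service names are from the thread, every other path, timestamp and size is made up, and the allow-list of "expected" locations is exactly the set the expert explains above, not a general rule.

```python
"""Triage a RootkitRevealer (RKR) log: bucket discrepancies into the noise the
thread explains (ComboFix backups, System Restore, scan-time churn) and the
entries that still need review.  Added example; the sample log is constructed
in RKR's tab-separated layout (path, timestamp, size, description)."""

# Constructed sample.  Names 14181564 and hjgruibnexrlxj come from the thread;
# every other path, timestamp and size is invented for illustration.
SAMPLE_LOG = (
    "HKLM\\SOFTWARE\\swearware\\backup\\winsock2\\Parameters\tn/a\t0 bytes\t"
    "Data mismatch between Windows API and raw hive data.\n"
    "HKLM\\SYSTEM\\ControlSet001\\Services\\hjgruibnexrlxj\t2009-07-21 09:12\t0 bytes\t"
    "Hidden from Windows API.\n"
    "C:\\System Volume Information\\_restore{EXAMPLE}\\RP5\\A0000123.exe\t2009-07-21 09:40\t61.50 KB\t"
    "Visible in Windows API, but not in MFT or directory index.\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\14181564\\14181564\t2009-07-21 09:13\t1.20 MB\t"
    "Hidden from Windows API.\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\example\t2009-07-21 09:14\t0 bytes\t"
    "Key name contains embedded nulls (*)\n"
    "C:\\WINDOWS\\system32\\spool\\PRINTERS\\FP00000.SPL\t2009-07-21 09:41\t8.00 KB\t"
    "Visible in Windows API, but not in MFT or directory index.\n"
)

# Locations the thread attributes to expected noise rather than a rootkit
# (prefix match, case-insensitive).  This list is the thread's, not a general one.
BENIGN_PREFIXES = {
    "HKLM\\SOFTWARE\\swearware": "ComboFix backup hive; removed by 'ComboFix /u'",
    "C:\\System Volume Information": "System Restore snapshot; purge by disabling System Restore",
    "C:\\WINDOWS\\system32\\spool\\PRINTERS": "print spooler scratch files; churn while the scan runs",
}

# Descriptions that scan-time activity alone does not produce: the object is in
# the raw view but the API view leaves it out or misreports its name.
HIGH_SIGNAL = ("Hidden from Windows API", "Key name contains embedded nulls")


def parse_rkr(text):
    """Split RKR's tab-separated lines into dicts, skipping blank/malformed ones."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue
        path, stamp, size, desc = parts
        entries.append({"path": path, "timestamp": stamp, "size": size,
                        "description": desc.strip()})
    return entries


def classify(entry):
    """Return ('expected', why) for known noise, otherwise ('review', why)."""
    path = entry["path"].lower()
    for prefix, why in BENIGN_PREFIXES.items():
        if path.startswith(prefix.lower()):
            return "expected", why
    if entry["description"].startswith(HIGH_SIGNAL):
        return "review", "object exists in raw view but the Windows API omits it"
    return "review", "view mismatch of unknown cause; rescan with the machine idle"


def triage(entries):
    """Bucket entries; 'review' is what still needs GMER or a manual look."""
    buckets = {"review": [], "expected": []}
    for entry in entries:
        bucket, why = classify(entry)
        buckets[bucket].append(dict(entry, reason=why))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_rkr(SAMPLE_LOG)).items():
        print(bucket.upper())
        for item in items:
            print("  %s\n      %s -> %s" % (item["path"], item["description"], item["reason"]))
```

Everything not on the allow-list is kept for review on purpose: a "Visible in Windows API, but not in MFT" hit is usually scan-time churn, but the only safe way to confirm that is the step the expert recommends, rerunning RKR on an idle machine and comparing.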

Author

Commented:
I can't see the following files in Windows:

C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL

I then booted Ubuntu to look at the disk. I could not see them using Ubuntu either.

The file
c:\documents and settings\All Users\Application Data\14181564\14181564
cannot be seen in Windows. This was the first virus that I detected on the system. I had slaved the disk off another system and it was detected by AVG and I thought deleted. This file cannot be seen in Windows, however using Ubuntu, it is there. I will delete it after I get your next post.

I ran GMER and a PDF of the result screen is attached.

I await your advice. Thank you for your help.
GMER-result-2009-07-22-9-52.pdf

Author

Commented:
I've deleted c:\documents and settings\All Users\Application Data\14181564\14181564 and uninstalled ComboFix. The post-delete Rootkit Revealer log is attached. The only 2 entries that I am used to seeing are the second and third. What are the others?

RootkitReveal-09-07-23.txt
Top Expert 2007
Commented:
Is that all the result from the Gmer log? Nothing there.


<<<"The only 2 entries that I am used to seeing are the second and  third. What are the others?">>>
The last entry is from the System Restore.

And all the other reg entries like the one below belong to Combofix.
HKLM\SOFTWARE\swearware


How did you uninstall Combofix?
Via Start > Run with the below command?

Combofix /u
Top Expert 2007
Commented:
<<<"The file
c:\documents and settings\All Users\Application Data\14181564\14181564
cannot be seen in windows.">>>

Were you showing hidden files and folders?
Application Data folder is hidden by default so unless you were showing hidden files and folders you won't see its subfolders.

Author

Commented:
You are right regarding the hidden folder. That computer is set to "do not show hidden folders". Anyway, that is gone ... at least for the moment.

I uninstalled ComboFix with "ComboFix /u". I did this because I wanted to see if there were any detectable system changes.

Thanks for the insight into the swearware keys in the registry. Is there any reason to leave these in the registry?

The GMER log is the screen image when GMER terminated.

Before I close this out, I'm going to try slaving the disk off another system as I did when it originally became unmountable.

Thanks for the help.
 
Top Expert 2007

Commented:
If those swearware reg entries are still there even after Combofix has already been uninstalled, you can try to manually delete those, no reason for those to stay there.

Thanks!

