rootkit found in one file in system 32 drivers

I had never heard of a rootkit before. I seem to have one caused by an infected drive I was looking at.
That drive has since been reformatted, but on my main system every time I do a scan with Hitman Pro I get a message telling me I have a rootkit in C:\WINDOWS\system32\drivers\dmio.sys. This does not seem to go away and Hitman Pro always finds it. Yet my other programs such as Spyware Doctor with AntiVirus, Bell Security Advisor, Norton and Malwarebytes Anti-Malware all tell me I am virus free.
1. What is a rootkit?
2. What is dmio.sys in the windows\system32 directory?
3. Can I get rid of this rootkit, and how?
Thanks.
LVL 1
PawloAAsked:
 
rpggamergirlCommented:
Good advice Jonvee; the patched file also shows up in ComboFix, but it is hard to pick out which one.

Gmer is the best one to ID the patched driver caused by latest TDSS rootkit.
There's another tool that can also identify the patched driver but it needs to be run in Recovery Console.

1. You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console
http://www.bleepingcomputer.com/tutorials/tutorial117.html


2. Next, please download maxlook, saving the file to your desktop.
http://noahdfear.net/downloads/maxlook.exe
Double click maxlook.exe to run it.
NOTE: - you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the X:\windows> prompt <--- x represents your operating system drive letter, usually C

batch look.bat

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

3. Once in normal mode, please run maxlook.exe again now.
NOTE: - you must run it only once!

It will produce looklog.txt on the desktop and open it.
Please post the results here.

 
NEXT: Do this also.

Once back in Windows, go to Start > Run, and copy/paste the following(bolded text) then press Enter.

maxlook -sig


Post the log in your next reply.
0
 
lobo797Commented:
"What is a Rootkit?"
http://en.wikipedia.org/wiki/Rootkit

"what is dmio.sys in the windows\system32 directory"
Here's a pretty good explanation. Check the file size on your computer against the known sizes. There is a recommended procedure for verifying security, as well.
http://www.file.net/process/dmio.sys.html


All the best
0
 
optomaCommented:
A rootkit is obviously bad (it modifies a legitimate file and leaves a possible "back door" open on a system) and, once present, remains undetectable by the majority of AV vendors.

Check your system32\dllcache >is there a copy of dmio.sys there?

Also run TdssKiller to see if it detects it
Post its logfile
http://support.kaspersky.com/viruses/solutions?qid=208280684
0

 
johnb6767Commented:
It might be patched, but the file itself is supposed to be there... Normally, with a rootkit infection, you wouldn't even see it present. Nor would you be able to find it in Process Explorer if you did a module search. That's what makes them so fun....

If this is a managed environment, the easiest thing to do is to compare against what's on another one of the systems that has the same image......
0
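Two of the replies above point at the same defensive check: compare the driver's size against known-good values (lobo797) or against another machine built from the same image (johnb6767). The script below is an added example, not code from this thread or from any of the tools it names. It assumes you have a manifest of expected size and SHA-256 per driver taken from a clean machine, and it flags files that differ, are missing, or are not in the manifest. The directories and driver contents in `demo()` are constructed stand-ins; the "patched" file keeps its original length so the size check alone would miss it, which is why the hash is recorded too.

```python
"""Driver integrity check against a baseline manifest (added example)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large drivers don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(directory):
    """Record (size, sha256) for every regular file in directory.

    On a clean reference machine this is the baseline; on the suspect
    machine it is the current state to compare against that baseline.
    """
    manifest = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            manifest[name] = (os.path.getsize(path), hash_file(path))
    return manifest


def compare(directory, baseline):
    """Return sorted lists of modified, missing and unexpected files."""
    current = build_manifest(directory)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    unexpected = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: a same-length patch, a deleted driver and an extra file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        # Constructed driver contents; real drivers would be copied from the image.
        files = {"dmio.sys": b"A" * 4096, "iastor.sys": b"B" * 8192, "atapi.sys": b"C" * 2048}
        for d in (clean, suspect):
            for name, data in files.items():
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        baseline = build_manifest(clean)

        # Simulate a patched driver: 16 bytes overwritten, file length unchanged.
        with open(os.path.join(suspect, "iastor.sys"), "r+b") as f:
            f.seek(100)
            f.write(b"X" * 16)
        os.remove(os.path.join(suspect, "atapi.sys"))          # missing driver
        with open(os.path.join(suspect, "extra.sys"), "wb") as f:
            f.write(b"not in the image")                       # unexpected file

        return compare(suspect, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

One caveat that matters for this thread: if the rootkit is active, the copy of the file returned through the normal file API may already be filtered, so the hashes should be taken with the system offline (from the Recovery Console or a boot CD), which is the same reason the maxlook procedure above runs its copy step from the Recovery Console.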
 
B HCommented:
3. can I get rid of this rootkit and how?

www.gmer.net has a fantastic rootkit detector/remover

0
 
JonveeCommented:
You could also try the excellent Sophos remover...
Free rootkit detection and removal tool:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Further information, and scanner>
RootkitRevealer v1.71                                
http://www.microsoft.com/technet/sysinternals/utilities/RootKitRevealer.mspx
0
 
rpggamergirlCommented:
Is your search also redirected or it's not a problem?
0
 
PawloAAuthor Commented:
I find no dmio.sys file in the system32\dllcache\ folder.
 
0
 
JonveeCommented:
Have you been successful in running at least one of those three rootkit scanners?
0
 
B HCommented:
a rootkit by design will be hidden from you - you won't see it in the registry, or as a file - it's hidden, that's the point.

you need a tool to see it - www.gmer.net is one of the best for finding and removing it.

if you want to manually check if the file is there, do this:
start > run > cmd
cd\windows\system32\drivers
dir dmio.*
(does it show up? probably not)
dir > dmio.sys
(do you get an error message? if yes, it's there.  if no, it's not)
cd ..
(now we're going to check the system32 folder because you mentioned that)
dir dmio.*
(does it show up? probably not)
dir > dmio.sys
(do you get an error message? if yes, it's there.  if no, it's not)
exit

now - if the dmio.sys was NOT there in either place, what are your symptoms - how do you know something is wrong?
if you got an error message, you are still infected... run one of the many scanners people here suggested and report back.

0
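The manual check in the reply above relies on a discrepancy: a hidden file does not appear in a listing, yet it is still there when addressed by name. The script below is an added example of that "cross-view" idea and is not B H's command sequence or any tool's code; it opens the file for reading rather than redirecting output into it, so it cannot overwrite a legitimate driver. The listing function is injectable so that the hidden case can be shown offline; `filtered()` in `demo()` is a constructed stand-in for a listing that omits one name, and the driver file it writes is a constructed placeholder.

```python
"""Cross-view check: directory listing versus direct access by name (added example)."""
import os
import tempfile


def cross_view(directory, name, list_fn=os.listdir):
    """Compare whether `name` appears in the listing with whether it opens by path.

    list_fn is the listing view (os.listdir by default); in a real tool the
    second view would come from a different source, such as the raw volume.
    """
    path = os.path.join(directory, name)
    listed = name.lower() in (n.lower() for n in list_fn(directory))
    try:
        with open(path, "rb") as f:
            f.read(1)               # read-only probe; never writes to the path
        accessible = True
    except OSError:
        accessible = False

    if listed and accessible:
        verdict = "present"
    elif accessible and not listed:
        verdict = "hidden"          # opens by name but never shows in the listing
    elif listed and not accessible:
        verdict = "listed-but-unreadable"
    else:
        verdict = "absent"
    return {"listed": listed, "accessible": accessible, "verdict": verdict}


def demo():
    """Constructed scenario: an honest listing, a missing file, and a filtered listing."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "dmio.sys"), "wb") as f:
            f.write(b"placeholder driver bytes")     # constructed stand-in

        honest = cross_view(d, "dmio.sys")
        absent = cross_view(d, "nothere.sys")

        def filtered(path):
            # Simulates a listing that drops one name; the file itself is untouched.
            return [n for n in os.listdir(path) if n.lower() != "dmio.sys"]

        hidden = cross_view(d, "dmio.sys", list_fn=filtered)

    return honest["verdict"], absent["verdict"], hidden["verdict"]


if __name__ == "__main__":
    print(demo())
```

On a live infected machine both views can be filtered, so a "present" or "absent" verdict from the same API is not proof either way; that is why the dedicated scanners in this thread (GMER, RootkitRevealer) compare the API view against a lower-level one, and why an offline scan is the more reliable confirmation.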
 
PawloAAuthor Commented:

Also run TdssKiller to see if it detects it
Post its logfile
http://support.kaspersky.com/viruses/solutions?qid=208280684
tdssd.bmp
0
 
optomaCommented:
OK, that's showing iastor.sys as infected.

Reboot and re-run TDSSKiller.
0
 
JonveeCommented:
Then from the TDSSKiller logfile, if any rootkit infection is still seen, try the "gmer" tool of bryon4403 or the Sophos remover...both are listed above ....it can often take more than one tool.
0
 
Thomas Zucker-ScharffSolution GuideCommented:
For a treatment of rootkits see my article describing what they are, tools you can use and some best practices:

http://e-e.com/A_2245.html
0
 
rpggamergirlCommented:
I asked if search redirects are one of the symptoms.
There are many TDSS variants... and it's important to know which one we are dealing with in order to remove it.
A very recent variant patches system drivers, and one of the symptoms is TDSSKiller constantly curing atapi.sys or iastor.sys.

The patched file should show up in the Gmer log provided the "Sections" box is checked. What TDSSKiller keeps curing is not necessarily the patched one.
Download GMER as already suggested.
http://www.gmer.net/gmer.zip

Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed.
Do not use your computer for anything else during the scan.
Also make sure that the "Sections" box is checked, otherwise patched files caused by the latest TDSS rootkits will not show up.

[*] Double click GMER.exe.
[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
[*] In the right panel, you will see several boxes that have been checked.

Ensure the following are UNCHECKED ...
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:\)
[*] Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the "Save.." button, and in the File name area, type in "ark.txt"  
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.
Attach the log.

0
 
PawloAAuthor Commented:
yes I get search redirects. My system is also very slow at times and I have a lot of hard disk read/writes (the access light stays on)
0
 
rpggamergirlCommented:
Run Gmer and make sure "Sections" box is checked it is important....leaving all boxes checked except for these 3 below:

Ensure the following are UNCHECKED ...
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:\)
[*] Show All (don't miss this one)

If Gmer hangs during scan..... uncheck the "Files" box and scan again.
0
 
PawloAAuthor Commented:
I only have the following two selections in Gmer
[*] IAT/EAT
[*] Show All (don't miss this one)

I do not have this selection in Gmer
[*] Drives/Partition other than Systemdrive (typically C:\)
 
0
 
PawloAAuthor Commented:
Gmer does not have the following

[*] Drives/Partition other than Systemdrive (typically C:\)
 

Wirus.bmp
0
 
optomaCommented:
That refers to just having c:\ checked and
 d:\ e:\  etc... unchecked which you do :)
0
 
rpggamergirlCommented:
That's right.....just need to uncheck the "IAT/EAT" box.
Sorry if the canned text is a little vague.

Gmer tends to hang at times; that's why it's important that you don't use the PC while Gmer is scanning.
If Gmer hangs, uncheck the "Files" box and rescan (only if it hangs at the first scan).
0
 
PawloAAuthor Commented:
I have tried to run Gmer many times. All without success. The program will not complete the task as it hangs up and the only thing for me to do is to reboot.
0
 
PawloAAuthor Commented:
I have the following programs for virus checking and removal
Hitman Pro 3.5.5 (this says that dmio.sys is a rootkit)
Newton Security Scan (scan only)
Malwarebytes' Anti-malware
Spyware Doctor
Registry Booster
Bell Internet Security Services (default program I normally use)
TDSSKiller (this says that iastor.sys is infected)
Gmer.exe
Perhaps something is better. There are so many programs to choose from. Two of the programs tell me I have different infections and the others say all is fine. Any suggestions on this?
 
0
 
JonveeCommented:
Yes, no one appears to have mentioned ComboFix, and it's certainly worth a try.    
From here you can download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using it please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine, then try this key combination to reach a Run box>
Windows Logo+R: Run dialog box

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 25 mins.
Ideally ComboFix should be run in normal mode, although it will work in safe mode if you're unable to reach normal mode.

Should you need it>   A guide and tutorial on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
riowgCommented:
you need a boot time scan from AV s/w like Avast home for free @ http://www.avast.com/free-antivirus-download
0
 
optomaCommented:
Did you uncheck iat/eat and files?
Your Bell Internet Security Services> are their real time shields disabled, firewall disabled?
0
 
rpggamergirlCommented:
If Gmer still won't run... you might like to follow Jonvee's advice of using ComboFix; it does fix most common rootkits (though not the latest TDSS).
Let ComboFix install the Recovery Console for you, and if we can't ID the patched file using ComboFix we can use maxlook.
0
 
PawloAAuthor Commented:
In the process of attempting to speed up my computer I started it with nothing running in msconfig, then had to re-enable everything in msconfig when I was in SAFE MODE. The computer works faster now but I get "Error 1058 The dependency service or group failed to start" if I attempt to start any services. The Device Manager shows no devices existing and the Disk Manager shows no drives attached. Yet my drives are still being accessed as normal. Yet I have no sound (it says no sound card exists) and no LAN, so I have to use another computer. Should I ask this as a separate question or can this be related to all the above plus some of my overzealous attempts?
0
 
optomaCommented:
I've seen that in Vista. The only way I got that resolved was using system restore and going back a week or two.

But the machine wasn't infected so dunno what the outcome would be :(
0
 
rpggamergirlCommented:
Did you try any of the above mentioned tools?
Did you disable any services via msconfig?
0
 
PawloAAuthor Commented:
I finally got my sound and internet to work on the infected system, as most of my services were disabled, and now I will try the above suggestions and programs later on today and post results here.
0
 
JonveeCommented:
Ok, thank you...
0
 
PawloAAuthor Commented:
Combofix worked and here is the log file.
art.txt
0
 
PawloAAuthor Commented:
All infections appear to be gone and my system is 100% operational again.
0
 
JonveeCommented:
That's good!  But time only allowed a brief study of your ComboFix log this morning, although I am suspicious of this remaining entry; it could be related to, or part of, a rootkit.
Although it ~may~ now be harmless, one option could be to re-run ComboFix using a small script (we'll write it) to deal with this one.
Another option would be to run HiJackThis and "Fix" the entry.

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\77B.tmp --> c:\windows\system32\77B.tmp [?]  

Perhaps rpggamergirl would care to comment on this entry, she's the Malware expert  :)     ...thanks.
0
 
JonveeCommented:
Have to logoff shortly for a couple of days....should you not get an early reply to my earlier comment due to time zone differences, this script should deal with that 'bad' entry>


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
==================================================

File::
c:\windows\system32\77B.tmp

==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, & hopefully the problem is removed.
5. Finally, please attach the new ComboFix logfile.
0
 
optomaCommented:
You appear to have Bell + Spyware Doctor AV active. Uninstall one of them.


" S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\77B.tmp --> c:\windows\system32\77B.tmp [?]  "  >belonging to Sophos anti-rootkit

What happens when you run TdssKiller? Still seeing iastor.sys as infected?

0
 
JonveeCommented:
@ optoma  .....ref:    " S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\77B.tmp --> c:\windows\system32\77B.tmp [?] " >belonging to Sophos anti-rootkit

good one!  ...but I'm still unable to find any reference to Sophos ..strange...but have to go....


@ PawloA    ...good luck with final cleanup.
0
 
rpggamergirlCommented:
ComboFix did it again and saved the day by the looks!
@Jonvee,
Yes that file belongs to Sophos Anti-rootkit.
http://www.bleepingcomputer.com/startups/random_locations-22472.html
Based on the CF log, the MEMSWEEP2 service is redundant and the file no longer exists.
So running the script would've been harmless.
0
 
optomaCommented:
Ah! well spotted Rpg ;)
0
 
PawloAAuthor Commented:
TdssKiller shows me a clean slate. all 0/0/0s.
When I ran ComboFix it disabled my Daemon Tools (virtual dvd drive program) and I had problems (but eventually reinstalled it) with Daemon.
All is ok now.
0
 
rpggamergirlCommented:
"When I ran ComboFix it disabled my Daemon Tools (virtual dvd drive program) and I had problems (but eventually reinstalled it) with Daemon."

CD emulator software interferes with the scan, so ComboFix disables their drivers but is supposed to re-enable them at reboot.

Glad to know all is okay now.
0
 
JonveeCommented:
@ rpggamergirl  .... thanks for the Sophos Anti-rootkit file information/confirmation.
0
 
rpggamergirlCommented:
PawloA,

To uninstall ComboFix:
Go to Start > Run and copy and paste the following command in the field:

ComboFix /Uninstall



Or simply rename ComboFix.exe to Uninstall.exe and double click it.
Thanks for using Experts-Exchange!
 
@ Jonvee:
No problem, :)
0
Question has a verified solution.
