Sign of a Rootkit infection?

Medium Priority
1,635 Views
Last Modified: 2013-11-30
Greetings.  I believe I'm infected with a Google Re-Direct rootkit.  I found this in the Registry under HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32

C:\WINDOWS\system32\1767DA3E-7E60-4cbf-8AB8-CFF4D42C6D04.pdf

This does not look normal to me.

Any assistance is graciously appreciated.

Jozze99

Hmmm... well, it is a PDF file; those usually don't cause problems.

If you are having problems with your Google search, please go into your Internet Options and check your accelerators. Make sure that the Google search accelerator is pointing to the correct Google address. If not, remove it and re-add the accelerator.

While in Internet Options, check your Connections tab for any proxy connections. Make sure it is empty.

Also you will want to check your hosts file at c:\windows\system32\drivers\etc\hosts
Make sure it is not re-directing you there.

Finally run Malwarebytes: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
and CCleaner: http://www.piriform.com/ccleaner

If this does not clear up your problem there is always this rootkit remover though it is more of a last resort tool:

ComboFix: http://www.bleepingcomputer.com/download/anti-virus/combofix
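The two redirect mechanisms the answer above tells you to check by hand, a tampered hosts file and a proxy injected into the WinINet settings, can be triaged with the following PowerShell script. This is an added example written for this page, not code from the thread or from any of the tools it links; it assumes a default Windows install (SystemRoot is C:\Windows) and an elevated prompt, and the watch list of domains is my own choice.

```powershell
# Added example (not from the thread): triage the hosts file and the
# per-user proxy settings that a search redirect is most often pinned to.
# Assumes a default Windows install and an elevated PowerShell prompt.

function Get-SuspiciousHostsEntries {
    param(
        # Parameterised so the function can also be pointed at a copy of the
        # file taken from a suspect disk; the default is the live file.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
        # Watch list (my assumption): search engines, update servers and the
        # security vendors that malware likes to blackhole or hijack.
        [string[]]$WatchList = @('google.', 'bing.', 'yahoo.', 'microsoft.',
                                 'windowsupdate.', 'symantec.', 'kaspersky.',
                                 'malwarebytes.', 'bleepingcomputer.')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # The thread's author found the file gone entirely; report that too.
        return [pscustomobject]@{ Line = $null; Address = $null; Host = $null; Reason = 'hosts file missing' }
    }
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()        # drop comments
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # malformed line, nothing to map
        $addr = $fields[0]
        $isLoopback = @('127.0.0.1', '::1') -contains $addr
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $watched = $WatchList | Where-Object { $name -like "*$_*" }
            if (-not $watched) { continue }
            $reason = if ($isLoopback) { 'security/search domain blackholed to loopback' }
                      else { 'well-known domain pinned to a non-loopback address' }
            [pscustomobject]@{ Line = $lineNo; Address = $addr; Host = $name; Reason = $reason }
        }
    }
}

function Get-ProxyConfiguration {
    # WinINet settings honoured by Internet Explorer and anything built on it.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL    # a PAC URL redirects more quietly than ProxyServer
        ProxyOverride = $p.ProxyOverride
    }
}

Get-SuspiciousHostsEntries | Format-Table -AutoSize
Get-ProxyConfiguration
# The machine-wide WinHTTP proxy is separate from the per-user one above
# (on Windows XP the equivalent command is proxycfg.exe).
netsh winhttp show proxy
```

Read the output with the rest of the thread in mind: an empty Connections tab in the GUI only proves ProxyServer is blank, and AutoConfigURL can still point at a script that rewrites Google traffic. A hosts file that is clean while the redirect persists points away from both of these checks and towards the driver-level hooks the later posts arrive at.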

Commented:
Follow Mark's blog related to rootkit/malware detection and fixes. This will at least give you an idea of what exactly is happening on your box.

http://technet.microsoft.com/en-us/sysinternals/bb963890

http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx

Author

Commented:
Thank you for your replies, suggestions, and links.  I'm in the process of trying to identify exactly what is going on.  I did remove "memman.vxd" from my workstation last week, but I did find that my hosts file was gone (subsequently replaced).

I plan on unplugging my network cable and running CCleaner to see what it can find.  The organization I work for has Symantec Endpoint Protection on all workstations (including mine) and mine was fully patched before I got hit with TidServ, or a variant.  According to Symantec Endpoint, my definitions are up-to-date (dates of yesterday and today) and I'm not getting the balloon of TidServ activity when I go to a website.

However, I still get re-directed when I go to a website for the first time.  I have to run IE7 for some legacy apps I'm responsible for.  Do you think it would help if I rolled back to IE6 and then updated to IE7?

Assistance, past and future, is graciously appreciated.

Jozze
If you are interested in really finding out, my profile has a lot of useful tools. These 3 will help you find what is causing the problem:

--Discovery Tools
   Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653
   Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645 
   Autoruns: http://technet.microsoft.com/en-us/sysinternals/bb963902

Most people just want a scanner to fix it though which is why I suggested the scanners.

Author

Commented:
PCipollone,

Thank you for your generous offer.

FYI - CCleaner didn't find anything, nor did Malwarebytes.  TDSSKiller.exe (from Kaspersky) loads to 80% then fails.  I was even re-directed when I tried to view this response.

Jozze99

Commented:
Try running a scan by RogueKiller first and delete any processes running that might be interfering with TDSSKiller, then run TDSSKiller again.

Author

Commented:
Masqueraid,

Greetings.  Great name.  I will do so.

I did see from a previous posting that running another desktop under Desktops (Sysinternals) will show what's going on that the rootkit cannot detect.  I've done that and have found several files in the System32 folder that may be suspect.

Thanx for the assistance.

Jozze99

Author

Commented:
Greetings.  Here are the results from Sysinternals Autoruns:
HKLM\System\CurrentControlSet\Services
Changer.sys
lbrtfdc.sys
PCIDump.sys
PDCOMP.sys
PDFRAME.sys
PDRELI.sys
PDRFRAME.sys
WDICA.sys

All are located in C:\Windows\System32\Drivers

Located in C:\temp --> pxtdapog.sys

Results from HitMan Pro:
Possible variant of the TDL3 (alias Alureon) rootkit detected
(The device stack of the hard disk is referencing a hidden driver.  This could affect the detection of malicious files)
Suspicious file --> decvw_32.dll located in C:\Windows\system32
There are indications that this file is a threat.  However, it can also be benign.  The digital signature on this file is invalid.

Thanking you in advance.

Jozze99
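The Autoruns and HitMan Pro output above raises two different questions about each driver entry: does the image file still exist, and if it does, does it carry a valid signature. The PowerShell script below, an added example written for this page rather than anything from the thread or from Sysinternals, walks the same Services key Autoruns reads, resolves each kernel-driver ImagePath, and sorts entries into orphaned (image missing), signed, and present-but-unverifiable. The path-normalisation rules are my own and cover the spellings commonly found in that key; it needs an elevated prompt.

```powershell
# Added example (not from the thread): audit kernel-driver services under
# HKLM\System\CurrentControlSet\Services, separating orphaned entries from
# drivers that are on disk but fail Authenticode verification.

function Resolve-DriverImagePath {
    param([string]$ImagePath, [string]$ServiceName)
    if (-not $ImagePath) {
        # A kernel driver with no ImagePath loads from System32\drivers\<name>.sys
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath.Trim('"')
    # Normalise the spellings seen in the registry: \??\C:\..., \SystemRoot\..., system32\...
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverServiceAudit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $svc.PSPath
        # Type 1 = kernel driver, 2 = file-system driver; user-mode services are 16/32.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        $path   = Resolve-DriverImagePath -ImagePath $props.ImagePath -ServiceName $svc.PSChildName
        $exists = Test-Path -LiteralPath $path
        $sigStatus = 'n/a'; $signer = $null
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $verdict = if (-not $exists)              { 'orphaned entry (image missing)' }
                   elseif ($sigStatus -eq 'Valid') { 'signed' }
                   else                            { "REVIEW: present, signature $sigStatus" }
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Path      = $path
            Signature = $sigStatus
            Signer    = $signer
            Verdict   = $verdict
        }
    }
}

Get-DriverServiceAudit |
    Where-Object { $_.Verdict -ne 'signed' } |
    Sort-Object Verdict, Service |
    Format-Table -AutoSize
```

Two caveats matter when reading the result. On older Windows releases many in-box Microsoft drivers are signed through catalog files rather than an embedded signature, so a NotSigned verdict on a file in System32\drivers is a prompt to compare that file against a clean machine of the same build, not proof of tampering; an orphaned entry whose image no longer exists, which is what several of the names in the Autoruns list above are on a Windows XP install, cannot load and is low priority. More importantly, HitMan Pro's note that the disk stack references a hidden driver means a read issued from the running system may be served by the rootkit itself; for a verdict you can trust, run the audit against the disk from a clean boot environment, or at least treat a clean result here as provisional.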

Author

Commented:
Here's the website I keep getting directed to:

http://thegiftcardwheel.com/300winner/index.html

Jozze99

Author

Commented:
Well, I was just going to celebrate being disinfected, but when I googled something, I received a notification of TidServ Activity from Symantec Endpoint Protection (SID 23621 TidServ activity).  However (aka "so far"), I have not had any re-directs or pop-ups.

Here's the tool I used - http://www.tizersecure.com/about_tizer_rootkit_removal.php
(I found the tool by googling "remove Alureon rootkit" (include double quotes).  There's a lot of good information in the returns/hits.)

Here's what the tool found:
SSHelper.dll --> C:\Program Files\Symantec Anti-virus\SSHelper.dll
FWSVPN.dll --> C:\Windows\System32\FWSVPN.dll
SymVPN.dll --> C:\Windows\System32\SymVPN.dll
sysfer.dll --> C:\Windows\System32\sysfer.dll

I'll wait and see.

PCipollone, dkumar82, and Masqueraid - I truly appreciate the assistance.  If I'm back here tomorrow, you'll know I still need help.

"THANK YOU" - and Kind Regards.

Jozze99

Author

Commented:
Why wait till tomorrow.  FYI, I even unplugged my network cable and when I rebooted, all those dll's were back.

Back to the drawing board.

Jozze99
Simple Geek from the '70s
Commented:
[Comment text not available on this page.]

Author

Commented:
ve3ofa,

I'll do so in the AM and post the results.

Thanx,

Jozze99

Author

Commented:
ve3ofa,

Q.  Where exactly do I find fixboot ? (from the recovery console do a fixboot /mbr)

I've been busy today and have not had time to perform all of the tasks you listed.

Thank You.

Jozze99
David Johnson, CD
Simple Geek from the '70s
Commented:
it is one of the commands available from the recovery console

Author

Commented:
ve3ofa,

Thanx.  I found it.  Actually, my pc has both FIXBOOT and FIXMBR as separate commands.  FIXMBR is telling me that my pc has an invalid or non-standard MBR and that running FIXMBR may damage my partition tables if I proceed and could cause all the partition tables on my HD to become inaccessible.  I'm guessing that is a chance I'm going to have to take - yes?

Actually, do I run one (FIXBOOT) and then the other (FIXMBR)?  or just run the one (FIXMBR)?

Thanx,

Jozze99
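The FIXMBR warning quoted above is triggered when the boot code in sector 0 does not look like the standard Windows loader, which is exactly what an MBR-infecting Alureon/TDL variant produces. Before rewriting it, it is worth capturing what is there. The script below is an added example written for this page (not from the thread, Microsoft or any vendor tool): it reads the first 512 bytes of the first disk, checks the 0x55AA boot signature, decodes the four partition entries, and hashes the boot-code region so it can be compared with the same sector from a known-clean machine. The reference hash is an assumption you must supply yourself; the script needs an elevated prompt.

```powershell
# Added example (not from the thread): dump and decode the MBR of the first
# disk so the "invalid or non-standard MBR" warning can be checked against
# the partition table before FIXMBR is run. Requires an elevated prompt.

function Read-MasterBootRecord {
    param([string]$Device = '\\.\PhysicalDrive0')   # first physical disk
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
                                          [System.IO.FileAccess]::Read,
                                          [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read: $read bytes" }
        return $buf
    } finally { $fs.Dispose() }
}

function ConvertFrom-MbrBytes {
    param([byte[]]$Mbr)
    # Layout: 0-439 boot code, 440-443 disk signature, 446-509 four 16-byte
    # partition entries, 510-511 the 0x55AA boot signature.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootCodeHash = ($sha.ComputeHash($Mbr, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $type = $Mbr[$o + 4]
        if ($type -eq 0) { continue }                 # empty slot
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Mbr[$o] -eq 0x80)            # active-partition flag
            Type     = ('0x{0:X2}' -f $type)          # 0x07 = NTFS/IFS, 0x0C = FAT32 (LBA)
            StartLBA = [BitConverter]::ToUInt32($Mbr, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Mbr, $o + 12)
        }
    }
    [pscustomobject]@{
        BootSignatureOk = ($Mbr[510] -eq 0x55 -and $Mbr[511] -eq 0xAA)
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Mbr, 440))
        BootCodeSha256  = $bootCodeHash
        Partitions      = @($parts)
    }
}

# Assumption: obtain this from a clean machine with the same Windows version.
$KnownGoodBootCodeSha256 = '<sha256 of bytes 0-439 from a clean MBR>'

$raw = Read-MasterBootRecord
[IO.File]::WriteAllBytes("$env:TEMP\mbr-before-fixmbr.bin", $raw)   # keep a copy for later comparison
$mbr = ConvertFrom-MbrBytes $raw
$mbr | Select-Object BootSignatureOk, DiskSignature, BootCodeSha256
$mbr.Partitions | Format-Table -AutoSize
if ($mbr.BootCodeSha256 -ne $KnownGoodBootCodeSha256) {
    'boot code differs from the reference: FIXMBR will replace it'
}
```

Two points follow from what the thread already established. Because HitMan Pro reported that the disk stack references a hidden driver, a sector read issued from the infected Windows can be answered by the rootkit with a clean-looking copy, so the dump you trust should come from the Recovery Console environment, a boot CD, or the disk attached to another machine. And keeping the decoded partition table lets you confirm, after FIXMBR has written new boot code, that the partition entries and the disk signature came through unchanged, which is the practical answer to the "may damage your partition tables" warning.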

Author

Commented:
OK - I ran FIXMBR and it wrote a new MBR and I booted into Safe Mode.  I think I need to boot into Safe Mode w/networking so I can run HitMan Pro, etc.


Thank You

Jozze99

Author

Commented:
OK - things look fine.  I've gotten a clean bill of health, but I haven't been out on the Internet on my workstation (I'm using a different workstation).

I'll see what tomorrow brings.

Jozze99

Author

Commented:
I appreciate the assistance from all contributors.  I'd be less hesitant to apply this solution if it were itemized step-by-step (I did find out that FIXMBR is only for NTFS-formatted HDs).  Kudos to this site, it got my workstation back on track.

Thanks to all.