Author Topic: Rootkit Hidden Service (Read 26605 times)

essexboy · « **Reply #30 on:** September 28, 2012, 07:55:44 PM »

This should be the last run, could you check windows updates please

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

Code: [Select]

File::
C:\Windows\System32\drivers\b2892b92cea0254.sys 

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7600.16385_none_7f85b69413231233\qmgr.dll|c:\windows\system32\qmgr.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

Driver::
b2892b92cea0254

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

amyhh30 · « **Reply #31 on:** September 28, 2012, 08:25:33 PM »

here's the log

essexboy · « **Reply #32 on:** September 28, 2012, 08:34:51 PM »

OK how is it running now ? Do windows updates work, any further problems ?

amyhh30 · « **Reply #33 on:** September 29, 2012, 10:29:46 AM »

I'm not sure how check if windows updates work? Was thinking i might run an antivirus check through avast now and see if it throws anything up. Do the logs suggest the virus is gone? It seems ok but to be honest the virus wasn't stopping me doing much i could still use the net etc...

amyhh30 · « **Reply #34 on:** September 29, 2012, 10:33:14 AM »

Ok i just went into Avast and it says "UNSECURED" with a "fix now" button.. should i uninstall it and download it starting from fresh? Very worried something else is going to get in now and want to get my antivirus all set up properly - can you assist me with this?

Ps THANK YOU! you've been amazing i really appreciate the help you've given me

essexboy · « **Reply #35 on:** September 29, 2012, 12:56:39 PM »

First we will try an Avast repair
Go to control panel > Programmes and features
Select Avast and then select repair

For windows updates
Go Start > All programs and select windows updates

amyhh30 · « **Reply #36 on:** September 29, 2012, 06:27:23 PM »

Ok i did the Avast repair, rebooted but still saying unsecured and getting a big red cross.
also noticing my internet is a bit iffy , keeps saying cannot display webpage on google or any other sites, seems to be ok when i dont have Avast running??

Windows updates big red cross saying cannot check for updates, service not running... Something's still not right here i'm guessing!

essexboy · « **Reply #37 on:** September 29, 2012, 08:11:29 PM »

OK could you run Combofix again and let it uppdate if it requires

amyhh30 · « **Reply #38 on:** September 29, 2012, 09:10:06 PM »

MAJOR problem! I ran combo fix... it did its usual up to stage 50 and then seemed to try and reboot... Nothing happened for 15 mins so i switched off. I now can't switch it back on atall! It's definately plugged into the power, i've been trying to switch it back on for ages now nothings happening??

amyhh30 · « **Reply #39 on:** September 29, 2012, 09:11:35 PM »

it's come back on now... how weird!!

amyhh30 · « **Reply #40 on:** September 29, 2012, 09:15:37 PM »

Ok it has come back on, no log has been produced from the combo run - avast and windows updates still not available

amyhh30 · « **Reply #41 on:** September 29, 2012, 11:26:55 PM »

Additional notes: Having intermittent issues with the internet now, keep getting boxes saying "you are leaving secure space" or something like that when i log into facebook, also cant view some pics on facebook, and i'm having an ongoing issue with my battery - this i am not sure is related to the virus but thougt i'd mention it...!

essexboy · « **Reply #42 on:** September 29, 2012, 11:53:27 PM »

I will use the same designator as that may well have come back

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code: [Select]

Begin copying here:
Files to delete:
C:\Windows\System32\drivers\b2892b92cea0254.sys 
Drivers to delete:
b2892b92cea0254

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Accept the disclaimer

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

amyhh30 · « **Reply #43 on:** September 30, 2012, 10:24:39 AM »

Hi - I did the Avenger thing, it rebooted once but nothing happened when it came back on and there was no log that i could see. Ii rebooted again and it just died and won't come back on again now for some reason?? I wonder if this is somehow affecting the battery, it's plugged in to the power though so i'm not sure...

essexboy · « **Reply #44 on:** September 30, 2012, 12:48:36 PM »

Could you rename Combofix to Gotcha please and then run .. This one is a darn sight tougher than the last one

Author Topic: Rootkit Hidden Service (Read 26605 times)

essexboy

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

essexboy

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

essexboy

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

essexboy

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

essexboy

Re: Rootkit Hidden Service

amyhh30

Re: Rootkit Hidden Service

essexboy

Re: Rootkit Hidden Service