Author Topic: Not able to get rid of a Rootkit  (Read 16917 times)


viper260886

  • Guest
Not able to get rid of a Rootkit
« on: September 17, 2009, 03:39:25 AM »
Help...!!!
My PC is infected by a rootkit...  :( Avast detects it during the memory scan but is unable to delete it because it is being used by another process.
A Safe Mode scan does not help, and a scheduled boot-time scan isn't able to delete it either (I even tried "allow moving of system files").

c:\windows\temp\gasfkynorcrprxtd.tmp  &  c:\windows\system32\gasfkynorcrprxtd.dll
Malware name :Win32:Alureon-CY [Rtk]
Malware type  : Rootkit

Strangely, I cannot find the mentioned files in either the Temp or the System32 folder  ???
I use Win XP Pro SP2
Avast Home 4.8
VPS : 090916-0, 09/16/2009

Jtaylor83

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #1 on: September 17, 2009, 03:52:12 AM »
Service Pack 3 is already available.

I suggest MBAM and RootRepeal. Post MBAM and RootRepeal logs in each post.
« Last Edit: September 17, 2009, 04:43:51 AM by Jtaylor83 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Not able to get rid of a Rootkit
« Reply #2 on: September 17, 2009, 03:59:33 AM »
If you have XP, Vista or Win2k (all 32-bit), you could enable a boot-time scan. Right-click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...'. Or see http://www.digitalred.com/avast-boot-time.php.

- Ensure that you have hidden files and folders enabled and hide system files disabled in Windows Explorer, Tools, Folder Options, Hidden files and folders; uncheck Hide extensions for known file types, etc. See image.

They may well be hidden by the rootkit, so the tools suggested by Jtaylor83 should help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #3 on: September 17, 2009, 09:33:29 AM »
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/09/17 13:01
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4CF0000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AA0000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF1866000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 1
Status: Sector mismatch

Path: Volume D:\, Sector 2
Status: Sector mismatch

Path: Volume D:\, Sector 6
Status: Sector mismatch

Path: Volume D:\, Sector 15
Status: Sector mismatch

Path: Volume D:\, Sector 16
Status: Sector mismatch

Path: Volume D:\, Sector 17
Status: Sector mismatch

Path: Volume D:\, Sector 18
Status: Sector mismatch

Path: Volume D:\, Sector 20
Status: Sector mismatch

Path: Volume D:\, Sector 24
Status: Sector mismatch

Path: Volume D:\, Sector 30
Status: Sector mismatch

Path: Volume D:\, Sector 33
Status: Sector mismatch

Path: Volume D:\, Sector 34
Status: Sector mismatch

Path: Volume D:\, Sector 35
Status: Sector mismatch

Path: Volume D:\, Sector 36
Status: Sector mismatch

Path: Volume D:\, Sector 37
Status: Sector mismatch

Path: Volume D:\, Sector 38
Status: Sector mismatch

Path: Volume D:\, Sector 39
Status: Sector mismatch

Path: Volume D:\, Sector 40
Status: Sector mismatch

Path: Volume D:\, Sector 41
Status: Sector mismatch

Path: Volume D:\, Sector 42
Status: Sector mismatch

Path: Volume D:\, Sector 46
Status: Sector mismatch

Path: Volume D:\, Sector 48
Status: Sector mismatch

Path: Volume D:\, Sector 49
Status: Sector mismatch

Path: Volume D:\, Sector 53
Status: Sector mismatch

Path: Volume D:\, Sector 54
Status: Sector mismatch

Path: Volume D:\, Sector 55
Status: Sector mismatch

Path: Volume D:\, Sector 56
Status: Sector mismatch

Path: Volume D:\, Sector 57
Status: Sector mismatch

Path: Volume D:\, Sector 58
Status: Sector mismatch

Path: Volume D:\, Sector 60
Status: Sector mismatch

Path: Volume D:\, Sector 61
Status: Sector mismatch

Path: Volume E:\
Status: MBR Rootkit Detected!

Path: Volume E:\, Sector 1
Status: Sector mismatch

Path: Volume E:\, Sector 4
Status: Sector mismatch

Path: Volume E:\, Sector 8
Status: Sector mismatch

Path: Volume E:\, Sector 9
Status: Sector mismatch

Path: Volume E:\, Sector 10
Status: Sector mismatch

Path: Volume E:\, Sector 14
Status: Sector mismatch

Path: Volume E:\, Sector 15
Status: Sector mismatch

Path: Volume E:\, Sector 16
Status: Sector mismatch

Path: Volume E:\, Sector 17
Status: Sector mismatch

Path: Volume E:\, Sector 19
Status: Sector mismatch

Path: Volume E:\, Sector 22
Status: Sector mismatch

Path: Volume E:\, Sector 23
Status: Sector mismatch

Path: Volume E:\, Sector 24
Status: Sector mismatch

Path: Volume E:\, Sector 25
Status: Sector mismatch

Path: Volume E:\, Sector 26
Status: Sector mismatch

Path: Volume E:\, Sector 27
Status: Sector mismatch

Path: Volume E:\, Sector 28
Status: Sector mismatch

Path: Volume E:\, Sector 32
Status: Sector mismatch

Path: Volume E:\, Sector 33
Status: Sector mismatch

Path: Volume E:\, Sector 34
Status: Sector mismatch

Path: Volume E:\, Sector 35
Status: Sector mismatch

Path: Volume E:\, Sector 37
Status: Sector mismatch

Path: Volume E:\, Sector 38
Status: Sector mismatch

Path: Volume E:\, Sector 40
Status: Sector mismatch

Path: Volume E:\, Sector 41
Status: Sector mismatch

Path: Volume E:\, Sector 42
Status: Sector mismatch

Path: Volume E:\, Sector 43
Status: Sector mismatch

Path: Volume E:\, Sector 44
Status: Sector mismatch

Path: Volume E:\, Sector 45
Status: Sector mismatch

Path: Volume E:\, Sector 46
Status: Sector mismatch

Path: Volume E:\, Sector 47
Status: Sector mismatch

Path: Volume E:\, Sector 48
Status: Sector mismatch

Path: Volume E:\, Sector 49
Status: Sector mismatch

Path: Volume E:\, Sector 50
Status: Sector mismatch

Path: Volume E:\, Sector 54
Status: Sector mismatch

Path: Volume E:\, Sector 56
Status: Sector mismatch

Path: Volume E:\, Sector 57
Status: Sector mismatch

Path: Volume E:\, Sector 61
Status: Sector mismatch

Path: Volume E:\, Sector 62
Status: Sector mismatch

Path: Volume F:\
Status: MBR Rootkit Detected!


Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkytexrepxm.dll]
Process: svchost.exe (PID: 932)   Address: 0x10000000   Size: 53248

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x82237680   Size: 2435

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System   Address: 0x821693e0   Size: 10

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x822374b0   Size: 37

Object: Hidden Code [Driver: axwhisky, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8212fa70   Size: 1424

==EOF==

Offline DavidR

Re: Not able to get rid of a Rootkit
« Reply #4 on: September 17, 2009, 03:19:04 PM »
Well, RootRepeal basically confirms avast's detection, so I would run RootRepeal again, select the Files tab and the Stealth Objects tab and click Scan. Once you have done that, find the entry for the gasfkytexrepxm.dll file and/or the Object: Hidden Module [Name: gasfkytexrepxm.dll], right-click on the entry for it and select the Wipe File option.

I'm not too familiar with RootRepeal, so see http://www.malwarebytes.org/forums/index.php?showtopic=12709 for general information on running it. Also see http://forum.avast.com/index.php?topic=47511.msg401133#msg401133.

You should also update your OS, as SP3 has been out for over a year, so your system is more likely to be exploited.

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #5 on: September 18, 2009, 08:38:44 AM »
I tried scanning via RootRepeal but it shows COULD NOT READ THE BOOT SECTOR. TRY ADJUSTING THE DISK ACCESS LEVEL IN THE OPTIONS DIALOG in the Files tab even though I've set it to High Level...
And in Stealth Objects I can see the following entry:
Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkytexrepxm.dll]
Process: svchost.exe (PID: 956)   Address: 0x10000000   Size: 53248

but I cannot WIPE or force delete it... as it gives an invalid path error.

Offline DavidR

Re: Not able to get rid of a Rootkit
« Reply #6 on: September 18, 2009, 03:09:50 PM »
Try SAS, as I believe that also detects this file - SUPERAntiSpyware, on-demand only in the free version.

However, one of the Alwil virus labs says this Win32:Alureon-CY [Rtk] can be very difficult to remove once established.

micky77

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #7 on: September 18, 2009, 05:18:42 PM »
RootRepeal is not showing the file that needs deleting. It shows there is a rootkit, which will be a sys file:

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

But it does not show the path. As well as trying SAS, try altering the settings in R.R.
According to their web page Q&A, they say if you suspect you have an MBR rootkit, set the level to the lowest level: http://rootrepeal.googlepages.com/

I believe these are the default settings anyway, so you could be out of luck.

Offline DavidR

Re: Not able to get rid of a Rootkit
« Reply #8 on: September 18, 2009, 05:50:00 PM »
The disk access level can be moved up, as the default is Middle Level, and Enable advanced options isn't checked by default. So there may be some hope.

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #9 on: September 18, 2009, 07:58:32 PM »
Did I mention that the following site is opened whenever I start Mozilla Firefox?
http://www( dot )thenewspedia( dot )com/index.php/components/

BTW, I think Malwarebytes has deleted the rootkit.... avast isn't detecting it anymore in the memory scan...

but the above mentioned site still opens >:(

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Not able to get rid of a Rootkit
« Reply #10 on: September 18, 2009, 09:03:25 PM »
See this first.

If all the rootkit stuff is gone, then:

Reset Mozilla to default settings; do this (see the Firefox Safe Mode subtopic).

Then fix the hosts file if it is infected. Run this tool; it'll fix it automatically if the hosts file is infected.

Update all the anti-malware and anti-virus apps you have (use MBAM and avast!).

Disconnect from the internet. Do an avast boot-time scan and an MBAM full scan (post the log if anything was found). You can skip this if you are sure your computer is free of malware.

Read about OpenDNS. If you want, you can use it.

Get CCleaner from here, see this for setting the best config, and run it.

Get Secunia from here, run it in simple mode, see what programs are vulnerable, and fix them.

Get SpywareBlaster from here, update it and immunize your browsers.

Turn System Restore off and on:

Turn OFF System Restore.

    * On the Desktop, right-click My Computer.
    * Click Properties.
    * Click the System Restore tab.
    * Check Turn off System Restore.
    * Click Apply, and then click OK.


Restart your computer.

Turn ON System Restore.

    * On the Desktop, right-click My Computer.
    * Click Properties.
    * Click the System Restore tab.
    * UN-Check Turn off System Restore.
    * Click Apply, and then click OK.

System Restore will now be active again.

nmb


« Last Edit: September 18, 2009, 09:10:54 PM by nmb »

Offline DavidR

Re: Not able to get rid of a Rootkit
« Reply #11 on: September 18, 2009, 09:08:53 PM »
Did I mention that the following site is opened whenever I start Mozilla Firefox?
http://www( dot )thenewspedia( dot )com/index.php/components/

BTW, I think Malwarebytes has deleted the rootkit.... avast isn't detecting it anymore in the memory scan...

but the above mentioned site still opens >:(

Well, that link doesn't look malicious; in fact it is incomplete, as it gives a blank page. The link would normally be hXXp://wXw.thenewspedia.com/index.php/components/computers-and-the-internet. Does that ring any bells? Have you ever visited that page or site?

What is the Firefox home page set to?

If MBAM has removed what avast was finding, what is RootRepeal now showing?

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #12 on: September 20, 2009, 06:42:57 AM »
I have www(dot)orkut(dot)com as my home page.
The sites I mentioned are:
http://www(dot)thenewspedia(dot)com/index.php/components/education
http://www(dot)thenewspedia(dot)com/index.php/components/jobs
http://www(dot)thenewspedia(dot)com/index.php/components/marketing
http://www(dot)thenewspedia(dot)com/index.php/components/family
http://www(dot)thenewspedia(dot)com/index.php/components/humor
http://www(dot)thenewspedia(dot)com/index.php/components/auto-and-trucks
http://www(dot)thenewspedia(dot)com/index.php/components/travel-and-leisure
etc.
And there's this site which opened just once:
http://www(dot)mainstories(dot)com/index.php/travel-and-leisure

viper260886

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #13 on: September 20, 2009, 06:51:59 AM »
RootRepeal does not show that rootkit now... but the following entries seem to be hooked...

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/09/20 10:14
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP2
==================================================

SSDT
#: 268   Function Name: NtVdmControl
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf846b8

#: 252   Function Name: NtStopProfile
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf84574

#: 227   Function Name: NtSetInformationObject
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf84a52

#: 224   Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf8414c

#: 171   Function Name: NtQuerySystemEnvironmentValue
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf8464e

#: 168   Function Name: NtQuerySecurityObject
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf8408c

#: 162   Function Name: NtQueryMutant
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf840f0

#: 110   Function Name: NtNotifyChangeDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf8476e

#: 083   Function Name: NtFreeVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf8472e

#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf848ae

Will it be safe to delete "C:\WINDOWS\system32\ntoskrnl.exe" ... or is it a system file ??
« Last Edit: September 20, 2009, 06:54:55 AM by viper260886 »
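The two RootRepeal reports posted in this thread (Reply #3 and Reply #13) share one text layout. As an added example that is not part of the thread or of RootRepeal itself, this Python parser reads that layout and summarises what a responder checks first: volumes flagged "MBR Rootkit Detected!", the sector-mismatch count per volume, stealth objects (hidden modules and patched driver IRP handlers), and SSDT hooks grouped by the module RootRepeal attributes them to. The embedded sample is a constructed excerpt built from values in the logs above.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt in RootRepeal 1.3.5.0 report layout, built from values in the logs above.
SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkytexrepxm.dll]
Process: svchost.exe (PID: 932)   Address: 0x10000000   Size: 53248

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x82237680   Size: 2435

SSDT
#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\ntoskrnl.exe" at address 0xedf848ae
==EOF=="""

def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record is one blank-line-separated {key: value} group."""
    sections, section, rec = {}, None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("---", "===", "==EOF")):
            if rec:                                 # blank line, rule or EOF closes the record
                sections.setdefault(section, []).append(rec)
                rec = {}
        elif ": " not in line:                      # bare line is a section header, e.g. 'SSDT'
            section = line.strip()
        else:                                       # one line may carry several 'Key: value' fields
            for field in re.split(r"\s{3,}", line.strip()):
                key, _, value = field.partition(": ")
                rec[key] = value
    return sections

def triage(sections):
    """Summarise what a responder checks first: MBR hits, sector mismatches per volume, stealth objects, SSDT hooks."""
    out = {"mbr": [], "mismatch": Counter(), "stealth": [], "ssdt": defaultdict(list)}
    for r in sections.get("Hidden/Locked Files", []):
        vol = r.get("Path", "").split(",")[0].replace("Volume ", "")   # 'C:\' from 'Volume C:\, Sector 4'
        if "MBR Rootkit" in r.get("Status", ""):
            out["mbr"].append(vol)
        elif "mismatch" in r.get("Status", ""):
            out["mismatch"][vol] += 1
    for r in sections.get("Stealth Objects", []):   # hidden DLLs and patched driver IRP handlers
        if m := re.match(r"Hidden (Module|Code) \[(?:Name|Driver): (.+?)\]", r.get("Object", "")):
            out["stealth"].append((m.group(1), m.group(2), r.get("Process", "")))
    for r in sections.get("SSDT", []):              # hooks grouped by the module RootRepeal names
        if m := re.search(r'Hooked by "(.+?)"', r.get("Status", "")):
            out["ssdt"][m.group(1)].append(r.get("Function Name", ""))
    return out
```

Feeding a full report to `triage(parse_rootrepeal(text))` turns the hundreds of "Sector mismatch" lines into one count per volume, which makes it much easier to compare a rescan against the first log.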

Jtaylor83

  • Guest
Re: Not able to get rid of a Rootkit
« Reply #14 on: September 20, 2009, 08:21:58 AM »
It's a system file.

As for your last post, I need you to download HijackThis and post a log here.

« Last Edit: September 20, 2009, 08:24:35 AM by Jtaylor83 »