Author Topic: Got a bad RootKit! Help!  (Read 13181 times)


SkynetCore

  • Guest
Got a bad RootKit! Help!
« on: July 16, 2011, 02:59:17 PM »
My sister's computer, running Vista, froze while booting and we consulted
the seller's service department to get a diagnosis of the problem. We did
this because her computer had had the power supply replaced just some weeks
before, and I thought it was the same problem.

The seller's service department told us it was a motherboard failure and
we considered the computer a total write-off.


During the weekend I connected her Vista SATA disk to my big computer and
began copying her Documents onto an external hard drive, well aware of the
intrusive character of both SATA disks and of Vista...

During this manoeuvre I got infected with a rootkit that probably made my
sister's computer freeze while booting.  :(

- - -

My Specs:

Motherboard   Asus P4P800 DELUXE i865PE 4DDR-DIMM 5PCI SATA Raid FireWire GB-LAN Audio Socket478 ATX
CPU      Intel Pentium 4 Northwood 3.0GHz -C Hyperthreading 512Kb 800MHz bulk/tray Socket 478 (3GHZ)

Graphics card   Club 3D Radeon 9800Pro 128Mb DDR TV-out DVI RETAIL AGP
RAM      4 x TwinMOS Original 512Mb DDR-DIMM PC3200/DDR400 184pin 400MHz CAS2.5 (2 GB)

XP Pro SP3
Avast Suite with built in Firewall.

- - -


First the rootkit whacked my 4th in-chassis disk, the only SATA one, and
messed up the boot record. About one year's worth of film, music and
other downloads are now very hard to access...  :'(




* XP runs fine, even in Normal mode.

* The rootkit messes with the boot, so I have to use the F8 boot screen and
   manually choose the boot disk.

* I can't repair XP from the original CD, as the rootkit interrupts the
   loading of files after a while. It does this on both CD drives
   and even on additionally connected external drives.


* I can't reinstall XP from the original CD, as the rootkit interrupts the
   loading of files after a while.

* I can't use a boot floppy as the rootkit messes with my A: drive.

* I can't install the "Windows Recovery Console" as the YouKnowWhat stops
   the installation halfway.

* I don't dare flash the BIOS, as my A: floppy drive has been made unreliable.



- - -


I've run the TrendMicro RootkitBuster and logs are below.

It might be "Backdoor Rustock B" I've got, but I'm not sure.


- - -


Are there any really friendly experts here who can help me?
My options are a bit limited, as you see.


I'm quite a good computer user, but this thing is clearly over my head.

There must have been others with this kind of serious problem.



« Last Edit: July 16, 2011, 03:56:32 PM by SkynetCore »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Got a bad RootKit! Help!
« Reply #1 on: July 16, 2011, 03:02:44 PM »
Edited.
   
« Last Edit: July 16, 2011, 03:20:20 PM by Left123 »
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

SkynetCore

  • Guest
Re: Got a bad RootKit! Help!
« Reply #2 on: July 16, 2011, 03:08:54 PM »
Here are some of the logs from Trend Micro RootkitBuster:


- - - - - -



+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 3.60.0.1016
| Computer Name: ********************
| User Name: ************************
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
   KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
   SubKey    : 0Jf40
   FullLength: 0x46
[HIDDEN_REGISTRY][Hidden Reg Key]:
   KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
   SubKey    : 0Jf41
   FullLength: 0x46
[HIDDEN_REGISTRY][Hidden Reg Key]:
   KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
   SubKey    : 0Jf42
   FullLength: 0x46
 3 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
   Service API     : ZwAddBootEntry
   Image Path      : C:\WINDOWS\System32\Drivers\aswSnx.SYS
   OriginalHandler : 0x80650dff
   CurrentHandler  : 0xb1445202
   ServiceNumber   : 0x9
   ModuleName      : aswSnx.SYS
   SDTType         : 0x0
[HOOKED_SERVICE_API]:
   Service API     : ZwAllocateVirtualMemory
   Image Path      : C:\WINDOWS\System32\Drivers\aswSP.SYS
   OriginalHandler : 0x80570bc5
   CurrentHandler  : 0xb14d3cb2
   ServiceNumber   : 0x11
   ModuleName      : aswSP.SYS
   SDTType         : 0x0
[HOOKED_SERVICE_API]:
   Service API     : ZwClose
   Image Path      : C:\WINDOWS\System32\Drivers\aswSnx.SYS
   OriginalHandler : 0x8056f8d7
   CurrentHandler  : 0xb14696c1
   ServiceNumber   : 0x19
   ModuleName      : aswSnx.SYS
   SDTType         : 0x0
[HOOKED_SERVICE_API]:
   Service API     : ZwCreateEvent
   Image Path      : C:\WINDOWS\System32\Drivers\aswSnx.SYS
   OriginalHandler : 0x805744f6
   CurrentHandler  : 0xb144781c
   ServiceNumber   : 0x23
   ModuleName      : aswSnx.SYS
   SDTType         : 0x0

<snip> ------------------------------------------------------------

[HOOKED_SERVICE_API]:
   Service API     : ZwVdmControl
   Image Path      : C:\WINDOWS\System32\Drivers\aswSnx.SYS
   OriginalHandler : 0x805c28f0
   CurrentHandler  : 0xb14452b6
   ServiceNumber   : 0x10c
   ModuleName      : aswSnx.SYS
   SDTType         : 0x0


--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][PATCHED]:
   Service API     : ZwCreateProcessEx
   Address         : 8058B9EC
   CurrentCode     : E915DFF530
   ExpectedCode    : 6A0C6818F6
   ServiceNumber   : 0x30
   SDTType         : 0x0
1 Kernel code patching found.

--== Dump Hidden Services ==--
No hidden services found.



- - - - -

The Trend Micro RootkitBuster supposedly cleans this away during the boot,
but the rootkit puts it back just before XP springs to life.

I can literally see the DOS prompt on the screen as the rootkit installs
itself again, a second before the XP screen comes on.


 ???
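
The RootkitBuster output above lists SSDT hooks whose ModuleName is aswSnx.SYS or aswSP.SYS (Avast's own kernel drivers, which fits the "Avast Suite" in the poster's specs) and one inline patch on ZwCreateProcessEx whose first byte is E9, a JMP rel32 (the ExpectedCode 6A 0C 68 ... is the function's original push 0Ch; push offset prologue). As an added example, not part of the post and not Trend Micro's code, the Python below parses those records, attributes each hook to its module against an allowlist, and decodes where the JMP lands. The allowlist and the proximity heuristic (a JMP target within 1 MiB of the AV hook handlers is treated as the AV's own inline hook) are assumptions for illustration, not a verdict; the sample lines are copied from the posted log.

```python
import re

# Constructed sample: the records copied from the RootkitBuster log posted above.
SAMPLE_LOG = r"""
[HOOKED_SERVICE_API]:
   Service API     : ZwAddBootEntry
   Image Path      : C:\WINDOWS\System32\Drivers\aswSnx.SYS
   OriginalHandler : 0x80650dff
   CurrentHandler  : 0xb1445202
   ServiceNumber   : 0x9
   ModuleName      : aswSnx.SYS
   SDTType         : 0x0
[HOOKED_SERVICE_API]:
   Service API     : ZwAllocateVirtualMemory
   Image Path      : C:\WINDOWS\System32\Drivers\aswSP.SYS
   OriginalHandler : 0x80570bc5
   CurrentHandler  : 0xb14d3cb2
   ServiceNumber   : 0x11
   ModuleName      : aswSP.SYS
   SDTType         : 0x0
[KERNEL_CODE][PATCHED]:
   Service API     : ZwCreateProcessEx
   Address         : 8058B9EC
   CurrentCode     : E915DFF530
   ExpectedCode    : 6A0C6818F6
   ServiceNumber   : 0x30
   SDTType         : 0x0
"""

# Assumption: Avast's kernel drivers, expected to hook the SSDT on a box running
# the Avast suite (aswSnx = sandbox/virtualisation, aswSP = self-protection).
KNOWN_AV_MODULES = {"aswsnx.sys", "aswsp.sys"}


def parse_records(text):
    """Split the log into one dict per [TAG] block, keyed by the field names."""
    records = []
    for line in text.splitlines():
        if line.startswith("["):
            records.append({"type": line.strip().rstrip(":")})
        elif ":" in line and records:
            key, _, value = line.partition(":")   # first colon separates key from value
            records[-1][key.strip()] = value.strip()
    return records


def classify_hooks(records):
    """(api, module, verdict) per SSDT hook; anything not on the allowlist needs a look."""
    out = []
    for r in records:
        if r["type"] != "[HOOKED_SERVICE_API]":
            continue
        known = r["ModuleName"].lower() in KNOWN_AV_MODULES
        out.append((r["Service API"], r["ModuleName"], "expected AV hook" if known else "INVESTIGATE"))
    return out


def decode_jmp_rel32(address, code_hex):
    """Return the absolute target of an E9 (JMP rel32) patch, else None.
    Target = address of the next instruction (patch + 5) + signed 32-bit displacement."""
    code = bytes.fromhex(code_hex)
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (address + 5 + rel) & 0xFFFFFFFF


def av_handler_range(records):
    """Lowest/highest CurrentHandler address among hooks owned by the AV drivers."""
    addrs = [int(r["CurrentHandler"], 16) for r in records
             if r["type"] == "[HOOKED_SERVICE_API]" and r["ModuleName"].lower() in KNOWN_AV_MODULES]
    return (min(addrs), max(addrs)) if addrs else (None, None)


def triage_patches(records, slack=0x100000):
    """(api, jmp_target, near_av) per kernel code patch. near_av is a heuristic
    (an assumption here): a JMP landing within `slack` bytes of the AV drivers'
    own hook handlers is most likely the AV's inline hook, not the rootkit."""
    lo, hi = av_handler_range(records)
    results = []
    for r in records:
        if r["type"] != "[KERNEL_CODE][PATCHED]":
            continue
        target = decode_jmp_rel32(int(r["Address"], 16), r["CurrentCode"])
        near_av = lo is not None and target is not None and lo - slack <= target <= hi + slack
        results.append((r["Service API"], target, near_av))
    return results


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for api, module, verdict in classify_hooks(recs):
        print(f"hook  {api:<28} {module:<12} {verdict}")
    for api, target, near_av in triage_patches(recs):
        where = f"{target:#010x}" if target is not None else "not a JMP"
        print(f"patch {api:<28} -> {where}  near AV handlers: {near_av}")
```

For the posted values the jump resolves to 0xB14E9906, a few dozen KiB above the aswSP.SYS handler at 0xB14D3CB2, so under the stated heuristic every RootkitBuster finding here is attributable to Avast's self-protection rather than to the infection; the hidden registry keys under Services\d347prt are the only item the tool cannot explain, and the later aswMBR run in this thread is what actually locates the rootkit.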

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40605
  • Dragons by Sasha
    • Malware fixes
Re: Got a bad RootKit! Help!
« Reply #3 on: July 16, 2011, 03:18:34 PM »
Download aswMBR.exe ( 1.8mb ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply


SkynetCore

  • Guest
Re: Got a bad RootKit! Help!
« Reply #4 on: July 16, 2011, 04:29:08 PM »
aswMBR version 0.9.7.750 Copyright(c) 2011 AVAST Software
Run date: 2011-07-16 16:11:25
-----------------------------
16:11:25.781    OS Version: Windows 5.1.2600 Service Pack 3
16:11:25.781    Number of processors: 2 586 0x209
16:11:25.781    ComputerName: zzzzzzzzzzzzzz  UserName: ***************
16:11:27.093    Initialize success
16:11:27.187    AVAST engine defs: 11071600

16:11:40.203    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
16:11:40.203    Disk 0 Vendor: WDC_WD3200AAJB-00J3A0 01.03E01 Size: 305245MB BusType: 3
16:11:40.203    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
16:11:40.203    Disk 1 Vendor: WDC_WD2500JB-00REA0 20.00K20 Size: 238475MB BusType: 3
16:11:40.203    Disk 2  \Device\Harddisk2\DR2 -> \Device\Scsi\viaraid1Port2Path0Target1Lun0

16:11:40.203    Disk 2 Vendor: Maxtor_6 BAH4 Size: 194481MB BusType: 1
16:11:40.203    Device \Driver\atapi -> DriverStartIo           f747b864
16:11:40.203    Device \Driver\atapi -> MajorFunction 8a212f00
16:11:40.203    Disk 0 MBR read error 0
16:11:40.203    Disk 0 MBR scan

16:11:40.203    Disk 0 unknown MBR code
16:11:40.203    MBR BIOS signature not found 0
16:11:40.203    Disk 0 scanning sectors +625137345
16:11:40.234    Disk 0 scanning C:\WINDOWS\system32\drivers
16:11:41.953    File: C:\WINDOWS\system32\drivers\ati2mtag.sys TDL3 **ROOTKIT**

16:11:50.265    Service scanning
16:11:51.312    Disk 0 trace - called modules:
16:11:51.312    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a212f00]<<
16:11:51.312    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a624030]
16:11:51.312    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a658450]

16:11:51.328    5 ACPI.sys[f7588620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a64a940]
16:11:51.328    \Driver\atapi[0x8a69bc00] -> IRP_MJ_CREATE -> 0x8a212f00
16:11:51.546    AVAST engine scan C:\WINDOWS
16:12:56.109    AVAST engine scan C:\Documents and Settings\********

16:12:56.140    AVAST engine scan C:\Documents and Settings\All Users
16:12:56.140    Scan finished successfully
16:19:52.937    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\**********\Mina dokument\MBR.dat"
16:19:52.953    The log file has been saved successfully to "C:\Documents and Settings\************\Mina dokument\SkynetCore_110716aswMBR.txt"
16:20:08.312    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\**********\Skrivbord\MBR.dat"
16:20:08.312    The log file has been saved successfully to "C:\Documents and Settings\********\Skrivbord\SkynetCore_110716aswMBR.txt"


« Last Edit: July 16, 2011, 04:37:10 PM by SkynetCore »
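
The aswMBR log above carries three independent signals: an infected driver image (ati2mtag.sys flagged TDL3), the \Driver\atapi dispatch pointer (MajorFunction 8a212f00, far from the driver's own code at DriverStartIo f747b864) and the disk I/O trace ending in >>UNKNOWN [0x8a212f00]<<, an address aswMBR could not map to any loaded module. As an added example, not from the post and not AVAST's code, the Python below pulls those out of sample lines copied from the posted log and checks that the unmapped address in the trace is the same one the atapi driver object now dispatches IRP_MJ_CREATE through, which is what a hijacked storage driver object looks like. The regexes match the line formats shown above and are an assumption for any other aswMBR version.

```python
import re

# Constructed sample: lines copied from the aswMBR log posted above.
SAMPLE_LOG = r"""
16:11:40.203    Device \Driver\atapi -> DriverStartIo           f747b864
16:11:40.203    Device \Driver\atapi -> MajorFunction 8a212f00
16:11:40.203    Disk 0 unknown MBR code
16:11:40.203    MBR BIOS signature not found 0
16:11:41.953    File: C:\WINDOWS\system32\drivers\ati2mtag.sys TDL3 **ROOTKIT**
16:11:51.312    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a212f00]<<
16:11:51.328    \Driver\atapi[0x8a69bc00] -> IRP_MJ_CREATE -> 0x8a212f00
"""

# Line shapes assumed from the posted log (aswMBR 0.9.7.750).
RE_ROOTKIT = re.compile(r"File: (\S+) (\S+) \*\*ROOTKIT\*\*")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
RE_DISPATCH = re.compile(r"\\Driver\\(\w+) -> (DriverStartIo|MajorFunction)\s+([0-9a-fA-F]+)")
RE_IRP = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> 0x([0-9a-fA-F]+)")
RE_MBR = re.compile(r"(unknown MBR code|MBR BIOS signature not found)")


def parse_aswmbr(text):
    """Collect the findings that matter for a disk-stack rootkit verdict."""
    f = {"rootkit_files": [], "unknown_addrs": set(), "dispatch": {}, "irp": [], "mbr_flags": []}
    for line in text.splitlines():
        if m := RE_ROOTKIT.search(line):
            f["rootkit_files"].append((m.group(1), m.group(2)))
        if m := RE_UNKNOWN.search(line):          # trace hop aswMBR could not map to a module
            f["unknown_addrs"].add(int(m.group(1), 16))
        if m := RE_DISPATCH.search(line):         # driver object entry points
            f["dispatch"][(m.group(1), m.group(2))] = int(m.group(3), 16)
        if m := RE_IRP.search(line):              # per-IRP handler resolved by aswMBR
            f["irp"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        if m := RE_MBR.search(line):
            f["mbr_flags"].append(m.group(1))
    return f


def is_disk_stack_hijacked(f):
    """True when a storage driver's dispatch pointer equals an address the
    trace could not attribute to any loaded module (pool-resident hook)."""
    return any(addr in f["unknown_addrs"] for addr in f["dispatch"].values())


def correlate(f):
    """Human-readable verdicts, one per corroborating signal."""
    verdicts = [f"infected driver image: {path} ({family})" for path, family in f["rootkit_files"]]
    for (drv, field), addr in f["dispatch"].items():
        if addr in f["unknown_addrs"]:
            verdicts.append(f"\\Driver\\{drv} {field} -> {addr:#010x} is outside every module in the disk trace")
    for drv, mj, addr in f["irp"]:
        if addr in f["unknown_addrs"]:
            verdicts.append(f"\\Driver\\{drv} {mj} is handled at {addr:#010x}, the same unmapped address")
    verdicts.extend(f"MBR: {flag}" for flag in f["mbr_flags"])
    return verdicts


if __name__ == "__main__":
    findings = parse_aswmbr(SAMPLE_LOG)
    print("disk stack hijacked:", is_disk_stack_hijacked(findings))
    for v in correlate(findings):
        print(" -", v)
```

The point of the cross-check is that a single "**ROOTKIT**" string is only a signature hit, while a storage driver whose dispatch pointer lands at an address no module owns is behavioural evidence that survives a signature miss; that is why a later clean TDSSKiller run in this thread does not by itself clear the box.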

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Got a bad RootKit! Help!
« Reply #5 on: July 16, 2011, 04:49:36 PM »
Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.zip and save it to your Desktop.

Extract its contents to your Desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.

If a suspicious file is detected, the default action will be Skip; click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.


If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
« Last Edit: July 16, 2011, 04:51:08 PM by Left123 »
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

SkynetCore

  • Guest
Re: Got a bad RootKit! Help!
« Reply #6 on: July 16, 2011, 05:45:30 PM »
Thank You so much for all the help guys!  :)


I'm a bit shaky as there might be a risk of destroying my rig.


No offence Left123 , but I'd just like to hear if essexboy agrees
with this, or if he suggests something else.


I'd rather stick to one game plan, and switch to the next 100% if the first one fails.

(Haven't done this before, can't tell what's the best method.)

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Got a bad RootKit! Help!
« Reply #7 on: July 16, 2011, 05:50:11 PM »
Thank You so much for all the help guys!  :)


I'm a bit shaky as there might be a risk of destroying my rig.


No offence Left123 , but I'd just like to hear if essexboy agrees
with this, or if he suggests something else.


I'd rather stick to one game plan, and switch to the next 100% if the first one fails.

(Haven't done this before, can't tell what's the best method.)

Of course, while waiting for Essexbot you can read about TDSS variants here:
http://www.securelist.com/en/analysis/204792131
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot and here
http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4

AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40605
  • Dragons by Sasha
    • Malware fixes
Re: Got a bad RootKit! Help!
« Reply #8 on: July 16, 2011, 06:28:32 PM »
Confirmed - we had a PM chat about it - TDL3 will be cured by TDSSKiller  ;D  Once it has run let us know of any other problems

SkynetCore

  • Guest
Re: Got a bad RootKit! Help!
« Reply #9 on: July 16, 2011, 07:05:37 PM »
 ??? You shouldn't have said "will" there, essexboy!


« Last Edit: July 17, 2011, 01:05:57 AM by SkynetCore »

SkynetCore

  • Guest
Re: Got a bad RootKit! Help!
« Reply #10 on: July 16, 2011, 07:06:09 PM »
(Lots of logs)
« Last Edit: July 17, 2011, 01:06:45 AM by SkynetCore »

SkynetCore

  • Guest
Re: Got a bad RootKit! Help!
« Reply #11 on: July 16, 2011, 07:07:49 PM »
 18:53:15.0765 3628   Boot (0x1200)   (1a90abdcc29c4a29ae507986d2253247) \Device\Harddisk0\DR0\Partition5
2011/07/16 18:53:15.0781 3628   ================================================================================
2011/07/16 18:53:15.0781 3628   Scan finished
2011/07/16 18:53:15.0781 3628   ================================================================================
2011/07/16 18:53:15.0796 0676   Detected object count: 0
2011/07/16 18:53:15.0796 0676   Actual detected object count: 0



 :(
« Last Edit: July 17, 2011, 01:07:19 AM by SkynetCore »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 75415
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Got a bad RootKit! Help!
« Reply #12 on: July 16, 2011, 07:10:34 PM »
Next time please use "Attach:" under Additional Options.
Thanks,
asyn
Win 8.1 [x64] - Avast PremSec 22.5.7216.B [UI.704] - Firefox ESR 91.9 [NS/uBO/PB] - Thunderbird 91.9.0
Avast-Tools: Secure Browser 101.0 - Cleanup 22.2 - SecureLine 5.18 - Driver Updater 22.2 - CCleaner 6.0
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Got a bad RootKit! Help!
« Reply #13 on: July 16, 2011, 07:12:21 PM »
When you opened TDSSKiller, were the following options checked: Services and drivers, and Boot sectors?
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40605
  • Dragons by Sasha
    • Malware fixes
Re: Got a bad RootKit! Help!
« Reply #14 on: July 16, 2011, 07:30:20 PM »
This has the smell of a different type of TDL3

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now