[Solved] Pretty stubborn rootkit

khan351

Hi there everyone,
writing this in hope that someone will hear and help me :)
A few days ago, don't know when and how, been hit by a rootkit and ever since then trying to find out how to get rid of it, and the longer I've got that little bugger the more it just seems impossible.
Scanned my laptop with Avira AntiVir, SAS and MBAM; none of them are capable of removing this rootkit, all of them detect it, put it in quarantine and say deleted, but after a reboot and a new scan it is back on. Even when I follow it I can not rename it or unlock it either. I know I'm not the first person with this problem, but seen your note next to the 'everyone not to follow unless advised', which is understandable; didn't follow the 8 steps either because wasn't sure what to do, if I should reformat and reinstall, which I'm not really keen on doing as me and computers don't go further than the on and off button. Was advised to go onto your forum so you are my last hope. Thanx Khan
 
I just wanted to mention that if you want help from the experts here you need to follow their 8-step procedure to reproduce some logs and reports. See the sticky in the main thread.
 
khan, us3r1 is right- he's getting this help now.

We have a thread with steps for Preliminary Virus and Malware Removal HERE.
Please follow those steps and leave the logs for our review.

One of the programs you'll run is specifically for Rootkit detection. As soon as we have the logs, we can see what is on your system and help find and remove it. There are Rootkits that are resistant to usual cleaning methods, so finding what the specific malware is, is the first step.
 
Hi us3r1 and Bobbye, sorry it took so long to get back to you, especially as I'm the one with the problem. Really glad that someone is willing to help me. Did follow the 8 steps and here are my logs


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4110

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

17/05/2010 20:43:07
mbam-log-2010-05-17 (20-43-07).txt

Scan type: Quick scan
Objects scanned: 124756
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\zhgkbjvw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-17 09:17:48
Windows 6.0.6001 Service Pack 1
Running: 1xv35gc1.exe; Driver: C:\Users\Martinka\AppData\Local\Temp\pxldrpow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85947188

AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] zhgkbjvw <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
 

Attachments: DDS.txt (19.9 KB), Attach.txt (12.2 KB)
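
Added example, not part of the thread or of any of the tools named in it: a small Python script that parses GMER and MBAM log lines like the ones above and flags a quarantined driver whose hidden BOOT-start service GMER still reports, which is the pattern behind a file that is "deleted" and then back after every reboot. The two log excerpts are constructed samples modelled on the posted logs.

```python
import ntpath
import re

# Constructed sample excerpts, modelled on the GMER and MBAM logs posted in this thread.
GMER_LOG = """\
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] zhgkbjvw <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

MBAM_LOG = """\
Files Infected:
C:\\Windows\\system32\\Drivers\\zhgkbjvw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# GMER marks a service "hidden" when it is registered but not visible through the normal service API.
GMER_SERVICE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
# MBAM file entries look like: <path> (<detection>) -> <action>
MBAM_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")

def hidden_services(gmer_text):
    """Return [(service_name, start_type)] for every hidden service GMER reports."""
    found = []
    for line in gmer_text.splitlines():
        m = GMER_SERVICE.match(line.strip())
        if m:
            found.append((m.group("name").lower(), m.group("start").upper()))
    return found

def infected_files(mbam_text):
    """Return [(path, detection, action)] for every file entry in an MBAM log."""
    found = []
    for line in mbam_text.splitlines():
        m = MBAM_FILE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("detection"), m.group("action")))
    return found

def correlate(gmer_text, mbam_text):
    """Match MBAM's quarantined driver files against GMER's hidden services by name.
    A file that keeps coming back while a hidden BOOT-start service of the same name is
    still registered is being reloaded at boot: the service entry, not just the file, must go."""
    services = dict(hidden_services(gmer_text))
    findings = []
    for path, detection, action in infected_files(mbam_text):
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        if stem in services:
            findings.append({"service": stem, "start": services[stem], "file": path,
                             "detection": detection, "last_action": action,
                             "verdict": "hidden service still registered; file removal alone will not stick"})
    return findings

if __name__ == "__main__":
    for finding in correlate(GMER_LOG, MBAM_LOG):
        print(finding)
```

Running it against the real logs (paste them in place of the sample strings) gives one finding for zhgkbjvw, and an empty list once the hidden service no longer appears in a fresh GMER scan.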
I note that you started a thread here 2 days ago and have been receiving help: http://www.howtogeek.com/forum/topic/rootkit-agent-please-help

Since you are getting help there, I will close this thread.

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle malware cleaning, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.
 
Hi Bobbye,
thanx for reopening, haven't reinstalled yet as I was still looking around for ways to get rid of it, haven't tried anything since either, here are my logs, thank you :)



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-18 15:09:33
Windows 6.0.6001 Service Pack 1
Running: 1xv35gc1.exe; Driver: C:\Users\Martinka\AppData\Local\Temp\pxldrpow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 866E6528

AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] zhgkbjvw <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
 

Attachments: Attach.txt (4.5 KB), DDS.txt (19.8 KB)
khan, please take a look at the program and its Tutorial here:
http://www.bleepingcomputer.com/tutorials/tutorial124.html

It is very well written and illustrated. Do you feel comfortable running this program as set up from the 'Download' link on? If not, I can break it up into steps for you. Your system has a hidden Rootkit, most likely in the MBR. This program can find the hidden Rootkit and remove it.
 
Bobbye, had a quick look and looks like I should be able to follow the instructions; sorry, will be back tomorrow, unfortunately we are in different time zones :) Gonna give it a go first thing tomorrow morning, will let you know about my progress. I know I'm not anywhere near being finished, but thank you so much!! khan
 
Ok Bobbye, followed the steps and ran BlackLight (had to run it as administrator);
that's showing me no hidden objects were found, actually done it twice just to make sure I haven't missed anything and got the same result. Then updated and scanned with MBAM anyway and there the rootkit pops up again. Please let me know if you need me to attach the results for BlackLight or MBAM, khan
 
You have both Avira and McAfee entries loading. Please remove one of the programs. Multiple AV programs can make the system more vulnerable and slow it down. Here are tools to help; only download the removal tool for the AV you are not going to keep:
McAfee Removal
To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.
Reboot when finished.
=============================
Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.
==================================
Once Combofix has run, do the following:
Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\zhgkbjvw.sys
Folder::

Registry::

DDS::
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Presario&pf=laptop
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.miniclip.com/games/lead-storm/en/"
mRun: [<NO NAME>] 

Extra::
File::
c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
Firefox::
Firefox-: Profile- c:\users\martinka\appdata\roaming\mozilla\firefox\profiles\oepkeyze.default\
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Follow with Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please leave the Combofix report and Eset log in next reply.

I notice there are no restore points. Did someone tell you to turn System Restore off?
I also note some restrictions on the network. Have you put any restrictions on or are you aware of them?
 
Dear Bobbye, haven't done all the steps you asked me to do, wanted to confirm with you first. McAfee was actually put on by a friend of mine so I don't actually personally remember activating or even using this program; now I've tried to remove it, have Windows Vista so done the whole uninstall....to running MCPR.exe, but after all this the clean up keeps on being incomplete, reboot..etc, run again, well basically gone through the whole process a few times with the same result; when I view the log some of them are shown as to be removed and the rest comes up as - doesn't exist. So not really sure if I should contact the support technician or just keep on completing the steps requested by you.
Answer to your questions: wasn't aware of System Restore being off and the same goes for restrictions on the network!!!! Well, a couple of months ago got one of them viruses, 'Security Tool', which I got rid of (well, believe I DID, with MBAM through geekpolice.net) and ever since then the 'Windows blocked start-up program' icon popped up; that's the only change I did notice, but honestly, with my knowledge of computers, maybe it was there the whole time and I just haven't noticed. Sorry to be creating you so much trouble.
 
Bobbye, so sorry for the delay, here are the 2 logs, thank you ever so much again!!
 

Attachments: ComboFix.txt (16.8 KB), log.txt (1 KB)
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    :Reg
    
    :Files  
    C:\SwSetup\AOLIMS\setup.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================
Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::
Registry::

RegNull::
[HKEY_USERS\S-1-5-21-2067342001-456172612-789128725-1000\Software\YourCompanyName\YourProductName\Version*]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

Driver::
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
===================
Regarding Group Policy and settings: Vista Home Premium doesn't have the editor for this, but you can get it here: http://www.vista123.net/content/how-enable-grouppolicy-vista-home
 
Hi Bobbye,
here are the requested logs! Still don't understand how you do it :confused: :)
 

Attachments: ComboFix.txt (20.3 KB), 05252010_204548.log (3.2 KB)
khan, what, if any, of the original problems remain? There are some stubborn Registry keys that aren't unlocking.
 
Bobbye,
hate to say that because now I feel like I've just been wasting your time, but do you reckon that I should just reinstall to get completely rid of it??
If so, is there any antivirus you would recommend so I wouldn't get one of these again?
 
Are you still having any system problems that were related to the malware?

The reinstall is up to you. The 2 AV programs, both free and good that we usually recommend are:
Avira Free
Avast Home

Use one antivirus program, one firewall and 2 or more antimalware programs.
 
Dear Bobbye,
thank you ever so so much for getting rid of the rootkit. Don't have any more problems so will leave the reinstall, and thank you for saving me from doing so :grinthumb. Done SAS and MBAM scans, everything came back clean. Thank you once more for your time and great help, you guys are stars for doing what you're doing. It was great working with you.
All the best, Khan.
 
That's a good start to the day!

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if I can be of further help.
 
Hi Bobbye,
ok everything is now uninstalled and a new restore point created. THANK YOU so so much again, would be completely lost without your help. You guys are really doing an amazing job, especially for people like me :)
All the best
Khan
 
You're very welcome. I'm leaving you some to help keep the system clean- then I'll close the thread:

Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier versions, as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    • ATF Cleaner by Atribune
    OR
    • TFC
  • Disable and Enable System Restore:
    • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    • Avira Free
    • Avast Home
  • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    • Comodo
    • Zone Alarm
  • Antispyware: I recommend all of the following:
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
 
Hi Bobbye,
thank you for the tips also, hopefully won't have to ever ask for help again - of course in the good way :)
thank you again
bye bye khan :wave:
 