Hidden rootkit file.

[wasewell]

Hello

I am currently going through the preliminary removal instructions for spyware and malware. Some of the prescribed programs or tools have encountered problems and stopped running. I am still working my way through them.

A couple of procedures show the following hidden rootkit program:

C:\windows\system32\kdpgl.exe

Does that program mean anything to anyone? Does it sound suspicious?

Thank you,

wasewell

 

[howard_hopkinso]

Hello and welcome to Techspot.

I can find no info on the kdpgl.exe file, that in itself makes it suspicious.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of wasewell only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[wasewell]

Hello again

I am attaching a Hijackthis.log and a combofix.txt although the combofix program "encountered problems and had to close." The AVG antispyware program also had to close and I have no log to attach.

wasewell

 

[howard_hopkinso]

What were the results of the AVG Antirootkit scan?

Your HJT log is clean, but as you`re probably aware, your combofix log is incomplete.

Regards Howard

This thread is for the use of wasewell only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[wasewell]

Hello again Howard

When I try to run AVG Antirootkit scan, it detects (C:\windows\system32\kdpgl.exe) about 50% through the scan but then crashes at 66%.

I have since discovered that my "Windows Explorer" crashes when I try to open the file "Documents and Settings". In fact it crashes as soon as the pointer hits the file even without clicking. Other files in "Local Disk C" open without a problem.

I think this is what's causing the AVG Antirootkit scan to crash because that is where the scan is as it stops.

awsewell

 

[Phantasm66]

but then crashes at 66%

There's probably malware on your machine that's actively crashing the scan, because it doesn't want removed, or "Documents and Settings" probably contains a rootkit - Windows Explorer is crashing when you are in there because the rootkit bypasses the Windows API and talks directly to the kernel / filesystem (to try to hide itself), so it has probably done something the Windows API is now seeing and does not like / can't understand, hence the crash.

I'd bet good money your machine is part of a botnet right now.

Format and reinstall, there's a good chap.

Before you do, though, can you try running RootKit Revealer
http://www.filehippo.com/download_rootkit_revealer/

 

[howard_hopkinso]

Try the following and see if your system becomes stable.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply.

Regards Howard

This thread is for the use of wasewell only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[wasewell]

Thank you, Howard

Everything seems to be running correctly now.

My first indication of a problem was in Google searches. If I searched for "TechSpot", Google would give me a list with this website listed first. When I clicked on it I would be redirected to some random site. When I would back up and click the same listing I would again be redirected. Always on the third try I would be sent to the correct website.

I ran "Avenger" as you suggested and the .txt file is attached.
I then ran "Combofix" and AVG Anti-Rootkit. Nothing found.
The hidden file, "C:\windows\system32\kdpgl.exe" is gone.
I can use Windows Explorer again and Google searches are normal.

Thank you, thank you, thank you.

wasewell

 

[howard_hopkinso]

Those logs look fine. However, you should still post an AVG Antispyware and HJT logs as requested in my first post.

Regards Howard

This thread is for the use of wasewell only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[wasewell]

Hello Mr. Hopkinson

Attached are the results of my HJT, Combo.fix and AVG Anti-spyware scans.

Apparently my problem has been a Trojan horse with two names. Trojan Dnschanger and Trojan.Flush.K.

http://www.symantec.com/security_response/writeup.jsp?docid=2007-011811-1222-99&tabid=2


According to Symantec, the trojan hides the file and creates a registry entry using a file named “kd???.exe”. In my case it was “kdpgl.exe”.

I think (hope) I am clean now. Although I believe it was not a serious threat, it was my first one and I am very happy to be rid of it.

Thank you,

wasewell
Tucson, Arizona

 

[howard_hopkinso]

I think you forgot to attach your logfiles lol.

Have you followed the removal instructions HERE for the Trojan.Flush.K? If not, you should do so, just to make absolutly sure it`s gone.

Regards Howard

This thread is for the use of wasewell only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Phantasm66]

and I am very happy to be rid of it...

But ARE you rid of it? Has it really gone? Truth is, you have no idea what that infection did in total. There could be other problems which you have not been sucessful in detecting. You can't trust that machine. Format and reinstall, that's my advice.

 

[wasewell]

One more try

For some reason the files would not upload last night. I'll give it another shot this morning.

Thanks for your advice Phantasma66 but if it comes to that, I think I will reinstall on a brand new machine.

Botnet begone for good.

wasewell

 

[howard_hopkinso]

Your log files are all clean.

Delete all files in AVG Antispyware quarantine.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of wasewell only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.