1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Nailed by rootkit!!

Discussion in 'Malware Removal' started by dagsky, Feb 18, 2009.

  1. dagsky

    dagsky Private E-2

    Hey guys, yesterday i encountered this trojan and boy i got to say this is the nastiest piece of work i've seen!!

    The Problem:

    My desktop disappered it seems as though explorer.exe kept getting shut down. I tried safemode and even here the same problem, i was also getting some dll error msgs. I then used task manager to run firefox to do an online scan, this is what was picked up on the online scan:

    Trojware.win32.trojan.buzus.~gab (id=0x441a17)
    c:windows/system/xccef090131.exe

    Trojware.win32.rootkit.tdss.~y (id=0x67f211)
    win/sys32/drivers/uacaeawsmwr.sys

    Applicunwnt.win32.adware.vitrumonde~aag(id=0x4396e6)
    C:win/sys32/hgGywwvv.dll:upx

    Trojware.win32.trojan.buzus.~gab(id=0x441a17)
    c:win/sys32/inf/xccefb090131.scr

    Trojware.win32.rootkit.tdss~V(ID=0x67f1dz)
    Trojware.win32.rootkit.tdss~X(ID=0x67f??- sorry i can't read what i wrote down!!!)
    Trojware.win32.rootkit.tdss~ W(ID=0x67f??- sorry i can't read what i wrote down!!!)

    These are all found respectively here:
    win/sys32/uaccodcnmtb.dll
    " "/uacxnxatkmc.dll
    " "/uacxvssjmoo.dll

    Unclassified malware (id=0x43bf48)
    win/temp/veteo.tmp

    Before i could tell the online scan to do anything else firefox crashed and so did the rest of the pc!!

    Again in safemode comodo would not run nor any other malware progs.

    Thanksfully on my drive E i have an emergency installation of XP on there, so i just booted into drive E and started the clean up process.

    I started running these programs from my E drive and i also specifically made these progs check my c drive.

    After doing 3/4 of the tests i had to boot back into my c drive to run the combofix. It did its thing and then rebooted into drive c, however this time i now have all these errors pooping up at me! It says:

    RUNDLL
    Error loading c:/windows/xccdf6-090131a.dll (ONLY SHOWN ONCE ON NUMEROUS REBOOTS)

    Then i have Windows has encounterred a problem Run a dll as an app error
    error sig rundll32.exe appver 5.1.2600.3300 mod name rundll32.exe

    Then i have Drwatson Potmotem Debugger Encountered a problem
    app name drwatsn32.exe app ver 5.1.2600.0 mod name drwtsn32.exe

    When i try and close the above 2 error msgs the dr watson continously keeps coming back up and my desktop will not show at all. I then go to task manager and i kill the process tree for the dr watson and then my desktop will load. Within 10secs of this the dr watson error is back up and doen't go away no matter how many times you click don't send, even trying to kill the process tree doesn't stop it from coming back.

    I have also noticed some strange programs in my c drive that i have never had before.

    I will put screen shots of all these error msgs and stuff in my next post in case i am not describing myself properly.

    I tried to run the mgtools prog but it just hangs!! I have tried the fix recommended for xppro and that doesn't help. I only manage to get an 11kb log which to me doesn't seem correct. If i try to run mgtools again the cmd window pops up and then vanishes! I tird to install the .net framework and this fails, it just starts installing and then starts rolloing back and say failed!
     

    Attached Files:

  2. dagsky

    dagsky Private E-2

    The logs for mgtools
     

    Attached Files:

  3. dagsky

    dagsky Private E-2

    some screen shots
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need the entire C:\MGLogs.zip
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do this now, and then after re-run the MGTools:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  6. dagsky

    dagsky Private E-2

    Ok i wasn't sure if you wanted me to run this from my e drive or my c drive so i just assumed my c drive. By the my c and e drives are one physical disc they're just partitioned!

    I got a success message when i ran the fixME.reg file.

    I ran the avanger and it deleted all the files but it couldn't find one of the folders as you will see in the log.

    Tried to run mgtools MGtools\GetLogs.bat and i got a cmd window that popped up and seemed to crash becuase i got the encountered problem about NTVM.exe or something along those lines! I didn't have a pen to hand to write em down! Something i noticed after this failed is that in my windows explorer when i have the drive c folder open i have all these .sqm files appearing there, and they weren't there before that.

    I will also bring to your attention that even after running the avenger when it rebooted to my c drive i had the error about rundll32 and no desktop icons just my wallpaper. I clicked don't send and then the drwatsn came up, i then used taskmamnger to end the process tree and then my desktop appeared. Also to note is that i when i start my web browsers in c drive non of them will connect to the internet although according to my lan i have an ip address and its sending and recieving information.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you check your device manager for the TDSSserv Non-Plug & Play Driver Disable

    I need to know what the error message was with MGTools......and what about the e drive....is this a bootable drive? Do you have a different system on this or is it just a storage partition?

    Please download this MGbeta.zip file to the C:\MGtools folder. Then extract the two files from it overwriting the current GetRunKey.bat and ShowNew.bat programs you have. Then double click on the GetLogs.bat file in the C:\MGtools folder. When it finishes running, attach the new C:\MGlogs.zip file.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You also need to do a search for this and delete it:
    ntdvm.exe
     
  9. dagsky

    dagsky Private E-2

    ok hold on a sec before i carry out any scans, i have 1 hard drive, my hard drive is partitioned into:

    C: - Win XP
    D: - Storage
    E: Win Xp - i only ever boot from this partition in a case of emergency such as now, otherwise all my work is always done from my c drive.

    So would you like me to carry out these scans from my c drive or my e drive?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    On the c drive which is where all the malware is located.
     
  11. dagsky

    dagsky Private E-2

    ok doeky! Doing it now...
     
  12. dagsky

    dagsky Private E-2

    ok booted into c drive, still get no desktop without using task manger to kill drwtsn. This time got some new dll error msgs which i have shown in the picture.

    I went a searched for the ntdvm.exe file and it found a few results of which i only deleted specificaly those saying ntdvm.exe, why the other files showed up in the results i have no idea but i have a screen shot posted for you.

    Next i went to look for the TDSSserv, i couldn't find but i did find something saying CATCH ME!!!! It had a little yellow triangle next to even before i did anyhting! But anyway i just disabled it to be on the safe side. Again i have a screen shot for it.

    Followed the instructions for the mgtools and when i try to run the bat file this is what error i get:

    32 bit Windows OS found

    Running scan with GetUnkeys.bat - 08/11/2006 by Chaslang and ShadowPuterDude

    32 bit Windows OS found
    updating: GetUnKey.txt (188 bytes security) (deflated 87%)
    C:\MGTools\temp\header0.txt
    The process cannot access the file because it is being used by another process.


    Running scan with GetRunKeys.Bat - (c) 01/28/2006 By Chaslang

    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.

    NOTE: Ignore any error messages about not finding registry keys!
    Just wait for the program to finish running!!

    The cmd window flashes up real fast and then disappears again! Its taken me like 15min just to finally get it all using the pause/break button!!
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-run COmbo and attach the log. You were able to run MGTools once before, so I am not sure why you cant now. Have you tried in safe mode?
     
  14. dagsky

    dagsky Private E-2

    :-D:-D:-D:-D We're now getting somewhere!! Ok booted in safe mode and got the usual dll and drwatsn errors, used task manger to get desktop icons on, then ran combofix, it did its thing rebooted and presented its log. Then i rebooted into safemode to try the mgtools and surprise surprise NO more dll error and no drwatsn error! This was before i tried to run mgtools. I manged to run the bat file and i THINK it did its thing, i did notice in the cmd that it was saying file missing and other things so i copied all the stuff in the cmd window just incase its not in the logs. Also when i got an accept agreenent for trend micro after agreeing it gave me an error msg saying:

    ERROR WAS PROCESSDLL.EXE
    APPLICATION FAILED TO INITIALIZE PRPERLY (0xc000007b) click to terminate.

    I clicked terminate and then mgtools said it was finished. The attached mgtoolsround2.txt is what i copied from the cmd window, i dont know if its any good to you.

    Also in the logs you may find something called "yDGpatch", this is actually a patch for my tomtom cameras and is safe.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, we have gotten somewhere....but not where you want to be. :(

    You also have the new malware that is going around that infects system files as well as the backup files in your i386 folder. This means that even if we could replace the ones that Combo finds, there would still be many that are infected leaving your system unreliable to use as the malware seems to open ports to download more malware.
    All we can do is to remove the obvious malware so that you can save your files and data to cd before you reformat and reinstall your OS.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Nowtry to run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  16. dagsky

    dagsky Private E-2

    before we carry can i just pont out that somehow whatever infections i have they are moving over to my e drive now! I've had all sorts of errors pooping up similar to the c drive. Whilst i truely appreciate your efforts in trying to help me i'd like to ask you a question, would it be easier for YOU to have reformat my hdd or would you like to still try and tackle the problem? For me i don't mind the reformat as long as i am able to salvage my music.

    I have another hard drive that i can connect upto my pc but i just want to know if it is safe to do so as i don't want this thing spreading into my new hard drive. My new hdd is running win xp pro and has comodo as the firewall and antivirus. The files i want to move are my music files which are on my c drive and some on my d drive.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As you noticed, it will spread, so the best thing to do is savage your music, pictures, data mail addy etc., and reformat the entire drive. Then you can create the partitions and reinstall. Do not hook anything up to this computer. After you are re-setup, scan your data cd for malware before transferring it back.
     

Share This Page

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds