Do I still have a rootkit?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Gisele, Sep 12, 2009.

  1. Gisele

    Gisele Private E-2

    I've been working on a friend's PC [XP Home, SP2, 512MB RAM, 80GB]. Slow as molasses but doesn't crash. Sometimes Word and IE7 wouldn't open any longer.

    After cleaning temp files, I scanned with MBAM and removed over 700 infected objects. SAS, Spybot and SpySweeper found another 50 or so. AVG found nothing after that. The PC was better but still too slow. I ran Gmer and found a rootkit and 36 related registry entries:

    ---- Services - GMER 1.0.15 ----

    Service system32\drivers\hjgruisexjkxto.sys (*** hidden *** ) [SYSTEM] hjgruibabvfulp

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp@imagepath \systemroot\system32\drivers\hjgruisexjkxto.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main@aid 10096
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main@sid 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main@cmddelay 14400
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main\injector@* hjgruiwsp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruisexjkxto.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruicmd.dll \systemroot\system32\hjgruibuxyriee.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruilog.dat \systemroot\system32\hjgruiixlncvit.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruiwsp.dll \systemroot\system32\hjgruintxorqmd.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgrui.dat \systemroot\system32\hjgruirgbfjpwm.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp@start 1
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp@imagepath \systemroot\system32\drivers\hjgruisexjkxto.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main@aid 10096
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main@sid 0
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main\injector@* hjgruiwsp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruisexjkxto.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruicmd.dll \systemroot\system32\hjgruibuxyriee.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruilog.dat \systemroot\system32\hjgruiixlncvit.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruiwsp.dll \systemroot\system32\hjgruintxorqmd.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgrui.dat \systemroot\system32\hjgruirgbfjpwm.dat

    I disabled then deleted the rootkit service (driver), rebooted and ran Gmer again intending to delete the 10 files referenced in the above registry entries. But Gmer no longer flagged these files. I turned on the display of hidden files and searched the computer for them. None were found. I looked in the registry for the above entries but they weren't there.

    I ran RootRepeal, MBAM, SAS, SpySweeper and 2 online scans (Kaspersky Online Scanner and F-Secure Online Scanner). Nothing. Where did these files go?? Would deleting the service (driver) in Gmer have deleted all these files too??

    The PC is better than it was but it's still slow. I'm concerned the rootkit is still hiding somewhere and that nothing else was found after its supposed removal. Rootkits generally hide other nasties.

    I've followed the READ & RUN ME FIRST procedure and attached the requested logs. If you want to see older MBAM (or other) logs to see what was found before I deleted the rootkit, let me know. I still have them.
     

    Attached Files:
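The GMER listing above, turned into a checklist of what to verify after deleting the service. This is an added example, not part of the original post and not GMER's own code: the log text is copied from the post, the post-cleanup directory listing is constructed (with one assumed leftover file so the final check has something to report), and treating C:\WINDOWS as \systemroot is an assumption. It shows that the ten module entries point at only five distinct files, that the service key also lives in ControlSet002 and not just in CurrentControlSet, and how to reconcile the referenced files against a later file search.

```python
"""Turn GMER's 'Services' and 'Registry' lines into a post-removal checklist.

Added example for this thread; not part of the original post and not GMER's
own code. GMER_LOG copies the posted lines; POST_CLEANUP_LISTING is constructed.
"""
import re

GMER_LOG = r"""
---- Services - GMER 1.0.15 ----
Service system32\drivers\hjgruisexjkxto.sys (*** hidden *** ) [SYSTEM] hjgruibabvfulp
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp@imagepath \systemroot\system32\drivers\hjgruisexjkxto.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruisexjkxto.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruicmd.dll \systemroot\system32\hjgruibuxyriee.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruilog.dat \systemroot\system32\hjgruiixlncvit.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgruiwsp.dll \systemroot\system32\hjgruintxorqmd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hjgruibabvfulp\modules@hjgrui.dat \systemroot\system32\hjgruirgbfjpwm.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp@imagepath \systemroot\system32\drivers\hjgruisexjkxto.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruisexjkxto.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruicmd.dll \systemroot\system32\hjgruibuxyriee.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruilog.dat \systemroot\system32\hjgruiixlncvit.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgruiwsp.dll \systemroot\system32\hjgruintxorqmd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruibabvfulp\modules@hjgrui.dat \systemroot\system32\hjgruirgbfjpwm.dat
"""

# Constructed: what a search with hidden files shown might return after cleanup.
POST_CLEANUP_LISTING = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\hjgruiixlncvit.dat",  # assumed leftover (the rootkit's log file)
]

SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[[^\]]+\]\s+(?P<name>\S+)\s*$")
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<name>[^\\@\s]+)"
    r"(?P<sub>\S*)\s*(?P<value>.*?)\s*$")


def normalize(path):
    r"""Compare paths relative to the Windows directory: GMER writes '\systemroot\...',
    the Services line writes 'system32\...', a dir listing writes 'C:\WINDOWS\...'
    (C:\WINDOWS as the Windows directory is an assumption)."""
    p = path.lower().lstrip("\\")
    for prefix in ("systemroot\\", "%systemroot%\\", "c:\\windows\\"):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def parse_gmer(text):
    """Return ({hidden service -> driver image}, [(control set, service, subkey, data)])."""
    hidden, records = {}, []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            hidden[m["name"]] = m["image"]
            continue
        m = REG_RE.match(line.strip())
        if m:
            records.append((m["cs"], m["name"], m["sub"], m["value"]))
    return hidden, records


def referenced_files(hidden, records):
    """Every distinct on-disk artifact the service points at, across all control sets."""
    files = {normalize(p) for p in hidden.values()}
    for _cs, _svc, _sub, value in records:
        if "\\" in value and value.lower().endswith((".sys", ".dll", ".dat", ".exe")):
            files.add(normalize(value))
    return files


def control_sets(records, service):
    """Control sets carrying the service key. A copy under ControlSet00N (Last Known
    Good) survives deleting the CurrentControlSet entry and must be removed as well."""
    return {cs for cs, svc, _, _ in records if svc == service}


def leftovers(files, listing):
    """Referenced artifacts still present in a post-cleanup directory listing."""
    present = {normalize(p) for p in listing}
    return sorted(files & present)


if __name__ == "__main__":
    hidden, records = parse_gmer(GMER_LOG)
    files = referenced_files(hidden, records)
    path_refs = sum(1 for *_, v in records if "\\" in v)
    for svc, image in hidden.items():
        print(f"hidden service {svc}: driver {image}")
        print(f"  keys in control sets: {sorted(control_sets(records, svc))}")
    print(f"{path_refs} path references, {len(files)} distinct files to verify:")
    for f in sorted(files):
        print("  " + f)
    print("still on disk after cleanup:", leftovers(files, POST_CLEANUP_LISTING))
```

Paste the rest of a GMER log into GMER_LOG and the output of a file search into POST_CLEANUP_LISTING. A file the driver is actively hiding will not appear in any listing taken while that driver is loaded, so the listing has to come from after the driver is gone, or from the disk mounted offline.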

  2. Gisele

    Gisele Private E-2

    Here is the MGtools log.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The first instructions in the READ & RUN ME specified you must only have one antivirus installed. You have AVG8.5 and Webroot AntiVirus installed with AntiSpyware. You must uninstall one of these immediately before continuing.

    Looks like you may have gotten rid of the infection, but let's be safe and run a fix. It may be redundant, but better safe than sorry.



    Uninstall the below old versions of software:
    Java(TM) 6 Update 15

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. Gisele

    Gisele Private E-2

    >> You have AVG8.5 and Webroot AntiVirus installed with AntiSpyware. You must uninstall one of these immediately before continuing. <<

    Antivirus Protection and all Shields were disabled in Webroot AntiVirus with AntiSpyware. It was basically used as an on-demand scanner. I have gone ahead and uninstalled it, but I thought it was OK to have both installed as long as only one was running resident.

    I did everything you suggested. ComboFix.txt and MGlogs.zip are attached.

    The ComboFix log shows an error under the files you wanted me to delete. Does that mean that they are still present? Here is the error:

    .
    /wow section - STAGE 35
    The process cannot access the file because it is being used by another process.

    The computer does seem faster now.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Absolutely not. The services and registry keys are still put in place and can cause problems. In addition AVG also contains antispyware protection and from what I remember, they even stated they were incompatible with SpySweeper (at least at one point in time).

    Quite possibly! Please run GMER again and attach a new log.

    Yes it should be with SpySweeper removed.
     
  6. Gisele

    Gisele Private E-2

    I downloaded a randomly named .exe for Gmer from the author's website, saved it to the Desktop, and double-clicked it. I got the following error:

    "[random name] is not a valid Win32 application"

    Since all the other tools I have run to date have run, I suspected a possible corrupt download and redownloaded. This time I noticed that the icon had Gmer written inside it (the first one didn't). When I double-clicked it, it ran.

    Attached is the Gmer log.

    For the most part the computer is faster, but every once in a while I get very noticeable slowdowns, even right after bootup. Things like right-clicking a file, opening or closing the browser, and clicking OK in a dialog box seem to take a lot longer than they used to. No crashes though.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like the removal with ComboFix worked anyway. Your performance issues are just due to lack of memory. You need twice the amount of memory that you currently have. You need at least 1 GB to properly run current versions of Windows XP (and by the way, you are out of date only using SP2) and all other software you need.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  8. Gisele

    Gisele Private E-2

    Hey, I wasn't expecting a reply for a couple of days yet <g>.

    This is my friend's PC. I've already told him that if he plans to keep the computer for a while, he should upgrade his memory to at least 1 GB. He seems willing to do that.

    As far as Service Pack 3 is concerned, I was planning to install that for him as soon as I got the all-clear signal. I noticed from his Windows Update logs that three attempts had already been made to install SP3 and failed. Probably due to all the malware.

    I do have a question about SP3 though if you're still there. Since ComboFix installed the Recovery Console while SP2 was on the machine, do I need to do anything special when I install SP3 to update the Recovery Console?

    Thanks again for your help, chaslang.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!

    You're welcome.
     
