MajorGeeks Support Forums

#1 - 02-18-09, 09:25 - dagsky (Private First Class)
Nailed by rootkit!!

Hey guys, yesterday I encountered this trojan and boy, I've got to say this is the nastiest piece of work I've seen!!

The Problem:

My desktop disappeared; it seems as though explorer.exe kept getting shut down. I tried safe mode and even there I had the same problem; I was also getting some DLL error messages. I then used Task Manager to run Firefox to do an online scan, and this is what was picked up on the online scan:

Trojware.win32.trojan.buzus.~gab (id=0x441a17)
c:windows/system/xccef090131.exe

Trojware.win32.rootkit.tdss.~y (id=0x67f211)
win/sys32/drivers/uacaeawsmwr.sys

Applicunwnt.win32.adware.vitrumonde~aag(id=0x4396e6)
C:win/sys32/hgGywwvv.dll:upx

Trojware.win32.trojan.buzus.~gab(id=0x441a17)
c:win/sys32/inf/xccefb090131.scr

Trojware.win32.rootkit.tdss~V(ID=0x67f1dz)
Trojware.win32.rootkit.tdss~X(ID=0x67f??- sorry i can't read what i wrote down!!!)
Trojware.win32.rootkit.tdss~ W(ID=0x67f??- sorry i can't read what i wrote down!!!)

These are all found respectively here:
win/sys32/uaccodcnmtb.dll
" "/uacxnxatkmc.dll
" "/uacxvssjmoo.dll

Unclassified malware (id=0x43bf48)
win/temp/veteo.tmp

Before I could tell the online scan to do anything else Firefox crashed and so did the rest of the PC!!

Again in safe mode Comodo would not run, nor would any other malware programs.

Thankfully on my drive E I have an emergency installation of XP, so I just booted into drive E and started the clean-up process.

I started running these programs from my E drive and I also specifically made these programs check my C drive.

After doing 3/4 of the tests I had to boot back into my C drive to run ComboFix. It did its thing and then rebooted into drive C; however, this time I now have all these errors popping up at me! It says:

RUNDLL
Error loading c:/windows/xccdf6-090131a.dll (ONLY SHOWN ONCE ON NUMEROUS REBOOTS)

Then I have a "Windows has encountered a problem: Run a DLL as an App" error
error sig rundll32.exe appver 5.1.2600.3300 mod name rundll32.exe

Then I have "Dr. Watson Postmortem Debugger encountered a problem"
app name drwatsn32.exe app ver 5.1.2600.0 mod name drwtsn32.exe

When I try to close the above 2 error messages the Dr. Watson one continuously keeps coming back up and my desktop will not show at all. I then go to Task Manager and kill the process tree for Dr. Watson and then my desktop will load. Within 10 secs of this the Dr. Watson error is back up and doesn't go away no matter how many times you click Don't Send; even trying to kill the process tree doesn't stop it from coming back.

I have also noticed some strange programs on my C drive that I have never had before.

I will put screenshots of all these error messages and stuff in my next post in case I am not describing myself properly.

I tried to run the MGTools program but it just hangs!! I have tried the fix recommended for XP Pro and that doesn't help. I only manage to get an 11 KB log, which to me doesn't seem correct. If I try to run MGTools again the cmd window pops up and then vanishes! I tried to install the .NET Framework and this fails; it just starts installing and then starts rolling back and says failed!
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 02-18-2009 - 04-00-08.log (4.6 KB, 0 views)
File Type: txt mbam-log-2009-02-18 (12-55-02).txt (5.9 KB, 1 views)
File Type: txt combolog.txt (20.2 KB, 1 views)
#2 - 02-18-09, 09:26 - dagsky (Private First Class)
Re: Nailed by rootkit!!

The logs for MGTools
Attached Files
File Type: txt GetUnKey.txt (78.0 KB, 0 views)
#3 - 02-18-09, 09:30 - dagsky (Private First Class)
Re: Nailed by rootkit!!

Some screenshots
Attached Images
File Type: jpg netfails.jpg (101.7 KB, 7 views)
File Type: jpg mgerror.jpg (98.7 KB, 6 views)
File Type: jpg processess.JPG (92.4 KB, 6 views)
#4 - 02-18-09, 12:24 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

We need the entire C:\MGLogs.zip
__________________
Major cake licker.
YCLAHTW, BYCMHD!!

Major Geeks on Facebook

Major Geeks Newsletter
#5 - 02-18-09, 12:37 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

Let's do this now, and then after re-run the MGTools:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"settings"=-

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7u4y7kd0-8700-241l-fd68-737dy55ty517}]

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:
Files to delete:
c:\windows\system32\suspects8
c:\windows\system32\suspects7
c:\windows\system32\suspects6
c:\windows\system32\suspects5
c:\windows\system32\suspects4
C:\xyephkl.exe
C:\dykhyp.exe
C:\ghjfb.exe
c:\windows\Wtuhalosacevez.dll
c:\windows\system32\rtl60.bpl
c:\windows\system32\suspects2
c:\windows\system32\grcrt.dll
c:\windows\system32\grcrt2.exe
c:\windows\callsysnt.exe
c:\windows\system32\drivers\a2d18afc.sys
C:\cisq.exe
c:\windows\system32\UACddysumtt.dll
c:\windows\system32\suspects
c:\windows\system32\uacinit.dll
c:\windows\system32\suspiciousagain2
c:\windows\system32\suspects.dat
c:\windows\system32\mswinsck.ocx
c:\windows\system32\cunts7
C:\ctuoqep.exe
C:\809504553
c:\windows\system32\tmp1458E.FOT

Folders to delete:
C:\809504553
c:\documents and settings\suli\Application Data\cogad
* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
#6 - 02-18-09, 18:08 - dagsky (Private First Class)
Re: Nailed by rootkit!!

OK, I wasn't sure if you wanted me to run this from my E drive or my C drive so I just assumed my C drive. By the way, my C and E drives are one physical disc; they're just partitioned!

I got a success message when I ran the fixME.reg file.

I ran the Avenger and it deleted all the files but it couldn't find one of the folders, as you will see in the log.

Tried to run MGTools\GetLogs.bat and I got a cmd window that popped up and seemed to crash, because I got the "encountered a problem" error about NTVM.exe or something along those lines! I didn't have a pen to hand to write them down! Something I noticed after this failed is that in my Windows Explorer, when I have the drive C folder open, I have all these .sqm files appearing there, and they weren't there before that.

I will also bring to your attention that even after running the Avenger, when it rebooted to my C drive I had the error about rundll32 and no desktop icons, just my wallpaper. I clicked Don't Send and then the drwatsn came up; I then used Task Manager to end the process tree and then my desktop appeared. Also to note is that when I start my web browsers in the C drive none of them will connect to the internet, although according to my LAN I have an IP address and it's sending and receiving information.
Attached Files
File Type: txt avenger.txt (4.3 KB, 1 views)
#7 - 02-18-09, 18:14 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

Did you check your Device Manager for the TDSSserv Non-Plug & Play Driver and disable it?

I need to know what the error message was with MGTools... and what about the E drive... is this a bootable drive? Do you have a different system on this or is it just a storage partition?

Please download this MGbeta.zip file to the C:\MGtools folder. Then extract the two files from it overwriting the current GetRunKey.bat and ShowNew.bat programs you have. Then double click on the GetLogs.bat file in the C:\MGtools folder. When it finishes running, attach the new C:\MGlogs.zip file.
#8 - 02-18-09, 18:24 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

You also need to do a search for this and delete it:
ntdvm.exe
#9 - 02-18-09, 18:25 - dagsky (Private First Class)
Re: Nailed by rootkit!!

OK, hold on a sec before I carry out any scans. I have 1 hard drive; my hard drive is partitioned into:

C: - Win XP
D: - Storage
E: - Win XP - I only ever boot from this partition in case of emergency such as now; otherwise all my work is always done from my C drive.

So would you like me to carry out these scans from my C drive or my E drive?
#10 - 02-18-09, 18:27 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

On the C drive, which is where all the malware is located.
#11 - 02-18-09, 18:29 - dagsky (Private First Class)
Re: Nailed by rootkit!!

Okey dokey! Doing it now...
#12 - 02-18-09, 19:34 - dagsky (Private First Class)
Re: Nailed by rootkit!!

OK, booted into the C drive; I still get no desktop without using Task Manager to kill drwtsn. This time I got some new DLL error messages which I have shown in the picture.

I went and searched for the ntdvm.exe file and it found a few results, of which I only deleted specifically those saying ntdvm.exe; why the other files showed up in the results I have no idea, but I have a screenshot posted for you.

Next I went to look for the TDSSserv; I couldn't find it, but I did find something saying CATCH ME!!!! It had a little yellow triangle next to it even before I did anything! But anyway I just disabled it to be on the safe side. Again I have a screenshot for it.

Followed the instructions for MGTools and when I try to run the bat file this is the error I get:

32 bit Windows OS found

Running scan with GetUnkeys.bat - 08/11/2006 by Chaslang and ShadowPuterDude

32 bit Windows OS found
updating: GetUnKey.txt (188 bytes security) (deflated 87%)
C:\MGTools\temp\header0.txt
The process cannot access the file because it is being used by another process.


Running scan with GetRunKeys.Bat - (c) 01/28/2006 By Chaslang

The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

NOTE: Ignore any error messages about not finding registry keys!
Just wait for the program to finish running!!

The cmd window flashes up real fast and then disappears again! It's taken me like 15 min just to finally get it all using the Pause/Break button!!
Attached Images
File Type: jpg booterrors.jpg (105.3 KB, 3 views)
File Type: jpg devicemanager.jpg (98.0 KB, 3 views)
File Type: jpg ntvdm.jpg (100.5 KB, 0 views)
#13 - 02-18-09, 20:16 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

Re-run Combo and attach the log. You were able to run MGTools once before, so I am not sure why you can't now. Have you tried in safe mode?
#14 - 02-18-09, 21:27 - dagsky (Private First Class)
Re: Nailed by rootkit!!

We're now getting somewhere!! OK, booted in safe mode and got the usual DLL and drwatsn errors, used Task Manager to get the desktop icons on, then ran ComboFix; it did its thing, rebooted and presented its log. Then I rebooted into safe mode to try MGTools and, surprise surprise, NO more DLL error and no drwatsn error! This was before I tried to run MGTools. I managed to run the bat file and I THINK it did its thing; I did notice in the cmd that it was saying file missing and other things, so I copied all the stuff in the cmd window just in case it's not in the logs. Also when I got an accept agreement for Trend Micro, after agreeing it gave me an error message saying:

ERROR WAS PROCESSDLL.EXE
APPLICATION FAILED TO INITIALIZE PROPERLY (0xc000007b) click to terminate.

I clicked terminate and then MGTools said it was finished. The attached mgtoolsround2.txt is what I copied from the cmd window; I don't know if it's any good to you.

Also in the logs you may find something called "yDGpatch"; this is actually a patch for my TomTom cameras and is safe.
Attached Files
File Type: txt combofix2.txt (22.2 KB, 1 views)
File Type: txt mgtoolsround2.txt (6.8 KB, 1 views)
File Type: zip MGlogs.zip (14.5 KB, 2 views)
#15 - 02-19-09, 12:01 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

Yes, we have gotten somewhere....but not where you want to be.

You also have the new malware that is going around that infects system files as well as the backup files in your i386 folder. This means that even if we could replace the ones that Combo finds, there would still be many that are infected leaving your system unreliable to use as the malware seems to open ports to download more malware.
Quote:
c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!
All we can do is to remove the obvious malware so that you can save your files and data to cd before you reformat and reinstall your OS.

Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Quote:

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"bnddhtsk.exe"=-
"rvhcdcbr.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"xccinit"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGyaaAT]

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Download The Avenger by Swandog469 and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:
Files to delete:
c:\windows\system32\E.tmp
c:\windows\system32\15.tmp
c:\windows\system32\12.tmp
c:\windows\system32\A.tmp
c:\windows\rvhcdcbr.exe
c:\windows\system32\11.tmp
c:\windows\system32\6.tmp
c:\windows\system32\10.tmp
c:\windows\system32\drivers\ethmiihm.sys
c:\windows\bnddhtsk.exe
c:\windows\system32\5.tmp
c:\windows\system32\3.tmp
c:\windows\system32\8.tmp
c:\windows\system32\2.tmp
c:\windows\adobe.bat
c:\windows\_id.dat
c:\windows\system32\37.tmp
c:\windows\system32\34.tmp
c:\windows\services.exe
c:\windows\bnddhtsk.exe
c:\windows\rvhcdcbr.exe

Folders to delete:
c:\documents and settings\suli\Application Data\cogad
* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now try to run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
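Both fixME.reg scripts in this thread (post #5 and post #15) use just two regedit deletion forms: "name"=- removes one value under the key opened by the preceding [KEY] line, and [-KEY] removes the whole key. A practitioner usually wants to see exactly what such a script will do before merging it, so here is an added example, not the forum's, MGTools' or the Avenger's code, that parses a .reg script offline and summarises it, marking which of the touched keys are autostart locations (the Run keys, policies\explorer\Run, Winlogon Notify and Active Setup). The function names, the REG_HEADERS tuple and the AUTOSTART_MARKERS list are my own assumptions; the two sample scripts are the ones quoted in posts #5 and #15, and the checker refuses multi-line hex values because deletion-only fixes never need them.

```python
import re
from dataclasses import dataclass

# Headers regedit accepts; REGEDIT4 is the older form both fixes in this thread use.
REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Lower-cased fragments of registry keys that act as autostart/persistence points.
# Assumption: this short list covers the locations the two fixes in this thread touch.
AUTOSTART_MARKERS = (
    r"\currentversion\run",
    r"\policies\explorer\run",
    r"\winlogon\notify",
    r"\active setup\installed components",
)

@dataclass
class RegAction:
    kind: str       # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""  # "" stands for the (Default) value, written as @ in .reg files
    data: str = ""  # raw right-hand side, only used for set_value

def parse_reg_script(text):
    """Turn a .reg script into RegAction entries without touching any registry."""
    lines = [l.strip() for l in text.splitlines()]
    body = [l for l in lines if l and not l.startswith(";")]   # drop blanks/comments
    if not body or body[0] not in REG_HEADERS:
        raise ValueError("not a .reg script: missing REGEDIT4 / version header")
    actions, current = [], None
    for line in body[1:]:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):             # [-KEY] deletes the whole key
                actions.append(RegAction("delete_key", key[1:]))
                current = None
            else:                               # [KEY] opens (or creates) the key
                current = key
            continue
        if current is None:
            raise ValueError(f"value line outside any [key] section: {line!r}")
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            raise ValueError(f"unparseable value line: {line!r}")
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.endswith("\\"):                 # hex(...) continuation lines
            raise ValueError("multi-line hex values are not handled by this checker")
        if data == "-":                         # "name"=- deletes a single value
            actions.append(RegAction("delete_value", current, name))
        else:
            actions.append(RegAction("set_value", current, name, data))
    return actions

def touches_autostart(key):
    k = key.lower()
    return any(marker in k for marker in AUTOSTART_MARKERS)

def summarize(actions):
    """Group actions by kind and list which touched keys are autostart locations."""
    return {
        "delete_key": [a.key for a in actions if a.kind == "delete_key"],
        "delete_value": [(a.key, a.name) for a in actions if a.kind == "delete_value"],
        "set_value": [(a.key, a.name, a.data) for a in actions if a.kind == "set_value"],
        "autostart_keys": sorted({a.key for a in actions if touches_autostart(a.key)}),
    }

# The two fixME.reg scripts quoted in this thread (posts #5 and #15), verbatim.
FIX_POST5 = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"settings"=-

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7u4y7kd0-8700-241l-fd68-737dy55ty517}]
"""

FIX_POST15 = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"bnddhtsk.exe"=-
"rvhcdcbr.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"xccinit"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGyaaAT]
"""

if __name__ == "__main__":
    print(summarize(parse_reg_script(FIX_POST15)))
```

Run as a script it prints the summary for the post #15 fix: four values and one key deleted, with all four touched keys flagged as autostart locations. The header check is there because regedit will not import a file that lacks the REGEDIT4 (or version 5.00) line, which is one reason a pasted fix can fail to produce the success message TimW asks about.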
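The two Avenger scripts in this thread (post #5 and post #15) are hand-built lists of paths, and a quick look shows why such lists deserve a check before they run: post #15's list contains two entries twice (c:\windows\bnddhtsk.exe and c:\windows\rvhcdcbr.exe) as well as c:\windows\services.exe, a file that shares its name with a core Windows binary but sits outside system32 where the genuine one lives, and post #5's list has C:\809504553 under both "Files to delete:" and "Folders to delete:". Here is an added example, not the Avenger's own code, that reads such a script and reports those kinds of finding, including the opposite and far more serious case of a line that names the real copy of a system binary. The parser treats any line ending in a colon as a section header (an assumption that fits the scripts here), the CORE_BINARIES table is general XP knowledge with %SystemRoot% assumed to be c:\windows, and the names preflight and parse_avenger_script are my own; the first sample script is the post #15 one verbatim, the second is constructed.

```python
import ntpath
from collections import Counter

# Directories where the genuine copies of some core XP binaries live
# (assumes %SystemRoot% is c:\windows, as in this thread). General Windows
# knowledge, not something the thread states.
CORE_BINARIES = {
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def parse_avenger_script(text):
    """Split an Avenger script into {section: [entries]}.

    A section header is a line ending in ':' (e.g. 'Files to delete:'); every
    following non-blank line up to the next header is an entry of that section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections

def preflight(text):
    """Return (finding, section, path) tuples worth a second look before running."""
    sections = parse_avenger_script(text)
    findings = []
    # 1. the same path listed twice in one section (harmless, but a sign of a hand-built list)
    for section, entries in sections.items():
        for path, n in Counter(e.lower() for e in entries).items():
            if n > 1:
                findings.append(("duplicate", section, path))
    # 2. a path listed both as a file and as a folder
    files = {e.lower() for e in sections.get("files to delete", [])}
    folders = {e.lower() for e in sections.get("folders to delete", [])}
    for path in sorted(files & folders):
        findings.append(("listed_as_file_and_folder", "files to delete / folders to delete", path))
    # 3. names of core Windows binaries: deleting the real one breaks the OS,
    #    while a copy elsewhere (c:\windows\services.exe) is a lookalike to verify
    for path in sorted(files):
        expected_dir = CORE_BINARIES.get(ntpath.basename(path))
        if expected_dir is None:
            continue
        if ntpath.dirname(path).rstrip("\\") == expected_dir:
            findings.append(("deletes_real_system_binary", "files to delete", path))
        else:
            findings.append(("system_binary_lookalike", "files to delete", path))
    return findings

# The Avenger script quoted in post #15 of this thread, verbatim.
AVENGER_POST15 = r"""
Files to delete:
c:\windows\system32\E.tmp
c:\windows\system32\15.tmp
c:\windows\system32\12.tmp
c:\windows\system32\A.tmp
c:\windows\rvhcdcbr.exe
c:\windows\system32\11.tmp
c:\windows\system32\6.tmp
c:\windows\system32\10.tmp
c:\windows\system32\drivers\ethmiihm.sys
c:\windows\bnddhtsk.exe
c:\windows\system32\5.tmp
c:\windows\system32\3.tmp
c:\windows\system32\8.tmp
c:\windows\system32\2.tmp
c:\windows\adobe.bat
c:\windows\_id.dat
c:\windows\system32\37.tmp
c:\windows\system32\34.tmp
c:\windows\services.exe
c:\windows\bnddhtsk.exe
c:\windows\rvhcdcbr.exe

Folders to delete:
c:\documents and settings\suli\Application Data\cogad
"""

# Constructed script (not from the thread) exercising the two serious findings.
CONSTRUCTED = r"""
Files to delete:
c:\windows\system32\services.exe
C:\809504553

Folders to delete:
C:\809504553
"""

if __name__ == "__main__":
    for kind, section, path in preflight(AVENGER_POST15) + preflight(CONSTRUCTED):
        print(f"{kind:28} {section:40} {path}")
```

For the post #15 script the report is two duplicates and one lookalike; for the constructed script it is one file-and-folder clash and one real-system-binary hit. Paths are compared case-insensitively because NTFS is, so "C:\809504553" and "c:\809504553" count as the same entry.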
#16 - 02-19-09, 13:50 - dagsky (Private First Class)
Re: Nailed by rootkit!!

Before we carry on, can I just point out that somehow, whatever infections I have, they are moving over to my E drive now! I've had all sorts of errors popping up similar to the C drive. Whilst I truly appreciate your efforts in trying to help me, I'd like to ask you a question: would it be easier for YOU to have me reformat my HDD, or would you like to still try and tackle the problem? For me I don't mind the reformat as long as I am able to salvage my music.

I have another hard drive that I can connect up to my PC but I just want to know if it is safe to do so, as I don't want this thing spreading into my new hard drive. My new HDD is running Win XP Pro and has Comodo as the firewall and antivirus. The files I want to move are my music files, which are on my C drive and some on my D drive.
#17 - 02-19-09, 14:33 - TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Nailed by rootkit!!

As you noticed, it will spread, so the best thing to do is salvage your music, pictures, data, mail addy etc., and reformat the entire drive. Then you can create the partitions and reinstall. Do not hook anything up to this computer. After you are re-setup, scan your data CD for malware before transferring it back.