Computers and Technology - Rootkit woes
Keitaro
Posted on 06-30-11 07:53:16 PM (last edited by Keitaro at 06-30-11 04:54 PM)
So my desktop has a rootkit and I cannot for the life of me figure out how the shit to fix this. ComboFix is about as useful as a soggy cracker, as it merely tells me it detects a rootkit presence, then proceeds to reboot the system and doesn't actually do much in the way of FIXING it. In fact, pretty much everything I've used so far (including GMER, which even advertises itself as being able to fix rootkits as well) does little more than detect them. Great, thanks, I'm aware that I have one already. Cool, you pinpointed it. Now how the crap do I get rid of it?

I guess I could post a GMER or HijackThis log if anyone is really interested. I know for certain there's a rogue svchost.exe which is quite obviously a culprit here, though GMER seems to be spouting off some nonsense about the MBR as well and... ugh, this is really just a pain in my ass, as while my Mac is my primary work computer, there are still many things I need to use my desktop for as well. It has XP SP3, if that even matters.
Liliana
Posted on 06-30-11 07:54:53 PM
Well yeah. It makes sense to start off with some logs, as they help to pinpoint the exact cause of the problem, and from there, we can see how to proceed best.

Keitaro
Posted on 06-30-11 08:08:20 PM
As you wish. Here is some log output from GMER:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-30 13:56:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-00DEA0 rev.05.03E05
Running: rpysvhq3.exe; Driver: C:\DOCUME~1\Tony\LOCALS~1\Temp\awroquog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8E16340, 0x121A5F, 0xF8000020]
init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xB8942EB0]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [011C2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [011C2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [011C2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [011C2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 83F4031B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83F4031B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 83F4031B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83F4031B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 83F4031B

AttachedDevice \FileSystem\Fastfat \Fat DigiFilt.sys (Digidesign Filter Driver/Digidesign, A Division of Avid Technology, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CEF0BB66-A7CE-A820-67AA-5AEE26B66D83}

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



And from RootkitRevealer:

HKU\S-1-5-21-117609710-1336601894-839522115-1003\Console 6/26/2011 7:58 PM 0 bytes Security mismatch.
HKU\S-1-5-21-117609710-1336601894-839522115-1003\console_combofixbackup 6/26/2011 7:58 PM 0 bytes Security mismatch.
HKU\S-1-5-21-117609710-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C255C8A-E604-49B4-9D64-90988571CECB}\iexplore\Count 6/30/2011 1:56 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-117609710-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C255C8A-E604-49B4-9D64-90988571CECB}\iexplore\Time 6/30/2011 1:56 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-117609710-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore\Count 6/30/2011 1:56 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-117609710-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore\Time 6/30/2011 1:56 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-117609710-1336601894-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CEF0BB66-A7CE-A820-67AA-5AEE26B66D83}* 1/20/2011 4:30 AM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-117609710-1336601894-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx 6/30/2011 1:56 PM 52 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 8/14/2010 9:44 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/14/2010 9:44 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 6/30/2011 1:57 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Swearware\backup\winsock2 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 2/17/2011 8:55 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 2/17/2011 8:5
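
The GMER log above is easier to act on once its lines are sorted by what they actually prove. The following is an added example, not part of the thread and not GMER's own code: it parses the line shapes GMER 1.0.15 prints (inline `.text` hooks, IAT hooks, redirected driver dispatch pointers, `Disk` findings, `Reg` values) and drops each into a severity bucket. The severity rules, the function names and the constructed `SAMPLE_LOG` excerpt are this example's own assumptions.

```python
"""Sort the lines of a GMER rootkit-scan log into severity buckets.

Added example, not part of the thread or of GMER.  The regexes follow the
line shapes GMER 1.0.15 prints; the severity rules and the function names
are this example's own choices, and SAMPLE_LOG is a constructed excerpt in
that format.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the log posted in the thread.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[288] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C7000A
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [011C2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83F4031B
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
"""

HEX = r"[0-9A-F]{8}"
INLINE_HOOK = re.compile(
    rf"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<export>\S+) {HEX} (?P<n>\d+) Bytes JMP (?P<target>{HEX})$")
IAT_HOOK = re.compile(
    rf"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ \S+ \[(?P<export>[^\]]+)\] \[(?P<target>{HEX})\] "
    r"(?P<dll>.+?)(?: \((?P<vendor>[^)]*)\))?$")
DEVICE_HOOK = re.compile(
    rf"^Device (?P<driver>\S+) -> (?P<routine>\S+) (?P<dev>\S+) (?P<addr>{HEX})$")
DISK = re.compile(r"^Disk (?P<dev>\S+) (?P<msg>.+)$")


def triage(log_text: str) -> dict:
    """Return {severity: [finding, ...]} for every line that matched a known shape."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INLINE_HOOK.match(line):
            # A 5-byte JMP written over an ntdll export.  GMER names the owning
            # module when it can attribute the target; a bare address means the
            # hook lands in anonymous memory, i.e. injected code.
            findings["HIGH"].append(
                f"inline hook on {m['export']} in {m['proc']}[{m['pid']}] -> {m['target']} (anonymous memory)")
        elif m := IAT_HOOK.match(line):
            # Import-table hook.  A vendor string only means the DLL carries a
            # version resource; check its signature before treating it as benign.
            sev = "LOW" if m["vendor"] else "HIGH"
            who = m["vendor"] or "unattributed"
            findings[sev].append(
                f"IAT hook on {m['export']} in {m['proc']}[{m['pid']}] via {m['dll']} ({who})")
        elif m := DEVICE_HOOK.match(line):
            # Kernel-mode: a driver's dispatch pointer now points at a bare address.
            # On the ATAPI path that means disk reads can be filtered before any
            # user-mode scanner sees them.
            findings["HIGH"].append(
                f"kernel: {m['driver']} {m['routine']} for {m['dev']} redirected to {m['addr']}")
        elif m := DISK.match(line):
            sev = "CRITICAL" if "rootkit" in m["msg"].lower() else "INFO"
            findings[sev].append(f"disk {m['dev']}: {m['msg']}")
        elif line.startswith("Reg "):
            findings["INFO"].append(line)  # policy values: context, not evidence
    return dict(findings)


def verdict(findings: dict) -> str:
    """The one decision the owner has to make, from the highest bucket present."""
    if findings.get("CRITICAL"):
        return "MBR compromised: repair from outside the running OS (recovery console fixmbr or a live CD), then rescan"
    if findings.get("HIGH"):
        return "code injection present: find the injector before trusting anything this OS reports"
    return "no rootkit indicators in this log"


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    for sev in ("CRITICAL", "HIGH", "LOW", "INFO"):
        for f in buckets.get(sev, []):
            print(f"{sev:9} {f}")
    print(verdict(buckets))
```

Run it on a saved GMER report with `triage(open("gmer.log").read())`. The point of the buckets: the `Disk` lines are the finding that decides the whole response, the `.text` hooks in Explorer and svchost are the symptom of the same infection in user mode, and the vendor-labelled IAT hook is the kind of line that is worth verifying but not worth chasing first.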

paulguy
Posted on 06-30-11 08:25:22 PM
Could you possibly just boot to a Linux live CD, mount a Windows install disc and replace the modified files?

I'm not sure of the possibility of an MBR rootkit, or what it could really do. As far as I can tell, it might be able to replace a BIOS call, but I don't think Windows really uses those other than maybe probing the existence of disks or reading in the first few portions of the kernel (which does seem like it could be a vector of infection, but I mean really, how much of a payload are you going to fit into 400-some bytes after including the actual loading code and the code to patch that BIOS call?), and such techniques haven't been seen since, like, DOS/Win3.x days. It could also be some funky thing that the computer manufacturer puts in for God knows what reason.

But yeah I'm kind of going on about crap.

Liliana
Posted on 06-30-11 09:01:36 PM
Oh, MBR rootkits have gained massive popularity these days, since they can hide from common malware removal programs this way.

If you can boot to the XP recovery console, you should be able to run the fixmbr command there, which rewrites the MBR file. This should be good at least for the next start, and you should then be able to remove the threat.

Keitaro
Posted on 06-30-11 11:59:04 PM
Ah! Okay, I'm not entirely sure how to get into the recovery console again, but I'll try this as soon as I get home. Thanks!
Rena
Posted on 07-01-11 10:29:56 AM
Originally posted by paulguy
might be able to replace a BIOS call, but I don't think Windows really uses those other than maybe probing the existence of disks or reading in the first few portions of the kernel (which does seem like it could be a vector of infection, but I mean really, how much of a payload are you going to fit into 400-some bytes after including the actual loading code and the code to patch that BIOS call?), and such techniques haven't been seen since, like, DOS/Win3.x days. It could also be some funky thing that the computer manufacturer puts in for God knows what reason.

But yeah I'm kind of going on about crap.
Being the first code your computer loads off the hard disk, it can pretty much do anything. Most likely it loads some other sectors containing the "real" MBR, patched to give it control of the kernel.

Best thing to do would be to back up what you want to keep and reinstall. Failing that, run fixmbr from the recovery console of a Windows disc, and then reboot into a Linux live CD without booting from the hard disk first and replace the modified files. (If you boot into the compromised system again before you finish cleaning it, it'll likely just re-infect anything you cleaned.) Do a full virus scan afterward to detect any contaminated files now that the rootkit (hopefully) isn't active to prevent a scan from working properly.
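
The behaviour Rena describes (the first sector's code swapped out while the disk stays bootable) and the fixmbr repair Liliana suggested can both be checked against the disk itself. What follows is an added example, not from the thread: a small checker that takes a 512-byte MBR, validates the 0x55AA signature and the partition table, and reports whether the boot-code region differs from a known-good copy while the partition table is unchanged, which is the pattern of a bootkit that keeps the system booting. The two sample sectors, the placeholder boot code and the function names are constructed for this example; only the MBR layout follows the format.

```python
r"""Check a 512-byte Master Boot Record against a known-good copy.

Added example, not from the thread.  The two sectors built below are
constructed for illustration: the boot code is a placeholder stub, not
real Windows or TDL4 code.  Only the layout (446 bytes of code, four
16-byte partition entries, 0x55AA signature) follows the MBR format.
"""
import struct

SECTOR = 512
CODE_END = 446             # boot code: bytes 0..445
TABLE_END = 510            # partition table: bytes 446..509
SIGNATURE = b"\x55\xAA"    # bytes 510..511
ENTRY = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


def parse_partitions(mbr: bytes) -> list:
    """Decode the used partition slots as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, mbr, CODE_END + 16 * i)
        if ptype:  # type 0 means the slot is empty
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def make_mbr(code: bytes, partitions: list) -> bytes:
    """Assemble a sector from a code blob and (status, type, lba, count) tuples."""
    if len(code) > CODE_END:
        raise ValueError("boot code does not fit in 446 bytes")
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY, sector, CODE_END + 16 * i, status, ptype, lba, count)
    sector[TABLE_END:] = SIGNATURE
    return bytes(sector)


def read_sector0(device_path: str) -> bytes:
    r"""Read the first sector of a raw device, e.g. r'\\.\PhysicalDrive0' on
    Windows (run as administrator) or '/dev/sda' on Linux (as root).
    Not called in this file; the checks below use constructed sectors."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def check_mbr(mbr: bytes, reference: bytes) -> dict:
    """Compare a live MBR with a known-good copy taken from the same disk.

    Verdicts: 'invalid' (bad length or signature), 'clean', 'code-replaced'
    (bootkit pattern: code swapped, partition table untouched so the system
    still boots), 'table-changed', or 'rewritten' (both regions differ)."""
    if len(mbr) != SECTOR or mbr[TABLE_END:] != SIGNATURE:
        return {"verdict": "invalid", "reasons": ["bad length or missing 0x55AA signature"]}
    reasons = []
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) != 1:
        reasons.append("expected exactly one active partition")
    code_changed = mbr[:CODE_END] != reference[:CODE_END]
    table_changed = mbr[CODE_END:TABLE_END] != reference[CODE_END:TABLE_END]
    if code_changed and not table_changed:
        verdict = "code-replaced"
        reasons.append("boot code differs from the known-good copy while the partition "
                       "table is intact: the first code the BIOS runs is no longer yours")
    elif code_changed:
        verdict = "rewritten"
        reasons.append("both boot code and partition table differ from the reference")
    elif table_changed:
        verdict = "table-changed"
        reasons.append("partition table differs from the reference")
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "partitions": parts}


# Constructed sample data.  The code bytes are placeholders (cli / xor ax,ax / hlt,
# and a jmp-to-self), not a real boot loader.
CLEAN_CODE = bytes.fromhex("fa31c0f4")
INFECTED_CODE = bytes.fromhex("ebfe")
PARTS = [(0x80, 0x07, 63, 78140097)]  # one active NTFS-type partition (constructed)
CLEAN_MBR = make_mbr(CLEAN_CODE, PARTS)
INFECTED_MBR = make_mbr(INFECTED_CODE, PARTS)

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, CLEAN_MBR)["verdict"])      # clean
    print(check_mbr(INFECTED_MBR, CLEAN_MBR)["verdict"])   # code-replaced
```

The reference copy has to come from the disk while it was known to be clean (one raw read of sector 0, kept somewhere the machine cannot reach), and it has to be read from outside the running OS, since a kernel-mode filter on the disk path can hand a scanner the original sector on request. After a repair such as fixmbr the code region will legitimately differ from the old reference, so take a fresh reference once the disk checks out.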

Keitaro
Posted on 07-01-11 11:42:46 AM
Well, I went ahead and did fixmbr, and that seems to have done the trick!!! Things still feel just a tad bit off, so I'm running ComboFix and some other things just to do some housekeeping. I guess I won't know for sure for sure until I connect it back to the internet, but it looks like I'm in a much better place than I was before. Thanks all! I'll keep you updated from here.
Keitaro
Posted on 07-02-11 10:19:05 PM
Yep... fixmbr seems to have done it. It's still acting a little weird (it takes a good 10 seconds or so for the Windows startup sound to play, at times), but the weird rootkit-induced behavior seems to have completely subsided, which is the important thing. Thanks again!
Lyskar
Posted on 07-03-11 06:55:55 PM
Yeah, with fixmbr done, all that's left is stomping out rogue files leftover here or there.
