Got a bad RootKit! Help!

My sister's computer, running Vista, froze while booting and we consulted
the seller's service department to get a diagnosis of the problem. We did this
because her computer had had the power supply replaced just some weeks
before, and I thought it was the same problem.

The seller's service department told us it was a motherboard failure and
we considered the computer a total write-off.

During the weekend I connected her Vista SATA disk to my big computer and
began copying her Documents onto an external hard drive, well aware of the
intrusive character of both SATA disks and of Vista…

During this manoeuvre I got infected with a rootkit that probably made my
sister's computer freeze while booting. :frowning:


My Specs:

Motherboard Asus P4P800 DELUXE i865PE 4DDR-DIMM 5PCI SATA Raid FireWire GB-LAN Audio Socket478 ATX
CPU Intel Pentium 4 Northwood 3.0GHz -C Hyperthreading 512Kb 800MHz bulk/tray Socket 478 (3GHZ)

Graphics card Club 3D Radeon 9800Pro 128Mb DDR TV-out DVI RETAIL AGP
RAM 4 x TwinMOS Original 512Mb DDR-DIMM PC3200/DDR400 184pin 400MHz CAS2.5 (2 GB)

XP Pro SP3
Avast Suite with built in Firewall.


First the rootkit whacked my 4th in-chassis disk, the only SATA one, and
messed up the boot record. About one year's worth of film, music and
other downloads are now very hard to access… :cry:

  • XP runs fine, even in Normal mode.

  • The rootkit messes with the boot, so I have to use the F8 boot screen and
    manually choose the boot disk.

  • I can't repair XP from the original CD, as the rootkit interrupts the
    loading of files after a while. It does this on both CD drives
    and even on additionally connected external drives.

  • I can't reinstall XP from the original CD, as the rootkit interrupts the
    loading of files after a while.

  • I can't use a boot floppy, as the rootkit messes with my A: drive.

  • I can't install the “Windows Recovery Console”, as the YouKnowWhat stops
    the installation halfway.

  • I don't dare flash the BIOS, as my A: floppy drive has been made unreliable.


I’ve run the TrendMicro RootkitBuster and logs are below.

It might be “Backdoor Rustock B” I’ve got, but I’m not sure.


Are there any real friendly experts here that can help me?
My options are a bit limited as you see.

I’m quite a good computer user, but this thing is clearly over my head.

There must have been others with this kind of serious problem.


Edited.

Here are some of the logs from Trend Micro RootkitBuster:


+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 3.60.0.1016
| Computer Name: ********************
| User Name: ************************
+----------------------------------------------------

--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
SubKey : 0Jf40
FullLength: 0x46
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
SubKey : 0Jf41
FullLength: 0x46
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
SubKey : 0Jf42
FullLength: 0x46
3 hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAddBootEntry
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x80650dff
CurrentHandler : 0xb1445202
ServiceNumber : 0x9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAllocateVirtualMemory
Image Path : C:\WINDOWS\System32\Drivers\aswSP.SYS
OriginalHandler : 0x80570bc5
CurrentHandler : 0xb14d3cb2
ServiceNumber : 0x11
ModuleName : aswSP.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwClose
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8056f8d7
CurrentHandler : 0xb14696c1
ServiceNumber : 0x19
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateEvent
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x805744f6
CurrentHandler : 0xb144781c
ServiceNumber : 0x23
ModuleName : aswSnx.SYS
SDTType : 0x0

------------------------------------------------------------

[HOOKED_SERVICE_API]:
Service API : ZwVdmControl
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x805c28f0
CurrentHandler : 0xb14452b6
ServiceNumber : 0x10c
ModuleName : aswSnx.SYS
SDTType : 0x0

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
[KERNEL_CODE][PATCHED]:
Service API : ZwCreateProcessEx
Address : 8058B9EC
CurrentCode : E915DFF530
ExpectedCode : 6A0C6818F6
ServiceNumber : 0x30
SDTType : 0x0
1 Kernel code patching found.

--== Dump Hidden Services ==--
No hidden services found.


The Trend Micro RootkitBuster supposedly cleans this away during the boot
but the rootkit puts it back just before XP springs to life.

I can literally see the DOS prompt on the screen as the rootkit installs
itself again, a second before the XP screen comes on.

???
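An added triage example for reading the RootkitBuster log above (this is not code from the thread or from Trend Micro's tool). It parses the [HOOKED_SERVICE_API] and [KERNEL_CODE][PATCHED] records, separates SSDT hooks owned by drivers the analyst has chosen to trust from hooks with no identifiable owner, and decodes the ZwCreateProcessEx patch: CurrentCode E9 15 DF F5 30 is a 5-byte relative JMP whose destination is 0x8058B9EC + 5 + 0x30F5DF15 = 0xB14E9906, while ExpectedCode 6A 0C 68 .. is the ordinary push 0Ch / push imm32 prologue that was overwritten. Assumptions made here: the trusted set is the two avast! drivers named in the posted log, the extra ZwCreateFile record with no owning module is constructed to show what an unexplained hook looks like, and the "nearest trusted handler" measure is only a proximity heuristic, so a patch target landing close to aswSP.SYS's handler is an inference, not proof of who installed it.

```python
"""Triage of Trend Micro RootkitBuster text output.

Added example, not code from the thread or from Trend Micro. It separates SSDT
hooks owned by trusted drivers from unattributed ones and decodes an inline
kernel patch. The trusted-driver set and the ZwCreateFile record below are
assumptions constructed for the example.
"""
import re
import struct

# Assumption: the two avast! drivers named in the posted log are trusted.
TRUSTED_MODULES = {"aswsnx.sys", "aswsp.sys"}

# Excerpt modelled on the posted log. The first two hooks and the kernel patch
# are as posted; the ZwCreateFile hook with no owning module is constructed.
SAMPLE_LOG = r"""
[HOOKED_SERVICE_API]:
Service API : ZwAddBootEntry
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x80650dff
CurrentHandler : 0xb1445202
ServiceNumber : 0x9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAllocateVirtualMemory
Image Path : C:\WINDOWS\System32\Drivers\aswSP.SYS
OriginalHandler : 0x80570bc5
CurrentHandler : 0xb14d3cb2
ServiceNumber : 0x11
ModuleName : aswSP.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateFile
Image Path :
OriginalHandler : 0x8056e3ee
CurrentHandler : 0x8a212f00
ServiceNumber : 0x25
ModuleName :
SDTType : 0x0
[KERNEL_CODE][PATCHED]:
Service API : ZwCreateProcessEx
Address : 8058B9EC
CurrentCode : E915DFF530
ExpectedCode : 6A0C6818F6
ServiceNumber : 0x30
SDTType : 0x0
"""

# "Key : Value" lines; the key stops at the first colon, so paths with drive
# letters in the value are preserved.
_FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_records(text):
    """Split RootkitBuster output into dicts, one per bracketed record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current = {"_type": line.rstrip(":")}
            records.append(current)
        elif current is not None:
            m = _FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return records


def classify_hooks(records, trusted=TRUSTED_MODULES):
    """Return (trusted, suspicious) SSDT hooks. A hook whose ModuleName is
    empty or not in the trusted set is suspicious until explained."""
    trusted_hooks, suspicious = [], []
    for rec in records:
        if rec["_type"] != "[HOOKED_SERVICE_API]":
            continue
        module = rec.get("ModuleName", "").lower()
        (trusted_hooks if module in trusted else suspicious).append(rec)
    return trusted_hooks, suspicious


def decode_patch(address_hex, code_hex):
    """Decode the first instruction of a kernel code patch if it is a 5-byte
    relative JMP (E9) or CALL (E8); return None for anything else."""
    code = bytes.fromhex(code_hex)
    if len(code) < 5 or code[0] not in (0xE9, 0xE8):
        return None
    rel32 = struct.unpack("<i", code[1:5])[0]            # signed displacement
    target = (int(address_hex, 16) + 5 + rel32) & 0xFFFFFFFF
    return {"mnemonic": "jmp" if code[0] == 0xE9 else "call", "target": target}


def nearest_trusted_handler(target, trusted_hooks):
    """Heuristic: (module, distance) of the trusted hook handler closest to
    a patch target. A small distance suggests the same driver image."""
    best = None
    for rec in trusted_hooks:
        dist = abs(target - int(rec["CurrentHandler"], 16))
        if best is None or dist < best[1]:
            best = (rec["ModuleName"], dist)
    return best


def triage(text):
    """Return human-readable findings for one RootkitBuster log."""
    records = parse_records(text)
    trusted, suspicious = classify_hooks(records)
    lines = [f"{len(trusted)} SSDT hook(s) owned by trusted drivers"]
    for rec in suspicious:
        lines.append(f"SUSPICIOUS hook on {rec['Service API']}: handler "
                     f"{rec['CurrentHandler']} owned by {rec.get('ModuleName') or '<no module>'}")
    for rec in records:
        if rec["_type"] != "[KERNEL_CODE][PATCHED]":
            continue
        decoded = decode_patch(rec["Address"], rec["CurrentCode"])
        if decoded is None:
            lines.append(f"patch on {rec['Service API']}: not a rel32 jmp/call, inspect manually")
            continue
        near = nearest_trusted_handler(decoded["target"], trusted)
        where = f"{near[1]:#x} bytes from {near[0]}'s handler" if near else "no trusted handler nearby"
        lines.append(f"patch on {rec['Service API']}: {decoded['mnemonic']} to "
                     f"{decoded['target']:#010x} ({where})")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Run it on a saved log with `triage(open(path).read())`. The point it makes about the posted log is that every listed SSDT hook is owned by the installed antivirus, so none of them is by itself evidence of the rootkit; the one item without an obvious owner is the kernel code patch, which is why decoding where it jumps to is the useful next step before reaching for heavier tools.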

Download aswMBR.exe (1.8 MB) to your desktop.

Double-click aswMBR.exe to run it.

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

aswMBR version 0.9.7.750 Copyright(c) 2011 AVAST Software
Run date: 2011-07-16 16:11:25

16:11:25.781 OS Version: Windows 5.1.2600 Service Pack 3
16:11:25.781 Number of processors: 2 586 0x209
16:11:25.781 ComputerName: zzzzzzzzzzzzzz UserName: ***************
16:11:27.093 Initialize success
16:11:27.187 AVAST engine defs: 11071600

16:11:40.203 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
16:11:40.203 Disk 0 Vendor: WDC_WD3200AAJB-00J3A0 01.03E01 Size: 305245MB BusType: 3
16:11:40.203 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
16:11:40.203 Disk 1 Vendor: WDC_WD2500JB-00REA0 20.00K20 Size: 238475MB BusType: 3
16:11:40.203 Disk 2 \Device\Harddisk2\DR2 → \Device\Scsi\viaraid1Port2Path0Target1Lun0

16:11:40.203 Disk 2 Vendor: Maxtor_6 BAH4 Size: 194481MB BusType: 1
16:11:40.203 Device \Driver\atapi → DriverStartIo f747b864
16:11:40.203 Device \Driver\atapi → MajorFunction 8a212f00
16:11:40.203 Disk 0 MBR read error 0
16:11:40.203 Disk 0 MBR scan

16:11:40.203 Disk 0 unknown MBR code
16:11:40.203 MBR BIOS signature not found 0
16:11:40.203 Disk 0 scanning sectors +625137345
16:11:40.234 Disk 0 scanning C:\WINDOWS\system32\drivers
16:11:41.953 File: C:\WINDOWS\system32\drivers\ati2mtag.sys TDL3 ROOTKIT

16:11:50.265 Service scanning
16:11:51.312 Disk 0 trace - called modules:
16:11:51.312 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a212f00]<<
16:11:51.312 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a624030]
16:11:51.312 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\00000076[0x8a658450]

16:11:51.328 5 ACPI.sys[f7588620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x8a64a940]
16:11:51.328 \Driver\atapi[0x8a69bc00] → IRP_MJ_CREATE → 0x8a212f00
16:11:51.546 AVAST engine scan C:\WINDOWS
16:12:56.109 AVAST engine scan C:\Documents and Settings********

16:12:56.140 AVAST engine scan C:\Documents and Settings\All Users
16:12:56.140 Scan finished successfully
16:19:52.937 Disk 0 MBR has been saved successfully to "C:\Documents and Settings*\Mina dokument\MBR.dat"
16:19:52.953 The log file has been saved successfully to "C:\Documents and Settings*\Mina dokument\SkynetCore_110716aswMBR.txt"
16:20:08.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings*\Skrivbord\MBR.dat"
16:20:08.312 The log file has been saved successfully to "C:\Documents and Settings*\Skrivbord\SkynetCore_110716aswMBR.txt"
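An added example (not from the thread or from aswMBR) of the kind of check behind the "Disk 0 unknown MBR code" and signature lines in the log above, run offline against the 512-byte MBR.dat that aswMBR saved: it verifies the 0x55AA boot signature at offset 510, parses the four partition entries for sanity (valid status bytes, at most one active partition, no overlapping ranges, no typed entry of zero length) and compares a SHA-256 of the 440-byte bootstrap area against a list of known-good bootstraps. The sample sectors, the tampered bootstrap and the known-good list are all constructed for the example; a real list would hold hashes taken from a clean install of the same Windows version, and the partition geometry here is invented rather than taken from the poster's disk.

```python
"""Offline sanity check of a 512-byte MBR dump (for example aswMBR's MBR.dat).

Added example, not code from the thread or from aswMBR. The sample sectors and
the known-good bootstrap list are constructed here for demonstration.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOTSTRAP_LEN = 440          # bootstrap code area, before the disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"

# Constructed bootstraps. CLEAN_BOOTSTRAP opens like a conventional MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h ...); TAMPERED_BOOTSTRAP is arbitrary
# other code standing in for an unknown loader. Neither is a real sample.
CLEAN_BOOTSTRAP = bytes.fromhex("33C08ED0BC007C8EC08ED8BE007CBF0006B90002FCF3A4")
TAMPERED_BOOTSTRAP = bytes.fromhex("FA33C08ED8BE007CB8C00750EB10")


def make_entry(status, ptype, lba_start, sectors):
    """One 16-byte partition entry; CHS fields are filled with placeholders."""
    return struct.pack("<B3sB3sII", status, b"\x01\x01\x00", ptype, b"\xFE\xFF\xFF",
                       lba_start, sectors)


def build_sample_mbr(bootstrap, signature=BOOT_SIGNATURE):
    """Assemble a constructed MBR: bootstrap, disk signature, one active NTFS
    partition starting at LBA 63, three empty entries, then the signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_id = b"\x12\x34\x56\x78" + b"\x00\x00"        # disk signature + reserved
    table = make_entry(0x80, 0x07, 63, 625137282) + b"\x00" * 48
    return code + disk_id + table + signature


def has_boot_signature(mbr):
    return mbr[SECTOR - 2:SECTOR] == BOOT_SIGNATURE


def bootstrap_hash(mbr):
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        entry = mbr[off:off + 16]
        if entry == b"\x00" * 16:
            continue
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", entry)
        parts.append({"index": i, "status": status, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr, known_bootstraps):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(mbr) != SECTOR:
        return [f"unexpected length {len(mbr)}, expected {SECTOR}"]
    if not has_boot_signature(mbr):
        findings.append("boot signature 55AA missing at offset 510")
    digest = bootstrap_hash(mbr)
    if digest not in known_bootstraps:
        findings.append(f"unknown bootstrap code (sha256 {digest[:16]}...)")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["bootable"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active, expected at most 1")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte {p['status']:#04x}")
        if p["sectors"] == 0:
            findings.append(f"entry {p['index']}: type {p['type']:#04x} with zero length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


# Constructed allow-list: in practice, hashes of MBRs dumped from clean systems.
KNOWN_BOOTSTRAPS = {bootstrap_hash(build_sample_mbr(CLEAN_BOOTSTRAP)): "constructed clean sample"}

if __name__ == "__main__":
    if len(sys.argv) > 1:                              # e.g. python mbrcheck.py MBR.dat
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR)
    else:
        data = build_sample_mbr(TAMPERED_BOOTSTRAP, signature=b"\x00\x00")
    for line in check_mbr(data, KNOWN_BOOTSTRAPS) or ["no findings"]:
        print(line)
```

The hash comparison is deliberately strict: any change to the 440 bootstrap bytes, including a legitimate third-party boot manager, will show as "unknown bootstrap code", which is the same ambiguity an "unknown MBR code" line from a scanner carries. The partition-table checks are independent of the allow-list and catch the structural damage (overlapping or doubly-active entries) that a scanner's one-line verdict does not describe.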

Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.zip and save it to your Desktop.

Extract its contents to your Desktop.
Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
If an infected file is detected, the default action will be Cure; click Continue.

If a suspicious file is detected, the default action will be Skip; click Continue.

It may ask you to reboot the computer to complete the process. Click Reboot Now.

If no reboot is required, click Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Thank you so much for all the help, guys! :slight_smile:

I'm a bit shaky, as there might be a risk of destroying my rig.

No offence, Left123, but I'd just like to hear if essexboy agrees
with this, or if he suggests something else.

I'd rather stick to one game plan, and switch to the next one 100% if the first one fails.

(Haven't done this before; can't tell what's the best method.)

Of course, while waiting for Essexbot you can read about TDSS variants here:
http://www.securelist.com/en/analysis/204792131
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot and here
http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4

Confirmed - we had a PM chat about it - TDL3 will be cured by TDSSKiller ;D Once it has run let us know of any other problems

??? You shouldn't have said “will” there, essexboy!

(Lots of logs)

18:53:15.0765 3628 Boot (0x1200) (1a90abdcc29c4a29ae507986d2253247) \Device\Harddisk0\DR0\Partition5
2011/07/16 18:53:15.0781 3628 ================================================================================
2011/07/16 18:53:15.0781 3628 Scan finished
2011/07/16 18:53:15.0781 3628 ================================================================================
2011/07/16 18:53:15.0796 0676 Detected object count: 0
2011/07/16 18:53:15.0796 0676 Actual detected object count: 0

:frowning:

Next time please use “Attach:” under Additional Options.
Thanks,
asyn

When you opened TDSSKiller, were the following options checked: Services and drivers, and Boot sectors?

This has the smell of a different type of TDL3

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Got it, Asyn! :wink:

Yep, both!

I’m gonna try the Combofix and Microsoft Windows Recovery Console. Wish me luck! :slight_smile:

Everyone should install the Recovery Console on their system, as it is a handy bit of kit.

Success! I think… :slight_smile:

ComboFix and the Windows Recovery Console both installed and did their tricks. Log enclosed.

Thanks for good and thorough instructions, essexboy! 8)

But the RootkitBuster still thinks I’m infected! ??? (That log also enclosed.)

What should I do now?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt
Is it this one? If so, it is part of your CD-ROM emulator (Daemon Tools).

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

    Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Yep, I saw that the Windows Recovery Console killed Daemon in its log and
it's no longer in the system tray.

I tried to uninstall it, but naturally the uninstaller couldn’t finish.
Now I’ve deleted all remaining files under C:\Program\ (Edit: related to daemonTools. :wink: )

And here's the MBRCheck log:

We’ve also left my computer skillz about ten miles ago…