win32: rootkit-gen

Hello All,
I am working on a PC infected with Win32:Rootkit-gen. My first step was to download Avast and run it. I am still seeing a "Warning Dangerous Spyware" message on the desktop. I then disabled restore points and, using MSCONFIG, stopped the startup items and services that I didn't recognize or that I thought were causing the problem. I ran Avast again (boot scan) and still have the desktop icon, so I know I haven't gotten everything. I did some research on the internet and then downloaded HijackThis and ran it. I am attaching the result file.

Any help would be deeply appreciated.
Thanks,
ARobtek

You seem to have 'at least' a rogue spyware program. Try to download the following two programs, update them and run quick scans.
Post the logs, and then another HJT log.

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

Are you running two AVs?

Thanks for such a quick reply mickey77. I have downloaded and run the two programs you recommended and have run HijackThis again. I am attaching the log files.

Thanks,
Arobtek

First you didn’t fix the things found by MBAM, so do that.

In your HJT log, the bad entries are:

O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user')

I also see ovfsthxlbirkcxx in your MBAM log

This is worrying as it is probably related to the ovfst rootkit.

So run MBAM again, choose to fix the things found, and reboot if necessary.
Run HJT, choose scan only, highlight the bad entries above and choose fix selected.

See this link,

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Read it carefully, download RootRepeal and just post a log.
I think there's a link for a zip; if you download the rar, here's a free program for extracting rar files:

http://download.cnet.com/Free-RAR-Extract-Frog/3000-2250_4-10804840.html
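As an added example that is not part of the thread (mickey77 did this triage by eye), here is a small Python script that applies the same two checks to the HJT lines quoted above: O1 lines that pin a hostname to a non-loopback address (the antivirsystem.com redirect), and O4 autoruns that launch rundll32 with a DLL from a user-profile directory or that live under the SYSTEM / .DEFAULT hive, where they fire for SYSTEM and every new profile. The loopback allow-list, the profile-directory fragments and the ExampleTray line (a constructed benign entry for contrast) are this example's own assumptions, not something HijackThis or the posters provide.

```python
"""Triage of HijackThis O1 (hosts) and O4 (autorun) lines.

Added example for the thread above; not part of HijackThis or the original
posts. The heuristics (loopback allow-list, profile-directory check,
SYSTEM/.DEFAULT hive check) are this example's own assumptions.
"""
import re

# The bad entries quoted in the thread, plus one constructed benign O4 line
# (ExampleTray) so the script has something it should NOT flag.
HJT_LINES = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
""".strip().splitlines()

O1_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)$")
O4_RE = re.compile(
    r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")

# Addresses a hosts entry may legitimately point at (loopback / blackhole).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Path fragments meaning "inside a user profile or temp directory" (XP and later).
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\",
                "\\appdata\\", "\\temp\\")
# Autoruns under these hives fire for SYSTEM and for every newly created
# profile, which is why they survive a per-user cleanup.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


def triage_o1(line):
    """Reasons to distrust an O1 line: [] if benign, None if not an O1 line."""
    m = O1_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["addr"] not in LOOPBACK:
        reasons.append(f"hosts entry pins {m['host']} to non-loopback {m['addr']}")
    return reasons


def triage_o4(line):
    """Reasons to distrust an O4 line: [] if benign, None if not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    key, cmd = m["key"], m["cmd"]
    reasons = []
    if key.startswith(SYSTEM_HIVES):
        hive = key.split("\\..")[0]
        reasons.append(f"autorun under {hive} (runs for SYSTEM / default profile)")
    if cmd.lower().startswith(("rundll32.exe", "rundll32 ")):
        # rundll32 <dll>,<export>: separate the DLL path from the export name.
        target = cmd.split(None, 1)[1] if " " in cmd else ""
        dll, _, export = target.partition(",")
        if any(frag in dll.lower() for frag in PROFILE_DIRS):
            reasons.append(f"rundll32 loads {dll} from a user-profile directory "
                           f"(export {export or '?'})")
    return reasons


def hosts_redirects(lines):
    """Map each non-loopback address in O1 lines to the hostnames pinned to it."""
    out = {}
    for line in lines:
        m = O1_RE.match(line)
        if m and m["addr"] not in LOOPBACK:
            out.setdefault(m["addr"], []).append(m["host"])
    return out


def triage(lines):
    """Return [(line, reasons)] for every line with at least one finding."""
    findings = []
    for line in lines:
        reasons = triage_o1(line)
        if reasons is None:
            reasons = triage_o4(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(HJT_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
    for addr, hosts in hosts_redirects(HJT_LINES).items():
        print(f"{addr} hijacks: {', '.join(hosts)}")
```

Run as-is and it flags the two hosts redirects and both autochk autoruns (twice each: hive and DLL location) while letting the `::1 localhost` and ExampleTray lines through; feed it a full HJT log and the same rules apply to every O1/O4 line.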

Hi mickey77. I hope I have done the things you suggested correctly. I had to quit on Friday before I was finished with everything and completed the tasks this morning. The RootRepeal file is attached.

Thanks,
Arobtek

Sorry, that log is all scrambled; can you try to copy/paste the log? (I doubt it, but it's possible you may have to split the log into two parts, as there is a limit on the number of characters per post.)

OK. The report is pasted below.

Thanks,
arobtek

ROOTREPEAL (c) AD, 2007-2008

Scan Time: 2009/05/19 12:56
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA1B1000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF89D1000 Size: 8192 File Visible: No
Status: -

Name: mcsmblxy.sys
Image Path: mcsmblxy.sys
Address: 0xF8473000 Size: 61440 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA149000 Size: 45056 File Visible: No
Status: -

SSDT

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by “” at address 0x823ca6f0

#: 025 Function Name: NtClose
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f46b8

#: 031 Function Name: NtConnectPort
Status: Hooked by “” at address 0x823515e0

#: 041 Function Name: NtCreateKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f4574

#: 047 Function Name: NtCreateProcess
Status: Hooked by “” at address 0x823cac18

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by “” at address 0x823caba0

#: 053 Function Name: NtCreateThread
Status: Hooked by “” at address 0x823ca9c0

#: 063 Function Name: NtDeleteKey
Status: Hooked by “” at address 0x8237cd10

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f4a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f414c

#: 119 Function Name: NtOpenKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f464e

#: 122 Function Name: NtOpenProcess
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f408c

#: 128 Function Name: NtOpenThread
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f40f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f476e

#: 180 Function Name: NtQueueApcThread
Status: Hooked by “” at address 0x823ca768

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by “” at address 0x823ca600

#: 192 Function Name: NtRenameKey
Status: Hooked by “” at address 0x8238a0a8

#: 204 Function Name: NtRestoreKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f472e

#: 213 Function Name: NtSetContextThread
Status: Hooked by “” at address 0x823ca858

#: 226 Function Name: NtSetInformationKey
Status: Hooked by “” at address 0x8236f0a8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by “” at address 0x823caab0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by “” at address 0x823ca8d0

#: 247 Function Name: NtSetValueKey
Status: Hooked by “C:\WINDOWS\System32\Drivers\aswSP.SYS” at address 0xaa1f48ae

#: 253 Function Name: NtSuspendProcess
Status: Hooked by “” at address 0x823caa38

#: 254 Function Name: NtSuspendThread
Status: Hooked by “” at address 0x823ca7e0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by “C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys” at address 0xaa30ddf0

#: 258 Function Name: NtTerminateThread
Status: Hooked by “” at address 0x823ca948

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by “” at address 0x823ca678

Stealth Objects

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x81eb2150 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x81eba580 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x81ec08c0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x81ec9cf8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x81e35020 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81e5edf8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81e69b58 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x81e6a160 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x81e8bae0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x81e8ec60 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81e95dc0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x81c8a0a8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81ea06f0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81f2b2f8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81f39f18 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81f4d968 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81fc47b8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81f9cb78 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x81fb1898 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x81f73498 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x81f738b0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x81f93618 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x823500d0 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82351b48 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82004458 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x81f00020 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x81eb80a8 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x81cfb840 Size: -
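Added example, not part of the thread: a Python parser for the RootRepeal report above (excerpted, with the smart quotes normalised to ASCII) that groups the SSDT hooks by the module RootRepeal attributed them to, singles out the hooks whose owner string is empty, checks whether each such address falls inside any driver image the report lists, and counts the hidden IRP handlers per driver. The split between attributed and unattributed hooks is simply what the report records; the parser is a reading aid for logs of this shape, not a verdict on the machine in the thread, and the regexes and field names are this example's own.

```python
"""Parser for RootRepeal report text.

Added example for the thread above, not RootRepeal's own code. The embedded
report is an excerpt of the log posted in the thread, smart quotes
normalised; the attribution checks are this example's own.
"""
import re

ROOTREPEAL_EXCERPT = r"""
ROOTREPEAL (c) AD, 2007-2008
Scan Time: 2009/05/19 12:56
Windows Version: Windows XP SP2

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA1B1000 Size: 98304 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA149000 Size: 45056 File Visible: No
Status: -

SSDT

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x823ca6f0

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa1f46b8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaa30ddf0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x823ca678

Stealth Objects

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x81eb2150 Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81f39f18 Size: -
"""

# One record per driver / hook / stealth object; quotes may be straight or curly.
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: (?P<path>.*)\n"
    r"Address: 0x(?P<addr>[0-9A-Fa-f]+) Size: (?P<size>\d+) File Visible: (?P<visible>\w+)")
SSDT_RE = re.compile(
    r'#: (?P<index>\d+) Function Name: (?P<func>\w+)\n'
    r'Status: Hooked by ["“](?P<owner>[^"”]*)["”] at address 0x(?P<addr>[0-9A-Fa-f]+)')
STEALTH_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>\w+), (?P<irp>IRP_MJ_\w+)\]\n"
    r"Process: (?P<proc>\S+) Address: 0x(?P<addr>[0-9A-Fa-f]+)")


def parse_rootrepeal(text):
    """Return {'drivers': [...], 'hooks': [...], 'stealth': [...]} from report text."""
    drivers = [dict(name=m["name"], path=m["path"], start=int(m["addr"], 16),
                    size=int(m["size"]), visible=m["visible"] == "Yes")
               for m in DRIVER_RE.finditer(text)]
    hooks = [dict(index=int(m["index"]), func=m["func"], owner=m["owner"],
                  addr=int(m["addr"], 16)) for m in SSDT_RE.finditer(text)]
    stealth = [dict(driver=m["driver"], irp=m["irp"], proc=m["proc"],
                    addr=int(m["addr"], 16)) for m in STEALTH_RE.finditer(text)]
    return {"drivers": drivers, "hooks": hooks, "stealth": stealth}


def owning_driver(addr, drivers):
    """Name of the listed driver whose image range contains addr, else None."""
    for d in drivers:
        if d["start"] <= addr < d["start"] + d["size"]:
            return d["name"]
    return None


def hooks_by_owner(report):
    """Group hooked function names by owner module; '' collects unattributed hooks."""
    groups = {}
    for h in report["hooks"]:
        groups.setdefault(h["owner"], []).append(h["func"])
    return groups


def unattributed_hooks(report):
    """Hooks with an empty owner, each tagged with the listed driver (if any)
    whose image contains the hook address, so they can be hunted by hand."""
    return [{**h, "in_listed_driver": owning_driver(h["addr"], report["drivers"])}
            for h in report["hooks"] if h["owner"] == ""]


def stealth_summary(report):
    """Count of hidden-code IRP handlers per driver."""
    counts = {}
    for s in report["stealth"]:
        counts[s["driver"]] = counts.get(s["driver"], 0) + 1
    return counts


if __name__ == "__main__":
    rep = parse_rootrepeal(ROOTREPEAL_EXCERPT)
    for owner, funcs in hooks_by_owner(rep).items():
        print(f"{owner or '<unattributed>'}: {', '.join(funcs)}")
    for h in unattributed_hooks(rep):
        print(f"  {h['func']} @ 0x{h['addr']:08x} in listed driver: {h['in_listed_driver']}")
    print("hidden IRP handlers:", stealth_summary(rep))
```

On the full log from the thread the same code yields three owner groups (aswSP.SYS, SASKUTIL.sys and the empty string) and 28 hidden Tcpip IRP handlers; the unattributed hooks all sit in the 0x8235xxxx to 0x823cxxxx range and none of them falls inside a driver image the report lists, which is the fact a practitioner would want in front of them before deciding what to do next.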

That looks fine. Are your scans with MBAM and SAS now showing all clear? Can you post another HJT log?

OK, here you go. One more HijackThis log attached.

Thanks,
arobtek

The HJT log looks clean. If all your scans are showing no infections, then things look ok. The entry you fixed, O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\DEFAUL~1\protect.dll,_IWMPEvents@16 (User 'Default user'):
I would boot in safe mode, locate and delete protect.dll; although it's no longer active, it may still be on the pc.
Is your pc running ok ?

I really haven't done anything on it except the things you have told me to do. It no longer has the 'fake' desktop wallpaper and no popups are appearing. I will do the things you suggested and check it out further before returning it to my friend.

I appreciate so much all of your help.

Arobtek