Need help with Hacktool.Rootkit and Infostealer
#1
smithm55
Greetings -- I have worked with this site once before to resolve a tricky issue -- I appreciate everything you all do!

My uncle's laptop has been infected with what Norton AV is reporting as "Hacktool.Rootkit" and "Infostealer". I've gotten the machine as clean as I can with a combination of MS Antispyware, NAV 2003, Ad-Aware, and Spybot S&D, all with current definitions. The machine is running Win XP Home, and has all the updates from MS Update. I've also already run ATF-Cleaner.

When I reboot, the firewall gets shut down and the Security Center Service gets disabled.

Hacktool.Rootkit gets detected by NAV, linked to c:\windows\hide_evr2.sys. The file gets deleted, but of course finds its way back. Infostealer gets detected, linked to us_biz_plusik[1].exe. Same deal -- gets deleted, comes back. The same time that Infostealer gets detected, an .exe with a 7-random-digit filename also tries to run, but blows up.

I've downloaded and run RootkitRevealer, but I'm still learning how to interpret the results. If the output from that would be helpful, I'll be glad to supply it.

I'll attach my HJT log below. If there's anything you can do to help me resolve this issue, it will be much appreciated!

Thanks so much,

Matt Smith

===== HJT log follows =====

Logfile of HijackThis v1.99.1
Scan saved at 7:47:54 PM, on 10/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Temp\WENGINE\wmonitor.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Byron\HijackThisx.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.embarq.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Temp\elnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Temp\Toolbar\EScamBlk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Temp\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Temp\Toolbar\ElnkPuB.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Temp\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Temp\Toolbar\ProtctIE.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Temp\Toolbar\uninsttb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Temp\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Temp\TaskPanl.exe" -winstart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Temp\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160709677294
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BPDF - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BPDF.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Temp\WENGINE\wmonitor.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NSKRM - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NSKRM.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
#2
smithm55
** UPDATE **

After my initial posting, my RootkitRevealer scan finished, with some files listed at the bottom of the results as follows:

C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\0TY7GXQZ\cmd[2].txt 10/14/2006 8:27 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\0TY7GXQZ\options[3] 10/14/2006 8:16 PM 13.26 KB Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\IJK3M5OP\options[3] 10/14/2006 8:21 PM 13.26 KB Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\IJK3M5OP\options[4] 10/14/2006 8:26 PM 13.26 KB Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\IJK3M5OP\us_biz_plusik[1].exe 10/14/2006 8:09 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\O56RSPMR\cmd[4].txt 10/14/2006 8:18 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\O56RSPMR\options[2] 10/14/2006 8:11 PM 13.26 KB Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\O56RSPMR\us_biz_plusik[1].exe 10/14/2006 8:27 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\XKDWY81U\options[5] 10/14/2006 8:31 PM 13.26 KB Hidden from Windows API.
C:\WINDOWS\2757525.exe 10/14/2006 8:18 PM 21.06 KB Hidden from Windows API.
C:\WINDOWS\3261569.exe 10/14/2006 8:27 PM 21.06 KB Hidden from Windows API.
C:\WINDOWS\3765834.exe 10/14/2006 8:35 PM 21.06 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\9129837.exe 10/14/2006 7:35 PM 23.97 KB Hidden from Windows API.
C:\WINDOWS\hide_evr2.sys 10/14/2006 7:36 PM 5.25 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\2757525.EXE-0E11F588.pf 10/14/2006 8:18 PM 12.89 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\3261569.EXE-388F8729.pf 10/14/2006 8:27 PM 12.25 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\3765834.EXE-2897563E.pf 10/14/2006 8:35 PM 12.75 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\DESKUP.EXE-012890CD.pf 10/14/2006 8:32 PM 39.07 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\IOMUPDATEICONS.EXE-174650CD.pf 10/14/2006 8:31 PM 13.91 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E8D4657.pf 10/14/2006 8:30 PM 12.17 KB Hidden from Windows API.


I've deleted all those files, plus everything else in any folders under ...\Temporary Internet Files\Content.IE5. After a reboot things seem pretty stable at this point. If there's more anyone still believes I should do, please don't hesitate to speak up!

Thanks,

Matt
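As an added example (not from the thread, and not part of RootkitRevealer itself), a small Python triage script for output in the layout posted above: it parses each line into path, timestamp, size and discrepancy, separates the "Hidden from Windows API" entries from MFT/directory-index mismatches (which are frequently files created or deleted while the scan was running), flags the seven-digit executables under C:\WINDOWS, and uses the Prefetch entries as evidence of which of those binaries actually ran. The sample lines are constructed to mirror the post.

```python
import re

# Constructed sample in RootkitRevealer's text layout:
# <path> <date> <time> <size> <discrepancy>. Names mirror the post above.
SAMPLE = r"""
C:\WINDOWS\2757525.exe 10/14/2006 8:18 PM 21.06 KB Hidden from Windows API.
C:\WINDOWS\3765834.exe 10/14/2006 8:35 PM 21.06 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\hide_evr2.sys 10/14/2006 7:36 PM 5.25 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\2757525.EXE-0E11F588.pf 10/14/2006 8:18 PM 12.89 KB Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\O56RSPMR\cmd[4].txt 10/14/2006 8:18 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\Byron\Local Settings\Temporary Internet Files\Content.IE5\IJK3M5OP\us_biz_plusik[1].exe 10/14/2006 8:09 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
"""

# Path is matched lazily up to the first " M/D/YYYY" token, so paths with spaces work.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$")

# Seven-digit executables dropped straight into C:\WINDOWS (the pattern from the post).
RANDOM_EXE = re.compile(r"^C:\\WINDOWS\\\d{7}\.exe$", re.I)


def parse(text):
    """Return one dict per well-formed RootkitRevealer line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def executed_names(entries):
    """Prefetch files are named <BINARY>-<hash>.pf; their presence shows the binary ran."""
    names = set()
    for e in entries:
        base = e["path"].rsplit("\\", 1)[-1]
        if base.lower().endswith(".pf") and "-" in base:
            names.add(base.rsplit("-", 1)[0].lower())
    return names


def triage(entries):
    """Group discrepancies by what they most plausibly mean (heuristic, not a verdict)."""
    report = {"hidden_from_api": [], "likely_transient": [], "random_named_exes": []}
    ran = executed_names(entries)
    for e in entries:
        path = e["path"]
        if e["desc"].startswith("Hidden from Windows API"):
            report["hidden_from_api"].append(path)       # classic rootkit-style hiding
        else:
            report["likely_transient"].append(path)      # MFT/index mismatch: often created or deleted mid-scan
        if RANDOM_EXE.match(path):
            base = path.rsplit("\\", 1)[-1].lower()
            report["random_named_exes"].append((path, base in ran))  # (path, seen in Prefetch?)
    return report
```

Entries with Prefetch evidence are the ones worth submitting to the AV vendor, since they executed rather than merely being dropped.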