Malwarebytes

RootRepeal Log - Are these rootkits?

6 replies to this topic

#1
adamevans

Unfortunately, tonight I contracted the CLB Rootkit, which I was able to remove with the help of RootRepeal and MBAM.

However, after getting rid of it, some additional things came up on the Files scan with RootRepeal.

Are any of these rootkits? Two of them look especially suspicious.

And if they are, what do I need to do?

Any help is GREATLY appreciated.

Here's my log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/01 08:31
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\92b9cb1d.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\adam\local settings\temp\etilqs_gzdjbewnj6opgumkqkwp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\adam\application data\mozilla\firefox\profiles\ipcutm5p.default\sessionstore.js
Status: Size mismatch (API: 3782, Raw: 3552)

Path: C:\Documents and Settings\Adam\Local Settings\Apps\2.0\VPX2AQ5G.53C\HJ1NOR9V.YJJ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Adam\Local Settings\Apps\2.0\VPX2AQ5G.53C\HJ1NOR9V.YJJ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

#2
miekiemoes

Hi,

Nothing to worry about for the ones listed, except for this one:

Quote

Path: C:\WINDOWS\system32\drivers\92b9cb1d.sys
Status: Locked to the Windows API!

This can be malware or can be legit.
To find out, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research

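As an added example (not code from this thread or from RootRepeal), a small Python triage script over the RootRepeal file listing posted above, applying the same reasoning as this reply: a locked hibernation file, a temp file or a Firefox sessionstore showing an API/raw size mismatch is expected while the file is in use, whereas a locked driver with a random-looking name under system32\drivers deserves a closer look. The classification rules and the VOLATILE_MARKERS list are constructed heuristics, not RootRepeal's own logic.

```python
# Added example (not RootRepeal's code): heuristic triage of RootRepeal 'Hidden/Locked Files' output.
import re

# Sample input: the four entries from the RootRepeal log posted in this thread.
SAMPLE_LOG = r"""Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\92b9cb1d.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\adam\local settings\temp\etilqs_gzdjbewnj6opgumkqkwp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\adam\application data\mozilla\firefox\profiles\ipcutm5p.default\sessionstore.js
Status: Size mismatch (API: 3782, Raw: 3552)
"""

# Places where a lock or an API/raw size mismatch is expected: the OS or an
# application is writing the file while RootRepeal reads the disk directly (constructed list).
VOLATILE_MARKERS = ("\\local settings\\temp\\", "sessionstore.js", "\\apps\\2.0\\")
SYSTEM_LOCKED = {"hiberfil.sys", "pagefile.sys"}

def parse_log(text):
    """Return [{'path': ..., 'status': ...}] from RootRepeal's Path:/Status: pairs."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("Path: "):
            current = {"path": line[6:].strip()}
        elif line.startswith("Status: ") and current:
            current["status"] = line[8:].strip()
            entries.append(current)
            current = {}
    return entries

def triage(entry):
    """Return (verdict, reason); verdict is 'benign', 'suspicious' or 'review'."""
    path, status = entry["path"].lower(), entry["status"].lower()
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_LOCKED:
        return "benign", "Windows keeps this system file locked"
    if "\\system32\\drivers\\" in path and re.fullmatch(r"[0-9a-f]{8}\.sys", name):
        return "suspicious", "locked driver with a random-looking 8-hex-digit name"
    if any(marker in path for marker in VOLATILE_MARKERS):
        return "benign", "file is in active use by the OS or an application"
    sizes = re.search(r"api: (\d+), raw: (\d+)", status)
    if sizes and sizes.group(1) != sizes.group(2):
        return "review", "size mismatch outside the known volatile locations"
    return "review", "locked file not covered by any rule"

def triage_log(text):
    return [(e["path"], *triage(e)) for e in parse_log(text)]

for path, verdict, reason in triage_log(SAMPLE_LOG):
    print(f"{verdict:10} {path}  ({reason})")
```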

#3
adamevans

Thank you, mieke. Here is the ComboFix log as requested.

ComboFix 09-07-01.01 - Adam 07/01/2009 17:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT -5:00]
Running from: c:\documents and settings\Adam\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Adam\nah_log.dat
c:\program files\sys
c:\windows\system32\drivers\92b9cb1d.sys
c:\windows\system32\SKYNETtowqbuws.dat
c:\windows\system32\SKYNETulracirx.dat
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sys
-------\Legacy_sysdrv
-------\Service_92b9cb1d
-------\Service_SKYNETillnsvpx


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-07-01 22:38 . 2008-04-14 09:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-01 22:38 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-01 12:51 . 2009-07-01 12:51 0 ----a-w- c:\documents and settings\Adam\settings.dat
2009-07-01 12:33 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 12:33 . 2009-07-01 12:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 12:33 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 08:11 . 2009-06-26 08:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-24 01:21 . 2009-06-24 01:21 -------- d-----w- c:\program files\PS3 Media Server
2009-06-24 01:02 . 2007-12-24 18:47 7680 ----a-w- c:\windows\system32\ff_vfw.dll
2009-06-24 01:02 . 2007-11-29 17:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-06-24 01:02 . 2009-06-24 01:02 -------- d-----w- c:\program files\ffdshow
2009-06-24 01:01 . 2009-06-24 01:02 -------- d-----w- c:\program files\TVersity Codec Pack
2009-06-24 00:35 . 2009-06-24 00:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\DivX
2009-06-23 23:35 . 2009-06-23 23:35 -------- d-----w- c:\program files\Haali
2009-06-22 04:45 . 2009-06-22 04:45 -------- d-----w- c:\program files\Linksys
2009-06-22 04:33 . 2009-06-22 04:33 -------- d-----w- c:\program files\WebEx
2009-06-19 23:32 . 2009-06-19 23:32 -------- d-----w- c:\windows\system32\Adobe
2009-06-19 03:51 . 2009-06-19 03:51 -------- d-----w- c:\windows\system32\LogFiles
2009-06-17 20:45 . 2009-06-17 20:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-16 22:15 . 2009-06-16 22:15 -------- d-----w- c:\program files\TVersity
2009-06-11 04:41 . 2009-06-11 04:41 -------- d-sh--w- c:\documents and settings\Adam\PrivacIE
2009-06-10 17:06 . 2009-06-10 17:06 -------- d-sh--w- c:\documents and settings\Adam\IETldCache
2009-06-10 04:40 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 04:40 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 04:39 . 2009-06-10 04:39 -------- d-----w- c:\windows\ie8updates
2009-06-10 04:39 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-10 04:36 . 2009-06-10 04:38 -------- dc-h--w- c:\windows\ie8
2009-06-10 04:31 . 2009-06-28 01:01 152576 ----a-w- c:\documents and settings\Adam\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 12:33 . 2008-12-02 06:15 -------- d-----w- c:\documents and settings\Adam\Application Data\Malwarebytes
2009-07-01 12:33 . 2008-12-02 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-01 06:20 . 2008-11-25 04:23 -------- d-----w- c:\program files\Paint Shop Pro 6
2009-07-01 04:02 . 2008-10-20 20:02 -------- d-----w- c:\documents and settings\Adam\Application Data\CoreFTP
2009-06-30 21:47 . 2009-02-02 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-29 03:59 . 2008-10-21 23:15 -------- d-----w- c:\documents and settings\Adam\Application Data\uTorrent
2009-06-28 01:01 . 2009-01-26 02:35 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-22 21:13 . 2008-09-03 12:29 43784 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-19 23:43 . 2008-10-16 01:58 -------- d-----w- c:\program files\Google
2009-06-13 02:44 . 2008-10-16 00:37 -------- d-----w- c:\program files\World of Warcraft
2009-06-10 04:33 . 2009-01-26 02:34 -------- d-----w- c:\program files\Java
2009-05-23 00:55 . 2009-05-23 00:55 -------- d-----w- c:\documents and settings\All Users\Application Data\94864366
2009-05-17 23:56 . 2009-05-17 23:40 -------- d-----w- c:\documents and settings\Adam\Application Data\LimeWire
2009-05-17 23:41 . 2008-10-23 03:58 -------- d-----w- c:\program files\eMule
2009-05-17 23:39 . 2009-05-17 23:39 -------- d-----w- c:\program files\LimeWire
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-13 03:59 . 2009-05-13 03:59 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-05-13 03:59 . 2009-05-13 03:59 -------- d-----w- c:\program files\TechSmith
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 19:33 . 2009-05-05 19:33 18189072 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup900_2152_us.exe
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-12 794714]
"FunctionKeyCtrl"="c:\program files\Function Key Controller\FKC.exe" [2006-05-25 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-20 8495104]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 569413]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2006-06-29 89541]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-20 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-01-30 16116224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Adam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-11 561213]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
OSCust.lnk - c:\windows\system32\OEM\OSCust.exe [2007-8-17 67072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=

S2 gupdate1c985758c1abc40;Google Update Service (gupdate1c985758c1abc40);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2009 3:33 PM 133104]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [10/21/2008 9:11 PM 21376]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 02:00]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 20:33]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 20:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\ipcutm5p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\ipcutm5p.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(184)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-07-01 17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 22:43
ComboFix2.txt 2009-03-04 05:38

Pre-Run: 40,033,198,080 bytes free
Post-Run: 40,194,191,360 bytes free

198 --- E O F --- 2009-06-13 01:47

#4
miekiemoes

Hi,

This looks OK again.

By the way, after you scanned with RootRepeal and deleted the CLB rootkit, did you scan with Malwarebytes afterwards? Because the files ComboFix found should also be detected by Malwarebytes, though.

Anyway, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#5
adamevans


miekiemoes, on Jul 2 2009, 07:01 AM, said:

By the way, after you scanned with RootRepeal and deleted the CLB rootkit, did you scan with Malwarebytes afterwards? Because the files ComboFix found should also be detected by Malwarebytes, though.

I did, and I noticed that. There were four Skynet files in my system32 folder. For whatever reason, MBAM would only pick up two of them. I ran it twice just to make sure.

And everything seems to be working well. Thanks for the help :D

#6
miekiemoes

Aaah, I see now. Those are .dat files that weren't detected. Those are just traces/leftovers :D

Good to hear everything is OK again.

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7
miekiemoes

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.