MSIVX rootkit - another one!

I've read about a few people having this problem, so I've already got the logs here as asked for in the other questions; I'm just not sure what to do next.

RootRepeal report:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:   2009/06/23 17:23
Program Version:  Version 1.2.3.0
Windows Version:  Windows Vista SP1
==================================================

Drivers
-------------------
Name: (
Image Path: (
Address: 0x8B655000 Size: 90112 File Visible: No
Status: Hidden from Windows API!

Name: 3&33fd14ca&0&28
Image Path: REV_03\3&33fd14ca&0&28
Address: 0x8B60D000 Size: 294912 File Visible: No
Status: Hidden from Windows API!

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8BF4D000 Size: 32768 File Visible: No
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8BF42000 Size: 45056 File Visible: No
Status: -

Name: MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys
Image Path: C:\Windows\system32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys
Address: 0x8AAF2000 Size: 188416 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA7425000 Size: 45056 File Visible: No
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: luafv.sys]
Process: svchost.exe (PID: 1196) Address: 0x00de0000 Size: 106496

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1196) Address: 0x01ae0000 Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1196) Address: 0x01ff0000 Size: 323584

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1196) Address: 0x71ad0000 Size: 8192

Object: Hidden Module [Name: wuaueng.dll]
Process: svchost.exe (PID: 1196) Address: 0x6e960000 Size: 1814528

Object: Hidden Module [Name: adtschema.dll]
Process: svchost.exe (PID: 1196) Address: 0x6c430000 Size: 606208

Object: Hidden Module [Name: ci.dll]
Process: svchost.exe (PID: 1196) Address: 0x32f10000 Size: 913408

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 1196) Address: 0x71f20000 Size: 1589248

Object: Hidden Module [Name: dps.dll]
Process: svchost.exe (PID: 1196) Address: 0x72c80000 Size: 139264

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1196) Address: 0x73dd0000 Size: 163840

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1196) Address: 0x75200000 Size: 258048

Object: Hidden Code [ETHREAD: 0x83853668]
Process: System Address: 0x86e69128 Size: -

Object: Hidden Code [ETHREAD: 0x8389c580]
Process: System Address: 0x8389c774 Size: -

Object: Hidden Code [ETHREAD: 0x8389c2d8]
Process: System Address: 0x8389c4cc Size: -

Object: Hidden Code [ETHREAD: 0x8389d020]
Process: System Address: 0x8389d214 Size: -

Object: Hidden Code [ETHREAD: 0x8389dd78]
Process: System Address: 0xa4a12c80 Size: -

Object: Hidden Code [ETHREAD: 0x8389dad0]
Process: System Address: 0x8d8634d0 Size: -

Object: Hidden Code [ETHREAD: 0x8389d580]
Process: System Address: 0x8389d774 Size: -

Object: Hidden Code [ETHREAD: 0x858aa840]
Process: System Address: 0x8d880b68 Size: -

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\Windows\system32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys

GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-23 17:25:13
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code            857A4138                                                                                 ZwEnumerateKey
Code            855AA3A0                                                                                 ZwFlushInstructionCache
Code            8583A315                                                                                 IofCallDriver
Code            852803BE                                                                                 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Ip                                                                   SYMTDI.SYS
AttachedDevice  \Driver\tdx \Device\Tcp                                                                  SYMTDI.SYS
AttachedDevice  \Driver\tdx \Device\Udp                                                                  SYMTDI.SYS
AttachedDevice  \Driver\tdx \Device\RawIp                                                                SYMTDI.SYS

---- Services - GMER 1.0.15 ----

Service         C:\Windows\system32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys (*** hidden *** )  [SYSTEM] MSIVXserv.sys    <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:24 PM, on 23/06/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\VIRGIN BROADBAND\VIRGIN BROADBAND.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA550CD-ADF1-4DF1-B391-7E2FBC87A64F}: NameServer = 123.200.191.17 123.200.191.18
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

--
End of file - 5005 bytes

Also, when trying to open Internet Explorer, I get a message about MSIVXmheihxdumqerxpxxwitkslempgbdtqqs.dll

I'm not sure if this is related to the msivx.....sys that shows up in the scans.

Help with what to do next will be much appreciated!

Message Edited by jaxsta on 06-23-2009 12:44 AM

Is that all of the GMER log?? No FILES listed

Quads

Sorry, I wasn't sure if I should have run a full scan when it asked. Am running it now.
It seems to be very long; should I still copy and paste it or just attach it?

It was a very long log file, so I couldn't paste it here:

http://pastebin.ca/1470974 

Hi Jaxsta:

Quads will be along later.  We have time zone issues.  I checked the pastebin url on Norton Safe Web.  It came back with a clean bill of health.  We have to be very careful with links off the forum.  Logs can be posted here in segments.

Thanks for having a look.

I'm not really sure what I'm looking for, but there does seem to be a lot of lines with MSIVX in them. Is this normal?

It’s only normal when you have the rootkit.  Don’t try to fix anything.  Quads will tell you what to do.

Now (read carefully): if you have Spybot S&D, uninstall it.

1. Download Avenger to your desktop.

Unzipped version: http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website: http://swandog46.geekstogo.com/avenger2/avenger2.html, with the zipped version to unzip to the desktop.

2. Click to run "Avenger.exe" (right-click and choose "Run as Administrator" if using Vista).

3. In the "Input script here:" box, copy and paste the script between the lines:

Drivers to disable:
MSIVXserv.sys

Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\Windows\System32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys
C:\Windows\System32\MSIVXcount
C:\Windows\System32\MSIVXmheihxdumqerxpxxwitkslempgbdtqqs.dll
C:\Windows\System32\MSIVXomejftkivbdnwxibopvebrunciupuxdm.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX

Here is a screenshot (script updated since shot):

Avenger.jpg

Make sure "Automatically disable any rootkits found" is NOT selected.

4. Click "Execute".

You will be asked to restart the PC; click "Yes". When the PC restarts, the load screen will take slightly longer; then, when it looks as though Windows is loading, the PC will restart again.

Then, when Windows fully loads, the Avenger log will be loaded, showing the files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes.

Quads
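As an added illustration (not the thread's or Quads' own tooling), here is a small Python script that reads the RootRepeal and GMER output shown earlier in the thread, flags the drivers RootRepeal reports as hidden from the Windows API, and checks that both scanners agree on the same hidden service and image path before anyone writes a removal script from them. The embedded log excerpts are constructed from the reports posted above.

```python
import re
# Constructed excerpts of the RootRepeal and GMER reports posted in this thread.
ROOTREPEAL_LOG = r"""Drivers
-------------------
Name: MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys
Image Path: C:\Windows\system32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Status: -

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\Windows\system32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys
"""
GMER_LOG = r"""---- Services - GMER 1.0.15 ----
Service         C:\Windows\system32\drivers\MSIVXrtpwcsfiwcsifustuxrqpomqjckeqbvs.sys (*** hidden *** )  [SYSTEM] MSIVXserv.sys    <-- ROOTKIT !!!
"""
# GMER writes a hidden service as: Service <image path> (*** hidden *** ) [<start>] <name>
GMER_HIDDEN = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
def parse_rootrepeal(text):
    """Return (drivers RootRepeal marks hidden from the Windows API, 'Hidden Services' entries)."""
    sections, current = {"_preamble": [{}]}, "_preamble"  # section name -> list of records
    for line in text.splitlines():
        if line.startswith("---"):
            continue
        if line.strip() and ":" not in line:  # a section header such as "Drivers"
            current = line.strip()
            sections[current] = [{}]
        elif not line.strip():  # a blank line closes the current "Key: value" record
            if sections[current][-1]:
                sections[current].append({})
        else:
            key, _, value = line.partition(":")
            sections[current][-1][key.strip()] = value.strip()
    drivers = [r for r in sections.get("Drivers", []) if r]
    hidden = [r for r in drivers if "hidden" in r.get("Status", "").lower()]
    services = [r for r in sections.get("Hidden Services", []) if r]
    return hidden, services

def parse_gmer_hidden_services(text):
    return [m.groupdict() for m in map(GMER_HIDDEN.match, text.splitlines()) if m]

def triage(rootrepeal_text, gmer_text):
    """Corroborate each hidden service against RootRepeal's hidden drivers and GMER's hidden services."""
    hidden_drivers, hidden_services = parse_rootrepeal(rootrepeal_text)
    driver_paths = {d["Image Path"].lower() for d in hidden_drivers}
    gmer_paths = {g["path"].lower() for g in parse_gmer_hidden_services(gmer_text)}
    return [{"service": s["Service Name"], "path": s["Image Path"],
             "hidden_driver": s["Image Path"].lower() in driver_paths,
             "gmer_agrees": s["Image Path"].lower() in gmer_paths}
            for s in hidden_services]
```

Running `triage(ROOTREPEAL_LOG, GMER_LOG)` yields one finding for MSIVXserv.sys with both corroboration flags set; a finding with `gmer_agrees` false would mean the two scanners disagree and the entry deserves a second look before it goes into any script.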

Hi Quads,

Sorry for jumping in, only because of a short question.

You wrote:

"Now (read carefully) If you have Spybot S&D uninstall it."

Why is it needed to uninstall Spybot in this case?

Does it block any removal process?

Your answer will most probably remove some of my question marks.

Hi Kurt:

Spybot S&D has prevented rootkits from being removed on other threads. We post a request to remove it at the beginning of the scripting now.

It's to do with Spybot's TeaTimer, so it's easier to just say uninstall it.

The script above is for that person only, as it is for their individual files.

Quads

Hi delphinium,

Thanks for your rapid answer.

I've had a feeling of this earlier, but haven't had a good enough answer on it.

This clarifies a lot of unexpected behaviors in the past.

Very good to know!

Thanks again!

Hi Quads,

The behaviors I've mentioned weren't easily related to any part of any security software installed on my system.

I'll test this the next time a removal takes place again!

Thanks for your answer!

Hi Kurt:

If Quads' work has solved your problem, it might be useful for others if you push the green button, which is in all posts, in the one which provided the solution. Only the original poster gets to choose.

Kurt didn't start the thread.

Quads

It gets very confusing when we don’t get them split early.

Hi Quads,

Sorry it has taken a while for me to get back on here.

I ran the script in Avenger exactly as you said, and Windows restarted into a system repair utility. This took a while to reboot, but once it did I restarted the computer again.

Avenger never came back up, and my downloaded Norton install files, along with the extracted GMER and RootRepeal run files, had gone.

I tried to download them again, but can save no .exe files, even if I change the name to something random.

I tried to extract the zipped GMER folder, and again it would not save the extracted .exe file.

The mbam program was still installed, so I'll paste the log below.

I'm going to download the other files to a USB from another computer today and will try and run them when I get home and let you know how I go.

mbam log:

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 6.0.6001 Service Pack 1

26/06/2009 7:19:54 AM
mbam-log-2009-06-26 (07-19-38).txt

Scan type: Quick Scan
Objects scanned: 44746
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\windows service (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ok, do you have something like a Toshiba, where because of the double restart the manufacturer's software kicks in because it thinks Windows didn't load properly?

Another forum user had similar, but when he went into the startup utility, he just told it to start normally instead of going through the utility.

This is the post about the startup utility after the Avenger log:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=57837&query.id=1276302#M57837

Quads

Message Edited by Quads on 06-26-2009 09:44 AM

Thanks Quads,

I ran Avenger again, watched the reboot and told Windows to start normally, rebooted it again, and now all is good.

I really appreciate your help!

Hi Quads, I've marked this thread as solved, as the virus has been removed. Yay!
However, I now have no sound. The normal volume button is visible in the task bar, but there is an additional volume button with a cross on it. When I click on it, it says that the windows volume control applet is not running, would I like to turn it on? I say yes but still nothing happens. I've checked the device manager and all seems well in there.

Also, i'm no longer able to save or run any downloaded .exe files. I tried to download adobe reader version 9, and once the download was complete, the file was nowhere to be found. I also tried clicking on run instead of save and nothing happened after the download was complete. I can however run the .exe file if I download it from another computer and run it from a flash drive.

I've tried using the windows fixing tool to no avail.

I seem to think there may be a problem with windows. It's not a big deal if I can't fix it, as I can live without sound and I can download from my brother's computer. And i'm also looking to upgrade to windows 7 when it comes out in October.

Interesting!