Rootkit Problem :S

Hi.

 

It seems I have a rootkit problem like many others recently which is preventing Norton 360 from scanning and is also hijacking my browser at times. I did a GMER scan and it brought up a positive result unfortunately (as in a Rootkit found) and I have attached my log below for help.

 

Out of interest how would I have been infected by this? I haven't had any type of infection for five or six years now since I began using Norton products.

 

Thanks in advance.

 

 

Just an update as I can't seem to edit my original post.

 

I did a Malware-Bytes scan and got the results on the first attachment below that contained two pieces of malware, before restarting my computer to complete the removal. This seemingly did nothing however as when I rebooted the PC the two pieces of malware remained. I then did a GMER scan again to confirm this. These GMER scans are scans with all the boxes ticked for your information.

Hi TMDaines

 

Your problem with the geyekrxaevbvtm.dll is a bit different from the basic Tidserv rootkit variants that are common these days and needs to be addressed as such.

 

On first sight I would say that your problem originates from the C:\Users\Tom\Desktop\n7c3x76k.exe file. Is this a file you know of? If it is visible and you do not know of it I would suggest that you upload it to www.virustotal.com for a scan.

 

Before doing anything else I would like you to download and run Silent Runners. This is a script that will create a logfile in the same directory as the script. Save it on the desktop and run it, click yes on the question to skip supplementary search and wait for about a minute until the "All Done" box appears. Post the log here.


jAW

Hi TMdaines:

 

Could you also provide a bit more info on your operating system, and service pack. Also 64 bit or 32 bit. Your GMER is shortened, we don't have registry entries or files.

 

Could you try to run GMER in safe mode with those two boxes checked to see if we can get a few more files for Quads to work with?

He will be along later in the day to assist you due to time zone differences.

 

You could also try Rootrepeal 

 

http://homepages.slingshot.co.nz/~crutches/RootRepel/ 

 

jAW wrote:

Hi TMDaines

 

Your problem with the geyekrxaevbvtm.dll is a bit different from the basic Tidserv rootkit variants that are common these days and needs to be addressed as such.

 

On first sight I would say that your problem originates from the C:\Users\Tom\Desktop\n7c3x76k.exe file. Is this a file you know of? If it is visible and you do not know of it I would suggest that you upload it to www.virustotal.com for a scan.

 

Before doing anything else I would like you to download and run Silent Runners. This is a script that will create a logfile in the same directory as the script. Save it on the desktop and run it, click yes on the question to skip supplementary search and wait for about a minute until the "All Done" box appears. Post the log here.


jAW


n7c3x76k.exe is a copy of GMER.exe :S.

 

I'll go download a copy of Silent Runners anyway.

 


delphinium wrote:

Hi TMdaines:

 

Could you also provide a bit more info on your operating system, and service pack. Also 64 bit or 32 bit. Your GMER is shortened, we don't have registry entries or files.

 

Could you try to run GMER in safe mode with those two boxes checked to see if we can get a few more files for Quads to work with?

He will be along later in the day to assist you due to time zone differences.

 

You could also try Rootrepeal 

 

http://homepages.slingshot.co.nz/~crutches/RootRepel/ 


My OS is Windows Vista 32-bit and is completely up-to-date with the latest service packs and all.

 

As I said that was a GMER log in safe mode with all the boxes checked, but I'll go back and attempt it with just registry entries and files.

 

I'll take a look at Rootrepeal also.

Message Edited by TMDaines on 07-14-2009 09:50 AM
Message Edited by TMDaines on 07-14-2009 09:51 AM

TMDaines wrote:

 

n7c3x76k.exe is a copy of GMER.exe :S.

 


Well, then I guess that one is clean. :)

 

SR log will still be good to check for any malicious startup entries (SR does not detect rootkits).

 

 

geyekrxaevbvtm.dll is now giving me major problems when booting in safe mode.

 

WerFault.exe - Bad Image

"globalroot\systemroot\system32\geyekrxaevbvtm.dll is either not designed to run on Windows or it contains an error...."

 

I get spammed with that around 10-15 times upon loading the desktop. It also occurs when opening Firefox or IE.

Message Edited by TMDaines on 07-14-2009 10:22 AM

Hi TMdaines:

 

Some rootkits are able to interfere with the GMER log as well as the Rootrepeal log.  Sometimes we require both in order to ensure that the scripting is correct for your machine.  Quads is the only member on the forum qualified to safely remediate these kinds of problems.  He will be along later to check.

OK. I've run the Silent Runners script but had three different copies of GMER crash when attempting to scan with them, followed by a bluescreen on the fourth. I'll try again.

Message Edited by TMDaines on 07-14-2009 10:44 AM

If you still have problems running the tools we can create a log manually.

 

Are you using the F8 method to get into safeboot now? If not this is how you do it.

 

1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.

 

2. Select Enable Boot Logging when the Windows Advanced Options menu appears, and then press ENTER.

 

This will create a logfile called Ntbtlog.txt in C:\Windows

Post that log here.

Message Edited by jAW on 07-14-2009 10:49 AM
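To show what a reader can do with the Ntbtlog.txt that the boot-logging steps above produce, here is a small triage script. It is an added example, not part of the thread or any tool mentioned in it; the log content, the baseline list and the six-character prefix heuristic (the DLL and driver names quoted in this thread share the "geyekr" prefix) are all constructed assumptions.

```python
"""Parse a Windows boot log (Ntbtlog.txt) and triage the drivers it lists."""
import re
from collections import defaultdict

# Constructed sample of the lines Vista writes to C:\Windows\Ntbtlog.txt after
# "Enable Boot Logging"; the geyekr* name mirrors the one quoted in the thread.
SAMPLE_NTBTLOG = """\
Microsoft (R) Windows (R) Version 6.0 (Build 6002)
 7 14 2009 10:49:12.375
Loaded driver \\SystemRoot\\system32\\ntoskrnl.exe
Loaded driver \\SystemRoot\\system32\\drivers\\atapi.sys
Loaded driver \\SystemRoot\\system32\\drivers\\geyekrerbtrckm.sys
Did not load driver \\SystemRoot\\System32\\Drivers\\NDProxy.SYS
Loaded driver \\SystemRoot\\System32\\Drivers\\Null.SYS
"""

# Constructed known-good baseline (on a real machine: a boot log from a clean
# install of the same Windows build, compared file name by file name).
BASELINE = {"ntoskrnl.exe", "atapi.sys", "null.sys", "ndproxy.sys"}

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_ntbtlog(text):
    """Return {'loaded': [paths], 'not_loaded': [paths]} from boot-log text."""
    result = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = "loaded" if m.group(1) == "Loaded driver" else "not_loaded"
            result[key].append(m.group(2))
    return dict(result)


def suspicious_drivers(driver_paths, hint_dll, baseline):
    """Flag drivers whose file name shares the first six characters with the
    DLL named in the 'Bad Image' error, or that are absent from the baseline."""
    prefix = hint_dll.lower()[:6]
    flagged = []
    for path in driver_paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.startswith(prefix) or name not in baseline:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    parsed = parse_ntbtlog(SAMPLE_NTBTLOG)
    print(suspicious_drivers(parsed["loaded"], "geyekrxaevbvtm.dll", BASELINE))
```

On a real system read the file with `encoding="utf-16"`, since Windows writes Ntbtlog.txt as UTF-16.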

Rootrepeal: "Could not load driver (0xc0000035)!" It therefore crashes on initializing. Any workaround?


jAW wrote:

If you still have problems running the tools we can create a log manually.

 

Are you using the F8 method to get into safeboot now? If not this is how you do it.

 

1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.

 

2. Select Enable Boot Logging when the Windows Advanced Options menu appears, and then press ENTER.

 

This will create a logfile called Ntbtlog.txt in C:\Windows

Post that log here.

Message Edited by jAW on 07-14-2009 10:49 AM

When I do that I only get a menu that allows me to choose which device to boot from i.e. either hard drive or floppy or cd/dvd drive.

OK. My log/scan status now is:

 

Silent Runners log is attached below

GMER with all boxes ticked crashes whichever copy I use

GMER with only registry and files ticked finds nothing

Rootrepeal crashes on initializing as it cannot find a driver

Note: All of these were attempted in Safe Mode with Networking. Is that the correct boot?

 

Attached below is the Silent Runners log.

 

 

Hi TMdaines:

 

Please do nothing more for the time being and wait for Quads for any further instructions.  He is a malware specialist and has undoubtedly dealt with this variant before.  I will let him know that scans are not proceeding. 

 

Are you running a Toshiba by any chance?

 

Also, I'm seeing group policy entries.  Were you running the scans as administrator?

 

 


TMDaines wrote:

 

When I do that I only get a menu that allows me to choose which device to boot from i.e. either hard drive or floppy or cd/dvd drive.


Choose hard drive and start tapping the F8 key right away again and you should get the menu.

 

As for running the tools in Safe Mode you can actually do it in basic Safe Mode, no network needed. The less that can interfere the better.

I've got the ntbtlog.txt now. It is attached below.


 

 Are you running a Toshiba by any chance?

 

Also, I’m seeing group policy entries.  Were you running the scans as administrator?

 


No, it's a custom built PC I built myself in Jan 2008. I can confirm the scans were run as an administrator.

 

 

Desktop PC is now turned off and I’ll wait for further instructions from you before I do anything else.

What you have is a variant of the tidserv and not that different as I first said. It should be as easy to remove as the other versions.

 

The driver file is the \systemroot\system32\drivers\geyekrerbtrckm.sys and with a little luck the driver is called geyekr.sys. This will show when you get the tools to work.

 

However, I have worked a lot with these things but not on this forum and am not "known" here, so I suggest that you wait for one of the guys that are, as that seems to be the recommendation (understandable). I do believe that there will be no problem cleaning your PC though.

 

Good luck

jAW

Thank you, I'll wait for Quads to assist me.

 

But I also have a couple of questions I could do with having answered regarding this whole matter:

 

1) Where did this "infection" likely come from? The only thing I remember seeing is Norton 360 giving me an alert in the bottom right-hand corner of the screen before saying it has detected a Trojan Horse, after which it would no longer scan. I have been doing a fair bit of torrenting lately but of course I have only been using trusted torrents that many users have had zero problems with before so I doubt it was from them. My instinct says it came through my browser (FF 3.5) as I recall being unusually bombarded with ads upon opening a page shortly before this began. This is the first real infection I have had in years as I'm a sensible user online. Norton currently doesn't support FF 3.5 so would this be a logical assumption to make?

 

2) How did this "infection" bypass Norton? Is it a new piece of malware or is Norton simply incapable of detecting and protecting against malware of this type?

 

3) Presumably just using Norton 360 isn't enough. What other pieces of anti-malware would you recommend that would give me a reasonable increase in the level of protection over that which I have now? Malwarebytes Anti-Malware is suggested repeatedly here. Anything else that would be considered a must-have?

 

TMdaines:

 

I believe the patch is available now for FF 3.5.  There may still be an upcoming patch for IPS.  I find Noscript very satisfactory for blocking unwanted material that may show up in web pages.

 

The more popular the site, like Facebook, and download sites, and torrents are where the malware will be inserted. There is no profit for them in choosing unpopular sites. The malware is specifically written to bypass antivirus engines, in compressed files or script. It's hard to keep up with it.

 

While Norton is constantly being updated with new definitions, the malware is as well.  In one of Quads' rootkit repairs he was able to recover the disallowed list for that particular rootkit.  It included Malwarebytes, Superantispyware, and variations on those names.  So they also use a similar approach to stop us from removing them.

 

It is only in the last couple of weeks that we have seen MBAM even take out rootkit files, but possibly not the whole thing.

Hi

 

Think I have worked out the driver name.

 

I will slowly piece the script together

 

Quads