Computer Juice > Computer Software > Virus, Spyware & Security
  #11  
Old 26th Jun 2009, 13:53
New Member Group
 
OK, I still can't get into Normal Mode (hence no admin privileges), but I ran ComboFix anyway, and when it scanned, instead of anything that was meant to happen in the instructions, it told me to make a note of these files:

'C:\Windows\system32\drivers\SKYNETihqierfr.sys'
'C:\Windows\system32\drivers\msqpdxpkjrfbfi.sys'
'C:\Windows\system32\msqpdxwcqbnxmp.dll'

and that the system would need to reboot, and the only option it gave me was Okay, so I clicked it, it rebooted, I tried to log in to Normal Mode, same problem as before, it hung on the Welcome screen, so here I am back in Safe Mode with Networking. But these are the same files that Avast! discovered and seemingly couldn't do anything about...
  #12  
Old 26th Jun 2009, 13:56
Moderator Group
 
Look in C:\Combofix.txt for the log. I need it to know what to do next.

  #13  
Old 26th Jun 2009, 14:02
New Member Group
 
OK, I can't find that file; however, there is a 'File' saved in C:\ called ComboFix, and when I double-click it, it just gives me a list of my drives like on My Computer (e.g. C:\, D:\, etc.), and if I click on them it just takes me straight to that drive (hence clicking on C:\ takes me to the standard Explorer folder of my C: drive)....
  #14  
Old 26th Jun 2009, 14:05
Moderator Group
 
Click the Start button and type in C:\Combofix.txt then press Enter and see if the log comes up.

  #15  
Old 26th Jun 2009, 14:06
New Member Group
 
Yeah, I already did that, and ran a full search of C:, and it didn't find the file.
  #16  
Old 26th Jun 2009, 14:08
Moderator Group
 
Try running ComboFix again please.

  #17  
Old 26th Jun 2009, 14:17
New Member Group
 
Okay, I tried running it again; again I couldn't enable admin access (the UAC prompt didn't come up, I'm presuming this is because I can only log on in Safe Mode), and it followed all the steps up to the scan but was occasionally saying something like 'Admin access required' at each stage, continuing anyway... then it did the scan, and the same prompt came up with the same three files listed and said it needed a reboot. I clicked Okay again, it rebooted, I tried logging in to Normal Mode, it hung on the Welcome screen again... so I had to hard reboot and come back into Safe Mode to post this. At all stages in the ComboFix process I followed the instructions to the letter, and didn't touch the window or the computer at all during the process except to answer the pop-up windows related to ComboFix...
  #18  
Old 26th Jun 2009, 14:24
Moderator Group
 
Download The Avenger by Swandog46

* Unzip/extract it to your desktop.
* Now start The Avenger by double-clicking on its icon on your desktop and click OK to the warning.
* Leave the box for Scan for rootkits checked.
* Then place a check in the box next to Disable any rootkits found.
* Now click on Execute to begin the scan.
* You will be asked 'No script has been entered. Do you want to execute a rootkit scan only?'.
* Click Yes.
* You will now be asked 'First step completed ... The Avenger has been successfully set up to run on next boot. Reboot now?'
* Click Yes.
* Your PC will now be rebooted.
* After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

* Please post the Avenger log in your next reply.

  #19  
Old 26th Jun 2009, 14:43
New Member Group
 
OK, I ran it, it's still hanging on the Welcome screen when I try to log in to Normal Mode, so I'm back in Safe Mode... however, it DID save a .txt file this time which said this:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "awx984md" found!
Could not open driver awx984md for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.
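The log above is small enough to read by eye, but a helper desk triaging many of them wants the findings pulled out mechanically. The following Python parser is an added example, not part of the thread and not code from The Avenger; it works on the log format shown in the post (the sample text is a constructed copy of that log) and reports which hidden drivers the scan found but could not open, since a driver the tool could not even open is one the "Disable any rootkits found" step cannot have acted on.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the Avenger log posted in this thread.
SAMPLE_LOG = """Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows Vista
Rootkit scan active.
Hidden driver "awx984md" found!
Could not open driver awx984md for rootkit scan. Error:c0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Rootkit scan completed.
Completed script processing.
Finished! Terminate.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "([^"]+)" found!')
# Captures the driver name, the NTSTATUS code and its symbolic name.
ERROR_RE = re.compile(r'^Could not open driver (\S+) .*?Error:([0-9a-fA-F]{8}) \((\w+)\)')


@dataclass
class AvengerReport:
    platform: str = ""
    hidden_drivers: list = field(default_factory=list)
    errors: dict = field(default_factory=dict)  # driver name -> (ntstatus hex, symbolic name)
    scan_completed: bool = False


def parse_avenger_log(text: str) -> AvengerReport:
    """Extract the rootkit-scan findings from an Avenger log."""
    report = AvengerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            report.platform = line.split(":", 1)[1].strip()
        elif m := HIDDEN_RE.match(line):
            report.hidden_drivers.append(m.group(1))
        elif m := ERROR_RE.match(line):
            report.errors[m.group(1)] = (m.group(2).lower(), m.group(3))
        elif line == "Rootkit scan completed.":
            report.scan_completed = True
    return report


def needs_follow_up(report: AvengerReport) -> list:
    """Hidden drivers that were reported but could not be opened: still unresolved."""
    return [d for d in report.hidden_drivers if d in report.errors]
```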
  #20  
Old 26th Jun 2009, 15:14
Moderator Group
 
Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

  • Double-click on drweb-cureit.exe and then click Start.
  • An information notice will appear, click OK.
  • This starts a short scan that will scan the files currently running in memory.
  • If you get a prompt to buy the full version, just exit out of the window. The scanner will still work without buying the full version.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.

  • Once the short scan has finished, click Settings > Change Settings.
  • Under the Scanning tab, UNcheck Heuristic analysis and click OK.
  • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done, in the Dr.Web CureIt menu on the top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web CureIt.
  • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.

  • After reboot, right-click the Dr.Web log on the desktop and choose Open With > Notepad.
  • Copy and paste that log in the next reply.
Copyright ©2006 - 2009 Computer Juice.