WiredWX Christian Hobby Weather Tools

RootKit?

Hi all!

Having a problem with this machine I'm working on.

Trend Micro, Malwarebytes and ComboFix all stall out during their respective scans. After TM failed, I disabled it before trying the other scans, in normal and safe boot and after rkill. I did finally get GMER to run, and got the attached output. Any help would be greatly appreciated!

Re: RootKit?

Hi.

Please do not attach logs. Go ahead and copy and paste please. Smile...

Launch GMER and in the right panel, untick all except the following:
  • Processes
  • Sections
  • Show All
Then click the scan button & show me the log it produces.

Re: RootKit?

Thanks for the quick reply. Sorry for attaching the log; I thought that was the protocol. Here's the output from GMER in safe mode with the settings you requested.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 15:00:46
Windows 5.1.2600 Service Pack 3
Running: c1xl9snt.exe; Driver: C:\DOCUME~1\JEFFFR~1.000\LOCALS~1\Temp\pxtoapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KiDispatchInterrupt + 2C0 804DCB22 18 Bytes [E0, 25, 7F, FF, FF, FF, 0F, ...]
.text ntoskrnl.exe!KiDispatchInterrupt + 2D8 804DCB3A 1 Byte [00]
.text ntoskrnl.exe!KiDeliverApc + C9C 804DDA9D 1 Byte [06]
.text ntoskrnl.exe!RtlPrefetchMemoryNonTemporal 804E5511 1 Byte [90]

---- User code sections - GMER 1.0.15 ----

UPX1 C:\Documents and Settings\JEFF FRY.D59KLFC1.000\Desktop\c1xl9snt.exe[964] C:\Documents and Settings\JEFF FRY.D59KLFC1.000\Desktop\c1xl9snt.exe entry point in "UPX1" section [0x004B3F40]

---- Processes - GMER 1.0.15 ----

Process System Idle 0
Process System 4
Process C:\WINDOWS\System32\smss.exe (Windows NT Session Manager/Microsoft Corporation) 184
Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 232
Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 256
Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 300
Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 312
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 464
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 508
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 580
Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 852
Process C:\Documents and Settings\JEFF FRY.D59KLFC1.000\Desktop\c1xl9snt.exe 964

---- EOF - GMER 1.0.15 ----


I'm still trying to decide if this is truly malware or a hardware problem. The machine gets the BSOD booting from the install CD or Recovery console. I've also flashed the BIOS.

*** A little background****

This machine (without my knowledge) was run off of a portable generator last summer when the plant was without power, and it really hosed it. It took out the power supply, hard drive and a stick of RAM. I was able to salvage the system from the old HD (the company has no idea what a backup is) and get the system up and going. It still took quite a bit of tinkering to get the system patched back together, but it has been working for the last year.

Last edited by Golfer on 25th April 2010, 8:17 pm; edited 1 time in total
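
The log above is easier to reason about when read mechanically than by eye. As an added example (not part of the original post and not GMER's own code), the Python below parses the "Kernel code sections" and "Processes" blocks of a GMER 1.0.15 log, with the excerpt from the post embedded as its sample input. The detour-shape rules in classify() are my own 32-bit x86 heuristics and an assumption, not GMER's logic; GMER prints only the current bytes, never the originals, so on its own this cannot say whether the four ntoskrnl modifications are a deliberate patch or corruption.

```python
"""Parse the "Kernel code sections" and "Processes" blocks of a GMER 1.0.15 log.
Added example for this thread: not GMER's code and not the poster's.
SAMPLE_LOG is the excerpt posted above; the hook-classification rules are
my own 32-bit x86 heuristics (an assumption, not GMER's logic)."""
import re
from dataclasses import dataclass

KERNEL_LINE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<module>\S+?)!(?P<symbol>\w+)"
    r"(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<count>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]"
)
# Image path, optional "(description/company)" from version info, then PID.
# The description may itself contain parentheses (see lsass.exe in the log);
# an image path containing " (" would confuse this pattern.
PROCESS_LINE = re.compile(r"^Process\s+(?P<image>.+?)(?:\s+\((?P<desc>.*)\))?\s+(?P<pid>\d+)$")
RUNNING_LINE = re.compile(r"^Running:\s+(?P<exe>\S+);")


@dataclass
class KernelPatch:
    module: str
    symbol: str
    offset: int      # offset from the symbol; 0 when GMER printed none
    address: int
    count: int       # how many bytes GMER says differ from the on-disk image
    shown: list      # the bytes GMER printed ("..." means it cut the list short)
    truncated: bool
    verdict: str


@dataclass
class Process:
    image: str
    desc: str        # version-info text GMER printed, "" when it had none
    pid: int


def classify(count, shown):
    """Heuristic verdict for a modified kernel code region (32-bit x86 assumption).
    Only detour shapes are recognised; everything else needs manual comparison."""
    if count >= 5 and shown and shown[0] in (0xE9, 0xE8):
        return "rel32 JMP/CALL detour (classic inline hook)"
    if count >= 6 and len(shown) >= 2 and shown[0] == 0xFF and shown[1] in (0x25, 0x15):
        return "absolute JMP/CALL [mem] detour (inline hook)"
    if count == 1:
        return "single byte changed: not a detour, inspect manually"
    return "unclassified modification"


def parse_gmer_log(text):
    patches, procs, scanner = [], [], None
    for line in text.splitlines():
        r = RUNNING_LINE.match(line)
        if r:
            scanner = r["exe"]       # GMER's randomly named copy of itself
            continue
        k = KERNEL_LINE.match(line)
        if k:
            toks = [t.strip() for t in k["bytes"].split(",")]
            shown = [int(t, 16) for t in toks if t != "..."]
            count = int(k["count"])
            patches.append(KernelPatch(
                k["module"], k["symbol"], int(k["offset"] or "0", 16),
                int(k["addr"], 16), count, shown, "..." in toks,
                classify(count, shown)))
            continue
        p = PROCESS_LINE.match(line)
        if p:
            procs.append(Process(p["image"], p["desc"] or "", int(p["pid"])))
    return patches, procs, scanner


def unlabelled_processes(procs, scanner=None):
    """Processes GMER printed without version info, minus the kernel
    pseudo-processes (PID 0 and 4) and the scanner's own executable."""
    out = []
    for p in procs:
        if p.pid in (0, 4) or p.desc:
            continue
        if scanner and p.image.lower().endswith(scanner.lower()):
            continue
        out.append(p)
    return out


# Excerpt of the log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""Running: c1xl9snt.exe; Driver: C:\DOCUME~1\JEFFFR~1.000\LOCALS~1\Temp\pxtoapoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KiDispatchInterrupt + 2C0 804DCB22 18 Bytes [E0, 25, 7F, FF, FF, FF, 0F, ...]
.text ntoskrnl.exe!KiDispatchInterrupt + 2D8 804DCB3A 1 Byte [00]
.text ntoskrnl.exe!KiDeliverApc + C9C 804DDA9D 1 Byte [06]
.text ntoskrnl.exe!RtlPrefetchMemoryNonTemporal 804E5511 1 Byte [90]

---- Processes - GMER 1.0.15 ----

Process System Idle 0
Process System 4
Process C:\WINDOWS\System32\smss.exe (Windows NT Session Manager/Microsoft Corporation) 184
Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 312
Process C:\Documents and Settings\JEFF FRY.D59KLFC1.000\Desktop\c1xl9snt.exe 964
"""

if __name__ == "__main__":
    patches, procs, scanner = parse_gmer_log(SAMPLE_LOG)
    for p in patches:
        print(f"{p.address:08X} {p.symbol}+{p.offset:X} {p.count} byte(s): {p.verdict}")
    for p in unlabelled_processes(procs, scanner):
        print("no version info:", p.image, p.pid)
```

None of the four entries starts with E9/E8 or FF 25/FF 15, and three of them are single bytes, so the script reports them as unclassified rather than as hooks. In that situation the next step is to compare the bytes at those addresses against a clean ntoskrnl.exe of the same build (5.1.2600 SP3) before concluding either rootkit or corruption.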

Re: RootKit?

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Re: RootKit?

Would be happy to, but ComboFix stalls out after Stage 50. I let it sit there for a couple of hours and finally restarted the machine (I've done this 3-4 times). Malwarebytes does the same thing at 70% of the scan.

Re: RootKit?

Go to Start → Run → paste in the single line command & click OK

%systemdrive%\ComboFix\Combobatch.bat

Let me know if that does anything. Smile...

Re: RootKit?

Well, that didn't go as planned.

I ran the command and briefly the autorun window popped up stating something about "couldn't find file" that started with a "w", and then the window disappeared before I could get more. I let it sit for 20 minutes or so with nothing happening and it froze again. Restarted and a big no-go: "could not start because the following file is missing or corrupt: \Windows\system32\config\system".

I've had enough of this machine for today, I'll start anew in the morning and let you know if I have any progress.

Re: RootKit?

Got the machine booted again. The file in question had gotten moved to the root level of the HD, once I put it back in the config folder the machine booted, although still with the original problems.

Re: RootKit?

Try to run ComboFix once more.

Re: RootKit?

I did try rerunning the ComboFix Run command; the window pops up and disappears so quickly you barely notice it. Running it from the desktop still results in a stall after Stage 50.

Re: RootKit?

Please download Dr.Web CureIt and save it to your Desktop. Do NOT perform a scan yet.

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right) and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Re: RootKit?

DragonMaster Jay,

Wanted to thank you for all your help, and let you know what was actually wrong. I got busy and this machine got pushed back for a week or so. Restarting with a different approach was the eventual solution. As a last gasp, since the machine wouldn't complete any scans (from any program: virus, HD check, etc.) or boot to the recovery console, BIOS flash utility or Windows install disc, I tried installing the latest Ubuntu on it. And much to my surprise it installed and ran. It did report some hard drive errors and the SMART status failed (and it suffered total failure a couple of hours later). Getting over that hurdle was the first step; next came fixing the CD/floppy boot problem. Disabling AHCI and going with compatibility mode was the fix. I'm not sure I understand why, as AHCI is set as default when the machine shipped from the factory. Guess this is what you get when you have a Mac guy work on a Windows PC. Smile...

Again, thanks for your time/help.

Golfer
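
The post above ends with the finding that mattered: the Ubuntu install reported a failed SMART status, and the drive died a couple of hours later. That check is cheap to run first on any machine where every scanner stalls at the same point. As an added example (not part of the post, and not smartmontools' or the forum's code), the Python below parses the output of `smartctl -H -A` and reports the indicators a practitioner looks at. Both samples are constructed in the layout smartctl prints; the figures are invented, since the post gives no numbers.

```python
"""Triage a drive from `smartctl -H -A` output before blaming malware.
Added example for this thread, not smartmontools' or the forum's code.
The two samples are constructed in the layout smartctl prints; the
figures are invented (the post only says "SMART status failed")."""
import re

# S.M.A.R.T. attributes whose raw count should be 0 on a healthy drive.
MEDIA_ATTRS = {
    5: "Reallocated_Sector_Ct",
    187: "Reported_Uncorrect",
    196: "Reallocated_Event_Count",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
}
HEALTH = re.compile(r"SMART overall-health self-assessment test result:\s*(\S+)")
# ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
ATTR = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]{4}\s+(?P<value>\d+)\s+"
    r"(?P<worst>\d+)\s+(?P<thresh>\d+)\s+\S+\s+\S+\s+(?P<when>\S+)\s+(?P<raw>\d+)"
)


def parse_smartctl(text):
    """Return {'health': 'PASSED' | 'FAILED' | None, 'attrs': {id: {...}}}."""
    report = {"health": None, "attrs": {}}
    for line in text.splitlines():
        h = HEALTH.search(line)
        if h:
            report["health"] = h.group(1).rstrip("!")
            continue
        m = ATTR.match(line)
        if m:
            report["attrs"][int(m["id"])] = {
                "name": m["name"], "value": int(m["value"]),
                "worst": int(m["worst"]), "thresh": int(m["thresh"]),
                "when_failed": m["when"],  # "-" unless the firmware tripped it
                "raw": int(m["raw"]),      # first token only; temperature has trailing text
            }
    return report


def assess(report):
    """Findings as strings; an empty list means nothing here points at the media."""
    findings = []
    if report["health"] == "FAILED":
        findings.append("overall health: FAILED")
    for aid, a in sorted(report["attrs"].items()):
        if a["when_failed"] != "-":
            findings.append(f"{aid} {a['name']}: {a['when_failed']} "
                            f"(value {a['value']}, worst {a['worst']}, thresh {a['thresh']})")
        if aid in MEDIA_ATTRS and a["raw"] > 0:
            findings.append(f"{aid} {a['name']}: raw {a['raw']}")
    return findings


def drive_looks_failing(report):
    return bool(assess(report))


# Constructed samples in smartctl's layout; numbers are invented.
FAILING_SAMPLE = """\
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: FAILED!

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       9
  5 Reallocated_Sector_Ct   0x0033   036   036   036    Pre-fail  Always   FAILING_NOW 1672
  9 Power_On_Hours          0x0032   090   090   000    Old_age   Always       -       8344
194 Temperature_Celsius     0x0022   041   053   000    Old_age   Always       -       41 (Min/Max 19/53)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       12
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       12
"""
HEALTHY_SAMPLE = """\
SMART overall-health self-assessment test result: PASSED
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

if __name__ == "__main__":
    for label, sample in (("failing", FAILING_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        rep = parse_smartctl(sample)
        print(label, "->", "replace the drive" if drive_looks_failing(rep) else "no media findings")
        for f in assess(rep):
            print("  ", f)
```

On the Ubuntu session described in the post, `sudo smartctl -H -A /dev/sda` (smartmontools package) produces the real input; pipe its output into parse_smartctl. The raw counters are checked separately from the overall verdict because reallocated and pending sectors climb well before the firmware flips the health result to FAILED, so PASSED alone is weak evidence that the disk is fine.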

Re: RootKit?

ok
