Topic: Hacktool.Rootkit Strikes Back

wissamyoussif

    Topic Starter


    Beginner

    Hacktool.Rootkit Strikes Back
    « on: December 29, 2007, 01:07:09 AM »
    Hi all,
    I have this machine hit by a hacktool.rootkit: I have an always-up-to-date Norton Antivirus 2006 that pops up a "Virus Alert" saying that the virus "was automatically deleted" whenever I try to open a partition (C: or D:, etc.). Whenever I run a full system scan it says no threats are in the computer, but it keeps behaving weird: a "Can't run 16-bit Windows program" message pops up when the OS loads, Hidden Files and Folders cannot be shown (yes, I checked the Show box), a partition opens in a different window from the My Computer one, and it runs really slow. I've googled a lot of blogs to solve the problem and learned that the first thing to do is to turn off System Restore. What should I do then? Attached is the HijackThis report.
    P.S. The machine is not, and not likely to be, connected to the internet.
    Thanks.

    [saving space - attachment deleted by admin]

    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: Hacktool.Rootkit Strikes Back
    « Reply #1 on: December 29, 2007, 09:52:40 AM »
    1. Print this post out, since you won't have access to it at some point.

    2. Close all windows, except for HijackThis.

    3. Put a checkmark next to the following HijackThis entries:

    - F3 - REG:win.ini: load= D:TCWIN45PIPELINEremind.exe D:TCWIN45PIPELINE\remind.exe

    - O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe

    4. Click on "Fix checked" button.

    5. Restart your computer in Safe Mode (keep tapping the F8 key when your computer starts).

    6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

    7. Delete following files/folders (if present):

    - amvo.exe from D:\WINDOWS\system32

    8. Turn off System Restore:

    - Windows XP:
       1. Click Start.
       2. Right-click the My Computer icon, and then click Properties.
       3. Click the System Restore tab.
       4. Check "Turn off System Restore".
       5. Click Apply.
       6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
       7. Click OK.
    - Windows Vista:
       1. Click Start.
       2. Right-click the Computer icon, and then click Properties.
       3. Click on System Protection under the Tasks column on the left side
       4. Click on Continue on the "User Account Control" window that pops up
       5. Under the System Protection tab, find Available Disks
       6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
       7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
       8. Click OK

    9. Restart in Normal Mode.

    10. Turn System Restore on.

    11. Run HijackThis again, and post its log back here.

    wissamyoussif

      Re: Hacktool.Rootkit Strikes Back
      « Reply #2 on: December 30, 2007, 11:42:30 PM »
      Thanks, Broni, for your prompt response. Done it all (except for deleting amvo.exe, which I didn't find), but the symptoms are still the same (except for the "Can't run 16-bit Windows program" popup, which is gone). What next? Here is the other HijackThis report.

      [saving space - attachment deleted by admin]

      Broni
      Re: Hacktool.Rootkit Strikes Back
      « Reply #3 on: December 31, 2007, 09:43:41 AM »
      Print this out.

      Go Start>Run, type in:
      regedit
      Click OK.
      Registry Editor will open.
      Go File>Export, and save your registry to a known location.

      Navigate to:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Right click on:
      "amva" = amvo.exe
      Click Delete

      Navigate to:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      Right click on:
      "Hidden"
      Click Modify
      Enter 01 in Value data field.
      Click OK.
      Right click on:
      "ShowSuperHidden"
      Click Modify
      Enter 01 in Value data field.
      Click OK.

      Navigate to:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
      Right click on:
      "CheckedValue"
      Click Modify
      Enter 01 in Value data field.
      Click OK.
         
      Close the Windows Registry Editor.

      Restart your computer in Safe Mode (keep tapping the F8 key when your computer starts).

      Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

      Delete following files/folders (if present):

      - amvo.exe from D:\WINDOWS\system32

      Turn off System Restore:

      - Windows XP:
         1. Click Start.
         2. Right-click the My Computer icon, and then click Properties.
         3. Click the System Restore tab.
         4. Check "Turn off System Restore".
         5. Click Apply.
         6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
         7. Click OK.

      Restart in Normal Mode.

      Turn System Restore on.

      Run HijackThis again, and post its log back here.
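The post above exports the registry and then hand-edits one Run entry and three hidden-file settings. As an added example (not Broni's or the forum's code), here is a small audit of such a regedit export: it parses the .reg text, lists every Run autostart for review, and flags any of the three settings that is not 1. The sample export is constructed from the values the thread describes; a real export saved by regedit is UTF-16, so open it with encoding="utf-16" before passing the text in. Re-running it after a reboot shows whether the values stay put or revert, as the original poster later reports they did while the infection was active.

```python
import re

# Constructed sample of a regedit File>Export, cut down to the keys the post
# walks through, with the values the thread describes on the infected PC.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"amva"="D:\\WINDOWS\\system32\\amvo.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
ADVANCED = r"\software\microsoft\windows\currentversion\explorer\advanced"
# (key suffix, value name, value that makes Explorer show hidden files)
HIDDEN_FILE_SETTINGS = [
    (ADVANCED, "hidden", 1),
    (ADVANCED, "showsuperhidden", 1),
    (ADVANCED + r"\folder\hidden\showall", "checkedvalue", 1),
]

def parse_reg_export(text):
    """Parse .reg text into {key path (lower-case): {value name (lower-case): value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            keys[current][name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = raw  # hex(...) binary data etc. kept as written
    return keys

def audit(keys):
    """List every Run autostart for review and each hidden-file setting that is wrong."""
    findings = []
    for key, values in keys.items():
        if key.endswith(RUN_KEY):
            findings += [("autostart", key, n, v) for n, v in values.items()]
        for suffix, name, expected in HIDDEN_FILE_SETTINGS:
            if key.endswith(suffix) and values.get(name, expected) != expected:
                findings.append(("hidden-files-off", key, name, values[name]))
    return findings
```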

      wissamyoussif

        Re: Hacktool.Rootkit Strikes Back
        « Reply #4 on: January 03, 2008, 01:16:13 AM »
        Hi Broni, and thanks again. Done what you've said this time also (and I still didn't find amvo.exe), but, again, with the same symptoms. Here is the 3rd HijackThis report.
        P.S. The really bad news is that my other machine, a laptop, has been hit by the same virus.

        [file cleanup - saving space - attachment deleted by admin]

        patio

        • Moderator


        • Genius
        • Maud' Dib
        • Thanked: 1769
          • Yes
        • Experience: Beginner
        • OS: Windows 7
        Re: Hacktool.Rootkit Strikes Back
        « Reply #5 on: January 03, 2008, 02:06:45 PM »
        Because it is a different machine you will have to start from the beginning with the first set of instructions...
        Don't despair...these guys will get you home safely.
        " Anyone who goes to a psychiatrist should have his head examined. "

        Broni
        Re: Hacktool.Rootkit Strikes Back
        « Reply #6 on: January 03, 2008, 03:00:06 PM »
        amvo.exe is still there...

        Download Combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) to your desktop.
        Physically disconnect from the internet.
        Now STOP all your monitoring programs (Firewall, Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
        Double click combofix.exe, and follow the prompts.
        A window will open with a warning. Type "1" (and Enter) to start the fix.
        When the scan completes it will open a text window.
        Please attach that log back here together with a fresh HJT log.
        Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

        Combofix will automatically save the log file to C:\combofix.txt
        Attach its log.

        Post new HJT log.

        wissamyoussif

          Re: Hacktool.Rootkit Strikes Back
          « Reply #7 on: January 06, 2008, 04:31:10 AM »
          Hi Broni, and all, and thanks for your interest and help. I have run ComboFix on both my machines, and we have some progress: partitions open properly now and my pc feels less frustrating. However, I still get the message that my Norton Antivirus "has detected and removed a virus: D:\windows\system32\wincab.sys" every startup, another "amvo.exe- Application Error" message, and every now and then some NAV "All Detected Risks Have Been Resolved" messages, and my (Show Hidden Files and Folders) problem. My laptop, on the other hand, is completely fine now (hit by the same virus, done same steps as the other pc we're talking about).
          Attached are the ComboFix and HJT reports for both my pc and laptop.
          P.S. Sorry for being late in replying, I'd have to go to a cafe to get in contact with you.


          [file cleanup - saving space - attachment deleted by admin]

          Broni
          Re: Hacktool.Rootkit Strikes Back
          « Reply #8 on: January 06, 2008, 10:44:14 AM »
          Normally, I'd complain about dealing with two computers at the same time, but in this case, it may be helpful.
          Your laptop HJT log is clean. One question, though:
          - E:\Programs\That One.exe
          What is your E drive, and do you know what "That One" is?

          As for your desktop...
          When you went through steps from my post #3:
          Quote
          Delete following files/folders (if present):

          - amvo.exe from D:\WINDOWS\system32
          did you actually see that file, and delete it?
          If no, I have a question about this:
          - O23 - Service: Hide Files and Folders (HideFilesAndFolders_S) - Unknown owner - D:\WINDOWS\system32\hffsrv.exe
          Is this a program you installed?
          Reading about it, it says that it works at the Windows kernel level, and it may interfere with our cleaning process. Amva may be using it to hide itself.

          CBMatt

          • Mod & Malware Specialist


          • Prodigy

          • Sad and lonely...and loving every minute of it.
          • Thanked: 167
            • Yes
          • Experience: Experienced
          • OS: Windows 7
          Re: Hacktool.Rootkit Strikes Back
          « Reply #9 on: January 06, 2008, 02:21:57 PM »
          Quote
          Your laptop HJT log is clean. One question, though:
          - E:\Programs\That One.exe
          What is your E drive, and do you know what "That One" is?
          Based on the location of That One.exe in the log, I would say it's most likely HijackThis with a different filename. Same goes for that program.exe on the desktop.

          I'm more concerned with these files from the desktop computer...
          D:\WINDOWS\system32\amvo0.dll
          C:\n1deiect.com
          D:\n1deiect.com
          E:\n1deiect.com
          D:\WINDOWS\system32\fooool.exe
          And of course:  D:\WINDOWS\system32\amvo.exe

          These bad boys definitely need to be removed.  These files (except for fooool.exe) also appear to be on the laptop and need to be promptly removed.
          « Last Edit: January 06, 2008, 02:39:07 PM by CBMatt »
          Quote
          An undefined problem has an infinite number of solutions.
          —Robert A. Humphrey

          Broni
          Re: Hacktool.Rootkit Strikes Back
          « Reply #10 on: January 06, 2008, 02:54:58 PM »
          Quote
          These bad boys definitely need to be removed.
          This is what we've been trying to do.
          For some reason, amvo is not present in laptop's HJT log anymore, but it's still present on desktop.

          wissamyoussif

            Re: Hacktool.Rootkit Strikes Back
            « Reply #11 on: January 06, 2008, 11:21:02 PM »
            Hi all, now it's getting serious! Thank you all for your help and support.
            Hide Files and Folders is a program I installed long ago to (hide files and folders?) and with no problem whatsoever. However, if you say it's good to remove it now, I'll do so.
            Not only did I not remove D:\WINDOWS\system32\amvo.exe, I also haven't seen it yet, as I said in my posts.
            Yes, (That One) and (That Program) are code names for HijackThis: I've glimpsed on some blog sites that rootkits hide themselves from HJT once they sense it's there, so it's better to rename it.
            And E: is a partition on my local HDD.
            I hope I'm always clearly stating my problem; I'd be glad to answer any other unclear thing. What should I do now?

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Hacktool.Rootkit Strikes Back
            « Reply #12 on: January 06, 2008, 11:39:46 PM »
            I have not looked at the Desktop logs yet but the Laptop has an Autorun worm infection.

            If you are using a flash drive on both computers then it is likely you are cross infecting yourself each time you plug in the USB drive.

            Try running sUBs' Flash Disinfector on both computers, as it will target a lot of autorun infections and create a hidden folder named autorun.inf on each partition and on any USB drive you plug in. These dummy autorun.inf files will help protect your PC from reinfection, because if the infected flash drive is then inserted, autorun looks for autorun.inf, which would normally run the worm, but it's then prevented by the dummy autorun.inf that is in place. If you have any USB drives, please insert them when prompted while running the tool.

            Download Flash_Disinfector.exe by sUBs and save it to your desktop:
            • Double-click Flash_Disinfector.exe to run it.
            • Follow any prompts that may appear.
            • Wait until the program has finished scanning, then please exit the program.
              • The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
            • Please restart your computer.
            Post a new Combofix log from both computers after the Flash Disinfector is finished.
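The post above explains the trick behind Flash Disinfector: a folder occupying the autorun.inf name keeps a worm from dropping its own file there. As an added example (not sUBs' tool or the forum's code), this portable Python version first triages whatever sits at a drive root (nothing, a dummy folder, or a real autorun.inf, whose launch commands it extracts), and only plants the folder when the name is free; it does not set the hidden attribute, which Flash Disinfector does. The sample autorun.inf is constructed, using the n1deiect.com file name CBMatt listed, and demo() stands in two temporary directories for a clean and an infected drive.

```python
import configparser
import os
import tempfile

# Constructed autorun.inf modelled on the worm in this thread (n1deiect.com is
# the file name CBMatt listed); these are the keys Windows autorun honours.
SAMPLE_AUTORUN_INF = """[autorun]
open=n1deiect.com
shellexecute=n1deiect.com
shell\\open\\command=n1deiect.com
"""

def autorun_launch_targets(text):
    """Return every command an autorun.inf would ask Windows to run."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    # Windows matches the section name case-insensitively; configparser does not
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in parser.items(section):   # keys arrive lower-cased
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def triage_autorun_inf(root):
    """Classify what occupies the autorun.inf name at a drive root."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "dummy-folder", []
    with open(path, encoding="latin-1", errors="replace") as fh:
        return "file", autorun_launch_targets(fh.read())

def plant_dummy_autorun(root):
    """Occupy autorun.inf with a folder so a worm cannot drop its own file there."""
    state, _ = triage_autorun_inf(root)
    if state == "dummy-folder":
        return "already-protected"
    if state == "file":
        return "file-present"   # inspect and remove that file first; never overwrite blindly
    os.mkdir(os.path.join(root, "autorun.inf"))
    return "created"

def demo():
    """Two temp dirs stand in for a clean drive and one carrying the worm's autorun.inf."""
    clean, infected = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(infected, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return {"clean_first": plant_dummy_autorun(clean),
            "clean_second": plant_dummy_autorun(clean),
            "infected": plant_dummy_autorun(infected),
            "infected_targets": triage_autorun_inf(infected)[1]}
```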

              Broni
              Re: Hacktool.Rootkit Strikes Back
              « Reply #13 on: January 06, 2008, 11:52:11 PM »
              Quote
              Hide Files and Folders is a program I have installed long ago to (hide files and folders?) and with no problem whatsoever. However, if you say it's good to remove it now, I'll do.
              You don't have to, yet.
              Go Start>Run, type in:
              services.msc
              Click OK.
              Look for:
              Hide Files and Folders service
              Right click on it, click Stop
              Right click again, click Properties, and under Startup type pick Disable from the drop-down menu.

              Restart in Safe Mode, and look again for amvo.exe in D:\WINDOWS\system32

              wissamyoussif

                Re: Hacktool.Rootkit Strikes Back
                « Reply #14 on: January 09, 2008, 12:49:00 AM »
                Hi all, and thank you for "bringing me home safely" at last. I don't know what exactly went (right) this time, and I'm sorry I didn't jot them down, but here is a sketch of what happened:
                NAV prompted that it's about time to "check for virus definitions update" (happens every 3 weeks or so), so I downloaded and ran the update of Jan. 6th, 2008. Then suddenly I got several "virus found and deleted" messages, this time not with the name hacktool.rootkit but another name (sorry, too excited to write it down then); it could be something like (data getter) or (info grabber), in every partition on my laptop (then on the PC, which did the same there), and I also glimpsed an "n1deiect.com". Then I had the heart to do it all over from scratch: removed Hide Files and Folders (before getting your last post, Broni), modified the registry (before then, every value used to return to its original 2 or 0 after I edited it to 01, but not anymore), restarted in Safe Mode, checked Show Hidden Files and Folders and looked for amvo.exe (didn't find it this time either, but found and deleted amvo0.dll instead), stopped System Restore and restarted to see my hidden files and folders for the first time.
                I think everything is doing fine after all (or is it?). If you say so, and for public use, I'll post HJT reports in a day or two.
                You're right, evilfantasy; but do I still need the dummy autorun.inf on my thumb drive? Its look freaks me out.