Author Topic: Hacktool.Rootkit Strikes Back  (Read 11826 times)

wissamyoussif

    Hacktool.Rootkit Strikes Back
    « on: December 29, 2007, 01:07:09 AM »
    Hi all,
    I have this machine hit by a hacktool.rootkit: I have an always-up-to-date Norton Antivirus 2006 that pops up a "Virus Alert" saying that the virus "was automatically deleted" whenever I try to open a partition (C: or D:, etc.). Whenever I run a full system scan it says no threats are in the computer, but it keeps behaving weirdly: a "Can't run 16-bit Windows program" message pops up when the OS loads, Hidden Files and Folders cannot be shown (yes, I checked the Show box), each partition opens in a different window than the My Computer one, and it runs really slow. I've googled a lot of blogs to solve the problem and learned that the first thing to do is to turn off System Restore. What should I do then? Attached is the Hijack This! report.
    P.S. The machine is not, and not likely to be, connected to the internet
    Thanks.

    [saving space - attachment deleted by admin]

    Broni


    Re: Hacktool.Rootkit Strikes Back
    « Reply #1 on: December 29, 2007, 09:52:40 AM »
    1. Print this post out, since you won't have access to it at some point.

    2. Close all windows, except for HijackThis.

    3. Put a checkmark next to the following HijackThis entries:

    - F3 - REG:win.ini: load=D:\TCWIN45\PIPELINE\remind.exe D:\TCWIN45\PIPELINE\remind.exe

    - O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe

    4. Click on "Fix checked" button.

    5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

    6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

    7. Delete following files/folders (if present):

    - amvo.exe from D:\WINDOWS\system32

    8. Turn off System Restore:

    - Windows XP:
       1. Click Start.
       2. Right-click the My Computer icon, and then click Properties.
       3. Click the System Restore tab.
       4. Check "Turn off System Restore".
       5. Click Apply.   
       6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
       7. Click OK.
    - Windows Vista:
       1. Click Start.
       2. Right-click the Computer icon, and then click Properties.
       3. Click on System Protection under the Tasks column on the left side
       4. Click on Continue on the "User Account Control" window that pops up
       5. Under the System Protection tab, find Available Disks
       6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
       7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
       8. Click OK

    9. Restart in Normal Mode.

    10. Turn System Restore on.

    11. Run HijackThis again, and post its log back here.

    wissamyoussif

      Re: Hacktool.Rootkit Strikes Back
      « Reply #2 on: December 30, 2007, 11:42:30 PM »
      Thanks, Broni, for your prompt response. I've done it all (except for deleting amvo.exe, which I didn't find) but the symptoms are still the same (except for the "Can't run 16-bit Windows program" popup, which is gone). What next? Here is the other HiJack This report.

      [saving space - attachment deleted by admin]

      Broni


      Re: Hacktool.Rootkit Strikes Back
      « Reply #3 on: December 31, 2007, 09:43:41 AM »
      Print this out.

      Go Start>Run, type in:
      regedit
      Click OK.
      Registry Editor will open.
      Go File>Export, and save your registry to known location.

      Navigate to:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Right click on:
      "amva" = amvo.exe
      Click Delete

      Navigate to:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced     
      Right click on:
      "Hidden"
      Click Modify
      Enter 01 in Value data field.
      Click OK.
      Right click on:
      "ShowSuperHidden"
      Click Modify
      Enter 01 in Value data field.
      Click OK.

      Navigate to:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
      Right click on:
      "CheckedValue"
      Click Modify
      Enter 01 in Value data field.
      Click OK.
         
      Close the Windows Registry Editor.

      Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

      Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

      Delete following files/folders (if present):

      - amvo.exe from D:\WINDOWS\system32

      Turn off System Restore:

      - Windows XP:
         1. Click Start.
         2. Right-click the My Computer icon, and then click Properties.
         3. Click the System Restore tab.
         4. Check "Turn off System Restore".
         5. Click Apply.   
         6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
         7. Click OK.

      Restart in Normal Mode.

      Turn System Restore on.

      Run HijackThis again, and post its log back here.
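The two posts above (reply #1 and reply #3) do the same job by hand: remove the Run-key and win.ini autostart entries HijackThis flags, then reset the three registry values that control whether Explorer shows hidden files. The script below is an added example, not code from the thread, from HijackThis or from any tool named here. It audits the autostart locations behind HijackThis's O4 and F3 lines, applies the three regedit changes, and then re-reads them after a pause, which is the check a practitioner wants: a value that flips back means something is still running and undoing the fix. Function names and the 30-second re-check delay are this example's own choices. Run it in an elevated Windows PowerShell prompt.

```powershell
# Added example; not from the thread and not part of HijackThis. Audits the
# autostart locations behind HijackThis's F3 and O4 lines and repairs the three
# "show hidden files" values from the regedit steps above. Function names and
# the re-check delay are this example's own assumptions.

# The three values the regedit steps set. 1 = show. The infection leaves Hidden
# at 2 (do not show) and CheckedValue at 0, which is why the Folder Options
# checkbox appears to do nothing.
$HiddenFilesPolicy = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Expected = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Expected = 1 }
)

function Get-AutostartEntries {
    # O4 lines: Run / RunOnce for the current user and for the machine.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # provider metadata, not registry values
            New-Object PSObject -Property @{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # F3 lines: the registry mapping of win.ini's load= and run=. Windows still
    # honours these, so a file listed here is started at every logon.
    $iniMap = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($name in 'Load', 'Run') {
        $value = (Get-ItemProperty -Path $iniMap -Name $name -ErrorAction SilentlyContinue).$name
        if ($value) {
            New-Object PSObject -Property @{ Location = "$iniMap (win.ini $name=)"; Name = $name; Command = $value }
        }
    }
}

function Get-HiddenFilesPolicy {
    # Current state of the three values, with an Ok flag per value.
    foreach ($v in $HiddenFilesPolicy) {
        $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        New-Object PSObject -Property @{
            Path = $v.Path; Name = $v.Name; Current = $current; Expected = $v.Expected
            Ok   = ($current -eq $v.Expected)
        }
    }
}

function Repair-HiddenFilesPolicy {
    # Set the values, wait, and read them back. A value that has flipped again
    # means a process is still running and undoing the fix (the thread's "every
    # value used to return to its original 2 or 0"). Returns $true if all held.
    param([int]$RecheckAfterSeconds = 30)
    foreach ($v in $HiddenFilesPolicy) {
        if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Expected -Type DWord
    }
    Start-Sleep -Seconds $RecheckAfterSeconds
    $reverted = @(Get-HiddenFilesPolicy | Where-Object { -not $_.Ok })
    foreach ($r in $reverted) {
        Write-Warning ('{0}\{1} reverted to {2}: the infection is still active' -f $r.Path, $r.Name, $r.Current)
    }
    return ($reverted.Count -eq 0)
}

# Usage: list what starts automatically, then fix and watch the hidden-files values.
Get-AutostartEntries | Format-Table Location, Name, Command -AutoSize
Get-HiddenFilesPolicy | Format-Table Name, Current, Expected, Ok -AutoSize
if (Repair-HiddenFilesPolicy) { 'Hidden-files settings held; reopen Explorer to see hidden files.' }
```

Regedit's "01" in the steps above is the hexadecimal DWORD 1, which is what the script writes. Explorer reads the Hidden value when a window is opened, so a held value shows up only after closing and reopening Explorer. An entry in the autostart list whose file you cannot find in Explorer but that still runs (the thread's amvo.exe) is the signature of something hiding the file, and the Safe Mode step above is the way to look for it with fewer drivers loaded.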

      wissamyoussif

        Re: Hacktool.Rootkit Strikes Back
        « Reply #4 on: January 03, 2008, 01:16:13 AM »
        Hi Broni, and thanks again. I've done what you said this time also (and I still didn't find amvo.exe) but, again, with the same symptoms, and here is the 3rd HiJack_This report.
        P.S. the really bad news is that I've got my other machine, a laptop, hit by the same virus.

        [file cleanup - saving space - attachment deleted by admin]

        patio

        Re: Hacktool.Rootkit Strikes Back
        « Reply #5 on: January 03, 2008, 02:06:45 PM »
        Because it is a different machine you will have to start from the beginning with the first set of instructions...
        Don't despair...these guys will get you home safely.

        Broni


        Re: Hacktool.Rootkit Strikes Back
        « Reply #6 on: January 03, 2008, 03:00:06 PM »
        amvo.exe is still there...

        Download Combofix.exe(http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) to your desktop.
        Physically disconnect from the internet.
        Now STOP all your monitoring programs (Firewall, Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
        Double click combofix.exe, and follow the prompts.
        A window will open with a warning. Type "1" (and Enter) to start the fix.
        When the scan completes it will open a text window.
        Please attach that log back here together with a fresh HJT log.
        Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

        Combofix will automatically save the log file to C:\combofix.txt
        Attach its log.

        Post new HJT log.

        wissamyoussif

          Re: Hacktool.Rootkit Strikes Back
          « Reply #7 on: January 06, 2008, 04:31:10 AM »
          Hi Broni, and all, and thanks for your interest and help. I have run ComboFix on both my machines, and we have some progress: partitions open properly now and my PC feels less frustrating. However, I still get the message that my Norton Antivirus "has detected and removed a virus: D:\windows\system32\wincab.sys" at every startup, another "amvo.exe - Application Error" message, every now and then some NAV "All Detected Risks Have Been Resolved" messages, and my Show Hidden Files and Folders problem. My laptop, on the other hand, is completely fine now (hit by the same virus, done the same steps as the other PC we're talking about).
          Attached are the ComboFix and HJT reports for both my PC and laptop.
          P.S. Sorry for being late in replying; I have to go to a cafe to get in contact with you.


          [file cleanup - saving space - attachment deleted by admin]

          Broni


          Re: Hacktool.Rootkit Strikes Back
          « Reply #8 on: January 06, 2008, 10:44:14 AM »
          Normally, I'd complain about dealing with two computers at the same time, but in this case, it may be helpful.
          Your laptop HJT log is clean. One question, though:
          - E:\Programs\That One.exe
          What is your E drive, and do you know what "That One" is?

          As for your desktop...
          When you went through steps from my post #3:
          Quote
          Delete following files/folders (if present):

          - amvo.exe from D:\WINDOWS\system32
          did you actually see that file, and deleted it?
          If no, I have a question about this:
          - O23 - Service: Hide Files and Folders (HideFilesAndFolders_S) - Unknown owner - D:\WINDOWS\system32\hffsrv.exe
          Is this a program, you installed?
          Reading about it, it says that it works at the Windows kernel level, and it may interfere with our cleaning process. Amva may be using it to hide itself.

          CBMatt

          Re: Hacktool.Rootkit Strikes Back
          « Reply #9 on: January 06, 2008, 02:21:57 PM »
          Your laptop HJT log is clean. One question, though:
          - E:\Programs\That One.exe
          What is your E drive, and do you know what "That One" is?
          Based on the location of That One.exe in the log, I would say it's most likely HijackThis with a different filename. Same goes for that program.exe on the desktop.

          I'm more concerned with these files from the desktop computer...
          D:\WINDOWS\system32\amvo0.dll
          C:\n1deiect.com
          D:\n1deiect.com
          E:\n1deiect.com
          D:\WINDOWS\system32\fooool.exe
          And of course:  D:\WINDOWS\system32\amvo.exe

          These bad boys definitely need to be removed. These files (except for fooool.exe) also appear to be on the laptop and need to be promptly removed.

          Broni


          Re: Hacktool.Rootkit Strikes Back
          « Reply #10 on: January 06, 2008, 02:54:58 PM »
          Quote
          These bad boys definitely need to be removed.
          This is what we've been trying to do.
          For some reason, amvo is not present in laptop's HJT log anymore, but it's still present on desktop.

          wissamyoussif

            Re: Hacktool.Rootkit Strikes Back
            « Reply #11 on: January 06, 2008, 11:21:02 PM »
            Hi all, now it's getting serious!! thank you all for your help and support.
            Hide Files and Folders is a program I installed long ago to (hide files and folders?) with no problem whatsoever. However, if you say it's good to remove it now, I'll do so.
            Not only did I not remove D:\WINDOWS\system32\amvo.exe, I also haven't seen it yet, as I said in my posts.
            Yes, (That One) and (That Program) are code names for HiJack This: I've glimpsed on some blog sites that rootkits hide themselves from HJT once they sense it's there, so it had better be renamed.
            And E: is a partition on my local HDD.
            I hope I'm always clearly stating my problem; I'd be glad to answer any other unclear thing. What should I do now?

            evilfantasy

            Re: Hacktool.Rootkit Strikes Back
            « Reply #12 on: January 06, 2008, 11:39:46 PM »
            I have not looked at the Desktop logs yet, but the Laptop has an Autorun worm infection.

            If you are using a flash drive on both computers then it is likely you are cross-infecting yourself each time you plug in the USB drive.

            Try running sUBs' Flash Disinfector on both computers. It will target a lot of autorun infections and create a hidden folder named autorun.inf on each partition and on any USB drive you plug in. These dummy autorun.inf folders help protect your PC from reinfection: when the infected flash drive is inserted, autorun looks for autorun.inf, which would normally run the worm, but it is prevented by the dummy autorun.inf that is in place. If you have any USB drives, please insert them when prompted while running the tool.


            Download Flash_Disinfector.exe by sUBs and save it to your desktop:
            • Double-click Flash_Disinfector.exe to run it.
            • Follow any prompts that may appear.
            • Wait until the program has finished scanning, then please exit the program.
            • The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
            • Please restart your computer.
            Post a new Combofix log from both computers after the Flash Disinfector is finished.
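The post above describes the mechanism behind the infection and the decoy that blocks it: the worm writes an autorun.inf at the root of every partition and every USB stick (the n1deiect.com files CBMatt listed are what such a file launches), and a directory named autorun.inf planted in that spot stops a new copy of the file from being written. The script below is an added example written for this page; it is not Flash_Disinfector, whose internals are not published, and not code from the thread. It scans every fixed and removable drive for an autorun.inf file and reports what it would launch, plants the decoy directory, and sets the Explorer policy that makes Windows ignore autorun.inf for all drive types, which is the durable control. Function names are this example's own. Run it in an elevated Windows PowerShell prompt.

```powershell
# Added example; not Flash_Disinfector and not from the thread. Finds the
# autorun.inf files an autorun worm drops at drive roots, plants a decoy
# directory of the same name, and disables AutoRun by policy. Function names
# are this example's own assumptions.

function Get-AutorunInfTargets {
    # One object per fixed (3) or removable (2) drive that carries an autorun.inf
    # *file*. A directory called autorun.inf is the decoy, not a threat, and is skipped.
    $drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { continue }
        $launches  = @()
        $inAutorun = $false
        foreach ($line in Get-Content -LiteralPath $inf -Force) {
            $t = $line.Trim()
            if ($t -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -eq 'autorun'); continue }
            # open=, shellexecute= and shell\<verb>\command= are the keys that run a program.
            # Worms pad the file with junk sections and lines; only [autorun] matters.
            if ($inAutorun -and $t -match '^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+)$') {
                $launches += $Matches[2].Trim()     # usually a name relative to the drive root
            }
        }
        New-Object PSObject -Property @{ Drive = $d.DeviceID; Inf = $inf; Launches = $launches }
    }
}

function New-AutorunDecoy {
    # Create <root>\autorun.inf as a hidden, system, read-only directory. A worm that
    # tries to write a file of that name fails, so AutoRun finds nothing to parse.
    param([Parameter(Mandatory = $true)][string]$DriveRoot)   # e.g. 'E:\'
    $path = Join-Path $DriveRoot 'autorun.inf'
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        throw "$path is a file: remove it and the program it launches before planting the decoy"
    }
    if (-not (Test-Path -LiteralPath $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $dir = Get-Item -LiteralPath $path -Force
    $dir.Attributes = [System.IO.FileAttributes]'ReadOnly, Hidden, System, Directory'
    return $dir.FullName
}

function Disable-AutoRun {
    # The durable fix: NoDriveTypeAutoRun = 0xFF tells Explorer not to act on
    # autorun.inf for any drive type. Takes effect at the next logon.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Usage: first see what is there and what it launches ...
Get-AutorunInfTargets | Format-List Drive, Inf, Launches
# ... then, once the launched files and the autorun.inf files are gone, plant
# decoys on every fixed and removable drive and turn AutoRun off by policy.
foreach ($d in Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }) {
    New-AutorunDecoy -DriveRoot ($d.DeviceID + '\')
}
Disable-AutoRun
```

The decoy only defeats a worm that does a plain file write; a variant that deletes the directory first gets through, so the policy value is the control to rely on, and on Windows XP it is honoured for all drive types only once Microsoft's later AutoRun update is installed (current Windows versions no longer run autorun.inf from USB sticks at all). The hidden, system decoy directory looks odd in Explorer once hidden files are shown, which is what the thread's poster noticed; that appearance is expected. On PowerShell 7 replace Get-WmiObject with Get-CimInstance.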

              Broni


              Re: Hacktool.Rootkit Strikes Back
              « Reply #13 on: January 06, 2008, 11:52:11 PM »
              Quote
              Hide Files and Folders is a program I have installed long ago to (hide files and folders?) and with no problem whatsoever. However, if you say it's good to remove it now, I'll do.
              You don't have to, yet.
              Go Start>Run, type in:
              services.msc
              Click OK.
              Look for:
              Hide Files and Folders service
              Right click on it, click Stop
              Right click again, click Properties, and under Startup type pick Disable from drop down menu.

              Restart in Safe Mode, and look again for amvo.exe in D:\WINDOWS\system32

              wissamyoussif

                Re: Hacktool.Rootkit Strikes Back
                « Reply #14 on: January 09, 2008, 12:49:00 AM »
                Hi all, and thank you for "bringing me home safely" at last. I don't know what exactly went (right) this time, and I'm sorry I didn't jot it down, but here is a sketch of what happened:
                NAV prompted that it's about time to "check for virus definitions update" (happens every 3 weeks or so), so I downloaded and ran the update of Jan. 6th, 2008. Then suddenly I got several "virus found and deleted" messages, this time not with the name hacktool.rootkit but another name (sorry, too excited to write it down then); it could be something like (data getter) or (info grabber), in every partition on my laptop (then on the PC, did the same there), and I also glimpsed an "n1deiect.com". Then I had the heart to do it all over from scratch: removed Hide Files and Folders (too soon to get your last post, Broni), modified the registry (before then every value used to return to its original 2 or 0 after I edited it to 01, but not anymore), restarted in Safe Mode, checked Show Hidden Files and Folders and looked for amvo.exe (didn't find it this time either, but found and deleted amvo0.dll instead), stopped System Restore and restarted to see my hidden files and folders for the first time.
                I think everything is doing good after all (or is it?) (if you say so, and for public use, I'll post HJT reports in a day or two).
                You're right, evilfantasy; but do I still need the dummy Autorun.inf on my thumb drive? Its look freaks me out.

                evilfantasy

                Re: Hacktool.Rootkit Strikes Back
                « Reply #15 on: January 09, 2008, 01:23:25 AM »
                It sounds like the updates did their job.

                It is suggested to submit a fresh Hijackthis log so someone can go over it and make sure all of the entries are actually gone.


                wissamyoussif

                  Re: Hacktool.Rootkit Strikes Back
                  « Reply #16 on: January 13, 2008, 03:08:11 AM »
                  Yes, evilfantasy, I agree, and I'm really sorry, but up till now I couldn't get the HJT report because I have no electricity these days (it's Baghdad, another story). I'll post these reports as soon as I can, but do I still need the Autorun.inf folder on my flash drive, and will it do me good every time I plug it into an affected PC?
                  thanks

                  evilfantasy

                  Re: Hacktool.Rootkit Strikes Back
                  « Reply #17 on: January 13, 2008, 10:39:03 AM »
                  No, the autorun can be deleted. You will either need to disinfect the flash drive or reinfect every computer you plug it into.

                  Or reformat it.

                  wissamyoussif

                    Re: Hacktool.Rootkit Strikes Back
                    « Reply #18 on: January 15, 2008, 01:47:25 AM »
                    At last, electricity is back and my machines are alive again, and here are the HJT reports for both of them; sorry again for being so late. I hope they're as good as they look. Thanks Broni, evilfantasy, CBMatt, patio, and everyone who has helped me recover my machines, as well as those who just viewed my post.
                    But, again, are you recommending that I reformat my thumb drive just to get rid of the dummy Autorun.inf folder? And could you point me to any place where I can learn more about Flash_Disinfector?

                    [file cleanup - saving space - attachment deleted by admin]

                    evilfantasy

                    Re: Hacktool.Rootkit Strikes Back
                    « Reply #19 on: January 15, 2008, 01:52:20 AM »
                    Quote
                    you recommending me to reformat my thumb drive just to get rid of the dummy  Autorun.inf folder?

                    No, it sounded as if you didn't want to use the flash disinfector. So I mentioned that a reformat would be the next alternative. Without doing one or the other you will be infecting everything you plug it in to. Maybe I misunderstood what you had said.

                    Welcome back :)

                    wissamyoussif

                      Re: Hacktool.Rootkit Strikes Back
                      « Reply #20 on: January 15, 2008, 02:04:06 AM »
                      ...and welcome to you, evilfantasy. Since you're online now: I want to use Flash_Disinfector if it protects my thumb drive and PCs from being really infected, and as I understand it that's the job the program does. Am I right, and are there any more details I can get about it?

                      evilfantasy

                      Re: Hacktool.Rootkit Strikes Back
                      « Reply #21 on: January 15, 2008, 02:32:24 AM »
                      You can Google Flash Disinfector, but the information I gave in the instructions is probably more than you will easily find in a search. Most of the time the directions are a link to download it and to plug the drive in when prompted. The author of the tool, sUBs, is one of the most respected members of the malware-fighting community. He doesn't release much information on his tools. If he did, the bad guys would quickly figure out a way to exploit their use in removal and they would not be as effective.

                      Do you know what these are?
                      That One.exe
                      xstart.exe
                      RealClip.exe

                      If so, then the logs look fine. Although the 1.99 version of HijackThis is the old version, and use of the new 2.02 version is suggested.

                      Java is out of date on both machines.

                      Your Java is out of date, leaving your system vulnerable.
                      Older versions of Java have vulnerabilities that malware can use to infect your system.

                      Go to >> http://java.sun.com/javase/downloads/index.jsp

                      On the Sun Java page scroll to the 4th download Java Runtime Environment (JRE) 6 Update 4 to install the new version.

                      Next go to add/remove programs and remove all older versions.

                      Then go to C:\Program Files\Java and delete the old folders.

                      Be sure to keep jre1.6.0_04



                      Cleanup:

                      • Click START then RUN
                      • Now type Combofix /u in the runbox
                      • Make sure there's a space between Combofix and /u, then hit Enter.

                      The above procedure will:
                      • Delete ComboFix and its associated files and folders.
                      • Reset the clock settings.
                      • Hide file extensions, if required.
                      • Hide System/Hidden files, if required.
                      • Set a new, clean Restore Point.

                        This is a good time to clear your infected system restore points and establish a new clean restore point:
                        • Go to Start > All Programs > Accessories > System Tools > System Restore
                        • Select Create a restore point, and click Next.
                        • Next, go to Start > Run and type in cleanmgr
                        • Select the More options tab
                        • Next to System Restore click Clean up...
                        This will remove all restore points except the new one you just created.


                        Let us know how everything went.

                        wissamyoussif

                          Re: Hacktool.Rootkit Strikes Back
                          « Reply #22 on: January 17, 2008, 01:32:06 AM »
                          Thanks again, evilfantasy. That One.exe is a code name for Hijack This (said that before: someone tipped that rootkits may hide themselves from HJT and suggested renaming it; and I'm considering downloading a fresh copy of it); xstart looks familiar but I forgot what it was (I think it was a system tray manager; it's uninstalled, but the registry value still seemed to be hiding, so I manually deleted it using Regseeker and everything went just fine); and RealClip is a clipboard enhancer that works for me.
                          I've done all the fixes suggested by you, and it all went as planned, and here are the HJT reports.

                          [file cleanup - saving space - attachment deleted by admin]

                          evilfantasy

                          Re: Hacktool.Rootkit Strikes Back
                          « Reply #23 on: January 17, 2008, 09:22:45 AM »
                          Everything looks fine now.


                          This is a good time to clear your infected system restore points and establish a new clean restore point:
                          • Go to Start > All Programs > Accessories > System Tools > System Restore
                          • Select Create a restore point, and click Next.
                          • Next, go to Start > Run and type in cleanmgr
                          • Select the More options tab
                          • Next to System Restore click Clean up...
                          This will remove all restore points except the new one you just created.

                          Here are some great tools to help you keep from getting infected again.

                          Spybot Search & Destroy - A safe and effective spyware scanner.
                          * Official Spybot Tutorial
                          * Spybot FAQ

                          AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
                          * AVG Anti-Spyware User Manual

                          SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                          * SpywareBlaster Tutorial

                          Comodo BOClean - Stops trojans and many more malicious attacks.

                          Use a Firewall - It cannot be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
                          * Click here for a list of free firewalls.
                          * Why would I consider a third party firewall?

                          UPDATE UPDATE UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed.
                          * Help with Windows updates

                          To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

                          Let us know if anything else comes up.