A Hidden Rootkit In Svchost.exe...

Tayseer

:mellow:

Hello,

every time i run a scan with bt, it shows a rootkit-hidden items in

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

and there is no action to take..

I don't know what to do since it is a system file..

it causes many problems and i need to solve it as quick as possible..

I tried to search manually for svchost.exe "with show hidden files" in system32 but i couldn't find it..

please help me quickly.

thanks in advance

:huh:

/applications/core/interface/file/attachment.php?id=5503" data-fileid="5503" rel="">hijackthis.log

Find more posts tagged with

Comments

Alex Stanciu

Hello Tayseer,

Please go to the next link :http://kb.bitdefender.com/KB490 and run the Avis and the Gmer tools as described in the article . After you obtain these reports , you will need to upload them here then reply with the download links . My colleagues from the Virus Analysis team will analyze these files and we will contact you back with further instructions after the analysis is complete . Besides these reports , please run another Deep System Scan and then save the scan log. You can upload it here , when you will add your new post .

Thank you .

Tayseer

Hello Tayseer,

Please go to the next link :http://kb.bitdefender.com/KB490 and run the Avis and the Gmer tools as described in the article . After you obtain these reports , you will need to upload them here then reply with the download links . My colleagues from the Virus Analysis team will analyze these files and we will contact you back with further instructions after the analysis is complete . Besides these reports , please run another Deep System Scan and then save the scan log. You can upload it here , when you will add your new post .

Thank you .

Thanks a lot for your help,

right now I'm running a deep system scan.. but when I tried to download AVIS.zip and GMER.zip

it says can't open file>> not a valid archive...

note: I have winrar and winzip both..but I can't open these files... any other links..

Tayseer

<_< well there was an error but never mind..

here is the links of logs,

bitdefender deep scan log file,

http://www.sendspace.com/file/wg8yb0

AVIS Report,

http://www.sendspace.com/file/gs2eoh

GMER report,

http://www.sendspace.com/file/tv1s2m

Thanks again and waiting for solutions

alexcrist

Hello Tayseer,

It seems you have a rootkit in your system. Please follow these steps to try to remove it:

first of all, close all unnecessary applications (like browsers, media players, open documents, or anything that's not needed)
open GMER
wait for the quick startup scan to finish, then click on the tab with the text "> > >". Multiple tabs will appear
click on the Processes tab.
find the hidden svchost process (it should be marked in red), select it and kill it. Also, kill the processes Firefox.exe and Explorer.exe. After killing Explorer, your Desktop and taskbar will disappear, which is normal.
go to the Files tab. There you will find an Explorer-like interface (with folders and files)
find this file:
```
C:\Windows\system32\hjgruimtkiqqow.dll
```
select it and click Delete. Navigation through folders will be a lot slower than normal, because at every step GMER will also search for hidden files, which takes longer.
also, there are 2 drivers (from what I can see) that seem at least suspicious:
```
c:\\windows\\system32\\drivers\\psxqlkplxcjhinc.sys
c:\\windows\\system32\\drivers\\lqyqbhzec.sys
```
Find these files using GMER, select them, and click Copy. Copy them in a new, empty folder. Also, when copying the files, change their extension (from .sys to anything else, like .vir). Afterwards, remove them from their original location.
at the end, reboot the system (you can open TaskManager using Ctrl+Alt+Del, and reboot the system from there).

After system reboot, make a new scan with gmer and post the log here, like you did above.

Also, find the 2 files (drivers) you copied, put them in a password protected archive (with the password infected), upload it somewhere and send me the download link by PM. Details about password protected archives: http://forum.bitdefender.com/index.php?s=&...post&p=1222

Cris.

Tayseer

Hello Mr Cris,

Thanks a lot for you help. i did what you said exactly

[*] go to the Files tab. There you will find an Explorer-like interface (with folders and files)

[*] find this file:

I waited for a long time but there is no single folder appears,

I tried to search for these 3 files using windows search with show hidden files but no hope

I'm exhausted of trying to get rid of the root-kit

anyway here is the GMER report......

http://www.sendspace.com/file/82fegb

alexcrist

Please reboot your system, then unplug your network cable and disable BitDefender Realtime Protection so it won't interfere in any way with GMER's functions.

Afterwards, try again to look for the files. If it doesn't work, please post a screenshot of what happens, so I can understand exactly your situation.

Searching for the files using Windows Search is useless, because those files aren't hidden as a result of their Hidden or System attribute(s) being set. Those files are hidden by an invisible running process (called a rootkit), which makes the files completely invisible in the system. There are specific ways to search and eliminate such threats, and GMER was designed to do just that.

If it still doesn't work, there is another alternative you can try. But it's a little more complicated, so we'll cross that bridge if/when we get to it.

Cris

Tayseer

I apologize for causing you so much troubles

After I rebooted my pc I received this message..

http://www.sendspace.com/file/ugsxva

I ignored it and did what you have said....

after I killed explorer.exe it appears again and again until I killed it from task manager..... <_<

and again I can't explore files from GMER

here are some screen shots

http://www.sendspace.com/file/a7qh5q

http://www.sendspace.com/file/gmd60c

I did another scan and I found svchost rootkit gone.......

only C:\Windows\system32\hjgruimtkiqqow.dll still in my pc

and another one appeared

here is bitdefender logs

http://www.sendspace.com/file/w1tyl2

:mellow:

alexcrist

I apologize for causing you so much troubles

You haven't caused me any troubles.

OK, first screenshot: it means that when you reboot your system, it caused a fatal error (Blue Screen of Death). Because of the default Windows XP settings, you probably didn't see the actual error and BSOD because the system automatically rebooted. The message in your screenshot is the way Windows tells you that something went seriously wrong and rebooted automatically. Normally, there isn't anything you can do at that point, except send an error report to Microsoft. But since Windows XP is already at the end of it's life cycle, I doubt anyone from MS will care about a random error.

Also, that critical error might have been caused by the rootkit's drivers, so if you get rid of it, you'll probably get rid of thoe errors.

Screenshot #3 (with file/folder interface) doesn't look as it should, because, as you noticed, no files/folders are shown. However, I noticed that you use an older version of GMER (probably on BitDefender's site it's an older version. I'll let someone know that it needs a update).

Please get the latest version from here: http://www.gmer.net/#files

Click the Download EXE button, which will download an EXE with a random name. Please save that file somewhere. The random name is intended to try to fool some malware which block processes named "gmer.exe". Then try browsing for files with it, maybe it works.

As the last BD scan log shows a new infected file, if gmer works this time, also find the file:

C:\WINDOWS\SYSTEM32\MSSRV32.EXE

and delete it.

If GMER still doesn't work, try to read this article: http://forum.bitdefender.com/index.php?showtopic=1054

It's a little more complicated, but if you manage to remove the files that way, it should be OK. It's not written in that article, but to change the current folder you can use this command:

dir "<dir name>"

after which you press Enter. Quotes ("") are mandatory to be written only if <dir name> contains spaces. Otherwise, they are optional. For instance:

dir system32
dir "Program Files"

As a hint, before trying to delete/rename files this way, first use the attrib command (as explained in that article) to remove all file attributes.

Also, instead of directly deleting the files, I recommend only moving and renaming them (with ren). This way, if anything goes wrong, you can undo it.

Cris.

Tayseer

hello,

Hope you all doing fine,

I didn't try last solution because I don't have windows cd......

But I've tried this,

I used GMER CMD >> very smart girl lol

http://www.sendspace.com/file/4lfb1r

then I had these 2 files in C:\windows I deleted Mssrv32 and svchost still there

http://www.sendspace.com/file/q5zzfu

but the only problem i still have is this

http://www.sendspace.com/file/ujnx45

Now I want to know how can I access globalroot

please don't say c:\windows\system32\hjgruimtkiqqow.dll because I always get file not found.....

it affects explorer and iexploere and firefox

I also had these 2 drivers

http://www.sendspace.com/file/o54mdv

look what I've done,

http://www.sendspace.com/file/1o4nu7

under non- plug and play I found these drivers i disabled 2 of them and i couldn't disabled the third one,

now for sure it has something to do with the trojan.generic right ?? :huh:

could you please help me with that

Tayseer

http://www.sendspace.com/file/5qj8su

csalgau

Please also try to access the files interface from the Processes tab(files button on the right). See if it makes a difference.

You should be able to find the service with that name under the Services tab. Try selecting hjgruimtkiqqow and right clicking then hitting the delete option then rebooting.

If this doesn't work, you can use also try using the Safe.. button under Processes to restart the computer in a more controlled manner, but that might not always work.

The best way I can think of of removing the files is by downloading a BitDefender Rescue CD image, burning it and running then scanning/manually removing the files. Please keep in mind not to remove system files.

The list should be, more or less:

C:\WINDOWS\SYSTEM32\MSSRV32.EXE

c:\windows\system32\hjgruimtkiqqow.dll

c:\windows\system32\hjgrui.dat

c:\windows\system32\hjgruicmd.dll

c:\windows\system32\hjgruilog.dat

c:\windows\system32\hjgruirk.sys

c:\windows\system32\hjgruiwsp.dll

c:\windows\system32\hjgruiwsp8.dll

It would be useful if you could save of copy somewhere, along with C:\WINDOWS\system32\drivers\synsenddrv.sys and upload the files somewhere.

Have a nice day!

Tayseer

Hello,

I think the virus was preventing me from viewing files using GMER explorer,

The second problem was that every time I delete these files using CMD they back again,

So I could change the values of the virus in registry using GMER "it was hidden"

the virus is no longer control my P.C..... another BIOS problem Jump, I'm going to search for a solution :huh:

It was really serious, but I could overcome the problem with your great help and my intelligence

thanks everyone for your help, u can close the topic now,

See you soon with another rootkit