A Hidden Rootkit In Svchost.exe...

:mellow:


Hello,


every time i run a scan with bt, it shows a rootkit-hidden items in


C:\WINDOWS\SYSTEM32\SVCHOST.EXE


and there is no action to take..


I don't know what to do since it is a system file..


it causes many problems and I need to solve it as quickly as possible..


I tried to search manually for svchost.exe "with show hidden files" in system32 but I couldn't find it..


please help me quickly.


thanks in advance


:huh:

Attachment: hijackthis.log

Comments

  • Hello Tayseer,


    Please go to the following link: http://kb.bitdefender.com/KB490 and run the Avis and the Gmer tools as described in the article. After you obtain these reports, you will need to upload them here, then reply with the download links. My colleagues from the Virus Analysis team will analyze these files and we will contact you back with further instructions after the analysis is complete. Besides these reports, please run another Deep System Scan and then save the scan log. You can upload it here when you add your new post.


    Thank you.

  • Thanks a lot for your help,


    right now I'm running a deep system scan.. but when I tried to download AVIS.zip and GMER.zip


    it says can't open file >> not a valid archive...


    Note: I have WinRAR and WinZip both, but I can't open these files... any other links.. -_-

  • <_< well there was an error but never mind..


    here are the links to the logs,


    bitdefender deep scan log file,


    http://www.sendspace.com/file/wg8yb0


    AVIS Report,


    http://www.sendspace.com/file/gs2eoh


    GMER report,


    http://www.sendspace.com/file/tv1s2m


    Thanks again and waiting for solutions


    ;)

  • Hello Tayseer,


    It seems you have a rootkit in your system. Please follow these steps to try to remove it:


    • first of all, close all unnecessary applications (like browsers, media players, open documents, or anything that's not needed)
    • open GMER
    • wait for the quick startup scan to finish, then click on the tab with the text "> > >". Multiple tabs will appear
    • click on the Processes tab.
    • find the hidden svchost process (it should be marked in red), select it and kill it. Also, kill the processes Firefox.exe and Explorer.exe. After killing Explorer, your Desktop and taskbar will disappear, which is normal.
    • go to the Files tab. There you will find an Explorer-like interface (with folders and files)
    • find this file:


      C:\Windows\system32\hjgruimtkiqqow.dll

      select it and click Delete. Navigation through folders will be a lot slower than normal, because at every step GMER will also search for hidden files, which takes longer.

    • also, there are 2 drivers (from what I can see) that seem at least suspicious:


      c:\windows\system32\drivers\psxqlkplxcjhinc.sys
      c:\windows\system32\drivers\lqyqbhzec.sys

      Find these files using GMER, select them, and click Copy. Copy them in a new, empty folder. Also, when copying the files, change their extension (from .sys to anything else, like .vir). Afterwards, remove them from their original location.

    • at the end, reboot the system (you can open TaskManager using Ctrl+Alt+Del, and reboot the system from there).


    After the system reboots, make a new scan with GMER and post the log here, like you did above.


    Also, find the 2 files (drivers) you copied, put them in a password protected archive (with the password infected), upload it somewhere and send me the download link by PM. Details about password protected archives: http://forum.bitdefender.com/index.php?s=&...post&p=1222


    Cris.

  • Tayseer
    edited September 2009

    Hello Mr Cris,


    Thanks a lot for your help. I did what you said exactly


    • go to the Files tab. There you will find an Explorer-like interface (with folders and files)


    • find this file:


    I waited for a long time but not a single folder appears,


    I tried to search for these 3 files using windows search with show hidden files but no hope


    I'm exhausted from trying to get rid of the root-kit :(


    anyway here is the GMER report......


    http://www.sendspace.com/file/82fegb

  • Please reboot your system, then unplug your network cable and disable BitDefender Realtime Protection so it won't interfere in any way with GMER's functions.


    Afterwards, try again to look for the files. If it doesn't work, please post a screenshot of what happens, so I can understand exactly your situation.


    Searching for the files using Windows Search is useless, because those files aren't hidden as a result of their Hidden or System attribute(s) being set. Those files are hidden by an invisible running process (called a rootkit), which makes the files completely invisible in the system. There are specific ways to search and eliminate such threats, and GMER was designed to do just that.


    If it still doesn't work, there is another alternative you can try. But it's a little more complicated, so we'll cross that bridge if/when we get to it.


    Cris
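The point in the reply above, that the files are concealed by a running rootkit rather than by their Hidden/System attributes, is easier to see with a small cross-view comparison. This is an added example, not code from the thread, from GMER or from BitDefender: it assumes the general technique (list the same directory or process table through the normal API and again through an independent lower-level path, then report what only the low-level view contains) without claiming that this is how GMER is implemented internally. Both views below are constructed sample data; the file names copy the ones reported in the thread only so the output is recognisable.

```python
"""Cross-view listing comparison, the idea behind "hidden" rootkit files.

Added example, not code from this thread, from GMER or from BitDefender.
The technique shown (diffing a normal-API listing against an independent
low-level listing) is assumed as the general approach; the two views and
the entries in them are constructed sample data.
"""


def normalise(path: str) -> str:
    """Canonical form for case-insensitive Windows paths so that
    C:\\WINDOWS\\SYSTEM32\\X and c:\\windows\\system32\\x compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(high_level, low_level):
    """Return (hidden, phantom).

    hidden  : entries present only in the low-level view; on a live system
              these are the candidates for objects a rootkit is concealing.
    phantom : entries present only in the high-level view; usually a race
              between the two listings, but reported so nothing is lost.
    """
    hi = {normalise(p) for p in high_level}
    lo = {normalise(p) for p in low_level}
    return sorted(lo - hi), sorted(hi - lo)


# Constructed sample: what the normal (Win32 API) listing of system32 shows.
API_FILE_VIEW = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
]

# Constructed sample: the same directory read through a lower-level path that
# the rootkit's filtering does not cover.
RAW_FILE_VIEW = [
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\windows\system32\hjgruimtkiqqow.dll",
    r"c:\windows\system32\drivers\psxqlkplxcjhinc.sys",
]

# The same comparison works for processes: "pid:image" strings from the
# normal process list versus an independent enumeration (constructed).
API_PROC_VIEW = ["4:system", "1012:svchost.exe", "1340:explorer.exe"]
RAW_PROC_VIEW = ["4:system", "1012:svchost.exe", "1340:explorer.exe",
                 "1480:svchost.exe"]


def report(label, high_level, low_level):
    """Print the diff for one view pair and return the hidden entries."""
    hidden, phantom = cross_view_diff(high_level, low_level)
    print(f"== {label}: {len(hidden)} hidden, {len(phantom)} phantom")
    for entry in hidden:
        print(f"  HIDDEN  {entry}")
    for entry in phantom:
        print(f"  PHANTOM {entry}")
    return hidden


if __name__ == "__main__":
    report("files", API_FILE_VIEW, RAW_FILE_VIEW)
    report("processes", API_PROC_VIEW, RAW_PROC_VIEW)
```

Run as a script it prints the two concealed files and the second svchost.exe as HIDDEN. It also explains why Windows Search and Explorer "with show hidden files" came up empty in the thread: both query the high-level view, which is exactly the one the rootkit filters, so from their point of view the file really is not there.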

  • I apologize for causing you so much troubles -_-


    After I rebooted my pc I received this message..


    http://www.sendspace.com/file/ugsxva


    I ignored it and did what you have said....


    after I killed explorer.exe it appears again and again until I killed it from task manager..... <_<


    and again I can't explore files from GMER


    here are some screen shots


    http://www.sendspace.com/file/a7qh5q


    http://www.sendspace.com/file/gmd60c


    I did another scan and I found svchost rootkit gone.......


    only C:\Windows\system32\hjgruimtkiqqow.dll is still on my pc


    and another one appeared


    here are the BitDefender logs


    http://www.sendspace.com/file/w1tyl2


    :mellow:

  • alexcrist
    edited September 2009
    I apologize for causing you so much troubles -_-


    You haven't caused me any troubles. :)


    OK, first screenshot: it means that when you rebooted your system, it caused a fatal error (Blue Screen of Death). Because of the default Windows XP settings, you probably didn't see the actual error and BSOD because the system automatically rebooted. The message in your screenshot is the way Windows tells you that something went seriously wrong and it rebooted automatically. Normally, there isn't anything you can do at that point, except send an error report to Microsoft. But since Windows XP is already at the end of its life cycle, I doubt anyone from MS will care about a random error.


    Also, that critical error might have been caused by the rootkit's drivers, so if you get rid of it, you'll probably get rid of those errors.


    Screenshot #3 (with the file/folder interface) doesn't look as it should, because, as you noticed, no files/folders are shown. However, I noticed that you use an older version of GMER (probably the one on BitDefender's site is an older version. I'll let someone know that it needs an update).


    Please get the latest version from here: http://www.gmer.net/#files


    Click the Download EXE button, which will download an EXE with a random name. Please save that file somewhere. The random name is intended to try to fool some malware which block processes named "gmer.exe". Then try browsing for files with it, maybe it works.


    As the last BD scan log shows a new infected file, if gmer works this time, also find the file:


    C:\WINDOWS\SYSTEM32\MSSRV32.EXE

    and delete it.


    If GMER still doesn't work, try to read this article: http://forum.bitdefender.com/index.php?showtopic=1054


    It's a little more complicated, but if you manage to remove the files that way, it should be OK. It's not written in that article, but to change the current folder you can use this command:


    dir "<dir name>"

    after which you press Enter. Quotes ("") are mandatory to be written only if <dir name> contains spaces. Otherwise, they are optional. For instance:


    dir system32
    dir "Program Files"


    As a hint, before trying to delete/rename files this way, first use the attrib command (as explained in that article) to remove all file attributes.


    Also, instead of directly deleting the files, I recommend only moving and renaming them (with ren). This way, if anything goes wrong, you can undo it.


    Cris.
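The closing advice above, to clear a suspect file's attributes and then move and rename it rather than delete it so the step can be undone, is worth seeing as a small routine. This is an added example, not code from the thread or from any BitDefender or GMER tool: the quarantine folder layout, the manifest file name and the ".vir" extension are assumptions of the example, `os.chmod` stands in for `attrib -r` so it runs on any OS, and clearing the System/Hidden attributes on Windows is left to the `attrib` command the linked article describes. The sample file created in `demo()` is constructed.

```python
"""Quarantine by move-and-rename, with an undo manifest.

Added example, not code from this thread or from any BitDefender or GMER
tool. Folder layout, manifest name and the .vir extension are assumptions;
os.chmod stands in for "attrib -r"; the sample file in demo() is constructed.
"""
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

MANIFEST = "quarantine.json"   # assumed name; maps quarantined name -> original path


def _load(qdir: Path) -> dict:
    mf = qdir / MANIFEST
    return json.loads(mf.read_text()) if mf.exists() else {}


def _save(qdir: Path, manifest: dict) -> None:
    (qdir / MANIFEST).write_text(json.dumps(manifest, indent=2))


def quarantine(path: str, qdir: str) -> str:
    """Move `path` into `qdir` under a .vir name and record where it came from.
    Returns the new path."""
    src = Path(path)
    q = Path(qdir)
    q.mkdir(parents=True, exist_ok=True)
    original = os.path.abspath(str(src))
    # Drop read-only (the equivalent of "attrib -r") so the move cannot be refused.
    src.chmod(stat.S_IMODE(src.stat().st_mode) | stat.S_IWRITE)
    # Keep earlier copies: never overwrite a file already in quarantine.
    dst, n = q / (src.name + ".vir"), 1
    while dst.exists():
        dst = q / f"{src.name}.{n}.vir"
        n += 1
    shutil.move(str(src), str(dst))
    manifest = _load(q)
    manifest[dst.name] = original
    _save(q, manifest)
    return str(dst)


def restore(name: str, qdir: str) -> str:
    """Undo: put a quarantined file back where it was. Returns the original path."""
    q = Path(qdir)
    manifest = _load(q)
    original = manifest.pop(name)           # KeyError if we never quarantined it
    Path(original).parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(q / name), original)
    _save(q, manifest)
    return original


def demo() -> dict:
    """Round trip in a temporary directory; returns facts the caller can check."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        suspect = sysdir / "hjgruimtkiqqow.dll"      # constructed sample, not a real DLL
        suspect.write_bytes(b"constructed sample content")
        suspect.chmod(stat.S_IREAD)                   # read-only, as a dropped file might be
        qdir = Path(tmp) / "quarantine"

        moved = quarantine(str(suspect), str(qdir))
        moved_name = Path(moved).name
        facts = {
            "gone_from_system32": not suspect.exists(),
            "moved_name": moved_name,
            "in_manifest": moved_name in _load(qdir),
        }
        back = restore(moved_name, str(qdir))
        facts["restored"] = back == os.path.abspath(str(suspect)) and suspect.exists()
        facts["manifest_empty"] = _load(qdir) == {}
        return facts


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest is what makes the move reversible: every quarantined name maps back to its original absolute path, so if a moved file turns out to be needed (or the system refuses to boot afterwards) `restore()` puts it back exactly where it was. Renaming to `.vir` also keeps the file from being loaded as a driver or library by its original name while it sits in quarantine waiting to be uploaded for analysis.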

  • Tayseer
    edited September 2009

    hello,


    Hope you are all doing fine,


    I didn't try the last solution because I don't have a Windows CD......


    But I've tried this,


    I used GMER CMD B) >> very smart girl lol


    http://www.sendspace.com/file/4lfb1r


    then I had these 2 files in C:\windows. I deleted Mssrv32 and svchost is still there


    http://www.sendspace.com/file/q5zzfu


    but the only problem I still have is this


    http://www.sendspace.com/file/ujnx45


    Now I want to know how can I access globalroot


    please don't say c:\windows\system32\hjgruimtkiqqow.dll because I always get file not found.....


    it affects explorer and iexplore and firefox


    I also had these 2 drivers


    http://www.sendspace.com/file/o54mdv


    look what I've done,


    http://www.sendspace.com/file/1o4nu7


    under non-plug and play I found these drivers; I disabled 2 of them and I couldn't disable the third one,


    now for sure it has something to do with the trojan.generic right ?? :huh:


    could you please help me with that

    Please also try to access the files interface from the Processes tab (Files button on the right). See if it makes a difference.


    You should be able to find the service with that name under the Services tab. Try selecting hjgruimtkiqqow and right clicking then hitting the delete option then rebooting.


    If this doesn't work, you can also try using the Safe.. button under Processes to restart the computer in a more controlled manner, but that might not always work.


    The best way I can think of for removing the files is by downloading a BitDefender Rescue CD image, burning it and running it, then scanning/manually removing the files. Please keep in mind not to remove system files.


    The list should be, more or less:


    C:\WINDOWS\SYSTEM32\MSSRV32.EXE


    c:\windows\system32\hjgruimtkiqqow.dll


    c:\windows\system32\hjgrui.dat


    c:\windows\system32\hjgruicmd.dll


    c:\windows\system32\hjgruilog.dat


    c:\windows\system32\hjgruirk.sys


    c:\windows\system32\hjgruiwsp.dll


    c:\windows\system32\hjgruiwsp8.dll


    It would be useful if you could save a copy somewhere, along with C:\WINDOWS\system32\drivers\synsenddrv.sys, and upload the files somewhere.


    Have a nice day!

  • Hello,


    I think the virus was preventing me from viewing files using GMER explorer,


    The second problem was that every time I deleted these files using CMD they came back again,


    So I could change the values of the virus in the registry using GMER "it was hidden"


    the virus no longer controls my P.C..... another BIOS problem Jump, I'm going to search for a solution :huh:


    It was really serious, but I could overcome the problem with your great help and my intelligence :P:D


    thanks everyone for your help, you can close the topic now,


    See you soon with another rootkit :P