Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
BobWoofer Newbie
Joined: 09 Dec 2005 Last Visit: 09 Dec 2005 Posts: 1
Posted: Fri Dec 09, 2005 3:29 am Post subject: Apropos Rootkit infection
Hi,
I'm trying to help a friend who evidently has an Apropos rootkit infection.
I have already run the standard Spybot - Search & Destroy and Ad-aware utilities and cleaned up the system. I used HiJackThis and removed suspect items. Norton Antivirus is active and up to date. I also installed Zone Alarm. I still saw lots of very strange programs trying to access the net and if I disabled ZA the pop-ups were back.
I then ran RootkitRevealer and found the General.dll (not exact name, since I'm not on that PC right now) and other 'hidden' stuff all in one main concealed directory. Searching the net I found this indicated an Apropos infection.
I tried a tool I found on the Symantec web site and ran it, but it didn't even detect Apropos. I have since realized that even though Symantec's instructions did not mention it, I should have restarted in Safe Mode first.
I've seen other posts on this site about Apropos. The fixes required posting (and reposting) lots of HijackThis logs and logs from a number of other tools. The problem is I'm going away next Tuesday and my friend could NEVER do all this on her own.
Would running Symantec's tool in Safe Mode kill at least the 'active' part of Apropos without all the other steps? (Or using the 'other' Apropos killer, AproposFix, that I found.) I could then instruct her to keep ZoneAlarm blocking any 'weird' programs and at least 'contain' the problem while I'm away.
I will be on her system tomorrow and can post the HijackThis and RootkitRevealer logs (and I'll recheck the other posts, and run the other programs that the advisors indicated and post those logs too), but it's unlikely I'll be able to follow up more than one more day before I travel. I feel that, considering the number of back-and-forth posts I've seen as replies for other people, this won't be enough.
As part of the steps I've seen in the other threads, I've noted that when one of you advisors analyse the logs, you have specific file names and directories the user has to enter when they run the tools. Perhaps, if you can tell me where in the logs you 'find' the appropriate file names and paths, I can find them for myself. This would eliminate at least one 'round' of posts.
I know this sounds like an invitation to trouble, but I am relatively competent with system analysis and in regards to 'fixing' things (even though this rootkit stuff had me going in circles for quite a bit). I'd just like to 'speed things up' if possible.
By the way, RootkitRevealer showed only a very limited number of 'hidden' files, all in one directory, and I think I got rid of all the 'minor' problems with the other utilities and the HijackThis log is pretty much 'normal', so I 'hope' what remains is a relatively 'minor' infection.
--------------
If I can't 'solve' this before my trip, I 'think' I can just have her continue to deny access to any 'new' programs via Zone Alarm and then go through a complete analysis when I get back.
--------------
By the way, thanks for the great work on the responses on this site. You guys are really helping a lot of people with some very difficult problems.
Hope you can help me with this,
Bob
PS
This will sound unsophisticated, but once I 'find' the hidden directory, if I simply deleted the directory, would that 'cripple' the Apropos infection? [Yes, the registry entries would still be there, but without any of the executable and dll files and no access to the internet because of ZoneAlarm, could it still 'regenerate' itself?]
Kimberly Moderator & HJT Expert

Joined: 03 Aug 2005 Last Visit: 04 Mar 2010 Posts: 1419
Posted: Fri Dec 09, 2005 9:23 am Post subject:
Hello BobWoofer,
The only possibilities for removing it are the Apropos fix or a manual removal. You will have to work in Safe Mode; nothing will show up in Normal Mode. Everything is random, so I can't tell you what to delete or do before I see a log. The regkey is random and the folder is random.
First thing to try: the Apropos fix. If the log is empty, as in the sample below, a manual removal is required.
Quote:
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\<removed>\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
Prepare Ewido, we will need it too. Don't run it yet. If we are lucky there won't be much to fix on the PC and we will be able to fix it quickly. It depends what else we find. We will focus on Apropos for the moment. If a manual removal is needed, once I have the keys, it's easy to remove.
Please download the trial version of Ewido Security Suite 3.5 from here:
http://www.ewido.net/en/download/
- Install Ewido Security Suite.
- When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
- When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
- The program will prompt you to update. Click the Ok button.
- The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
- On the left-hand side of the main screen click the Update Button.
- Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________
You may want to print out these instructions for reference, since you will have to restart your computer during the fix. You MUST run this tool in Safe Mode or it won't detect anything.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
Please post the entire contents of the log.txt file in the aproposfix folder.
______________________________
If AproposFix worked:
post a HijackThis log and the content of the AproposFix log.
If AproposFix failed:
post a HijackThis log, the content of the RootkitRevealer log and the registry export if found (see below).
Note for the RR log: you might have hundreds of lines that contain the folder Cache in Program Files. Just post the first one and the last one that contain the word Cache; you may leave out the rest because the log might be huge.
Example: C:\Program Files\<random name>\Cache\00000029_4356cce3_000a4083
A "cleaned up RR log" will thus look like this:
Quote:
HKLM\SOFTWARE\CzXltAFmegF5 10/23/2005 1:24 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SFL350P 10/18/2005 8:59 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Sfl350p 11/4/2005 10:11 PM 0 bytes Hidden from Windows API.
C:\Program Files\Ituadobe 11/4/2005 12:16 PM 0 bytes Hidden from Windows API.
C:\Program Files\Ituadobe\ace.dll 10/18/2005 8:59 PM 568.00 KB Hidden from Windows API.
C:\Program Files\Ituadobe\AI_01-11-2005.log 11/1/2005 8:53 PM 3 bytes Hidden from Windows API.
C:\Program Files\Ituadobe\AI_31-10-2005.log 10/31/2005 8:12 PM 3 bytes Hidden from Windows API.
C:\Program Files\Ituadobe\Cache 11/4/2005 3:14 PM 0 bytes Hidden from Windows API.
C:\Program Files\Ituadobe\Cache\00000029_4356cce3_000a4083 11/4/2005 10:14 PM 12 bytes Hidden from Windows API.
<hundreds of lines containing C:\Program Files\Ituadobe\Cache>
C:\Program Files\Ituadobe\Cache\index 11/4/2005 10:14 PM 231.99 KB Hidden from Windows API.
C:\Program Files\Ituadobe\data.bin 10/18/2005 8:59 PM 114.14 KB Hidden from Windows API.
C:\Program Files\Ituadobe\iedstapi.exe 10/27/2005 6:27 PM 912.00 KB Hidden from Windows API.
C:\Program Files\Ituadobe\jobccvid.exe 10/18/2005 8:59 PM 160.00 KB Hidden from Windows API.
C:\Program Files\Ituadobe\WinGenerics.dll 10/18/2005 8:59 PM 576.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\DRIVERS\viaitter.sys 10/18/2005 8:59 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\shacxpnt.exe 10/18/2005 8:59 PM 460.00 KB Hidden from Windows API.
Look at this line in the sample RR log (first line):
HKLM\SOFTWARE\CzXltAFmegF5
If you find a similar key in your RR log, open regedit in Safe Mode, navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\<key you saw in the RR log>, select the key and export that key: File > Export. Open the reg export with Notepad and post the content of the reg file in your reply.
With those elements, if a manual removal is requested, I can put together a fix that will remove it.
Kim
Topic locked. If you need it re-opened please pm me.
New issues please start a new topic.
Thank you.
_________________
Microsoft MVP Windows-Security 2006 - 2009
Help us to take down malicious Flash ads
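The log-trimming and key-spotting the moderator asks for above is routine enough to script. The block below is an added example, not code from the thread, AproposFix or RootkitRevealer: it condenses the hundreds of Cache entries to the first and last one, and pulls out the random HKLM\SOFTWARE key, hidden service, hidden folder and loose hidden files that a manual removal needs. It assumes RootkitRevealer's "path, timestamp, size, description" line layout; the sample log is constructed from the trimmed log in the thread, with a handful of Cache entries standing in for the real hundreds.

```python
"""Added example (not from the thread): condense a RootkitRevealer (RR) log
the way the moderator asks and pull out the items a manual Apropos fix needs.

Assumptions: RR's own "path  timestamp  size  description" line layout; the
sample below is constructed from the trimmed log in the thread, with a few
Cache entries standing in for the real hundreds."""
import re
from typing import Dict, List

# One RR line. RR writes tab-separated fields; pasted into a forum the tabs
# become spaces, so the fields are matched on any run of whitespace.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\S+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# Constructed sample log (names taken from the thread's sample).
_CACHE_FOLDER = r"C:\Program Files\Ituadobe\Cache"
_CACHE_FILES = ["00000029_4356cce3_000a4083", "0000002a_4356cce4_000a4084",
                "0000002b_4356cce5_000a4085", "index"]
SAMPLE_RR_LOG = "\n".join(
    [r"HKLM\SOFTWARE\CzXltAFmegF5 10/23/2005 1:24 PM 0 bytes Hidden from Windows API.",
     r"HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SFL350P 10/18/2005 8:59 PM 0 bytes Hidden from Windows API.",
     r"HKLM\SYSTEM\ControlSet001\Services\Sfl350p 11/4/2005 10:11 PM 0 bytes Hidden from Windows API.",
     r"C:\Program Files\Ituadobe 11/4/2005 12:16 PM 0 bytes Hidden from Windows API.",
     r"C:\Program Files\Ituadobe\ace.dll 10/18/2005 8:59 PM 568.00 KB Hidden from Windows API.",
     _CACHE_FOLDER + " 11/4/2005 3:14 PM 0 bytes Hidden from Windows API."]
    + [_CACHE_FOLDER + "\\" + n + " 11/4/2005 10:14 PM 12 bytes Hidden from Windows API."
       for n in _CACHE_FILES]
    + [r"C:\Program Files\Ituadobe\data.bin 10/18/2005 8:59 PM 114.14 KB Hidden from Windows API.",
       r"C:\WINDOWS\SYSTEM32\DRIVERS\viaitter.sys 10/18/2005 8:59 PM 12.00 KB Hidden from Windows API.",
       r"C:\WINDOWS\SYSTEM32\shacxpnt.exe 10/18/2005 8:59 PM 460.00 KB Hidden from Windows API."]
)


def _path_of(line: str) -> str:
    m = _LINE_RE.match(line.strip())
    return m.group("path") if m else line.strip()


def parse_rr_log(text: str) -> List[Dict[str, str]]:
    """Split each non-blank line into its fields; lines that do not match the
    layout are kept with only a path so nothing is silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line.strip())
        entries.append(m.groupdict() if m else
                       {"path": line.strip(), "ts": "", "size": "", "desc": ""})
    return entries


def condense_cache_lines(text: str) -> List[str]:
    """Keep the first and last entry *inside* the Cache folder and replace the
    rest with one placeholder; the Cache folder entry itself is kept."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    inside = [i for i, ln in enumerate(lines) if "\\Cache\\" in _path_of(ln)]
    if len(inside) <= 2:
        return lines
    keep = {inside[0], inside[-1]}
    folder = _path_of(lines[inside[0]]).rsplit("\\", 1)[0]
    out, placed = [], False
    for i, ln in enumerate(lines):
        if i in inside and i not in keep:
            if not placed:
                out.append("<%d lines containing %s omitted>" % (len(inside) - 2, folder))
                placed = True
            continue
        out.append(ln)
    return out


def triage(text: str) -> Dict[str, List[str]]:
    """Sort the hidden entries into what the moderator asks for: the random
    HKLM\\SOFTWARE key to export, hidden services and their LEGACY_* enum
    entries, top-level hidden folders, and hidden files outside those folders.
    A folder is recognised heuristically: RR reports it as 0 bytes and it has
    no extension. RR lists paths sorted, so a folder precedes its contents."""
    r = {"software_keys": [], "services": [], "legacy_enum": [],
         "folders": [], "loose_files": []}
    for e in parse_rr_log(text):
        p, up = e["path"], e["path"].upper()
        under_known = any(p.startswith(f + "\\") for f in r["folders"])
        if up.startswith("HKLM\\SOFTWARE\\"):
            r["software_keys"].append("\\".join(p.split("\\", 3)[:3]))  # top-level key only
        elif up.startswith("HKLM\\SYSTEM\\") and "\\SERVICES\\" in up:
            r["services"].append(p.rsplit("\\", 1)[-1])
        elif up.startswith("HKLM\\SYSTEM\\") and "\\ENUM\\ROOT\\LEGACY_" in up:
            r["legacy_enum"].append(p.rsplit("\\", 1)[-1])
        elif up.startswith("HK") or under_known:
            continue  # other registry lines, or contents of a known hidden folder
        elif e["size"] == "0 bytes" and "." not in p.rsplit("\\", 1)[-1]:
            r["folders"].append(p)
        else:
            r["loose_files"].append(p)
    return {k: list(dict.fromkeys(v)) for k, v in r.items()}


def export_commands(t: Dict[str, List[str]]) -> List[str]:
    """reg.exe equivalent of the regedit File > Export step (run in Safe Mode)."""
    return ['reg export "%s" "%s.reg"' % (k, k.rsplit("\\", 1)[-1]) for k in t["software_keys"]]


if __name__ == "__main__":
    print("\n".join(condense_cache_lines(SAMPLE_RR_LOG)))
    for k, v in triage(SAMPLE_RR_LOG).items():
        print(k, v)
    print("\n".join(export_commands(triage(SAMPLE_RR_LOG))))
```

Run it against a saved RR log (`python rrtriage.py < rr.txt` after swapping `SAMPLE_RR_LOG` for `sys.stdin.read()`) and paste the condensed lines into the reply; the `triage` output is only a starting point, since the folder heuristic is guesswork and the moderator still wants the exported key itself, not just its name.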