I've been investigating a newer rootkit, which seems to be keeping up with Google redirects even after the machine appears to be disinfected. (I have three users with the same issue even after full disinfection)
I will show a couple of sample logs below, but first I want to say that in searching for TDL3, the search failed. In searching for a Goored infection, the search failed. Lastly, in searching for a Max++ infection, the search failed. All of which means those infections did not exist.
So, my issue is finding out what has been infected, and attempting to disinfect it. Whatever it is, it has evaded every rootkit tool and malware scanner. It must be pretty close to the kernel, possibly at Ring1.
========================
Analysis of first computer infected...
had TDL3 and an XUL infection. Deleted the infection via these files:
==ComboFix==
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\chrome.manifest
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\chrome\content\_cfg.js
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\chrome\content\overlay.xul
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\install.rdf
c:\program files\Shared
c:\windows\ahamukimupewu.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\eqorahemile.dll
c:\windows\msvcirt32.dll
c:\windows\ojudetayol.dll
c:\windows\opixixoyen.dll
c:\windows\system32\Drivers\tjrrkyur.sys
c:\windows\udusuzog.dll
c:\windows\uhoyojiyedohaqit.dll
c:\windows\unexaxeda.dll
c:\windows\xdrhiscl.dll
c:\windows\Rdesexasuxomo.bin
c:\windows\Sradupu.dat
Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected
==Malwarebytes' Anti-Malware==
C:\Documents and Settings\Miki\Local Settings\Application Data\rssuxikfq\wmbfgmmtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miki\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isnxibtt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isnxibtt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
==Dr. Web CureIt==
rexiy.exe;c:\documents and settings\miki\application data\ytki;Trojan.PWS.Panda.354;Deleted
-----------
However, the infection still showed its face.
I found evidence of Trojan.SpyEye:
C:\CLEANSWEPX.EXE\CLEANSWEPX.EXE
However, on trying to delete it, the tool says the file or folder cannot be found.
I have attached logs that I would need reviewed, if anyone is willing to help me find this infection.
-RKU
-SpiderKill
Right now, I am going to have the user re-run RootkitUnhooker.
Let's see what can be found.
Jay
seCURE Connexion Consultant
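Added example, not part of the post above and not code from its author: a small parser that normalises the three scanner log formats quoted in the post (ComboFix path list and "Infected copy of ... was found and disinfected" line, Malwarebytes' "path (Family) -> action" records, Dr.Web CureIt's semicolon-separated records) into one list of detections, so file and registry artefacts from several tools can be compared across the three machines mentioned. The sample input is a constructed excerpt of the log lines quoted in the post; the "random-looking name directly under c:\windows" heuristic at the end is my own assumption, written to match the naming pattern visible in the ComboFix list, not a rule from any of the tools.

```python
"""Normalise detections from ComboFix, Malwarebytes and Dr.Web CureIt log excerpts.

Added example; the sample below is constructed from the log lines quoted in the
post, with the post's own "==Tool==" section headers marking which tool wrote what.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
==ComboFix==
c:\windows\ahamukimupewu.dll
c:\windows\system32\Drivers\tjrrkyur.sys
Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected
==Malwarebytes' Anti-Malware==
C:\Documents and Settings\Miki\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isnxibtt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
==Dr. Web CureIt==
rexiy.exe;c:\documents and settings\miki\application data\ytki;Trojan.PWS.Panda.354;Deleted
"""


@dataclass
class Detection:
    tool: str
    kind: str      # "file" or "registry"
    path: str      # lower-cased so the same artefact from two tools compares equal
    family: str    # scanner's label; "" when the tool prints none (ComboFix)
    action: str


SECTION_RE = re.compile(r"^==(.+?)==$")
# Malwarebytes: "<path> (<Family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# ComboFix prose line for an infected system driver it repaired rather than deleted
COMBOFIX_INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and (?P<action>.+)$")
REG_ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKLM", "HKCU")
# Assumed heuristic: bare lower-case alphabetic name directly under c:\windows,
# the pattern of the ComboFix hits in the post (ahamukimupewu.dll, udusuzog.dll, ...).
RANDOM_NAME_RE = re.compile(r"^c:\\windows\\[a-z]{6,}\.(dll|bin|dat|exe)$")


def classify(path):
    """Registry keys and file paths share one record type; tell them apart by root."""
    return "registry" if path.upper().startswith(REG_ROOTS) else "file"


def parse_scanner_log(text):
    detections = []
    tool = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            tool = m.group(1)
            continue
        if tool is None:          # lines before the first section header are ignored
            continue
        if tool.startswith("ComboFix"):
            m = COMBOFIX_INFECTED_RE.match(line)
            if m:
                detections.append(Detection(tool, "file", m["path"].lower(), "", m["action"]))
            else:                 # plain path in ComboFix's "files deleted" list
                detections.append(Detection(tool, classify(line), line.lower(), "", "deleted"))
        elif tool.startswith("Malwarebytes"):
            m = MBAM_RE.match(line)
            if m:
                detections.append(Detection(tool, classify(m["path"]), m["path"].lower(),
                                            m["family"], m["action"]))
        elif tool.startswith("Dr. Web"):
            parts = line.split(";")
            if len(parts) == 4:   # <file>;<folder>;<family>;<action>
                name, folder, family, action = parts
                detections.append(Detection(tool, "file", f"{folder}\\{name}".lower(), family, action))
    return detections


def suspicious_windows_root_binaries(detections):
    """Assumed heuristic: file hits whose name looks machine-generated, directly under c:\\windows."""
    return [d.path for d in detections if d.kind == "file" and RANDOM_NAME_RE.match(d.path)]


if __name__ == "__main__":
    found = parse_scanner_log(SAMPLE_LOG)
    for d in found:
        print(f"{d.tool:28} {d.kind:8} {d.action:28} {d.family:24} {d.path}")
    print("random-looking names under c:\\windows:", suspicious_windows_root_binaries(found))
```

Feeding each user's full ComboFix, MBAM and CureIt logs through `parse_scanner_log` and set-intersecting the resulting paths is a quick way to see which artefacts recur across the three machines; anything that recurs but is absent from a later RootkitUnhooker listing is what to look at first.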