bowan
2009-04-18, 16:09
I've had a problem with this rootkit for the past week now and it still keeps coming back :(
I've found your program RootAlyzer and scanned with it using deep scan, and it found the files I knew were there, but I can't find an option to remove them with this program.
I checked the log tab and clicked on pack suspicious files, and it packed all the stuff into a .cab file which is 134 MB. It shouldn't be that big; I think it picked up some stuff that wasn't the virus. I know the trojan and what files it uses, but they can't be found because it's hidden itself and hidden the reg keys it created as well.
Also, I have used Avira to scan for the rootkit, as it's the only other rootkit scanner that has detected the thing, and whenever I move what it finds to quarantine and then scan again, it finds the same files over and over, so basically whenever it gets removed it almost instantly re-propagates itself.
I don't know what else to do, because I can't find the registry keys I know it creates (it has a way to hide them), and whatever program I have found that can detect it, after removing it the thing comes back straight away again :(
Any help would be greatly appreciated.
Here is the log.
// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"Hidden file","C:\Windows\System32\ovfsthxekctnpfc.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxekctnpfc.dll.XXX"
File:"Hidden file","C:\Windows\System32\ovfsthxjqysbjfs.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxouimpciq.dat"
File:"Hidden file","C:\Windows\System32\ovfsthxpegeeqca.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxsmispsst.dat"
File:"No admin in ACL","C:\Windows\temp\ZLT0456a.TMP"
File:"No admin in ACL","C:\Windows\temp\ZLT06ad9.TMP"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxekctnpfc.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxekctnpfc.dll.XXX"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxjqysbjfs.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxouimpciq.dat"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxpegeeqca.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxsmispsst.dat"
File:"Invisible to Win32","C:\Windows\System32\drivers\ovfsthxkrybotct.sys"
File:"Invisible to Win32","C:\Users\bowan\AppData\Local\Temp\ovfsthxridutpnb000"
File:"Unknown ADS","C:\Users\All Users\TEMP:8927A071:$DATA"
File:"Unknown ADS","C:\Users\All Users\TEMP:8CEFE51A:$DATA"
File:"No admin in ACL","C:\Users\All Users\NOS\getUninst_Adobe.dat"
File:"No admin in ACL","C:\Users\All Users\NOS\Adobe_Downloads\nos_11909.dat"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\OPA12.BAK"
File:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat"
File:"No admin in ACL","C:\ProgramData\NOS\getUninst_Adobe.dat"
File:"No admin in ACL","C:\ProgramData\NOS\Adobe_Downloads\nos_11909.dat"
File:"Unknown ADS","C:\Program Files\Cake Poker:MID:$DATA"
File:"Unknown ADS","C:\Program Files\Cake Poker\cake.exe:info:$DATA"
Directory:"No admin in ACL","C:\Windows\Internet Logs"
Directory:"No admin in ACL","C:\Users\bowan\AppData\LocalLow\NOS"
Directory:"No admin in ACL","C:\Users\All Users\NOS"
Directory:"No admin in ACL","C:\Users\All Users\NOS\Adobe_Downloads"
Directory:"No admin in ACL","C:\Users\All Users\Microsoft\OFFICE\DATA"
Directory:"No admin in ACL","C:\ProgramData\NOS"
Directory:"No admin in ACL","C:\ProgramData\NOS\Adobe_Downloads"
Directory:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\","NOS"
RegyKey:"No admin in ACL","HKEY_LOCAL_MACHINE","\SOFTWARE\NOS\","{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}_bowan"
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\","RNG\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyValue:"Zero char in value name","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\RNG\0\","Seed\0TRY-8BE26640-0000"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyValue:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\RNG\0\","Seed\0TRY-8BE26640-0000"
// Attention: entries with a zero character will not be displayed correctly and may not work!
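The RootAlyzer log above has a regular shape (`Kind:"reason","path"` for files and directories, `Kind:"reason","hive","subkey","name"` for registry entries), which makes it easy to turn into structured findings for triage. The following is an added example and not part of the original post or of Safer-Networking's tooling; the sample input is a constructed subset of the lines quoted above, and the ranking rules (concealment outranks ACL oddities, a shared basename prefix hints at one dropper family) are the author's own heuristics, not RootAlyzer's.

```python
import ntpath, os, re
from collections import defaultdict

# Constructed sample: a subset of the RootAlyzer lines quoted in the post above.
SAMPLE_LOG = r'''
:: RootAlyzer Results
File:"Hidden file","C:\Windows\System32\ovfsthxekctnpfc.dll"
File:"Hidden file","C:\Windows\System32\ovfsthxjqysbjfs.dll"
File:"No admin in ACL","C:\Windows\temp\ZLT0456a.TMP"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxekctnpfc.dll"
File:"Invisible to Win32","C:\Windows\System32\ovfsthxjqysbjfs.dll"
File:"Invisible to Win32","C:\Windows\System32\drivers\ovfsthxkrybotct.sys"
File:"Unknown ADS","C:\Users\All Users\TEMP:8927A071:$DATA"
Directory:"No admin in ACL","C:\ProgramData\NOS"
RegyKey:"Zero char in key name","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\","RNG\0"
// Attention: entries with a zero character will not be displayed correctly and may not work!
RegyValue:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SOFTWARE\Microsoft\Cryptography\RNG\0\","Seed\0TRY-8BE26640-0000"
'''

# Reasons meaning the object is actively concealed from the Win32 API (not just an odd ACL).
HIDING_REASONS = {"Hidden file", "Invisible to Win32",
                  "Zero char in key name", "Zero char in value name"}

def parse_rootalyzer(text):
    """Turn each 'Kind:"field",...' line into (kind, reason, target); skip notes."""
    findings = []
    for line in text.splitlines():
        m = re.match(r'^(File|Directory|RegyKey|RegyValue):(.*)$', line.strip())
        if not m:
            continue  # '//' attention notes, ':: ' header, blank lines
        kind, fields = m.group(1), re.findall(r'"([^"]*)"', m.group(2))
        # Registry lines carry hive, subkey path and name; join them into one target.
        target = fields[1] if kind in ("File", "Directory") else "".join(fields[1:])
        findings.append((kind, fields[0], target))
    return findings

def triage(findings):
    """Group reasons per target and rank them: concealment outranks ACL oddities."""
    by_target = defaultdict(set)
    for _, reason, target in findings:
        by_target[target].add(reason)
    hidden = sorted(t for t, r in by_target.items() if r & HIDING_REASONS)
    ads = sorted(t for t, r in by_target.items() if "Unknown ADS" in r)
    # A missing admin ACE on its own is common for legitimate installers (NOS, Office).
    acl_only = sorted(t for t, r in by_target.items() if r == {"No admin in ACL"})
    # Concealed files sharing a basename prefix usually belong to one dropper family.
    names = [ntpath.basename(t).lower() for t in hidden if not t.startswith("HKEY")]
    prefix = os.path.commonprefix(names) if names else ""
    return {"hidden": hidden, "ads": ads, "acl_only": acl_only, "shared_prefix": prefix}
```

On the constructed sample, the three System32 files and both registry entries land in `hidden` with the shared prefix `ovfsthx`, while the NOS directory and the temp file fall into `acl_only`, which is the split a responder would want before deciding what to quarantine.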