Suspect Rootkit Activity - Help please!


rrepas
I believe my system's been compromised by a rootkit.

Some malware-like activity kicked off on 11/24. I used Sysinternals Process Explorer (PE) to reveal multiple objects running with suspicious names and from suspicious locations. I updated the definitions for my already installed Malware Bytes (MB) software. It detected and cleaned multiple malware objects. MB now scans clean but my system is still compromised.

Most noticeably, PE reveals an instance of SVCHOST.EXE that consumes a disproportionate amount of memory and CPU resources (see screen shots). Eventually it grows so large it crashes. PE also shows that instance of SVCHOST.EXE initiating TCP/IP connections to multiple foreign IP hosts on a periodic basis. This was confirmed with the netstat command. Occasionally PE reveals an instance of MSHTA.EXE that has a command line argument that includes "funnymonkeysshow.com" (see screen shot). That can't be good.

Defogger:

Per instructions I found on this web site I downloaded and ran Defogger. It did not appear to find any CD-ROM emulation software (see log).

DDS:

I then downloaded and ran DDS unsuccessfully twice. It started to scan both times but locked up about 3/4 of the way through. Process Explorer showed DDS was interrogating the master boot record at the time it locked up.

GMER:

I then downloaded and ran GMER, which reported possible rootkit activity in the MBR (see log).

I've zipped up a few screen shots, multiple MB logs and the other requested utility logs including a HijackThis scan.

I don't know where to go from here. I'm willing to follow instruction. Can you help?

Thanks, R.

attach.zip


rrepas:

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log


I downloaded and executed ComboFix. It installed the recovery console as you advised it might. It began the scan and detected an infected MBR. It then asked if any installed AV software was disabled (yes). The scan (presumably) continued. However, it's now been about 50 minutes with no sign of activity from ComboFix. The system seems hung. I have avoided clicking on the AutoScan window as advised. The mouse cursor is still alive but I cannot open the Start menu. I was unable to call Task Mgr with either CTL-ALT-DEL or CTL-ESC. The HDD activity light is solid on (no blinking/flashing).

It looks like I will have to power down the system to regain control. Any recommendations/suggestions before doing that? Should I attempt ComboFix again afterward?

Thanks, R.


I had to force a power down to regain control. The system booted up OK. I saw the Recovery Console screen flash by during boot. So, it looks like that installed.

I checked for a ComboFix log in the root directory - nada.

I re-ran ComboFix. It seemed to have some issues when it tried to set a restore point. (I forgot to mention it seemed to have those same issues on the first run as well.) After that it went right into scanning. It advised of an infected MBR again and to disable any AV software. I clicked "OK" to continue. Shortly after that it seemed to hang again (HDD light on solid again). I waited about 20-25 minutes just to be safe. Eventually I had to power down again to regain control. I checked for a ComboFix log file again - still no joy.

Recommendations? Would ComboFix perhaps benefit from being run in Safe Mode? I'll hold off on doing anything else until I hear back.

Thanks, R.


rrepas:

Let's try this instead:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced at root (c:\). It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

Please include the following in your next post:

  • TDSSKiller log


I'm still unable to run ComboFix successfully.

I ran the fresh copy of ComboFix as advised. Existing AV software is disabled. ComboFix didn't advise of any MBR infection this time. So, it seems TDSSKiller did help. However, ComboFix locked up again shortly after beginning the scan process. The symptoms are the same as the last two tries. The HDD light flashes typically at first then eventually goes to a solid on condition. The system desktop becomes semi-unresponsive at that point. The Start menu doesn't come up, I can't invoke Task Manager, and I noticed the realtime clock on the lower right corner of the task bar isn't updating either. I have to force a power down to regain control of the system. There was no ComboFix log found in the root directory.

I take it that ComboFix not running successfully confirms there is still some corruption on my system? What next?

Thanks, R.


rrepas:

I'd like you to remove your current ComboFix.exe from your desktop and download another. This time, rename it to iexplore.exe before saving it. Instead of saving it to your desktop, save it directly to c:\

Once you've done that, boot into Safe Mode and try running ComboFix (c:\iexplore.exe) again.

Please include the following in your next post:

  • ComboFix log


I'm still unsuccessful with ComboFix.

I downloaded a fresh, renamed copy of ComboFix into the root directory and ran it from Safe Mode. As happened during the other iterations, the HDD light flashed initially then went to solid on fairly quickly. However, the clock on the taskbar kept updating this time. So, I let it run untouched for 45+ minutes but there were no additional signs of activity. When I tried to bring up the Start Menu it quickly froze up and the clock stopped updating as well. I was unable to bring up Task Manager. I had to power down to regain control. There was no sign of a log file in the root directory. Those are pretty much the same results as the previous attempts at running ComboFix.

I think we might be flogging a dead horse with respect to running ComboFix on my system. Any other recommendations/suggestions?

Thanks, R.


OK, here's the latest...

OTL: OTL runs but it's only producing the OTL.txt file now (see attached). It's no longer producing the Extras.txt file like it did on the first run. Is this normal?

GMER: This utility no longer runs successfully. It seems to now cause similar system lock up issues as when running ComboFix. Consequently, I can't provide the output for this one.

MBAM: I know you didn't ask for this one. I chose to run at least the scan portion as I knew I'd be away from the system for several hours. I performed a full scan with the latest definitions. MBAM did not detect any infected objects. However, I'm certain there are still remnants of the infection/attack on my system. See below.

Other: I noticed a number of scheduled tasks (job files) in the OTL log file. Many have names like "At21.job". I examined those and see their schedules began on 11/25/10 when most of this trouble started. I also found they were starting instances of MSHTA.EXE with that "funnymonkeysshow.com" argument I mentioned earlier. By the way, because of the double "s" that domain name doesn't resolve. I wonder if that was a typo on the part of the vandal who wrote the script. There was also one very suspect task entry called "ofjaiec.job" that ran JavaScript referencing a now non-existent file in the Windows temp folder. The only jobs that looked legit were those related to updating Google (and I'm even a bit suspect of those). To keep these scheduled tasks from possibly re-infecting my system I removed all of them from the tasks folder. I did however keep them around for forensic purposes if needed.

In my opinion, any file or folder with a creation date of 11/25/10 (event onset) or newer should be considered suspect. The good news is that I'm no longer seeing inexplicable files showing up in the temp folders. I'm no longer seeing the system establishing inexplicable connections with foreign TCP/IP hosts. I'm no longer seeing certain hyperlinks in IE and Firefox being redirected. I think I've found the source of (and hopefully stopped) the process instances of MSHTA.EXE (and funnymonkeysshow.com).

At this point, it doesn't look like I'm "actively" infected. Although, as I noted I suspect there are "remnants" that need to be cleaned up. I certainly don't want anything like bogus scheduled tasks or corrupt system restore points to "trigger" and re-infect the system.

I appreciate your help and patience. What's next?

Thanks, R.

OTL_02.zip


rrepas:

You have IObit Advanced SystemCare 3 installed. IObit has been accused of stealing and incorporating Malwarebytes AntiMalware's proprietary database and intellectual property into their software. More information is available HERE and HERE. I strongly recommend that you uninstall it.

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    DRV - [2010/11/26 11:36:50 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\weudt.sys -- (weudt)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
    [2010/11/27 15:28:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\ofjaiec.job
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
    [2010/11/28 12:40:31 | 003,981,232 | R--- | C] () -- C:\iexplorer.exe
    [2010/11/25 19:28:04 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\ofjaiec.job
    [2010/11/25 14:17:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\weudt.sys
    [2010/11/25 14:15:44 | 000,001,072 | ---- | C] () -- C:\WINDOWS\System32\Improve Your PC.lnk
    O4 - HKLM..\Run: [SBAMTray] c:\documents and settings\all users\application data\microsoft\ofjaiec\ofjaiec.exe File not found
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
    :Files
    C:\winodws\tasks\At*.job
    :Commands
    [EmptyFlash]
    [EmptyTemp]
    [Purity]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • OTL Fix log
  • MBAM log


I believe I've solved another minor mystery. At some point I lost the tray icon for my VIPRE anti-virus software. I think this entry from the OTL log explains how that happened...

O4 - HKLM..\Run: [SBAMTray] c:\documents and settings\all users\application data\microsoft\ofjaiec\ofjaiec.exe File not found

I know "SBAMTray" to be the name of the process for VIPRE's tray icon. It looks like that startup service was usurped by that "ofjaiec" malware object. How ironic is that? It can't just be coincidence that it picked an anti-virus service as its launch point, can it?

Regardless, waiting on next steps.

Thanks, R.
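An added triage helper, not from this thread nor from OTL's authors: it parses OTL log lines of the shapes quoted in the fix script and in the SBAMTray post above (the embedded sample is constructed to match them) and flags the same patterns the poster found by hand: a zero-byte boot driver, a Run value pointing at a missing file, At*.job tasks, and anything dated on or after the 11/25/10 onset. Paths, sizes and the ExampleTray entry are made-up sample data.

```python
import re
from datetime import date

# Constructed sample modelled on the OTL lines quoted in the thread (not a real log).
SAMPLE_OTL = r"""
DRV - [2010/11/26 11:36:50 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\weudt.sys -- (weudt)
DRV - [2008/04/13 13:00:00 | 000,574,976 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\ntfs.sys -- (Ntfs)
O4 - HKLM..\Run: [SBAMTray] c:\documents and settings\all users\application data\microsoft\ofjaiec\ofjaiec.exe File not found
O4 - HKLM..\Run: [ExampleTray] C:\Program Files\Example\tray.exe (Example Corp)
[2010/11/25 19:28:04 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\ofjaiec.job
[2010/11/25 19:30:00 | 000,000,312 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/11/20 09:00:00 | 000,000,400 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
"""

ONSET = date(2010, 11, 25)  # the day the poster dates the trouble to

# "[yyyy/mm/dd hh:mm:ss | size | attrs | M-or-C]" block OTL prints before a file;
# "O4 - HKLM..\Run: [ValueName] path [File not found]" for autorun values.
META = re.compile(r"\[(\d{4})/(\d{2})/(\d{2}) \d\d:\d\d:\d\d \| ([\d,]+) \| [-A-Z]{4} \| [MC]\]")
RUN = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")


def parse_otl(text):
    """Turn OTL lines into dicts; kind is 'run', 'driver' or 'file'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN.match(line)
        if m:
            _hive, name, rest = m.groups()
            missing = rest.endswith("File not found")
            path = rest[: -len("File not found")].strip() if missing else rest
            entries.append({"kind": "run", "name": name, "path": path, "missing": missing})
            continue
        m = META.search(line)
        if m:
            y, mo, d, size = m.groups()
            entries.append({
                "kind": "driver" if line.startswith("DRV") else "file",
                "path": line.split(" -- ")[1],  # path sits between the first two ' -- '
                "date": date(int(y), int(mo), int(d)),
                "size": int(size.replace(",", "")),
            })
    return entries


def triage(entries, onset=ONSET):
    """Return [(path, [reasons])] for entries a responder should look at first."""
    findings = []
    for e in entries:
        reasons = []
        if e["kind"] == "run" and e["missing"]:
            reasons.append("autorun value points at a missing file (hijacked or leftover)")
        if e["kind"] == "driver" and e["size"] == 0:
            reasons.append("zero-byte boot-start driver")
        if e["kind"] != "run":
            if e["date"] >= onset:
                reasons.append(f"timestamp on/after onset {onset.isoformat()}")
            if re.search(r"\\tasks\\At\d+\.job$", e["path"], re.IGNORECASE):
                reasons.append("At*.job task (the kind that launched mshta.exe here)")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_otl(SAMPLE_OTL)):
        print(path, "->", "; ".join(reasons))
```

Run it against a saved OTL.txt by replacing SAMPLE_OTL with the file's contents; it only reads and reports, it changes nothing on the system.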


IObit:

As a demonstration of solidarity I uninstalled the IObit software after reading the links you provided. I see IObit still shows up in OTL scans. It looks like it left some folders behind.

OTL Fix:

I ran the OTL fix with the requested parameters. The fix log is attached.

Here are notes on some of the fix log entries:

1. This TMP file is still present and in play...

File delete failed. C:\WINDOWS\SB266A36C.tmp scheduled to be deleted on reboot.

File move failed. C:\WINDOWS\SB266A36C.tmp scheduled to be moved on reboot.

SB266A36C.tmp is locked and in use. Sysinternals Process Explorer reveals SB266A36C.tmp is a file handle in use by the main SYSTEM process.

What do you think this TMP file is?

2. These tasks/jobs were listed as not found because I had already moved them as mentioned earlier:

File C:\WINDOWS\tasks\ofjaiec.job not found.

File\Folder C:\winodws\tasks\At*.job not found.

3. This file was not found because I had already cleaned it up (deleted it). This was that renamed copy of ComboFix we tried running from the root directory.

File C:\iexplorer.exe not found.

OTL:

I ran a fresh OTL scan after the fix was complete. The latest log (OTL_04.txt) is attached.

MBAM:

I updated MBAM and ran a quick scan. No malicious items were detected. The log is attached.

How are we doing so far? What's next?

Thanks, R.

OTL_04.zip


rrepas:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

Please run ESET Online Scanner

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:

  • ESET log


Here's the latest requested info...

Java: I removed all old instances of Java and installed the latest version from Sun. I subsequently cleared the file caches as instructed.

ESET: I ran the ESET online scanner. It found one instance of an infection (see attached log). The affected file is from a utility that I do not use. I have no problem deleting the file and/or un-installing the utility (whichever is safer). Please advise.

Next steps?

Thanks, R.

eset.zip


rrepas:

If you don't use that utility, I'd recommend uninstalling it.

You need to update your OS. Windows XP SP2 is no longer supported, so you are not receiving critical updates.

Download the latest Windows XP service pack from the Microsoft Download Center. This page will say that this installation package is intended for IT professionals and developers. However, you can safely download this file.

http://www.microsoft.com/downloads/details...;displaylang=en

Let me know once you have this completed and we can finish cleaning your PC up.


Here's the latest...

Notes on the previous ESET scan:

The ESET online scanner flagged this one file:

- C:\Program Files\Replay Converter\ffmpeg2theora.exe a variant of Win32/Kryptik.AE trojan

Replay Converter is a video utility I haven't used in about four years. I tried to uninstall it just now via Add/Remove programs but Windows said it looks like it had already been uninstalled.

I found this in the setup log for Replay Converter:

- [uninstall]

- C:\WINDOWS\iun6002.exe C:\Program Files\Replay Converter\irunin.ini

The file iun6002.exe is no longer on my system. A little online research reveals that iun6002.exe was likely a trojan. Consequently, it was likely removed at some point by my AV software.

I did remove the folder "C:\Program Files\Replay Converter\". However, according to the Replay Converter setup log it also installed files in the c:\windows\system32 directory and made registry changes. I've attached the file "Setup Log.txt" that was generated during installation.

Since I can't do a proper uninstall, should I worry about cleaning these additional files and registry entries up manually?

Notes on the request to update Windows:

Sorry, but I will not be installing Windows Service Pack 3 on my system. Personal preference. I hope that's not an issue.

What's next?

Thanks, R.

Setup_Log.txt


rrepas:

I will leave those remaining files to your discretion. If you do decide to remove them, be very careful in that System32 folder - one wrong move in there and you could render your PC unbootable. I would recommend that you leave the registry alone as well unless you have a backup and are totally comfortable with what you are doing.

The SP3 upgrade is also entirely up to you - it's your computer. Just be aware that SP2 is no longer supported or updated which makes you more vulnerable to malware.

I have another update and some very important cleanup for you to take care of now:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Manually delete any remaining logs or tools.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit this General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
