
Permanent SSDT Hooks


29 replies to this topic

#1 billyplatt

Posted 28 July 2009 - 09:51 AM

I am a netadmin and have always helped my co-workers by cleaning their home computers in exchange for the experience of removing malware and a gained knowledge that it brings me, but now I am dejected.

The latest infections have gone beyond perhaps anybody's ability to undo, short of a clean install. In two cases, I did a parallel install of XP, and the new install also featured the same hooked entries, implying to me at least that the infection might be in the BIOS or the boot record itself.

The symptoms are always the same, and I can undo most of them; however, the NtConnectPort is hooked by an unknown module, its address has been offset from the kernel. I have even booted from CD and replaced the kernel file with a known clean version, but upon reboot, the modification is back, leading me to believe that I have a rootkit running from within an encryption engine that controls the system modifications at reboot, and since the suspected infection is encrypted, it is invisible to the OS. The infections I have observed likely came from infected banner ads, as I have examined the browsing habits of the infected users, and they do not surf unsafely; rather, they visit known websites like CNN or MSNBC and somehow get infected there, not meaning to lay blame on them specifically.

So I read and read and read. One post on a popular rootkit creation site even comments that if it were not for the SSDT hooks, we wouldn't even know they were there at all, and a group of evildoers are proceeding with ideology about how to hide the SSDT hooks themselves and render themselves invisible.

I have one such infected computer here in my lab, disconnected from the internet, and no tool I have found or been presented with reverses the hooks permanently, nor does any known scanner appear to find the unknown module. Please help. I will gladly donate money for good advice.

Mod Edit: Topic moved from HJT to more appropriate forum~ TMacK

Edited by TMacK, 28 July 2009 - 09:59 AM.



#2 Blade

Posted 30 July 2009 - 12:22 AM

Hello billyplatt and welcome to BleepingComputer.

Let us see what we're dealing with here. We just got a new version of RootRepeal released to us, so we'll start with that.

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.

Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Unzip the download (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.


~Blade



In your next reply, please include the following:
RootRepeal log

Edited by Blade Zephon, 30 July 2009 - 12:23 AM.



#3 billyplatt

Posted 31 July 2009 - 08:04 AM

I am disconnected from the internet, have stopped my antivirus process, downloaded the version of RootRepeal you indicated, extracted it to a thumb drive, but when attempting to launch it, I get the "initializing, please wait" dialog box, and the process never opens, and the computer becomes unresponsive.

I had an older version of RootRepeal, but it would crash when scanning the SSDT table.

#4 Blade

Posted 31 July 2009 - 08:10 AM

The rootkit is interfering; try and run RootRepeal (newest version) in Safe Mode.



#5 billyplatt

Posted 31 July 2009 - 09:33 AM

Running in Safe mode, RootRepeal is again unresponsive. The initialize screen comes up, the computer becomes unresponsive, and then the initialize box goes away, but the screen behind it does not refresh.

Renaming a copy of RootRepeal and running it results in the same unresponsive behavior.

#6 Blade

Posted 31 July 2009 - 01:28 PM

Alright, let's try another ARK tool.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log



#7 Blade

Posted 01 August 2009 - 10:47 PM

Also, could you please provide me with a list of tools you've already tried, and the results of running those tools? That way we don't waste time with me asking you to run stuff that you've already done unsuccessfully.

Thanks,
~Blade



#8 billyplatt

Posted 03 August 2009 - 06:34 AM

Attached is the gmer.log file. Sorry for the delay in replying. I don't know why all the Symantec entries show up here; Symantec is NOT installed.



GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-03 07:31:38
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 83ACD790 ZwConnectPort

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
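
A GMER report like the one above is small enough to read by eye, but when you are comparing several machines (billyplatt mentions a parallel install showing the same entries) it helps to pull the facts out mechanically. The script below is an added example, not GMER's code and not from anyone in this thread. It parses the two sections GMER printed here (the SSDT line and the AttachedDevice lines, with the field layout read off the log above), lists which system service entries point to a non-kernel address, groups filter drivers by image, and flags any driver vendor for which no product is installed. The installed-vendor set is a constructed input the analyst supplies; here it reflects billyplatt's statement that Symantec is not installed, so SYMEVENT.SYS and SYMTDI.SYS come out as drivers to locate on disk and identify before assuming anything about them.

```python
"""Summarise a GMER rootkit-scan report: SSDT hooks and attached filter devices.

Added triage example, not part of GMER or of this thread. Field layout is read
off the report pasted in the thread; the installed-vendor set is constructed.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.+)/(.+)\)\s*$")

# The report billyplatt posted, embedded verbatim so the script runs offline.
SAMPLE_LOG = r"""GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-03 07:31:38
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 83ACD790 ZwConnectPort

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Return {'ssdt': [(address, function)], 'devices': [dict, ...]}."""
    section = None
    ssdt, devices = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # "System", "Devices", "EOF", ...
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:  # address the service table entry currently points to, and the service name
                ssdt.append((m.group(1).upper(), m.group(2)))
        elif section == "Devices":
            m = DEVICE_RE.match(line)
            if m:
                driver, device, image, description, vendor = m.groups()
                devices.append({"driver": driver, "device": device, "image": image,
                                "description": description, "vendor": vendor})
    return {"ssdt": ssdt, "devices": devices}


def triage(report, installed_vendors):
    """Group filter drivers by image and flag vendors with no installed product."""
    by_image = defaultdict(set)
    for d in report["devices"]:
        by_image[d["image"]].add(d["device"])
    vendors = {d["vendor"] for d in report["devices"]}
    return {
        "hooked": [fn for _, fn in report["ssdt"]],
        "filters": {img: sorted(devs) for img, devs in by_image.items()},
        "orphan_vendors": sorted(vendors - set(installed_vendors)),
    }


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    # Constructed: the analyst's list of products known to be installed.
    result = triage(rep, installed_vendors={"Microsoft Corporation"})
    for addr, fn in rep["ssdt"]:
        print(f"SSDT entry for {fn} points to {addr}")
    for img, devs in result["filters"].items():
        print(f"{img}: attached to {', '.join(devs)}")
    print("driver vendors with no installed product:", result["orphan_vendors"])
```

The orphan-vendor check only tells you which driver images deserve a closer look; the next step for a defender is to find the file on disk (or note that it cannot be found, as billyplatt later reports for rootrepeal.sys), check its signature and hash, and see which service entry loads it.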

#9 billyplatt

Posted 03 August 2009 - 09:18 AM

Basically, I have tried everything.

AVG Free,
AVG AntiRootkit (finds no rootkit)
Malwarebytes finds infections, but does not find a rootkit
SuperAntiSpyware finds infections but no rootkit
Darkspy BSODs the computer
gmer finds SSDT hooks
PEiD (crashes)
RootRepeal (hangs and causes the computer to become unresponsive)
IceSword shows the NtConnectPort is hooked by unknown
Panda 2010 reports the machine clean
Panda CloudAntivirus found a virus after install, but that was it.
Hookshark reports an explorer hook in Shimeng.dll and some HW BreakPoint - OnExecution hooks
Radix reports ZwConnectPort hooked by a process with no reported name
SystemVirginityVerifier reports the ntoskrnl.exe is DEEPRED
The old version of RootRepeal, when launched, reported that the ntoskrnl.exe was missing or not present on disk.
I have also tried ComboFix, the latest version of ComboFix,
SDTRestore
RKU crashes when run
HJT shows nothing out of the ordinary
ModGreper shows 9 suspicious processes, with ntoskrnl and hal.dll, kdcom.dll, bootvid.dll, wmilib.sys, PCIIDEX.sys, and classpnp.sys showing as hidden processes
Helios Lite crashes
I've run some others, like SEEM, but don't know enough about what it is telling me to make any interpretations

#10 DaChew

Posted 03 August 2009 - 09:42 AM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Chewy

#11 billyplatt

Posted 03 August 2009 - 02:11 PM

Dr Web didn't find anything in safe mode, but in boot mode, it found several nasty bits. Here is the log.


tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
Twain_32.8BA;C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\plugins;Trojan.MulDrop.origin;Incurable.Moved.;
A0003093.exe\data004;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0003093.exe;Trojan.PWS.GoldSpy.origin;;
A0003093.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6;Archive contains infected objects;Moved.;
A0003094.8BA;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6;Trojan.MulDrop.origin;Incurable.Moved.;
Gjxlbt.exe;C:\WINDOWS;BackDoor.Noko;Deleted.;
Adobe Photoshop Album 2.0 Starter Edition.msi/stream008\Twain_32.8BA;C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55}\Adobe Photoshop Album 2.0 Starter Edition.msi/stream;Trojan.MulDrop.origin;;
stream008;C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55};Archive contains infected objects;;
Adobe Photoshop Album 2.0 Starter Edition.msi;C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55};Archive contains infected objects;Moved.;
process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Deleted.;
restart.exe;F:\SmitfraudFix;Tool.ShutDown.14;Incurable.Deleted.;

Let me know what to do next.
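
The Dr.Web CureIt report above is a semicolon-separated list, and reading it carefully matters before deciding "what to do next": some lines describe objects inside an archive (empty action field; the archive itself gets its own line and the Moved/Deleted action), several hits sit inside System Restore points rather than in live locations, and two of the deletions are Tool.* verdicts on removal utilities (process.exe, the SmitfraudFix restart.exe) rather than infections. The script below is an added example, not Dr.Web's code and not from anyone in the thread; the column meaning (object;path;verdict;action) and the "empty action means nested in an archive" rule are read off the report as posted, and the report is embedded so the script runs offline.

```python
"""Parse a Dr.Web CureIt CSV report and summarise what the scanner actually did.

Added example, not part of Dr.Web or of this thread. Column layout
(object;path;verdict;action) is inferred from the report billyplatt posted.
"""
from collections import Counter

# The report billyplatt posted, embedded verbatim so the script runs offline.
SAMPLE_REPORT = r"""tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
Twain_32.8BA;C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\plugins;Trojan.MulDrop.origin;Incurable.Moved.;
A0003093.exe\data004;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0003093.exe;Trojan.PWS.GoldSpy.origin;;
A0003093.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6;Archive contains infected objects;Moved.;
A0003094.8BA;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6;Trojan.MulDrop.origin;Incurable.Moved.;
Gjxlbt.exe;C:\WINDOWS;BackDoor.Noko;Deleted.;
Adobe Photoshop Album 2.0 Starter Edition.msi/stream008\Twain_32.8BA;C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55}\Adobe Photoshop Album 2.0 Starter Edition.msi/stream;Trojan.MulDrop.origin;;
stream008;C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55};Archive contains infected objects;;
Adobe Photoshop Album 2.0 Starter Edition.msi;C:\WINDOWS\Downloaded Installations\{30F65707-62BC-4443-BB21-86DA6E7F8A55};Archive contains infected objects;Moved.;
process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Deleted.;
restart.exe;F:\SmitfraudFix;Tool.ShutDown.14;Incurable.Deleted.;
"""

RESTORE_MARKER = r"System Volume Information\_restore"


def parse_drweb(text):
    """Return one dict per report line with object, path, verdict, action, nested."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 4:
            continue  # not a report line
        obj, path, verdict, action = fields[:4]
        records.append({
            "object": obj, "path": path, "verdict": verdict, "action": action,
            # Empty action: the object was found inside an archive; the archive's
            # own line carries the action that was taken.
            "nested": action == "",
        })
    return records


def summarise(records):
    """Bucket the findings so live infections stand out from archive/restore-point noise."""
    actions = Counter(r["action"] or "(inside archive)" for r in records)
    return {
        "actions": dict(actions),
        "restore_points": [r for r in records if RESTORE_MARKER in r["path"]],
        # Dr.Web's Tool.* verdicts flag utilities (riskware), not infections; review separately.
        "riskware": [r for r in records if r["verdict"].startswith("Tool.")],
        "backdoors": [r for r in records if r["verdict"].startswith("BackDoor.")],
        "live_untouched": [r for r in records
                           if not r["nested"] and RESTORE_MARKER not in r["path"]
                           and "Moved" not in r["action"] and "Deleted" not in r["action"]],
    }


if __name__ == "__main__":
    summary = summarise(parse_drweb(SAMPLE_REPORT))
    print("actions taken:", summary["actions"])
    print("hits in restore points:", [r["object"] for r in summary["restore_points"]])
    print("riskware verdicts:", [(r["object"], r["path"]) for r in summary["riskware"]])
    print("backdoors:", [(r["object"], r["action"]) for r in summary["backdoors"]])
    print("live objects not moved or deleted:", summary["live_untouched"])
```

For this report the interesting line is the BackDoor.Noko deletion from C:\WINDOWS; the restore-point hits are copies the scanner will keep rediscovering until System Restore is cleared, and the two Tool.* deletions removed parts of the admin's own toolkit, which is worth knowing before the next pass.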

#12 DaChew

Posted 03 August 2009 - 04:40 PM

Hit it with MBAM and RootRepeal again.

Chewy

#13 billyplatt

Posted 04 August 2009 - 08:32 AM

In Safe Mode, RootRepeal still does the same thing; btw, dumprep launches after trying to open RootRepeal.

#14 DaChew

Posted 04 August 2009 - 08:36 AM

Did you download the newest version of RootRepeal and follow the standard procedure before running a RootKit Scan?

Always try normal mode first.

Chewy

#15 billyplatt

Posted 04 August 2009 - 08:47 AM

I take that back: in Safe Mode, dumprep is not launched. RootRepeal begins gobbling CPU cycles and never launches.

When gmer is launched in Safe Mode, it does not automatically scan as it had previously. It reports C:\windows\system32\drivers\rootrepeal.sys with Value "The system cannot find the file specified." Does that tell you anything useful? (I am running RootRepeal from a thumb drive.)



