RootKit Infection?



#1 Irvine_himself


Posted 03 September 2009 - 02:16 AM

This post does involve logs and malware, but not specifically HijackThis. If I am in the wrong place, I apologise.

I have been cleaning up a massive infection on a friend's PC running XP.

When I first started to analyze the infections, the installed PC Tools anti-virus was being disabled. The first thing I did was isolate the PC from the internet, to avoid further Trojan downloads. I then removed PC Tools and installed Avast, which after a boot scan declared it had cleaned the infection. Trying to scan after boot, I still had a live virus.

The steps so far:

1/ After removing Avast, I ran Dr.Web CureIt, which unhooked a lot of nasties.

2/ Using a combination of HijackThis, WinPatrol, and ProcMon I was able to identify and remove more crap.

3/ Eyeballing services and processes I discovered "Alert AlertAlg" which I could not remove but was able to disable as a service and then delete the registry keys. There was also a start reference to a cryptically named dll, that did not seem to belong to anybody. I deleted both the dll and the registry key.

4/ Re-installed a fresh copy of Avast, did a boot scan which discovered even more nightmares, then followed this up with a thorough scan of archive files. This discovered, among other things, four "Data Bombs" and a few corrupted/unreadable files. I manually deleted everything.

Although the system appeared clean, there were still some curiosities... among these was the fact that I could not scan the MBR. So I downloaded RootkitBuster... the MBR and a few other files were declared suspicious, so I told it to fix them all.

The penultimate check was using RootkitRevealer, which showed the following traces in the registry:

HKU\S-1-5-21-57989841-1177238915-682003330-1004\Software\Skype\Toolbars\Firefox\ExtensionVersion 14/08/2009 15:53 9 bytes Data mismatch between Windows API and raw hive data.

HKLM\SECURITY\Policy\Secrets\SAC* 24/04/2008 16:53 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 24/04/2008 16:53 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Pure Networks\Platform\LastTimeAVRefresh 03/09/2009 06:46 8 bytes Data mismatch between Windows API and raw hive data.



Given the size of the infection I double checked this with Rootkit Unhooker. I can explain and identify most of the large report this generated, but I am very suspicious about a few hooks:

ntkrnlpa.exe+0x0002AC40, Type: Inline - RelativeJump at address 0x80501C40 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA6A, Type: Inline - RelativeJump at address 0x80541A6A hook handler located in [ntkrnlpa.exe]
[1864]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[448]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[448]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
[448]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
[676]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification at address 0x01001094 hook handler located in [unknown_code_page]
[676]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x01001114 hook handler located in [unknown_code_page]


Up until now, I have been surgically ruthless, but we are getting down to the real core of the system kernel and I would really like to hear some expert opinions. I think some of these can be explained by the fact that he is running the Microsoft Search utility, though I am not certain. I am also very suspicious about ntkrnlpa.exe.

Does anybody have any views?


#2 Irvine_himself


Posted 03 September 2009 - 10:46 AM

Since it has just been moved, I feel I can update my own research without being accused of bumping.

ntkrnlpa.exe and the way it is hooked appears to be a legitimate MS executable.

[1864]explorer.exe hooked to the shimeng.dll also appears to be legitimate MS code.

[448]searchindexer.exe hooked to mssrch.dll I suspect, but am not certain, is legitimate since he is using MS Desktop "Search Indexer".

Which only leaves the four hooks that reference the [unknown_code_page].

Any advice or opinion will be gratefully received.

PS,

Now that at least one RootKit has been removed, I am in the process of re-scanning all archives with Avast and am turning up dozens of infections that were previously being masked by the RootKit. I suppose the real test will be whether Avast can scan the MBR?
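The reasoning in these two posts (explain each hook by the module its handler lives in, then set aside the ones whose handler is in no loaded module at all) can be turned into a repeatable triage step. The script below is an added example, not the poster's own code and not Rootkit Unhooker's logic: it parses the hook lines quoted above (embedded here as constructed sample input), and applies a simple severity heuristic that is an assumption of this example: a handler reported as [unknown_code_page] is ranked HIGH because it is code not backed by any module on disk; a module patched by itself (the two ntkrnlpa.exe self-hooks) or by a handler in the short list of Microsoft components the poster accounted for (shimeng.dll, mssrch.dll) is ranked LOW; anything else is MEDIUM for manual review.

```python
"""Triage of Rootkit Unhooker style hook report lines (added example).

The sample input reproduces the eight hook lines quoted in the thread.
The severity rules are a heuristic written for this example, not the tool's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the hook lines from the post, verbatim.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0002AC40, Type: Inline - RelativeJump at address 0x80501C40 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA6A, Type: Inline - RelativeJump at address 0x80541A6A hook handler located in [ntkrnlpa.exe]
[1864]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[448]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
[448]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
[448]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
[676]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification at address 0x01001094 hook handler located in [unknown_code_page]
[676]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x01001114 hook handler located in [unknown_code_page]
"""

# One report line: optional [pid], target, hook type, address, handler module.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<target>[^,]+), Type: (?P<kind>.+?) "
    r"at address (?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Assumption for this example: handler modules the poster identified as Microsoft
# components present on the machine (app-compat shim engine, Desktop Search).
KNOWN_HANDLERS = {"shimeng.dll", "mssrch.dll"}


@dataclass
class Hook:
    pid: Optional[int]
    process: str     # "kernel" for ntkrnlpa.exe lines
    module: str      # module that was patched
    function: str    # hooked export, or kernel offset
    kind: str
    address: int
    handler: str     # module that owns the hook handler

    @property
    def severity(self) -> str:
        if self.handler == "unknown_code_page":
            return "HIGH"    # handler not backed by any loaded module on disk
        if self.handler.lower() == self.module.lower():
            return "LOW"     # module patched by code inside itself (kernel self-patch)
        if self.handler.lower() in KNOWN_HANDLERS:
            return "LOW"     # accounted-for Microsoft component
        return "MEDIUM"      # unfamiliar handler: review by hand


def parse_line(line: str) -> Optional[Hook]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    if "-->" in target:                      # user-mode: process-->module-->function
        process, module, function = target.split("-->", 2)
    else:                                    # kernel: module+offset
        module, _, offset = target.partition("+")
        process, function = "kernel", offset
    pid = m.group("pid")
    return Hook(int(pid) if pid else None, process, module, function,
                m.group("kind"), int(m.group("addr"), 16), m.group("handler"))


def parse_report(text: str) -> List[Hook]:
    return [h for h in (parse_line(line) for line in text.splitlines()) if h]


def triage(text: str) -> List[Hook]:
    """Hooks ordered HIGH -> MEDIUM -> LOW, then by pid and address."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(parse_report(text),
                  key=lambda h: (order[h.severity], h.pid or 0, h.address))


def suspicious_processes(text: str) -> List[str]:
    """Distinct processes with hooks into unmapped code: candidates for a memory dump."""
    return sorted({h.process for h in parse_report(text) if h.severity == "HIGH"})


if __name__ == "__main__":
    for h in triage(SAMPLE_REPORT):
        where = f"[{h.pid}]{h.process}" if h.pid else h.process
        print(f"{h.severity:6} {where:24} {h.module}!{h.function:24} {h.kind:26} -> {h.handler}")
    print("processes to dump:", ", ".join(suspicious_processes(SAMPLE_REPORT)))
```

Run against the sample, the four [unknown_code_page] hooks in searchindexer.exe and services.exe come out on top and the rest rank LOW, which matches the poster's own conclusion; the list from suspicious_processes is the natural input for the next step (dumping those processes' memory regions for inspection rather than deleting anything further).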



