Posted 03 September 2009 - 02:16 AM
This post does involve logs and malware, but not specifically HijackThis. If I am in the wrong place, I apologise.
I have been cleaning up a massive infection on a friend's PC running XP.
When I first started to analyze the infections, the installed PC Tools anti-virus was being disabled. The first thing I did was isolate the PC from the internet, to avoid further Trojan downloads. I then removed PC Tools and installed Avast, which after a boot scan declared it had cleaned the infection. Trying to scan after boot, I still had a live virus.
The steps so far:
1/ After removing Avast, I ran Dr Web Cure It, which unhooked a lot of nasties.
2/ Using a combination of HijackThis, WinPatrol, and ProcMon I was able to identify and remove more crap.
3/ Eyeballing services and processes I discovered "Alert AlertAlg", which I could not remove but was able to disable as a service and then delete the registry keys. There was also a start reference to a cryptically named dll that did not seem to belong to anybody. I deleted both the dll and the registry key.
4/ Re-installed a fresh copy of Avast, did a boot scan which discovered even more nightmares, then followed this up with a thorough scan of archive files. This discovered, among other things, four "Data Bombs" and a few corrupted/unreadable files. I manually deleted everything.
Although the system appeared clean, there were still some curiosities... among these was the fact that I could not scan the MBR. So I downloaded Rootkit Buster. The MBR and a few other files were declared suspicious, so I told it to fix them all.
The penultimate check was using RootkitRevealer, which showed the following traces in the registry:
HKU\S-1-5-21-57989841-1177238915-682003330-1004\Software\Skype\Toolbars\Firefox\ExtensionVersion 14/08/2009 15:53 9 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 24/04/2008 16:53 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 24/04/2008 16:53 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Pure Networks\Platform\LastTimeAVRefresh 03/09/2009 06:46 8 bytes Data mismatch between Windows API and raw hive data.
Given the size of the infection I double checked this with Rootkit Unhooker. I can explain and identify most of the large report this generated, but I am very suspicious about a few hooks:
ntkrnlpa.exe+0x0002AC40, Type: Inline - RelativeJump at address 0x80501C40 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA6A, Type: Inline - RelativeJump at address 0x80541A6A hook handler located in [ntkrnlpa.exe]
explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification at address 0x01001094 hook handler located in [unknown_code_page]
services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x01001114 hook handler located in [unknown_code_page]
Up until now, I have been surgically ruthless, but we are getting down to the real core of the system kernel and I would really like to hear some expert opinions. I think some of these can be explained by the fact he is running the Microsoft Search utility, though I am not certain. I am also very suspicious about ntkrnlpa.exe.
Does anybody have any views?
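A small triage helper, added here as an illustration and not part of the post or of Rootkit Unhooker itself, that parses the hook lines quoted above and buckets each hook by where its handler resides, so that handlers RkU could not attribute to any loaded image ("unknown_code_page") are listed first for follow-up. The line format is assumed from the lines as quoted in the post; the sample input is those same lines.

```python
import re
from collections import Counter

# Sample input: the Rootkit Unhooker lines quoted in the post above.
RKU_REPORT = """\
ntkrnlpa.exe+0x0002AC40, Type: Inline - RelativeJump at address 0x80501C40 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA6A, Type: Inline - RelativeJump at address 0x80541A6A hook handler located in [ntkrnlpa.exe]
explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification at address 0x01001094 hook handler located in [unknown_code_page]
services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x01001114 hook handler located in [unknown_code_page]
"""

# Assumed line layout: "<target>, Type: <type> at address <hex> hook handler located in [<handler>]"
LINE_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)

def parse_hook(line):
    """Return a dict for one RkU hook line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["target"].split("-->")
    if len(parts) == 3:                      # user-mode: process-->module-->function
        rec["process"], rec["module"], rec["function"] = parts
    else:                                    # kernel image: name+offset
        rec["process"] = None
        rec["module"], _, rec["function"] = rec["target"].partition("+")
    rec["addr"] = int(rec["addr"], 16)
    return rec

def classify(rec):
    """Triage bucket based on where the hook handler lives."""
    if rec["handler"] == "unknown_code_page":
        return "unattributed"   # handler not inside any loaded image: check first
    if rec["handler"].lower() == rec["module"].lower():
        return "self"           # handler inside the hooked image itself
    return "named"              # handler in another identifiable module

def triage(report):
    """Parse a report; return (records ordered unattributed-first, bucket counts)."""
    recs = [r for r in map(parse_hook, report.splitlines()) if r]
    for r in recs:
        r["bucket"] = classify(r)
    recs.sort(key=lambda r: r["bucket"] != "unattributed")
    return recs, Counter(r["bucket"] for r in recs)
```

On the eight lines above, `triage(RKU_REPORT)` yields four unattributed hooks (the two SEH hooks on WriteFile and the two IAT hooks in services.exe), two self-hooks in ntkrnlpa.exe, and two hooks with named handlers (shimeng.dll, mssrch.dll).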