Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Extremely Resilient Rootkit in XP SP3/ Referred from log forum


  • Please log in to reply
4 replies to this topic

#1 zedhed

zedhed

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 05 March 2010 - 09:43 PM

I have a rootkit problem that just will not go away. I have been reinstalling XP over and over to no avail, using every "clean install" method I can think of, but I seem to be pwned before the installation is even finished.

I ran a session with M0le on the Removal Logs forum and he made sure there was nothing "scannable", e.g. virus/spyware/trojan on the system. We found some evidence of previous trojans that I had cleaned earlier but other than that, the system is clean. Here's the topic:

http://www.bleepingcomputer.com/forums/t/293583/infected-with-unknown-rootkit/

M0le suggested I take it to a non-malware forum to see if anyone may have a suggestion. The main issue is that once my "clean install" of XP has completed, when I disable a service, a different version of the same service will run from ControlSet001, usually a ROOT/LEGACY service or device. It seems to run using alternate DLLs from the Side-by-Side folder. And at that point I must admit, I'm out of my depth. I'm not a programmer but I have been trying to figure this out since early December and would really like to get my computer back. Hey, it's MINE.

I run as lean as possible when it comes to services and autorun programs because I use the computer primarily for multitrack audio recording and only need online access for program updates and email. All of the details are in the other topic. I eventually gave up trying to install clean after a dozen attempts or so and spent some time simply fighting it. It disables anti-virus programs upon installation, and seems to hook every process that runs. I use Process Explorer/Handles to see what's happening and I'm pretty sure it sets up tunneling server connections to ????, using older versions of Terminal Services/Remote Desktop. An iis website seems to be installed somewhere as well but I can't find it - only the iis.log file indicating the installation. Even the TCP/IP connections are hidden, at least from TcpView and Wireshark, but I suppose they're hooked like everything else. (I don't sound paranoid, do I?) Lemme tellya - at this point I AM PARANOID! I'm denied access to the Programs folder, different areas of the registry... It's like boxing with a ghost. At this point I'd just like to be able to clean install the OS - no way I can fight it once it's dug in.

If anyone has any suggestions, I'd love to hear from you. If the initial insult is in a BIOS somewhere, I simply don't know how to find it or clean it out.

Oh, one more thing. I never got a chance to thank M0le for his excellent help, so if you see this M0le - THANKS from Zed!

Zed

BC AdBot (Login to Remove)

 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:29 PM

Posted 06 March 2010 - 09:17 AM

I guess that I have to wonder....why you post such a provocative title...after stating that your system/situation has already been reviewed by one of the BC malware forums.

Louis

#3 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:08:29 PM

Posted 06 March 2010 - 11:54 AM

Sounds to me like your system isn't clean or possible got re-infected.

#4 Ken-in-West-Seattle

Ken-in-West-Seattle

  • Members
  • 518 posts
  • OFFLINE
  •  
  • Local time:01:29 PM

Posted 06 March 2010 - 12:21 PM

I read the linked thread. While you have symptoms, you have no actionable clues.

As a former sysadmin and corporate IT manager perhaps I should remind you of what I have to remind myself sometimes.

The forest and the trees are not always identical.


Put a new drive in the thing and do a tedious basic xp install with all the usual default crap installed and functioning. Keep your old drive on your desk. Do not use your slipstream disk since it may have the malware embedded on it.


If this works with no production software installed and no symptoms, start installing the recording software after doing windows updates (all of them , resist the urge to pick and choose) AV and AM of your choice (preferably via fresh download or from mfg cd), let it run for 24 hours. Isolate it from your local network if possible. (a second router gatewayed to the primary router via a nat static would do this)

Microsoft keeps adding "user friendly" stuff via updates that often make complex tools and workarounds that worked in the past into useless junk.

If the really clean install fixes the problem then you may want to consider continuing the process of rebuilding the production software on the new drive.

If not, you may get some clues that will help identify the stage at which it all starts to go wrong.


New malware, trojans and rootkits sometimes take a while before they are identified and added to the detection tools.

I got no quick fix but I have had clients computers in a similar position. Sometimes you have to go with what works even though you know you should have enough knowledge to fix the damn thing.


good luck

#5 zedhed

zedhed
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:29 PM

Posted 08 March 2010 - 04:28 AM

hamluis:

"I would suggest you try a non-malware forum at Bleeping Computer to continue to try and fix the problems you are experiencing. Make sure you link to this topic so they are able to see what we have already done to make sure the PC is malware-free. Good luck, m0le"

Just following directions; didn't mean to be provocative (blush).


Ken-in-West-Seattle,

Thanks for the suggestion. I have tried different drives and my original XP CD, but not simultaneously, so I'll buy a drive and another router (good idea) and do what you suggest. If I still have the problem (or THINK I have the problem :thumbsup: ) I'll see if I can ID something more than symptoms. Yeah, "Access Denied to my Programs folder" is meaningless when troubleshooting.

The problem is that the "malware" that runs is mostly legitimate remote control software of some ilk, tunneling protocols, and often some VSS service like Volsnap (remote backup?), all of which I have disabled in Services and Device Mgr. And those are just symptoms. I guess the trick is to learn how they get started on a certified clean computer in the first place.

I'm generally functional as long as I stay offline but 15 minutes online can result in the disappearence of malware programs and scan results, network utilities... Early on I lost a full file backup of my original system drive. Destructive bugger.

I'll post results either way.

Zed




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users