
Possible Rootkit or Variant thereof


11 replies to this topic

#1 iform

  • Members
  • 6 posts

Posted 11 June 2010 - 12:03 AM

Hi,
My name is Carl. My computer was taken down last week due to a malware infection. I am somewhat computer literate, so I tried my usual virus scans/removals etc. However, the problem remains. I use Norton Antivirus and called their support, however their solution did not work. My system is Windows XP Professional SP3 (Core2Duo E6600+2GB RAM).

Software Used:
Norton Antivirus 2010
MalwareBytes Antimalware
SuperAntiMalware
ProcessHacker

Infection Details:
There are two files that appear to be the root of the problem.
C:\System Volume Information\services.exe
C:\System Volume Information\smss.exe

The above files are started at login (in addition to the legitimate processes). However, the two files above use significantly more RAM (like 40MB instead of 1.5MB). Also, it is impossible to kill these two processes (they always restart when killed). When removed, the files are regenerated. Each process is started as a child of winlogon.exe.

Multiple iexplore.exe processes start and attempt to connect to the internet. These iexplore.exe processes do not show themselves on screen. They only start when there is an active internet connection, in which case they attempt to connect to hundreds of IP addresses (see picture).

When not connected to the internet, there is a lot of disk activity by these two processes (lots of reads and writes). I do not know what it is reading or writing to the disk.

This malware runs in Safe Mode as well. SuperAntimalware does not detect much (just my browser cookies). MalwareBytes detected something at first and cleaned, but problem came back and subsequent scans do not detect anything.

I suspect a possible rootkit infection as it has evaded all my attempts to detect/remove it.
I would greatly appreciate the expert advice that is offered on these forums. I have tried googling the symptoms and I do not find anything relevant.

[Screenshot: the running processes (without internet connection)]

[Screenshot: details of the bogus smss.exe (notice the parent is winlogon.exe)]

[Screenshot: the attempted connections made by all the iexplore.exe threads]

[Screenshot: process details of iexplore.exe]

!-------UPDATE-------!
Apparently, there are 4 winlogon.exe processes running (with 4 different PIDs). However, only one shows up in ProcessHacker.

Edited by iform, 11 June 2010 - 12:11 AM.
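The symptoms in the first post (core Windows process names running from C:\System Volume Information, copies that cannot be killed, and more winlogon.exe instances than a single session should have) are exactly the kind of thing a process-tree triage script can surface before any signature-based scanner catches up. The following is an added example, not code from the thread or from any of the tools named in it. It runs over a constructed process snapshot so it works offline; on a live host the same rules would be fed from a process enumerator. The System32 path, the expected instance counts and every PID and path in the sample are assumptions for a single-session Windows XP machine.

```python
"""Triage a process snapshot for the anomalies described in the post:
core Windows processes running from outside System32, images under the
System Restore store, and more copies of a core process than expected.

Added example (not the thread's or any tool's code). Works on a constructed
snapshot so it runs offline.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SYSTEM32 = "c:\\windows\\system32\\"   # assumed %SystemRoot%\System32
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Expected instance count on a single-session XP host (assumption).
MAX_INSTANCES = {"smss.exe": 1, "winlogon.exe": 1, "services.exe": 1, "lsass.exe": 1}
# The System Restore store never holds a legitimate process image.
SUSPICIOUS_DIR = "\\system volume information\\"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    rss_mb: float


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [tags]} for every process that trips at least one rule."""
    findings: Dict[int, List[str]] = {}
    counts = Counter(p.name.lower() for p in procs)

    def tag(p: Proc, t: str) -> None:
        findings.setdefault(p.pid, []).append(t)

    for p in procs:
        name, path = p.name.lower(), p.path.lower()
        if name in CORE and not path.startswith(SYSTEM32):
            tag(p, "core-outside-system32")
        if SUSPICIOUS_DIR in path:
            tag(p, "image-in-system-volume-information")
        limit = MAX_INSTANCES.get(name)
        if limit is not None and counts[name] > limit:
            # Every instance is tagged: the analyst decides which one is real.
            tag(p, f"multiple-instances:{counts[name]}")
    return findings


# Constructed snapshot (pid, ppid, name, image path, working set in MB).
# The last two entries mimic the rogue copies reported in the post.
SAMPLE = [
    Proc(4, 0, "System", "", 0.2),
    Proc(536, 4, "smss.exe", r"C:\WINDOWS\system32\smss.exe", 0.4),
    Proc(600, 536, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe", 4.0),
    Proc(624, 536, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", 3.1),
    Proc(668, 624, "services.exe", r"C:\WINDOWS\system32\services.exe", 3.5),
    Proc(680, 624, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe", 1.5),
    Proc(1812, 624, "services.exe", r"C:\System Volume Information\services.exe", 40.2),
    Proc(1840, 624, "smss.exe", r"C:\System Volume Information\smss.exe", 38.7),
]


def main() -> None:
    by_pid = {p.pid: p for p in SAMPLE}
    for pid, tags in sorted(triage(SAMPLE).items()):
        p = by_pid[pid]
        print(f"pid {pid:>5} {p.name:<13} ppid {p.ppid:<5} {p.rss_mb:5.1f} MB  {', '.join(tags)}")


if __name__ == "__main__":
    main()
```

The legitimate smss.exe and services.exe are tagged too, only with the instance-count rule, which is deliberate: a name collision tells you that one of the copies is wrong, and the path rules then point at which one.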



#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania

Posted 11 June 2010 - 06:32 AM

Hello, this looks like a new piece of malware called Bootkit Whistler. This is a piece of malware that alters the Master Boot Record of your hard disk. Once that is done, it can facilitate all kinds of malware, as in your case the two processes running from the System Restore directory.

To confirm this, do the following:

In case you don't have an archive extractor installed already:
Please download 7zip and install the program on your computer (we need this program in order to be able to unzip the tool that can delete Bootkit Whistler).

When 7zip is successfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 iform

  • Topic Starter

Posted 11 June 2010 - 07:55 AM

hi elise025,

I downloaded and ran remover.exe

Here is the result

Size    Device Name          MBR Status
--------------------------------------------
298 GB  \\.\PhysicalDrive0   Unknown boot code   (This is the C: drive)
189 GB  \\.\PhysicalDrive1   Unknown boot code
298 GB  \\.\PhysicalDrive2   Unknown boot code
233 GB  \\.\PhysicalDrive3   Unknown boot code



Unknown boot code has been found on some of your physical disks.

To inspect the boot code manually, dump the master boot sector:

remover.exe dump <device_name> [output_file]

To disinfect the master boot sector, use the following command:

remover.exe fix <device_name>


I also did a dump to file (if you need those too).

Edited by iform, 11 June 2010 - 08:01 AM.
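The remover's output distinguishes "Unknown boot code" from boot code it recognises, and its "dump" command writes the master boot sector to a file. What that file contains, and how a defender can inspect one independently of the tool, is shown by the following added example. It is not the remover's code (the thread does not show how the tool classifies boot code) and not part of the original post. It parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code so it can be compared against a dump taken from a known-clean machine, and applies two documented heuristics for the stock DOS/Windows MBR: the instruction prefix it begins with and the "Invalid partition table" string it carries. The sample sectors are constructed inline so the script runs offline; the function names and the marker bytes in the "tampered" sample are assumptions, not indicators from any real bootkit.

```python
"""Inspect a 512-byte master boot record dump.

Added example: not the remover tool's code and not from the thread. On a
real machine the input would be the file written by
"remover.exe dump <device> <file>" or any raw read of sector 0.
"""
import hashlib
import struct
from typing import Dict, FrozenSet, List

SECTOR = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xAA"
# xor ax,ax / mov ss,ax / mov sp,7C00h: opening bytes of the standard
# Windows 2000/XP/2003 MBR. A heuristic, not proof that the code is intact.
DOS_MBR_PREFIX = bytes.fromhex("33C08ED0BC007C")
DOS_MBR_STRING = b"Invalid partition table"


def parse_partitions(mbr: bytes) -> List[Dict]:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def inspect_mbr(mbr: bytes, known_good: FrozenSet[str] = frozenset()) -> Dict:
    """Classify the boot code and return the hash plus the partition table.

    known_good: SHA-256 hex digests of boot code taken from trusted machines;
    an exact match beats the heuristics.
    """
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(mbr)}")
    boot = mbr[:BOOT_CODE_LEN]
    digest = hashlib.sha256(boot).hexdigest()
    if mbr[510:512] != SIGNATURE:
        status = "invalid-signature"
    elif not any(boot):
        status = "no-boot-code"
    elif digest in known_good:
        status = "known-good"
    elif boot.startswith(DOS_MBR_PREFIX) and DOS_MBR_STRING in boot:
        status = "dos-win32-boot-code"
    else:
        status = "unknown-boot-code"
    return {"status": status, "boot_code_sha256": digest, "partitions": parse_partitions(mbr)}


def inspect_dump_file(path: str, known_good: FrozenSet[str] = frozenset()) -> Dict:
    """Read the first sector of a dump file (e.g. remover.exe's output) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(SECTOR), known_good)


def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed 512-byte sector for the demo; not a real disk image."""
    boot = bytearray(BOOT_CODE_LEN)
    if tampered:
        # Placeholder for foreign boot code: a short jump plus a marker string.
        boot[0:3] = b"\xEB\x3C\x90"
        boot[3:11] = b"BOOTKIT!"
    else:
        boot[0:len(DOS_MBR_PREFIX)] = DOS_MBR_PREFIX
        boot[300:300 + len(DOS_MBR_STRING)] = DOS_MBR_STRING
    table = bytearray(64)
    # Entry 0: active, type 0x07 (NTFS), starting at LBA 63, roughly 298 GB.
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xFE\xFF\xFF", 63, 625137282)
    return bytes(boot) + bytes(table) + SIGNATURE


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_mbr()), ("tampered", build_sample_mbr(True))):
        info = inspect_mbr(sample)
        print(f"{label:<9} {info['status']:<22} sha256={info['boot_code_sha256'][:16]}...")
        for part in info["partitions"]:
            print(f"          partition {part['index']}: type 0x{part['type']:02X} "
                  f"bootable={part['bootable']} lba={part['lba_start']} sectors={part['sectors']}")
```

The hash comparison is the check worth keeping: a dump taken from the same Windows version on a clean machine gives you the digest to put in known_good, and any drive whose boot code hashes differently deserves a look regardless of what the heuristics say.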


#4 Elise


Posted 11 June 2010 - 07:59 AM

Do you have multiple Operating Systems (like linux) installed, or do you have a DELL computer, or do you use drive encryption software?

Also, can you confirm you have indeed 4 drives connected to this computer?

regards, Elise




#5 iform

  • Topic Starter

Posted 11 June 2010 - 08:10 AM

Hi,

Yes...there are 4 physical drives in this computer. It is a homebuilt computer and I don't use drive encryption.

No, only windows XP is installed.

Does this bootkit affect external drives connected to the computer?

Edited by iform, 11 June 2010 - 08:12 AM.


#6 Elise


Posted 11 June 2010 - 08:31 AM

I am not sure if this infection affects external drives. If they were connected when doing the scan, it's okay.

Let's try to fix this.

Click Start > Run, type Notepad and press enter.
Copy/paste the following text into notepad and save it as fix.bat to your desktop.
@ECHO OFF 
remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive1
remover.exe fix \\.\PhysicalDrive2
remover.exe fix \\.\PhysicalDrive3
EXIT
Exit Notepad and double click fix.bat to run it. When done, your computer should reboot automatically.

When successfully done and restarted, please double click on remover.exe and let me know what is now shown under MBR status.

regards, Elise




#7 iform

  • Topic Starter

Posted 11 June 2010 - 08:52 AM

It did not automatically reboot. So, I just rebooted manually.

Upon reboot, I ran remover.exe again:

Size    Device Name          MBR Status
--------------------------------------------
298 GB  \\.\PhysicalDrive0   OK(DOS/Win32 Boot code found)   (This is the C: drive)
189 GB  \\.\PhysicalDrive1   OK(DOS/Win32 Boot code found)
298 GB  \\.\PhysicalDrive2   OK(DOS/Win32 Boot code found)
233 GB  \\.\PhysicalDrive3   OK(DOS/Win32 Boot code found)


However, Windows now gives a popup:
"Systems Settings Change: Windows has finished installing new devices. The software that supports your device requires that you restart your computer. You must restart your computer before the new settings will take effect. Do you want to restart your computer now? [Yes] [No]"

Should I reboot again?

#8 Elise


Posted 11 June 2010 - 08:55 AM

Yes, please restart.
Afterwards, run Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log and let me know how everything else is running.

regards, Elise




#9 iform

  • Topic Starter

Posted 11 June 2010 - 02:48 PM

Hi,
I ran the MalwareBytes fullscan and here is a readout of the log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4189

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/11/2010 1:37:36 PM
mbam-log-2010-06-11 (13-37-36).txt

Scan type: Full scan (C:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|)
Objects scanned: 635595
Time elapsed: 4 hour(s), 20 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
___
After running on C, F, G, H and part of I, I stopped the scan because of the time involved (and almost all files on the other drives are only audio and video).
All seems to be working well now, with no extra phantom services running, and the Internet download seems to have improved.

Thank-you Soooooo much!! Is there anything else I should do?

Two more quick questions:
I should mention that in the process the drive designations were changed and I simply renamed them back to what they were (so data links would work properly) and moved the pagefile back to facilitate the renaming. However, when I rebooted, Windows wanted to rescan the drive (sectors/clusters, etc.) and I opted out of it. It booted up fine. Should I force a rescan of sectors/etc. for that drive?

I had an E-Sata Drive plugged in during this past week for backing up folders on the C drive. We checked its status with remover.exe and the status showed "OK". Can I safely plug that E-Sata drive back in and run Malwarebytes on it without risk of reinfecting the computer? (if it had backed up any malware this past week)

#10 Elise


Posted 11 June 2010 - 03:16 PM

Hi, if remover.exe reported that the drive was OK, you can safely connect it.

It's difficult to say what caused the problem with the drive designations; a drive designation is in fact a partition designation and since the MBRs of those drives were fixed, it's most likely this caused the partition drive letter mess-up.

regards, Elise




#11 iform

  • Topic Starter

Posted 11 June 2010 - 05:51 PM

It was easy to rename them; all worked fine.
Again, thank you VERY MUCH (only shouting in jubilation!)
You've really helped out!
Have a great weekend!

#12 Elise


Posted 12 June 2010 - 01:58 AM

You are welcome :thumbsup:

I hope you have a nice weekend as well!

regards, Elise

