
Deep Rootkit

No replies to this topic

#1 JohnnyD45123



Posted 02 June 2011 - 03:32 AM

Hello Bleeping Community! Long time reader, first time poster. Here goes. I've been trying to clean my parents' computers for about a month now but no luck. Let me start at the beginning. I donated an old Dell desktop (Dimension 8300, P4 3.0HT, 1 GB DDR2 400 MHz, Nvidia 6200 256 MB AGP) to them about 2 months ago. I had this computer running perfectly for about 9 years using all original hardware minus the video card. To say the least, I was very familiar with this PC. This was the status of the PC when I dropped it off: fresh install of Windows XP service pack 2a via Dell recovery disk, updated to service pack 3, activated Norton 360, startup took about 14 seconds, 23-25 background processes at any given time, very quiet, never struggled on any regular task. Cadillac. Mint.

They called me about a week later complaining that it was slow, loud, and hot. Somehow, I managed not to curse at them for speaking so ill of my former love. When I checked into it, I found that it certainly wasn't running normally. Every single process that had anything to do with remote connections, NetBIOS, client access, workstations, task scheduling and managing was activated and many were somehow given system critical status. Stopping the non-critical ones resulted in a failure to connect to the LAN. I loaded up Safe Mode with command prompt and discovered that the tcpip driver had several unnecessary dependencies on other processes/drivers that clearly were not correct. On top of that, once connected to the internet, all traffic seemed to be filtered. I checked the other three computers in the house and unfortunately, found similar infections on them. Additionally, every computer had a minimum of 10 svchost processes. First I thought, definitely WIN32/Conficker.some variant. The more I read, the more I thought I was correct. I followed several removal guides. I downloaded all necessary patches and tools to a non-infected network and PC, burned them to a disk and finalized the burn. I tried to repair my old Dell first. I disconnected it from the network, ran MSRT, came up with nothing. Did some additional regediting on top of that suggested by Microsoft, ran MSRT again, and nothing. Tried Sophos, and a couple of other Conficker tools and they all came back clean. At this point, I decided to cut my losses, reinstall, and update. I had done this so many times over the years that I could do it very quickly. With the PC offline, I booted from the Recovery CD. I immediately knew something was different. The drivers, .dlls etc. that normally load when the bluescreen starts were different and much more numerous. I convinced myself I must be tripping and pushed on. The rest of the install was normal. When I rebooted though, something was wrong.
I used to have to load additional drivers for sound, video, and NIC. When I came to the desktop I was sitting at 1600x1200, Windows startup sound playing, and a taskbar icon telling me that my NIC card (PCI, the integrated one broke years ago) was disconnected from the network. And the rogue processes were still there. After weeks of failure, long story short, I believe all the PCs have a very stubborn malicious rootkit. I tried reinstalling Windows on all of them (XP, Vista, and 7) but nothing changes in the infection.

I'm a long time reader of this forum and I knew that one day I would probably have to ask for some help. That day is today. To simplify the repair process, I've decided to pick the machine running windows 7 for repair first. Specs and Done Doings below.

Presario CQ62 Notebook PC Windows 7 (last update KB2505428)
2.00 GB
Intel Celeron 900 2.20 GHz

I did a Minimized Image recovery through the system recovery options. This was data on another partition of the current HD, not a disk. I also messed with the registry quite a bit so that the infected processes weren't always running. Should have taken notes but did not. Below is current process log along with a GMER log from about 2 days ago.

Current Processes via Process Explorer:

Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 45.12 0 K 24 K
System 4 1.10 112 K 780 K
Interrupts n/a 5.71 0 K 0 K Hardware Interrupts and DPCs
smss.exe 284 356 K 884 K Windows Session Manager Microsoft Corporation
csrss.exe 412 0.04 1,716 K 3,192 K Client Server Runtime Process Microsoft Corporation
wininit.exe 468 1,308 K 3,584 K Windows Start-Up Application Microsoft Corporation
services.exe 572 4,404 K 6,276 K Services and Controller app Microsoft Corporation
svchost.exe 696 3,308 K 7,404 K Host Process for Windows Services Microsoft Corporation
WmiPrvSE.exe 944 2,364 K 5,688 K WMI Provider Host Microsoft Corporation
HpqToaster.exe 1096 1,908 K 6,572 K HpqToaster Module
hpCaslNotification.exe 2012 28,976 K 5,292 K hpCaslNotification Hewlett-Packard Development Company L.P.
svchost.exe 764 3,236 K 6,368 K Host Process for Windows Services Microsoft Corporation
svchost.exe 820 14,704 K 13,772 K Host Process for Windows Services Microsoft Corporation
audiodg.exe 2104 16,936 K 17,380 K Windows Audio Device Graph Isolation Microsoft Corporation
svchost.exe 952 0.04 52,088 K 55,756 K Host Process for Windows Services Microsoft Corporation
dwm.exe 1156 19.16 55,916 K 27,272 K Desktop Window Manager Microsoft Corporation
svchost.exe 976 0.47 19,180 K 29,384 K Host Process for Windows Services Microsoft Corporation
svchost.exe 416 5,724 K 11,544 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1020 0.05 12,280 K 12,908 K Host Process for Windows Services Microsoft Corporation
spoolsv.exe 1176 5,880 K 10,372 K Spooler SubSystem App Microsoft Corporation
taskhost.exe 1244 2,760 K 5,952 K Host Process for Windows Tasks Microsoft Corporation
svchost.exe 1268 10,612 K 10,864 K Host Process for Windows Services Microsoft Corporation
AERTSr64.exe 1588 752 K 1,996 K Andrea filters APO access service (64-bit) Andrea Electronics Corporation
HPWMISVC.exe 1632 1,124 K 2,856 K
hpqWmiEx.exe 1964 1,492 K 4,156 K hpqwmiex Module Hewlett-Packard Company
SearchIndexer.exe 1624 14,108 K 9,492 K Microsoft Windows Search Indexer Microsoft Corporation
svchost.exe 2396 1,360 K 4,652 K Host Process for Windows Services Microsoft Corporation
HPHC_Service.exe 2784 22,676 K 13,724 K HP Health Check Service Hewlett-Packard
sppsvc.exe 2832 2,424 K 7,176 K Microsoft Software Protection Platform Service Microsoft Corporation
svchost.exe 2860 71,228 K 26,700 K Host Process for Windows Services Microsoft Corporation
TrustedInstaller.exe 2304 5,460 K 10,148 K Windows Modules Installer Microsoft Corporation
lsass.exe 580 3,456 K 8,064 K Local Security Authority Process Microsoft Corporation
lsm.exe 588 2,028 K 3,336 K Local Session Manager Service Microsoft Corporation
csrss.exe 476 3.49 2,100 K 10,904 K Client Server Runtime Process Microsoft Corporation
winlogon.exe 536 2,424 K 5,356 K Windows Logon Application Microsoft Corporation
explorer.exe 1188 0.94 44,224 K 60,636 K Windows Explorer Microsoft Corporation
firefox.exe 2336 2.79 224,260 K 243,288 K Firefox Mozilla Corporation
plugin-container.exe 3060 9,596 K 13,836 K Plugin Container for Firefox Mozilla Corporation
mmc.exe 1296 7,204 K 9,408 K Microsoft Management Console Microsoft Corporation
HPWAMain.exe 1468 30,028 K 18,112 K HP Wireless Assistant Main Program Hewlett-Packard
procexp64.exe 2368 21.08 18,644 K 37,064 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com

Here is a GMER log run a couple days ago indicating some kind of rootkit.
GMER - http://www.gmer.net
Rootkit scan 2011-05-29 21:20:51
Windows 6.1.7600
Running: fy52g8qn.exe

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\RAC\Temp\sql2FE6.tmp 20480 bytes
File C:\ProgramData\Microsoft\RAC\Temp\sql3016.tmp 20480 bytes

---- EOF - GMER 1.0.15 ----

All the computers currently behave as though they are on a network at a school or business with client/user actions allowed and admin privileges revoked/hidden. In regular mode, I have no power to do anything. I need some help.
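As an added triage example (my code, not part of the post and not a Sysinternals tool), this Python script parses rows pasted from Process Explorer like the listing above, counts instances per image name and flags rows whose description/company text names no known publisher. The vendor list is my own assumption and the sample rows are copied from the post; on Windows 7 a dozen svchost.exe hosts is normal, so the count alone proves nothing, and a "no known publisher" hit is a prompt to verify the file's signature, not a verdict.

```python
import re
from collections import Counter

# Vendor substrings treated as "known" (assumption: my own list, not from the
# post; real triage verifies Authenticode signatures instead of trusting a name).
KNOWN_VENDORS = ("Microsoft Corporation", "Hewlett-Packard", "Mozilla Corporation",
                 "Andrea Electronics", "Sysinternals")

# One Process Explorer row: name, PID or n/a, optional CPU %, private bytes and
# working set in K, then free-text description and company.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+|n/a)\s+(?:(?P<cpu>\d+\.\d+)\s+)?"
                 r"(?P<priv>[\d,]+) K\s+(?P<ws>[\d,]+) K\s*(?P<rest>.*)$")

def parse_procexp(text):
    """Parse pasted rows; the header line and anything unparseable are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["priv_kb"] = int(d.pop("priv").replace(",", ""))
            d["ws_kb"] = int(d.pop("ws").replace(",", ""))
            rows.append(d)
    return rows

def count_images(rows):
    """Instances per image name, e.g. how many svchost.exe hosts are running."""
    return Counter(r["name"].lower() for r in rows)

def unknown_publisher(rows):
    """Rows naming none of KNOWN_VENDORS; kernel pseudo-processes are skipped."""
    skip = {"system", "system idle process", "interrupts"}
    return [r["name"] for r in rows if r["name"].lower() not in skip
            and not any(v in r["rest"] for v in KNOWN_VENDORS)]

# Sample rows copied from the listing in the post above (constructed subset).
SAMPLE = """Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 45.12 0 K 24 K
Interrupts n/a 5.71 0 K 0 K Hardware Interrupts and DPCs
smss.exe 284 356 K 884 K Windows Session Manager Microsoft Corporation
svchost.exe 696 3,308 K 7,404 K Host Process for Windows Services Microsoft Corporation
HpqToaster.exe 1096 1,908 K 6,572 K HpqToaster Module
svchost.exe 820 14,704 K 13,772 K Host Process for Windows Services Microsoft Corporation
HPWMISVC.exe 1632 1,124 K 2,856 K
svchost.exe 952 0.04 52,088 K 55,756 K Host Process for Windows Services Microsoft Corporation
procexp64.exe 2368 21.08 18,644 K 37,064 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
"""
```

Running `unknown_publisher(parse_procexp(SAMPLE))` on these rows returns the two HP helper processes that carry no company string, which is where a signature check would start.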
