Possible rootkit on my system


10 replies to this topic

#1 Namelesss


Posted 31 July 2013 - 06:23 AM

Hi! My girlfriend recently bought an android smartphone from a colleague at work. Since my gf isn't the most technically minded, I agreed to set it up for her. Since it is a Sony branded android, I installed the Sony PC Companion software that came pre-installed on the phone to update the firmware. All good, until a week later I went to uninstall the software on my machine - Avast picked up a rootkit named Sony somethingorrather.

 

Avast offered the option to delete it, which I selected. Avast then asked me if I wanted to run a boot-time scan, which I chose to do. The boot-time scan picked up nothing. Once it had finished, I went to the Avast log files where it stated that Avast couldn't delete the file it had found! It also had an error message appear a few times regarding the above-mentioned file.

 

I ran a full system scan with Avast, TDSSKiller from Kaspersky and Malwarebytes' Rootkit-scanning software - to no avail. Finally, out of desperation and paranoia, I reformatted my C: Drive and did a clean install of Win7. (hence I cannot upload avast's log - it no longer exists).

 

Before I did the clean install, I also tried to install Windows Defender Offline scanner onto a USB, but on my system it kept failing. I suspected that perhaps the malware wasn't letting me install it, so I went to my brother's place with a USB stick - installed first time.

 

I guess my questions are these:

  • Have my actions been enough to remove the rootkit? If not, how can I be certain?
  • My gf also installed the Sony PC Companion software, but after I had done a firmware update on the phone. Is her system also possibly infected?
  • I've read on this forum that rootkits can spread from a PC to routers, and even android phones (my phone, not my gf's Sony). Are there steps I can take to check and, if required, to remove the malware from all devices?

Before someone writes this off as a false positive, please understand that the workplace as of late has been very hostile towards me and my gf, so I have very good reason to suspect that the malware was intentionally planted onto the android phone mentioned above.

 

My thanks in advance.

 




#2 Namelesss


Posted 31 July 2013 - 11:06 AM

More info - I just did a scan of my gf's phone with avast mobile security - found 3 items (I knew it!) I'm asking the people on the avast forums where I can find details on what was found.

 

screenshot - http://imagebin.org/266103

 



#3 quietman7

Global Moderator

Posted 31 July 2013 - 12:30 PM

Not all rootkits detected by anti-rootkit (ARK)/anti-virus scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators/Virtual drives, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits.

Generally when a system is infected with a malicious rootkit, there are other indications (symptoms of infection) something is wrong such as slow performance, high CPU usage, browser redirects, BSODs, etc.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempted removal.




Avast picked up a rootkit named Sony somethingorrather.

Sony's association and use of rootkits goes back many years to when the term "rootkit" first surfaced.
Sony BMG copy protection rootkit scandal
Sony BMG rootkit scandal: 5 years later
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
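To make the point in the post above concrete: an ARK scanner's SSDT check is essentially "does every service-table entry still resolve inside ntoskrnl, and if not, which loaded module owns the address it now points to?" The simulation below is an added example written for this page, not code from the post, from avast, TDSSKiller or any real ARK tool, and it does not touch a real kernel. The module names, base addresses, sizes and table contents are all constructed; "example_av.sys" stands in for any legitimate AV/HIPS driver and "unknown.sys" for a driver the analyst has not yet identified. The scanner reports both hooks the same way, which is exactly why a detection needs a human to map the owning module to something known before deciding it is malicious.

```c
/*
 * Simulated SSDT hook triage (added example, not real kernel code).
 * Models what an anti-rootkit scanner does: every service-table entry
 * is expected to point into ntoskrnl; anything else is reported as a
 * hook together with the module that owns the target address.
 * All addresses, module names and sizes are constructed for the demo.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SSDT_SIZE 4

typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} module_t;

/* Constructed "loaded module" list: kernel plus two hypothetical drivers. */
static const module_t modules[] = {
    { "ntoskrnl.exe",   0xFFFFF80000400000ULL, 0x00600000ULL },
    { "example_av.sys", 0xFFFFF88001000000ULL, 0x00080000ULL }, /* hypothetical AV/HIPS driver */
    { "unknown.sys",    0xFFFFF88002000000ULL, 0x00010000ULL }, /* hypothetical unidentified driver */
};
#define NMODULES (sizeof modules / sizeof modules[0])

/* Real NT service names; their table indices here are constructed. */
static const char *service_names[SSDT_SIZE] = {
    "NtCreateFile", "NtOpenProcess", "NtQuerySystemInformation", "NtQueryDirectoryFile"
};

/* Pristine table: every entry resolves inside the ntoskrnl image. */
static const uint64_t ssdt_clean[SSDT_SIZE] = {
    0xFFFFF80000412340ULL, 0xFFFFF80000456780ULL, 0xFFFFF800004ABCD0ULL, 0xFFFFF80000511110ULL
};

/* Hooked table: one entry redirected into the AV driver, one into unknown.sys. */
static const uint64_t ssdt_hooked[SSDT_SIZE] = {
    0xFFFFF80000412340ULL, 0xFFFFF88001004000ULL, 0xFFFFF88002001200ULL, 0xFFFFF80000511110ULL
};

/* Map an address to the loaded module containing it, or NULL if none does. */
const module_t *owner_of(uint64_t addr) {
    for (size_t i = 0; i < NMODULES; i++)
        if (addr >= modules[i].base && addr < modules[i].base + modules[i].size)
            return &modules[i];
    return NULL;
}

typedef struct {
    int         index;
    const char *service;
    uint64_t    target;
    const char *owner;   /* owning module name, or "<unknown>" if unmapped */
} hook_t;

/* Report every entry that does not resolve into ntoskrnl.
 * Returns the total hook count and fills `out` with up to `max` records. */
int scan_ssdt(const uint64_t *table, hook_t *out, int max) {
    int n = 0;
    for (int i = 0; i < SSDT_SIZE; i++) {
        const module_t *m = owner_of(table[i]);
        if (m && strcmp(m->name, "ntoskrnl.exe") == 0)
            continue;                          /* entry is unhooked */
        if (n < max) {
            out[n].index   = i;
            out[n].service = service_names[i];
            out[n].target  = table[i];
            out[n].owner   = m ? m->name : "<unknown>";
        }
        n++;
    }
    return n;
}

int main(void) {
    hook_t hooks[SSDT_SIZE];
    int n = scan_ssdt(ssdt_hooked, hooks, SSDT_SIZE);
    printf("%d hooked SSDT entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  [%d] %-26s -> 0x%016llx (%s)\n", hooks[i].index, hooks[i].service,
               (unsigned long long)hooks[i].target, hooks[i].owner);
    return 0;
}
```

Note what the output does and does not tell you: the scan flags the hook owned by the hypothetical AV driver and the hook owned by the unidentified driver identically. Deciding which one is benign is the "further investigation" step in the post: identify the owning file on disk, check its publisher and signature, and see whether it belongs to software you knowingly installed, before anything is removed.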

#4 Namelesss


Posted 31 July 2013 - 09:20 PM

Thanks for your informative reply quietman7.

 

Avast picked up a rootkit named Sony somethingorrather.

Sony's association and use of rootkits goes back many years to when the term "rootkit" first surfaced.
Sony BMG copy protection rootkit scandal
Sony BMG rootkit scandal: 5 years later

 

I'd already searched for possible Sony software being picked up as rootkits or false positives - the articles you linked to referred to the rootkit-like software that was found present in Sony music CDs. Nowhere else have I found mention of said software coming preinstalled on Sony android phones, hence my concern.



#5 quietman7

Global Moderator

Posted 01 August 2013 - 07:02 AM

The articles I linked to were intended to show that Sony has a long history of association with rootkits.

I don't use any android phones. I would check with avast! Customer & Technical Support if no one at the forums is able to provide details of the detection.

Another option is to contact and ask Sony Mobile Support.

#6 Namelesss


Posted 01 August 2013 - 07:18 AM

Any possibility you could just help me check if the systems are infected or not? I would be grateful and more at ease...



#7 quietman7

Global Moderator

Posted 01 August 2013 - 07:38 AM

In post #1 you said you ran Avast, TDSSKiller and Malwarebytes' Rootkit-scanning software, then reformatted and did a clean install.

What steps have you done since the clean install?

#8 Namelesss


Posted 01 August 2013 - 08:06 AM

I've installed Avast, Malwarebytes and Spybot S&D. I may have done scans with all of them, I don't remember at this time - it was all a blur (it was 3am by the time I'd completed the reinstall) - I'm happy to do them again though with your guidance. Also, I didn't reformat the whole drive, just the OS partition - I kept the data partition with all my stored data - could this be a problem?

 

Progress on the Avast Mobile Security log - seems the app doesn't keep a detailed log of what was removed and when... Still posting with a mod of their forum to ascertain whether I can find more detailed info.


Edited by Namelesss, 01 August 2013 - 08:19 AM.


#9 quietman7

Global Moderator

Posted 01 August 2013 - 08:25 AM


Then rescan with TDSSKiller and Malwarebytes' Anti-Rootkit like you did before.

#10 Namelesss


Posted 01 August 2013 - 09:43 AM

OK, I did that - MBAR came up clean. TDSSKiller came up with one suspicious file (but I think it's an unsigned driver I installed) - I chose to skip...

 

http://imagebin.org/26620

 

What else should I do to check?


Edited by Namelesss, 01 August 2013 - 09:44 AM.


#11 quietman7

Global Moderator

Posted 01 August 2013 - 10:01 AM

Since neither these scans nor avast's rootkit scan on startup are finding anything, I don't believe you have anything to worry about. If the original detection was related to Sony, it most likely wasn't anything malicious in the first place.

If you want a more comprehensive look at your system, then you will need to create and post a DDS log for further investigation. Many of the tools we use in this forum are not capable of detecting all malware variants so more advanced tools are needed to investigate.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, it would be helpful if you replied back in this thread with a link to the new topic so we can close this one. Good luck and be patient.



