heyrick1973 -at- yahoo -dot- co -dot uk

The world didn't end

Bugger.
Now I have nothing planned for the holidays. I was going to kick back and enjoy the apocalypse with a bowl of popcorn.

Meh. The End Of The World was about as boring as Christmas telly.

 

Chasing ghosts

So I'm looking at my Event logs and I see something is playing with the Windows Firewall. Looking it up, this is common behaviour for a rootkit. So I give my computer a scan with Avast!. Nothing found.
I recall TDSS so I looked out a little command-line thingy from McAfee called "rootkitremover". It said:
[TimeStamp: 20121224000257]

Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]
McAfee Labs.

Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...
 
Now Scanning...
    Malware Found --> ZeroAccess trojan detected!!!
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
    ZeroAccess trojan was cleaned successfully! 

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:
   1. Perform full scan with McAfee VirusScan product after reboot.


Press any key to exit.
Reboot, rescan, same thing.

At this point, panic, drag out the big guns. The system gets patted down with ComboFix, which does the following:

  • Tells me Notepad.exe is infected (it isn't, I replaced it with NotePad+).
  • Tells me the user MBR is not the same as the kernel MBR. This might be an indication of something, but given it is an SSD with some sort of (empty) EFI partition at the end, it might be down to that?
  • Deletes a number of links and files bunged in C:\ for no good reason other than overzealous tidying.
  • Resets loads of parameters (Firefox is no longer my default browser, for instance); in the process breaking stuff so the delay at shutdown between the icons clearing to backdrop and the "logging off" screen appearing can be measured in minutes (it ought to be nowt but a flicker).
  • Broke Avast! - it still worked, but no spinny-ball UI.
  • And it found no rootkit. Or anything of note.

Next step was MalwareBytes Anti-Rootkit. This marked two system files (the sound driver and something else) as being forgeries; and pointed out that two entirely innocuous Explorer configuration flags in the registry was evidence of a rootkit. I threw the "forged" files to VirusTotal which gave them both a clean bill of health. Ditto for the wbem stuff found by rootkitremover.

Next step was HitmanPro which scanned through my system querying a lot of stuff it shouldn't (like core VB5 components - never seen those before!?) and it said nothing was found; other than some tracking cookies in IE which wasn't a bother as I only use IE these days because YouTube's caption upload doesn't appear to work on Firefox 3.6.27...

Finally, the Kaspersky tdsskiller which is aware of stuff like ZeroAccess. Scanned, passed, nothing.

In addition, I have not noticed any unexpected behaviour - search redirects, unknown programs loading, and so on. The only oddity is every now and then (like once a week or so) I hear the duh-ding of a hardware device being removed. I think this is Bluetooth crashing - certainly nothing I actually use is affected, and this has happened for a long time, it's nothing new.

In addition, there are no unexpected programs holding ports open...

C:\>netstat -a -b -o

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Azumi:epmap            Azumi:0                LISTENING       1068
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    Azumi:microsoft-ds     Azumi:0                LISTENING       4
  [System]

  TCP    Azumi:1025             Azumi:0                LISTENING       172
  [alg.exe]

  TCP    Azumi:5152             Azumi:0                LISTENING       116
  [jqs.exe]

  TCP    Azumi:12025            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12080            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12110            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12119            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12143            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12465            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12563            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12993            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12995            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:27275            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:netbios-ssn      Azumi:0                LISTENING       4
  [System]

  TCP    Azumi:1028             r-054-044-234-077.avast.com:http  ESTABLISHED
  1672
  [AvastSvc.exe]

  TCP    Azumi:1047             149.7.241.116:http     TIME_WAIT       0
  UDP    Azumi:microsoft-ds     *:*                                    4
  [System]

  UDP    Azumi:ntp              *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Azumi:ntp              *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Azumi:netbios-dgm      *:*                                    4
  [System]

  UDP    Azumi:netbios-ns       *:*                                    4
  [System]
"alg.exe" is Microsoft's Application Layer Gateway, necessary for networking. "jqs.exe" is Java Quick Starter. I ought to turn that off. The rest is internal stuff or Avast!.

Continuing... ListParts does not show any hidden rootkit partition:

======================= Partitions =========================
1 Drive c: (Local Disk) (Fixed) (Total:3.72 GB) (Free:0.12 GB) NTFS
  ==>[Drive with boot components (Windows XP)]
2 Drive d: (Local Disk) (Fixed) (Total:7.51 GB) (Free:0.48 GB) NTFS

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online      3844 MB      0 B         
  Disk 1    Online      7687 MB      0 B         

Partitions of Disk 0:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3811 MB    32 KB
  Partition 2    Unknown             32 MB  3812 MB
===================================================================
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status
  ----------  ---  -----------  -----  ----------  -------  ------
* Volume 0     C   Local Disk   NTFS   Partition   3811 MB  Healthy
===================================================================
Disk: 0
Partition 2
Type  : EF
Hidden: Yes
Active: No

There is no volume associated with this partition.
===================================================================

Partitions of Disk 1:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7687 MB    32 KB
===================================================================
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status
  ----------  ---  -----------  -----  ----------  -------  -------
* Volume 1     D   Local Disk   NTFS   Partition   7687 MB  Healthy            
===================================================================

NTFS supports Alternate Data Streams; a sort of metadata thing that can be used by malicious programs to hide data and such. These streams are not visible in Explorer or from the command line. I ran ADS Spy to check everything. A few entries in the IE "Favorites" folder giving information on the bookmark, but other than that, nothing.

 

So I get the feeling I've been on a ghost chase here. Again.

 

My main object of cursing though is the stuff Combofix did in the background. I've reinstalled Avast! on top of itself, and that works now. I've also installed UPHClean which seems to have sorted out the shutdown times. It's something to do with system processes running as the user so the registry can't be unloaded until the process has finished... or something like that.
Recreated the deleted links - it kept the StartUp menu "BTTray" (Bluetooth system tray tool) but got rid of StartUp menu "SuperHybridEngine" (system tray tool to adjust processor speed).
Firefox is now my default browser - no thank you Avast! I do not want Chrome.
There's probably some other stuff, but I'll see to that when I notice it.

I guess it is good to give the system a good examination once in a while. It is just a shame that the system isn't left completely intact (there ought to be a "don't touch unless you have to" option to Combofix) and that the various antivirus tools not agreeing. I'm going to go with a majority vote and say that McAfee may well be broken in some way. Either that, or the rootkit is excellent at hiding. However since rootkitremover found the problem instantly (didn't search), I remain somewhat suspicious that it isn't just flagging anomalies (like Combofix saying my replaced Notepad is "infected" - it probably has a hash of known versions of Notepad and anything that doesn't match is considered an infection; as opposed to actually looking to see if it is infected with anything).

Thus, I feel I can say Azumi is clean.

Azumi

 

So it just remains to say...

MERRY CHRISTMAS!
Happy Dongzhi!
Have a good Dies Natalis Solis Invicti!
Happy Yule, Malkh, and Saturnalia!
Merry Kwanzaa, Saint Sylvester's,
New Years Eve, Hogmanay...
Too late for Hanukkah so have a Happy Tu Bishvat!
Have a nice Guru Gobind Singh Gurpurab!
Yay Malanka!
Merry Newtonmas!
And, finally, Happy Ōmisoka! or 幸せ大晦日。

(phew!)

 

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺
 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

No comments yet... why not post one now?

Add a comment (v0.08) [help?] . . . try the comment feed!
Your name
Your email (optional)
Validation Are you real? Please type 08553 backwards.
Your comment
Calendar
«   December 2012   »
MonTueWedThuFriSatSun
     12
345678
101113141516
181920212223
26282930
31      

Japan - can you help?
Japanese Red Cross
日本 赤十字社

Earthquake relief donations have closed.

Read about the JRC
Make a general donation

Last 5 entries

List all b.log entries

Return to the site index

Search

Search Rick's b.log!

Etc...

Thank you:
  • Fred
  • Bernard
  • Michael
  • David

Last read at 22:37 on 2017/11/18.

QR code


Valid HTML 4.01 Transitional
Valid CSS
Valid RSS 2.0

 

© 2012 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.

 

Have you noticed the watermarks on pictures?
Next entry - 2012/12/25
Return to top of page