It is the 1746th of March 2020 (aka the 10th of December 2024)
You are 18.97.9.171,
pleased to meet you!
mailto:blog-at-heyrick-dot-eu
The world didn't end
Bugger.
Now I have nothing planned for the holidays. I was going to kick back and enjoy the apocalypse with a bowl of popcorn.
Meh. The End Of The World was about as boring as Christmas telly.
Chasing ghosts
So I'm looking at my Event logs and I see something is playing with the Windows Firewall. Looking it up, this is common behaviour for a rootkit. So I give my computer a scan with Avast!. Nothing found.
I recall TDSS so I looked out a little command-line thingy from McAfee called "rootkitremover". It said:
[TimeStamp: 20121224000257]
Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
McAfee Labs.
Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...
Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
ZeroAccess trojan was cleaned successfully!
Scan Finished
PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.
Other recommendations:
1. Perform full scan with McAfee VirusScan product after reboot.
Press any key to exit.
Reboot, rescan, same thing.
At this point, panic, drag out the big guns. The system gets patted down with ComboFix, which does the following:
Tells me Notepad.exe is infected (it isn't, I replaced it with NotePad+).
Tells me the user MBR is not the same as the kernel MBR. This might be an indication of something, but given it is an SSD with some sort of (empty) EFI partition at the end, it might be down to that?
Deletes a number of links and files bunged in C:\ for no good reason other than overzealous tidying.
Resets loads of parameters (Firefox is no longer my default browser, for instance); in the process breaking stuff so the delay at shutdown between the icons clearing to backdrop and the "logging off" screen appearing can be measured in minutes (it ought to be nowt but a flicker).
Broke Avast! - it still worked, but no spinny-ball UI.
And it found no rootkit. Or anything of note.
Next step was MalwareBytes Anti-Rootkit. This marked two system files (the sound driver and something else) as being forgeries; and pointed out that two entirely innocuous Explorer configuration flags in the registry was evidence of a rootkit. I threw the "forged" files to VirusTotal which gave them both a clean bill of health. Ditto for the wbem stuff found by rootkitremover.
Next step was HitmanPro which scanned through my system querying a lot of stuff it shouldn't (like core VB5 components - never seen those before!?) and it said nothing was found; other than some tracking cookies in IE which wasn't a bother as I only use IE these days because YouTube's caption upload doesn't appear to work on Firefox 3.6.27...
Finally, the Kaspersky tdsskiller which is aware of stuff like ZeroAccess. Scanned, passed, nothing.
In addition, I have not noticed any unexpected behaviour - search redirects, unknown programs loading, and so on. The only oddity is every now and then (like once a week or so) I hear the duh-ding of a hardware device being removed. I think this is Bluetooth crashing - certainly nothing I actually use is affected, and this has happened for a long time, it's nothing new.
In addition, there are no unexpected programs holding ports open...
"alg.exe" is Microsoft's Application Layer Gateway, necessary for networking. "jqs.exe" is Java Quick Starter. I ought to turn that off. The rest is internal stuff or Avast!.
Continuing... ListParts does not show any hidden rootkit partition:
======================= Partitions =========================
1 Drive c: (Local Disk) (Fixed) (Total:3.72 GB) (Free:0.12 GB) NTFS
==>[Drive with boot components (Windows XP)]
2 Drive d: (Local Disk) (Fixed) (Total:7.51 GB) (Free:0.48 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 3844 MB 0 B
Disk 1 Online 7687 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3811 MB 32 KB
Partition 2 Unknown 32 MB 3812 MB
===================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status
---------- --- ----------- ----- ---------- ------- ------
* Volume 0 C Local Disk NTFS Partition 3811 MB Healthy
===================================================================
Disk: 0
Partition 2
Type : EF
Hidden: Yes
Active: No
There is no volume associated with this partition.
===================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7687 MB 32 KB
===================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status
---------- --- ----------- ----- ---------- ------- -------
* Volume 1 D Local Disk NTFS Partition 7687 MB Healthy
===================================================================
NTFS supports Alternate Data Streams; a sort of metadata thing that can be used by malicious programs to hide data and such. These streams are not visible in Explorer or from the command line. I ran ADS Spy to check everything. A few entries in the IE "Favorites" folder giving information on the bookmark, but other than that, nothing.
So I get the feeling I've been on a ghost chase here. Again.
My main object of cursing though is the stuff Combofix did in the background. I've reinstalled Avast! on top of itself, and that works now. I've also installed UPHClean which seems to have sorted out the shutdown times. It's something to do with system processes running as the user so the registry can't be unloaded until the process has finished... or something like that.
Recreated the deleted links - it kept the StartUp menu "BTTray" (Bluetooth system tray tool) but got rid of StartUp menu "SuperHybridEngine" (system tray tool to adjust processor speed).
Firefox is now my default browser - no thank you Avast! I do not want Chrome.
There's probably some other stuff, but I'll see to that when I notice it.
I guess it is good to give the system a good examination once in a while. It is just a shame that the system isn't left completely intact (there ought to be a "don't touch unless you have to" option to Combofix) and that the various antivirus tools not agreeing. I'm going to go with a majority vote and say that McAfee may well be broken in some way. Either that, or the rootkit is excellent at hiding. However since rootkitremover found the problem instantly (didn't search), I remain somewhat suspicious that it isn't just flagging anomalies (like Combofix saying my replaced Notepad is "infected" - it probably has a hash of known versions of Notepad and anything that doesn't match is considered an infection; as opposed to actually looking to see if it is infected with anything).
Thus, I feel I can say Azumi is clean.
So it just remains to say...
MERRY CHRISTMAS!
Happy Dongzhi!
Have a good Dies Natalis Solis Invicti!
Happy Yule, Malkh, and Saturnalia!
Merry Kwanzaa, Saint Sylvester's,
New Years Eve, Hogmanay... Too late for Hanukkah so have a Happy Tu Bishvat!
Have a nice Guru Gobind Singh Gurpurab!
Yay Malanka!
Merry Newtonmas! And, finally, Happy Ōmisoka! or 幸せ大晦日。
(phew!)
Your comments:
Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.