Rick's b.log - 2012/12/24
It is the 21st of November 2024 You are 3.145.75.238, pleased to meet you!

The world didn't end

Meh. The End Of The World was about as boring as Christmas telly.

Chasing ghosts

[TimeStamp: 20121224000257]

Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]
McAfee Labs.

Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...
 
Now Scanning...
    Malware Found --> ZeroAccess trojan detected!!!
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
    ZeroAccess trojan was cleaned successfully! 

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:
   1. Perform full scan with McAfee VirusScan product after reboot.


Press any key to exit.

At this point, panic, drag out the big guns. The system gets patted down with ComboFix, which does the following:

• Tells me Notepad.exe is infected (it isn't, I replaced it with NotePad+).
• Tells me the user MBR is not the same as the kernel MBR. This might be an indication of something, but given it is an SSD with some sort of (empty) EFI partition at the end, it might be down to that?
• Deletes a number of links and files bunged in C:\ for no good reason other than overzealous tidying.
• Resets loads of parameters (Firefox is no longer my default browser, for instance); in the process breaking stuff so the delay at shutdown between the icons clearing to backdrop and the "logging off" screen appearing can be measured in minutes (it ought to be nowt but a flicker).
• Broke Avast! - it still worked, but no spinny-ball UI.
• And it found no rootkit. Or anything of note.

Next step was MalwareBytes Anti-Rootkit. This marked two system files (the sound driver and something else) as being forgeries; and pointed out that two entirely innocuous Explorer configuration flags in the registry was evidence of a rootkit. I threw the "forged" files to VirusTotal which gave them both a clean bill of health. Ditto for the wbem stuff found by rootkitremover.

Next step was HitmanPro which scanned through my system querying a lot of stuff it shouldn't (like core VB5 components - never seen those before!?) and it said nothing was found; other than some tracking cookies in IE which wasn't a bother as I only use IE these days because YouTube's caption upload doesn't appear to work on Firefox 3.6.27...

Finally, the Kaspersky tdsskiller which is aware of stuff like ZeroAccess. Scanned, passed, nothing.

In addition, I have not noticed any unexpected behaviour - search redirects, unknown programs loading, and so on. The only oddity is every now and then (like once a week or so) I hear the duh-ding of a hardware device being removed. I think this is Bluetooth crashing - certainly nothing I actually use is affected, and this has happened for a long time, it's nothing new.

In addition, there are no unexpected programs holding ports open...

C:\>netstat -a -b -o

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Azumi:epmap            Azumi:0                LISTENING       1068
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  -- unknown component(s) --
  [svchost.exe]

  TCP    Azumi:microsoft-ds     Azumi:0                LISTENING       4
  [System]

  TCP    Azumi:1025             Azumi:0                LISTENING       172
  [alg.exe]

  TCP    Azumi:5152             Azumi:0                LISTENING       116
  [jqs.exe]

  TCP    Azumi:12025            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12080            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12110            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12119            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12143            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12465            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12563            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12993            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:12995            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:27275            Azumi:0                LISTENING       1672
  [AvastSvc.exe]

  TCP    Azumi:netbios-ssn      Azumi:0                LISTENING       4
  [System]

  TCP    Azumi:1028             r-054-044-234-077.avast.com:http  ESTABLISHED
  1672
  [AvastSvc.exe]

  TCP    Azumi:1047             149.7.241.116:http     TIME_WAIT       0
  UDP    Azumi:microsoft-ds     *:*                                    4
  [System]

  UDP    Azumi:ntp              *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Azumi:ntp              *:*                                    1128
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Azumi:netbios-dgm      *:*                                    4
  [System]

  UDP    Azumi:netbios-ns       *:*                                    4
  [System]

Continuing... ListParts does not show any hidden rootkit partition:

======================= Partitions =========================
1 Drive c: (Local Disk) (Fixed) (Total:3.72 GB) (Free:0.12 GB) NTFS
  ==>[Drive with boot components (Windows XP)]
2 Drive d: (Local Disk) (Fixed) (Total:7.51 GB) (Free:0.48 GB) NTFS

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online      3844 MB      0 B         
  Disk 1    Online      7687 MB      0 B         

Partitions of Disk 0:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3811 MB    32 KB
  Partition 2    Unknown             32 MB  3812 MB
===================================================================
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status
  ----------  ---  -----------  -----  ----------  -------  ------
* Volume 0     C   Local Disk   NTFS   Partition   3811 MB  Healthy
===================================================================
Disk: 0
Partition 2
Type  : EF
Hidden: Yes
Active: No

There is no volume associated with this partition.
===================================================================

Partitions of Disk 1:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7687 MB    32 KB
===================================================================
Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status
  ----------  ---  -----------  -----  ----------  -------  -------
* Volume 1     D   Local Disk   NTFS   Partition   7687 MB  Healthy            
===================================================================

NTFS supports Alternate Data Streams; a sort of metadata thing that can be used by malicious programs to hide data and such. These streams are not visible in Explorer or from the command line. I ran ADS Spy to check everything. A few entries in the IE "Favorites" folder giving information on the bookmark, but other than that, nothing.

So I get the feeling I've been on a ghost chase here. Again.

My main object of cursing though is the stuff Combofix did in the background. I've reinstalled Avast! on top of itself, and that works now. I've also installed UPHClean which seems to have sorted out the shutdown times. It's something to do with system processes running as the user so the registry can't be unloaded until the process has finished... or something like that.
Recreated the deleted links - it kept the StartUp menu "BTTray" (Bluetooth system tray tool) but got rid of StartUp menu "SuperHybridEngine" (system tray tool to adjust processor speed).
Firefox is now my default browser - no thank you Avast! I do not want Chrome.
There's probably some other stuff, but I'll see to that when I notice it.

I guess it is good to give the system a good examination once in a while. It is just a shame that the system isn't left completely intact (there ought to be a "don't touch unless you have to" option to Combofix) and that the various antivirus tools not agreeing. I'm going to go with a majority vote and say that McAfee may well be broken in some way. Either that, or the rootkit is excellent at hiding. However since rootkitremover found the problem instantly (didn't search), I remain somewhat suspicious that it isn't just flagging anomalies (like Combofix saying my replaced Notepad is "infected" - it probably has a hash of known versions of Notepad and anything that doesn't match is considered an infection; as opposed to actually looking to see if it is infected with anything).

Thus, I feel I can say Azumi is clean.

So it just remains to say...

Your comments:

No comments yet...