Topic: What can safely be fixed?


December 23, 2019, 02:39:10 PM

Satchfan

I have a user whose PC is heavily infected and before dealing with locked files and fixes using FRST, I'd like to know what to do with these - is it safe to 'fix' them?

Quote
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Proc.Svchost (Malicious)] svchost.exe (3980) -- C:\Windows\SysWOW64\svchost.exe -> Found
[Proc.Svchost (Malicious)] svchost.exe (3992) -- C:\Windows\SysWOW64\svchost.exe -> Found
[Proc.Svchost (Malicious)] svchost.exe (2332) -- C:\Windows\SysWOW64\svchost.exe -> Found
[Proc.Svchost (Malicious)] svchost.exe (9800) -- C:\Windows\SysWOW64\svchost.exe -> Found
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Hidden.From.Registry (Malicious)] Msfs (0) -- N/A -> Found
[Hidden.From.Registry (Malicious)] mshidkmdf (0) -- \SystemRoot\System32\drivers\mshidkmdf.sys -> Found
[Hidden.From.Registry (Malicious)] mshidumdf (0) -- \SystemRoot\System32\drivers\mshidumdf.sys -> Found
[Hidden.From.Registry (Malicious)] MSKSSRV (0) -- \SystemRoot\System32\drivers\MSKSSRV.sys -> Found
[Hidden.From.Registry (Malicious)] msiserver (0) -- C:\WINDOWS\system32\msiexec.exe /V -> Found

Satchfan

Reply #1, December 23, 2019, 04:38:17 PM

Curson

Hi Satchfan,

At first sight, these look like legit Windows files.
Could you please ask the user to export the full RogueKiller JSON scan report and attach it to your next reply? A link to the disinfection thread will also be useful.

EDIT: An Adlice Diag full log could also prove to be helpful.

Regards.
« Last Edit: December 23, 2019, 05:01:03 PM by Curson »

Reply #2, December 23, 2019, 05:44:30 PM

Satchfan

Will do when I hear from them.

Reply #3, December 23, 2019, 11:32:55 PM

Satchfan


Reply #4, December 25, 2019, 09:54:19 AM

Satchfan

I asked them to run a cmd command as follows:

RogueKillerCMD.exe -scan -params "-reportpath """C:\report.json""""

It didn't work. Please see the topic.


Reply #5, December 26, 2019, 01:40:18 AM

Curson

Hi Satchfan,

Thanks for your feedback.
RogueKillerCMD cannot be used like that anymore. We haven't had the time to update the documentation yet, sorry about that.

The best way is to directly use RogueKiller with this method to export the JSON log.
After opening the last report, it's possible to export it into JSON using the "Export" button > "Json file".

Additionally, I read the FRST log and I think it's possible that the rootkit is messing with the enumeration of some driver keys, so it might not be safe to delete these files:
[Hidden.From.Registry (Malicious)] mshidkmdf (0) -- \SystemRoot\System32\drivers\mshidkmdf.sys -> Found
[Hidden.From.Registry (Malicious)] mshidumdf (0) -- \SystemRoot\System32\drivers\mshidumdf.sys -> Found
[Hidden.From.Registry (Malicious)] MSKSSRV (0) -- \SystemRoot\System32\drivers\MSKSSRV.sys -> Found
[Hidden.From.Registry (Malicious)] msiserver (0) -- C:\WINDOWS\system32\msiexec.exe /V -> Found

I recommend zipping them from recovery using FRST and analysing them manually.
By the way, is this infection common? I asked my colleagues at Adlice and they hadn't heard of it.

Regards.

Reply #6, December 26, 2019, 12:54:36 PM

Satchfan

Thanks for the information.

It doesn't appear to be a SmartService infection, which was my first thought, but a Baidu Cloud infection.

I haven't come across anything quite as bad as this but this topic also had a similar one:

https://www.bleepingcomputer.com/forums/t/633736/some-unknown-program-is-trying-to-change-my-homepage-some-pop-up-ads/

I've asked for the json log and will post here when I get it.

Reply #7, December 27, 2019, 06:35:06 AM

Curson

Hi Satchfan,

Thanks for the feedback.
This is a really curious infection because, even when the rootkit driver cannot be removed from Normal Mode, RogueKiller is able to detect it and that's not the case here.

Regards.

Reply #8, December 28, 2019, 10:01:49 PM

Satchfan

Haven't got a clue if this is the report you wanted but this is what the OP sent:

https://forums.whatthetech.com/index.php?showtopic=132142&view=findpost&p=889977

The FRST log I asked for was incomplete and I have asked for the whole log. I'll let you know the outcome.

Reply #9, December 29, 2019, 01:38:01 AM

Curson

Hi Satchfan,

Yes, this is the JSON report, but incomplete as well.

Regards.

Reply #10, December 29, 2019, 03:44:46 PM

Satchfan

OP has sent another JSON which is all gobbledygook to me. Too long to post but the reply is here:

https://forums.whatthetech.com/index.php?showtopic=132142&view=findpost&p=889986

Thanks

Nina

Reply #11, December 30, 2019, 09:37:53 PM

Curson

Hi Nina,

The interesting part is here:
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "Msfs",
"name_process": "",
"target": "",
"pid": 0,
"path_process": "",
"path": "",
"file_md5": "",
"file_sha256": "",
"file_exists": false,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 6
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "mshidkmdf",
"name_process": "",
"target": "C:\\Windows\\System32\\drivers\\mshidkmdf.sys",
"pid": 0,
"path_process": "",
"path": "\\SystemRoot\\System32\\drivers\\mshidkmdf.sys",
"file_md5": "22813FD068277CC4994CB3FB5547AA23",
"file_sha256": "AA5FCFEE8161EA12ED65FAB5A662EE3BFF5B7D725DEFF081FCB45C534FAC976A",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 7
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "mshidumdf",
"name_process": "",
"target": "C:\\Windows\\System32\\drivers\\mshidumdf.sys",
"pid": 0,
"path_process": "",
"path": "\\SystemRoot\\System32\\drivers\\mshidumdf.sys",
"file_md5": "ED11DC4C201FF6C06F171E18B379B589",
"file_sha256": "37E1901ECF54A22D016B844B68847B3894EDCA7854D713C46951BD41684735BB",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 8
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "MSKSSRV",
"name_process": "",
"target": "C:\\Windows\\System32\\drivers\\mskssrv.sys",
"pid": 0,
"path_process": "",
"path": "\\SystemRoot\\System32\\drivers\\MSKSSRV.sys",
"file_md5": "E3B4680BAB18D0898E80C6E4FE05BF55",
"file_sha256": "2F215EB0122A796674123241D7F34849B4A77E9376A373968D5ADAFAB4D428B2",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 9
},
{
"scan_what": 0,
"scan_how": [1, 2, 3, 4, 8, 6, 5, 7],
"vendors": ["Hidden.From.Registry"],
"name": "msiserver",
"name_process": "",
"target": "C:\\Windows\\System32\\msiexec.exe",
"pid": 0,
"path_process": "",
"path": "C:\\WINDOWS\\system32\\msiexec.exe /V",
"file_md5": "2D9F692E71D9985F1C6237F063F6FE76",
"file_sha256": "199B3890D28A1F5906F4014E73615A268B3C4414F1F71697BF13E0D464258D54",
"file_exists": true,
"file_signed": false,
"file_signer": "",
"file_vtscore": -1,
"file_vttotal": 0,
"is_malicious": true,
"detection_level": 2,
"status_str": "Found",
"status_choice": 2,
"status_kill": 0,
"malpe_score": -1.0,
"id": 10
}

According to the hashes reported by RogueKiller and after submitting them to VirusTotal, these files are legit.
It may be a bug with RogueKiller or, like I said earlier, the rootkit is messing with the file enumeration functions. In any case, it could be interesting to see if those detections are still present after the rootkit removal.

I will follow the thread at whatthetech with great interest.

Regards.
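
The check made in the reply above (look up each flagged entry's hash before deciding whether it may be fixed), written out as an added example; it is not part of the original thread and not RogueKiller's own tooling. Field names are taken from the posted report; `example_drv`, its all-zero hash and the `VERIFIED_LEGIT` set are constructed assumptions.

```python
import json

# Fragment in the shape posted above: comma-separated objects without the
# enclosing array. Fields are trimmed; the third entry is constructed.
FRAGMENT = r'''
{"vendors": ["Hidden.From.Registry"], "name": "Msfs", "path": "",
 "file_sha256": "", "file_exists": false, "file_signed": false},
{"vendors": ["Hidden.From.Registry"], "name": "mshidkmdf",
 "path": "\\SystemRoot\\System32\\drivers\\mshidkmdf.sys",
 "file_sha256": "AA5FCFEE8161EA12ED65FAB5A662EE3BFF5B7D725DEFF081FCB45C534FAC976A",
 "file_exists": true, "file_signed": false},
{"vendors": ["Hidden.From.Registry"], "name": "example_drv",
 "path": "\\SystemRoot\\System32\\drivers\\example_drv.sys",
 "file_sha256": "0000000000000000000000000000000000000000000000000000000000000000",
 "file_exists": true, "file_signed": false}
'''

# Hashes the analyst has confirmed as legitimate through an external lookup
# (the reply used VirusTotal); this set is an input, not a built-in list.
VERIFIED_LEGIT = {"AA5FCFEE8161EA12ED65FAB5A662EE3BFF5B7D725DEFF081FCB45C534FAC976A"}

def parse_fragment(text):
    """Accept a full JSON array or a bare comma-separated run of objects."""
    text = text.strip().rstrip(",")
    if not text.startswith("["):
        text = "[" + text + "]"
    return json.loads(text)

def triage(entries, verified_legit):
    """Map each detection name to 'no-file', 'keep' or 'collect'."""
    verified = {h.upper() for h in verified_legit}
    decisions = {}
    for e in entries:
        sha = e.get("file_sha256", "").upper()
        if not e.get("file_exists") or not sha:
            decisions[e["name"]] = "no-file"   # nothing on disk to hash; recheck after cleanup
        elif sha in verified:
            decisions[e["name"]] = "keep"      # verified legitimate, do not delete
        else:
            decisions[e["name"]] = "collect"   # archive and analyse before any fix
    return decisions

if __name__ == "__main__":
    for name, decision in triage(parse_fragment(FRAGMENT), VERIFIED_LEGIT).items():
        print(f"{name:12} {decision}")
```

Hashes taken on a live system reflect what an active rootkit lets the scanner read, so the same comparison is worth repeating on copies collected from the recovery environment.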

Reply #12, December 31, 2019, 10:47:15 AM

Satchfan

Thanks for the reply and your help so far. I'll see how it pans out.

As this is not a SmartService infection and the OP is having trouble with the RE, I may try MBAR to deal with the rootkit and take it from there.

Nina


Reply #13, January 01, 2020, 06:26:58 AM

Curson

Hi Nina,

You are very welcome.
MBAR may work. At least, the RogueKiller driver wasn't unable to load. With a little luck, it will be the same with the MBAR driver.

Regards.

Reply #14, January 06, 2020, 05:40:42 PM

Curson

Hi Nina,

I just saw that MBAR was able to detect and delete the rootkit successfully. Could you please ask the user to upload this file from the MBAR quarantine?
Quote
c:\windows\system32\msdd0c5c30app.dll (Trojan.Crypt) -> Delete on reboot. [d5ced26c0fc7e6503f612d3009f8b64a]

It will be very interesting for us to analyse it so we can improve RogueKiller's detection efficiency for this particular malware.

Regards.