Any idea if this is a rootkit (TDSS or ZeroAccess)?

iladelf

Hey all,

Dealing with what I believe to be a rootkit, but can't figure out what specifically it is. What's been done so far (32-bit Windows XP Home machine):

1. TDSSKiller; initial scans showed "No threats", but under found said "1 threat". Clicking "Details" showed "Supicious---\Device\Hardisk 0\DR0 (TDSS File System). Had to check all options for 2 threats to show, which included the above and "PXHelp20" Service. I deleted these both and rebooted; subsequent scans with TDSSKiller showed clean.

2. GMER, however, showed the following:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-19 00:11:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e rev.
Running: T5I9SbfA.com; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxxdrpob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ComcastSecureBackupShare.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
Naturally, I didn't like this, but had no idea what the heck it meant, so I ran aswMBR, which said the following:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-18 22:17:16
-----------------------------
22:17:16.203 OS Version: Windows 5.1.2600 Service Pack 3
22:17:16.203 Number of processors: 1 586 0x401
22:17:16.203 ComputerName: OWNER-361108A6C UserName: Owner
22:17:16.453 Initialize success
22:17:31.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
22:17:31.156 Disk 0 Vendor: Size: 0MB BusType: 0
22:17:31.156 Disk 1 \Device\Harddisk1\DR3 -> \Device\00000060
22:17:31.156 Disk 1 Vendor: Size: 0MB BusType: 0
22:17:33.171 Disk 0 MBR read successfully
22:17:33.171 Disk 0 MBR scan
22:17:33.171 Disk 0 Windows XP default MBR code
22:17:33.171 Disk 0 MBR hidden
22:17:33.218 Disk 0 scanning C:\WINDOWS\system32\drivers
22:17:38.328 Service scanning
22:17:39.203 Modules scanning
22:17:43.421 Disk 0 trace - called modules:
22:17:43.453 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
22:17:43.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86584ab8]
22:17:43.453 3 CLASSPNP.SYS[f7630fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8657bb00]
22:17:43.453 Scan finished successfully
22:18:12.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
22:18:12.171 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
So, from this, I couldn't tell if the two programs were telling me CLASSPNP.SYS is infected, so I thought I'd just boot into a Windows XP CD and run FIXMBR and FIXBOOT. However, the two disks I ran went straight to the partition listings without giving me an option for repair or the Recovery Console, and weirdly showed a C and an H partition that were identical in partition size, but not in size used (the H partition shows up as I: New Volume---free and used space of 74.4 in Windows---the drive is a 160GB Hitachi, and nothing shows on the I volume but a "Recycler" folder). So...

I booted the Windows Recovery Console on the existing partition, ran FIXMBR then FIXBOOT and...everything still looks the same to GMER and aswMBR. So now I'm stumped. Any ideas?


Customer's initial issue was that AVG Internet Security 2011 suddenly disappeared on her (not in Program Files, systray or Add/Remove), but after seeing the uninstall tool for AVG suddenly stop after execution, I was starting to suspect other issues, ergo how I've gotten to this point.

BTW, Combofix found several items, but nothing rootkit-wise. Here's the partial file. Look forward to everyone's thoughts. One other note: the DVD-RW is not working either, with a Code 19 error in the Device Manager. Leads me to believe possible ATAPI.SYS infection, but not sure.

ComboFix 11-10-18.04 - Owner 10/18/2011 21:31:24.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.596 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\D7\3rd Party Tools\cf8675309.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Favorites\.url
c:\documents and settings\Owner\WINDOWS
c:\program files\CouponAlert_2p
c:\program files\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST
c:\program files\CouponAlert_2p\bar\1.bin\INSTALL.RDF
c:\program files\CouponAlert_2p\bar\1.bin\LOGO.BMP
c:\program files\CouponAlert_2pEI
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
c:\windows\system32\d3d9caps.dat
.
---- Previous Run -------
.
c:\documents and settings\Owner\WINDOWS
c:\program files\Search Toolbar
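The partition-table oddity in the post above (two partitions identical in size, a sector 00 that GMER flags, and the MBR.dat that aswMBR saved to the desktop) can be examined offline from that saved sector. The following is an added example, not code from the original post or from any of the tools named: it parses a 512-byte MBR, hashes the boot-code region so it can be compared with a hash recorded from a known-clean XP machine (no such reference hash is given here), and flags partition entries that are exactly the same size or, going beyond the post, that overlap on disk. The MBR bytes it builds are constructed sample data.

```python
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(entries):
    """Constructed sample MBR: zeroed boot code, the given partition entries, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Parse one raw sector, e.g. the MBR.dat written by aswMBR, into boot-code hash plus partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    # Hash only the boot-code region; compare it with a hash you recorded from a known-clean XP install
    return {"bootcode_md5": hashlib.md5(mbr[:446]).hexdigest(), "partitions": parts}


def find_anomalies(parsed):
    """Flag entry pairs that overlap on disk or that are exactly the same size (what the poster saw as C: and H:)."""
    findings = []
    parts = parsed["partitions"]
    for a in parts:
        for b in parts:
            if a["index"] >= b["index"]:
                continue
            a_end, b_end = a["lba_start"] + a["sectors"], b["lba_start"] + b["sectors"]
            if a["lba_start"] < b_end and b["lba_start"] < a_end:
                findings.append("overlap: entries %d and %d" % (a["index"], b["index"]))
            if a["sectors"] == b["sectors"]:
                findings.append("identical size: entries %d and %d (%d sectors)"
                                % (a["index"], b["index"], a["sectors"]))
    return findings


def load_mbr_file(path):
    """Read the first sector of a saved dump such as MBR.dat and parse it."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR))
```

A boot-code hash that differs from your clean reference while aswMBR still reports "default MBR code" is worth a second look, since the tool checks against its own signature set, not yours.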
 
I'll have a deeper look later on but sounds initially like something could be putting the MBR code back in there upon reboot.

Search for unsigned drivers with sigverif.
Run D7 and look for shell hijacks, ADS (quick scan should do it) and the usual suspects. Shell hijacks seem to have made a comeback for me recently.
 
Sounds like you have or had an infected MBR which would imply there should be infected drivers or other files related to the infection.

I'd have a scan with some other tools like Hitman, MBAM and straight AV apps like MSE and so on to see if any other information is forthcoming because if the MBR is infected then you'd expect there to be related files too. Odd that Combofix wouldn't find them though.

I'm not familiar with aswMBR so not sure what that log is saying to be honest.
 
Odd. I'd say reboot once more, then run MBRCheck to see if it reports default MBR code. Then run antizeroaccess just to be certain no fragments of that fast-evolving rootkit are still present.

I think I'd follow it up with an OTL analysis or something else similar also just to be certain nothing else is hiding. You may wish to have OTL calculate MD5 hashes for all system drivers. The following custom scan would reveal much information to parse:

Code:
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
*.sys
/md5stop

Even if you aren't 100% sure what you're looking at, it'll reveal useful MD5 hashes you can Google to check up on the integrity of the critical drivers.
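As an added example (not OTL's own code and not from anyone in the thread), the /md5start ... *.sys ... /md5stop step of the custom scan above can be reproduced and taken one step further: hash every *.sys in a driver directory and diff the result against a baseline recorded from a known-clean machine, so a silently replaced driver such as atapi.sys shows up as "changed" instead of as one more hash to look up by hand. The driver directory and its contents below are constructed sample files; on a real machine you would point hash_drivers at %systemroot%\system32\drivers.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="md5"):
    """Hash one file in chunks; md5 matches what OTL reports, sha256 is the better choice for a fresh baseline."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_drivers(driver_dir, algo="md5"):
    """Return {name: digest} for every *.sys in driver_dir; names are lower-cased because NTFS is case-insensitive."""
    return {p.name.lower(): hash_file(p, algo) for p in Path(driver_dir).glob("*.sys")}


def compare_to_baseline(current, baseline):
    """Sort drivers into changed / new / missing / unchanged relative to a known-clean baseline."""
    report = {"changed": [], "new": [], "missing": [], "unchanged": []}
    for name, digest in current.items():
        if name not in baseline:
            report["new"].append(name)
        elif baseline[name] != digest:
            report["changed"].append(name)
        else:
            report["unchanged"].append(name)
    report["missing"] = list(set(baseline) - set(current))
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: record a baseline, then tamper with atapi.sys, add an unknown driver, delete disk.sys."""
    with tempfile.TemporaryDirectory() as d:
        drivers = Path(d)
        for name in ("atapi.sys", "classpnp.sys", "disk.sys"):
            (drivers / name).write_bytes(b"MZ clean sample driver: " + name.encode())
        baseline = hash_drivers(drivers)  # this is what you would save from the clean machine
        (drivers / "atapi.sys").write_bytes(b"MZ clean sample driver: atapi.sys" + b"\x90" * 16)
        (drivers / "unknown1.sys").write_bytes(b"MZ constructed unknown driver")
        (drivers / "disk.sys").unlink()
        return compare_to_baseline(hash_drivers(drivers), baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Anything in "changed" or "new" is what you would then look up by hash or feed to sigverif; a driver that reads back with a different hash from what is on disk when the rootkit is active is the case the /lockedfiles switches in the scan above are meant to catch.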
 
Well, we can mark this as SOLVED!!! After digging around all over the place with several utilities, I saw something bizarre in Autoruns, called GuardedID. Apparently, it's a "keystroke-stealing" software protector that Comcast is foisting onto folks. I noticed it in Winlogon and other locations in Autoruns, so I decided to disable it and reboot, which created a Device Manager error for the keyboard (Code 32), and when I'd try to use the keyboard, the machine would lock up! A-HA!, I said...re-enabled all of it through Autoruns via mouse after reboot, and lo and behold, the keyboard error was gone from the Device Manager. YES!!! I looked at the drivers for the keyboard and, sure enough, a dratted file for GuardedID was tagging along in there from the system32 folder. So, after uninstalling it with customer approval...BAM!, no rootkit activity showing in GMER, and MBRCheck was finally able to run (a service had been blocking it---gee, ya think it was the GuardedID file?), which showed a clean MBR.

Stick a fork in it, it's done! I'm exhausted, but finally kicked it in the hind quarters. Who would have thunk it?
 
Nice one, thanks for the info as well. :)
 
Good result, it's really satisfying when that hard work pays off :D

thanks for the info :)
 
Wow... I'm shocked at what these companies can get away with!
I would call them to explain I had removed their crappy software and move to another provider.
 
Whoops! Didn't realize there had been an earlier post regarding this...

Hi, I wasn't having a go at you, :eek: just highlighting the many ways that "quality software" can jerk you around. A million years ago MS Access used to fail to start due to a "no licence on the machine" error and the solution was to delete the Haettenschweiler font :confused: Go figure. I know that you don't know what you don't know, but why should you need to know that?
 