Do we have a new rootkit in the field?

coffee

I received a laptop from a customer of mine and ran Avast and the Kaspersky boot disk (antivirus) and found nothing. I also booted normally and ran TDSSKiller and it didn't find anything. But I couldn't run anything in Control Panel and the laptop would soon lock up with the spinning Windows cursor. I ruled out hardware as a problem and also ran a chkdsk and SFC and they came back clean.

boot partition - 100 MB
2nd partition - restore (Dell)
3rd partition - Windows (only about 30 gigs???)
4th partition - virtual - D: 4xx gigs.

Looking at the boot partition I was able to determine there was a rootkit basically installed. A lot of Chinese-type characters for folders/files. Not corruption as I first thought. I wiped the boot partition and recreated it. Then it would boot/login/no desktop, just a cursor. Couldn't do anything. I ended up N/P.

Nothing I ran on it discovered the rootkit. Here is a close-up pic from my cell phone, for curiosity's sake, of the boot partition readout:
[attached image: 20120523_190038.jpg]


Later yesterday I took in an older Dell desktop and it is experiencing the same type of symptoms.

Partitions on the desktop show up as:

boot partition - 39 megs
2nd par. - C: 52 gigs NTFS
3rd par. - D: 17 gigs - backup
4th par. - 4 gigs unallocated.

Admin has no rights to do stuff on the box. I don't know if this is important, but there is a startup program called Driver Detective that I cannot get rid of. It was in Add/Remove Programs and I also removed it with Revo Uninstaller, but it comes back every boot. So, there is a clue hopefully.

Just don't know what I'm dealing with here. This desktop computer is running XP.

Just finding this very interesting, as I have not run into this before yesterday. Now I have 2 with it??

Your thoughts are welcome,

Best Regards,

coffee

UPDATE: Running a program called RogueKiller on it right now. Found 3 things right off the bat. I guess it's probably not a new rootkit, but nothing else picked it up. I'll post more when it's done scanning.
 
I think I've heard Galdorf mention something like this, you may want to shoot him a PM. What's the feasibility of a nuke and pave?

Well, I can nuke and pave it, but I would like to investigate it. Oh, I made a mistake on this rogue program. Its name is DriverFinder.

I'm going to collect a bunch of info on it. It's just gonna make things easier in the future. I think I'll start seeing more of these.

I'll PM Galdorf. Thanks!

Best Regards,

coffee
 
Not corruption as I first thought.

That cell phone pic looks like master file table corruption to me. Do you know if the customer tried to "fix" it themselves before you got it?
 
That cell phone pic looks like master file table corruption to me. Do you know if the customer tried to "fix" it themselves before you got it?

They didn't. Seems that chkdsk would have found the corruption if it were, wouldn't it??? Perhaps a different language set instead?

So I ran this RogueKiller app and it quarantined some stuff in a folder on the desktop. These appear to be registry entries (??)

NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg
PhysicalDrive0_User.dat
PhysicalDrive1_User.dat
Security Center_UpdatesDisableNotify0.reg
System_EnableLUA0.reg

5 files in all. Properties shows: Windows registry extract.

NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001

The two .dat files are unreadable machine code.

System_EnableLUA0.reg:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

Security Center_UpdatesDisableNotify0.reg:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

Got rid of the DriverFinder program. Edited the registry and removed the DriverFinder.exe entry. Then cleaned out the app directory/shortcuts/menu items.
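As an added example (not code from the thread or from RogueKiller), the Python below parses .reg extracts like the ones quoted above and flags the values that weaken the machine's defences: UAC switched off, Security Center update warnings suppressed, and the Computer icon hidden from the desktop. The three extracts are reconstructed inline from the post, so it runs offline.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Map (key path, value name) -> int for every dword value in a .reg extract."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()          # registry paths are case-insensitive
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

# Expected value on a healthy install, and what the observed value means for a defender.
CV = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
EXPECTED = {
    (CV + "policies\\system", "enablelua"):
        (1, "UAC disabled: processes can elevate without a prompt"),
    ("hkey_local_machine\\software\\microsoft\\security center", "updatesdisablenotify"):
        (0, "Security Center no longer warns that updates are off"),
    (CV + "explorer\\hidedesktopicons\\newstartpanel", "{20d04fe0-3aea-1069-a2d8-08002b30309d}"):
        (0, "Computer icon hidden from the desktop (that GUID is the My Computer CLSID)"),
}

def audit(extracts):
    """Return (file, value name, observed, expected, note) for every value that deviates."""
    findings = []
    for fname, text in extracts.items():
        for ident, observed in parse_reg(text).items():
            if ident in EXPECTED and observed != EXPECTED[ident][0]:
                findings.append((fname, ident[1], observed, *EXPECTED[ident]))
    return findings

# Constructed sample input: the three extracts quoted in the thread.
SAMPLES = {
    "System_EnableLUA0.reg": (r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]" "\n"
                              r'"EnableLUA"=dword:00000000' "\n"),
    "Security Center_UpdatesDisableNotify0.reg": (r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]" "\n"
                                                  r'"UpdatesDisableNotify"=dword:00000001' "\n"),
    "NewStartPanel_{20D04FE0-3AEA-1069-A2D8-08002B30309D}0.reg": (
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]" "\n"
        r'"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001' "\n"),
}
```

Running `audit(SAMPLES)` reports all three files; a quarantine folder with other .reg extracts can be fed in the same way, and anything not in EXPECTED is simply ignored.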
 
Not sure if it's the same as what you're working on, but I've had two instances in the last few weeks where the PC had a rootkit which resided in a small partition at the end of the drive. Most of the scanners missed the boot kit; those that found it supposedly fixed it, but it was back on the next reboot.

I used Acronis Disk Director stand-alone to find the partition. Deleted it, rebuilt the boot partition, and then was able to do a successful boot and then proceeded with normal cleaning procedures.
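As an added example, not code from the thread or from Acronis Disk Director, the Python below parses a classic MBR partition table and flags the layout the reply above describes (a small, non-active partition at the very end of the disk), which is also the kind of oddity worth checking in the partition lists posted earlier in the thread. The 512-byte MBR is constructed inline and is not a real disk image.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a classic 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue                                  # unused slot
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "start": start, "end": start + count - 1,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return parts

def suspicious_tail_partitions(parts, max_mb=512):
    """Flag small, non-active partitions that sit at the very end of the disk,
    the layout the reply above describes for the hidden boot-kit partition."""
    if not parts:
        return []
    last_end = max(p["end"] for p in parts)
    return [p for p in parts
            if p["end"] == last_end and not p["active"] and p["size_mb"] <= max_mb]

def _entry(status, ptype, start, count):
    """Pack one 16-byte partition entry (CHS fields set to the usual 0xFEFFFF filler)."""
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)

# Constructed sample MBR: a 100 MB active boot partition, a ~465 GiB Windows
# partition, and a ~31 MB NTFS partition wedged after it at the end of the disk.
SAMPLE_MBR = (bytes(446)
              + _entry(0x80, 0x07, 2_048, 204_800)
              + _entry(0x00, 0x07, 206_848, 976_500_000)
              + _entry(0x00, 0x07, 976_708_864, 64_304)
              + bytes(16)                              # fourth slot unused
              + b"\x55\xaa")

if __name__ == "__main__":
    for p in suspicious_tail_partitions(parse_mbr(SAMPLE_MBR)):
        print(f"partition {p['index']}: type 0x{p['type']:02x}, {p['size_mb']} MB "
              f"at LBA {p['start']}-{p['end']} -- inspect it with a partition tool")
```

On a live machine the same 512 bytes are the first sector of the physical disk (for example \\.\PhysicalDrive0 on Windows, opened read-only as administrator, or /dev/sda on a Linux rescue disk). GPT disks carry only a protective MBR with a single 0xEE entry and need a GPT parser instead.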
 
There is a new version of ZeroAccess going around that was modified in China; nothing other than the newest ComboFix atm can find and remove it.
I have tried all major AV rescue disks; none find it. Even today Kaspersky still missed it.
 
There is a new version of ZeroAccess going around that was modified in China; nothing other than the newest ComboFix atm can find and remove it.
I have tried all major AV rescue disks; none find it. Even today Kaspersky still missed it.

I'm sure my trusty copy of DBAN will find and remove it....
 
Explains why I couldn't find it. Wish I had more time to try and find these things, but I have a one-day turnaround. So, if it's not removed via virus software it's a nuke and pave situation.

Thanks all. I have ComboFix now and a copy of D7. I'll even check into DBAN. One question on ComboFix: is there any advantage to running it in Safe Mode, or should it just be run in normal mode with most programs closed?

Best Regards,
coffee
 
Just my opinion, coffee, but I believe it's best if it runs in normal mode, IF you can get it to run there. That said, I don't think I ever remember seeing it fail to run in Safe Mode (memory could be short though).

What I would do... if it doesn't run in normal mode, run it in Safe Mode, let it finish after a reboot, then run it again in normal mode, in case it missed a few items during the Safe Mode run. That's what I do, anyway.

FYI, it doesn't matter what OS you use it on anymore, either. It used to bork Vista and 7 installs sometimes; haven't seen that in a very, very long time.
 
Explains why I couldn't find it. Wish I had more time to try and find these things, but I have a one-day turnaround. So, if it's not removed via virus software it's a nuke and pave situation.

Thanks all. I have ComboFix now and a copy of D7. I'll even check into DBAN. One question on ComboFix: is there any advantage to running it in Safe Mode, or should it just be run in normal mode with most programs closed?

Best Regards,
coffee

If you can find a copy of KillDisk, it is about 30% faster than DBAN.
 
Just want to thank everyone for all your help and advice.

Ok, I'll run it in normal mode. Interesting that there isn't much of a website for ComboFix. Normally you see documentation links, forum links, etc., but I didn't see too much.

In the morning I have an infection removal call. I will probably use it then. I did run it in a VM on Win7. Looks interesting and seems to run faster than an MBAM scan.

Best Regards,
coffee
 
There is a new version of ZeroAccess going around that was modified in China; nothing other than the newest ComboFix atm can find and remove it.
I have tried all major AV rescue disks; none find it. Even today Kaspersky still missed it.

Yeah, but that's true for all new viruses. Think about it: is there any virus out there that we can't remove once the virus guys get on it? Unless it destroys the contents of the drive, I have not seen any virus I couldn't clean with our existing tools. This new China virus will go through the process and it will be cleanable.
 
Yeah, but that's true for all new viruses. Think about it: is there any virus out there that we can't remove once the virus guys get on it? Unless it destroys the contents of the drive, I have not seen any virus I couldn't clean with our existing tools. This new China virus will go through the process and it will be cleanable.

couldn't resist :D

http://youtu.be/Hj-qhIGTXdU

We always get our man! :D
 