A Very Sophisticated Rootkit?

[I've recently posted, on other Norton Discussion Forums, here, about some computer and GHOST problems I'm having.

 

This all seems to be evolving into a rootkit issue that seems rather "unusual."

 

In addition to trying to determine if I have a rootkit problem --or not -- one of my main concerns is, "Why is this stuff happening to me so frequently?"  And, "How is it getting past NIS?".  {BTW, I also posted this on MS's RootkitRevealer Forum.}  Appreciate any thoughts.]

 

___________________________________________________

 

 

Been having problems with my computer for the last week or so (2004 Toshiba laptop, Win XP SP3, running NIS 2009 and GHOST 14).

[In fact, I've had some rather serious, "repair shop" (rootkit/virus, etc?) issues over the last year or so.  Feeling a bit "targeted," by someone, via the Web.]

 

Most recently, 25 July 2009, Saturday, about 7pm my time (US, MDT) -- while I was simply looking at a MySpace page (I don't do porno, crack-code, etc, sites, at all -- just "mainstream" stuff) -- the computer went dead -- screen blank/black, but the power button light was on.

[This was somewhat similar to an event, about 1-year ago, where I had to take the computer in for repair and a complete "restore"; several hundred bucks!  Fortunately, this time, it restarted (see below).]

Couldn't turn the power button off.  Had to unplug from the wall.  I restarted, and OK -- except GHOST now showed to be "at risk."  GHOST -- the main mode of recovering my computer, all of a sudden went on the fritz.  Also, it wouldn't do a "Recovery Point" save.

I posted all this to the Norton Forums, and someone suggested maybe it was a rootkit problem.  So, I tried various detectors.

Results were quite "suspicious" -- at least to me.  Ran SysProt and GMER (on suggestion from the Norton Forum).

SysProt crashed my system, immediately, upon selecting scan (later, it did it again, on selecting the "Kernel" tab).  In both cases, Windows said (on restart) "Windows has recovered from a serious error."  [I did Screen Shots of this and the details of the error messages -- seemed to have something to do with "Drivers"?]

GMER ran for 5.5 hours! and never finished (80GB HD, with only about 23GB used; 3.3GHz dual-core processor).

Results from RootkitRevealer (RKR) are particularly curious.


Ran RKR yesterday and it found 944 discrepancies!  That seems like a lot?  No other programs were running during the scan (AFAIK), and I was off-line (DSL modem OFF).

When I tried to save the log, it just froze.  Had to go to Task Manager to x-out.

Before doing that, I was at least able to get a screen shot of the first page (with a big area blanked out by the "freeze").

Mostly, what this (first page only) showed was, "Visible in Windows API, but not in MFT or directory index," on a list of System Volume Information\_restore (then a bunch of capital letters and numbers) discrepancies.

 

Then, a bunch of "Hidden from Windows API," and "Visible in Windows API, but not in MFT or directory index" (but not related to System Volume Information) discrepancies.

Also, got (1) "access is denied," [which the RKR write-up says, "RootkitRevealer should never report this discrepancy..."] (2) "Key name contains embedded nulls," and (1) "Data mismatch between Windows API and raw hive data."  Since these were the first things that came up in RKR, I did write these down.

"Access denied": HKLM\SYSTEM\Control Set001\Services\sptd\Cfg

"Key name contains embedded nulls":  (first one) HKLM\SECURITY\Policy\Secrets\SAC*
(second one) HKLM\SECURITY\Policy\Secrets\SAI*

["Secrets"???]

 

The last one ("Data mismatch...") was:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3475520BB5615DB4D88A73FD9B390041\Usage\Shared

OK, that's all strange, I thought.  So, I reran RKR today.  Only got 29 discrepancies?  BIG difference from 944!  Same "environment" as yesterday.

So, I'm thinking maybe a very sophisticated person implementing such a rootkit has a way to hide it even better after it has been scanned by RKR (and others, like SysProt/GMER, etc)?

Or (preferably), they deleted much of it, for fear of being "discovered"?

Would greatly appreciate any thoughts on all this.

 

[And, if you got this far in reading, thank you very much.]

 

Kind Regards,
Robby
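As an added example, not code from the original post or from RootkitRevealer itself, here is the cross-view comparison that RKR's discrepancy list is built on: one listing of the volume taken through the Windows API, one taken from the raw on-disk structures, and every path that appears in only one of them reported with the same wording RKR uses. The two views and the file names below are constructed (the driver name is invented, and a real scanner builds the raw view by parsing the MFT and directory indexes itself, which this skips). It also shows why a noisy first scan and a quiet second scan are not contradictory: restore-point and temp files created or deleted between the API pass and the raw pass appear as one-off discrepancies, while something genuinely filtered out of the API view reports identically on every scan of an idle machine. For what it is worth, the embedded-null key names under HKLM\SECURITY\Policy\Secrets and an access-denied result on the sptd\Cfg key (the SPTD driver installed by disc-emulation software) are routinely reported by RKR on XP machines and are not by themselves signs of a rootkit.

```python
"""Cross-view discrepancy check in the style RootkitRevealer reports.

Added example. The two "views" are constructed dictionaries; a real scanner
builds the raw view by parsing NTFS structures (MFT, directory indexes) itself.
"""
from dataclasses import dataclass

HIDDEN = "Hidden from Windows API"
API_ONLY = "Visible in Windows API, but not in MFT or directory index"

# Constructed: what a directory walk through the Windows API reports (path -> size).
API_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": 984_064,
    r"C:\WINDOWS\system32\ntoskrnl.exe": 2_150_400,
    r"C:\Documents and Settings\user\My Documents\report.txt": 120,
    # A restore-point file that existed when the API pass ran:
    r"C:\System Volume Information\_restore{EXAMPLE-GUID}\RP12\A0000001.exe": 4_096,
}

# Constructed: what a raw read of the MFT and directory indexes reports.
HIDDEN_DRIVER = r"C:\WINDOWS\system32\drivers\example_hidden.sys"  # invented name
RAW_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": 984_064,
    r"C:\WINDOWS\system32\ntoskrnl.exe": 2_150_400,
    r"C:\Documents and Settings\user\My Documents\report.txt": 120,
    HIDDEN_DRIVER: 12_288,  # on disk, but filtered out of the API view
    # System Restore wrote a new file between the API pass and the raw pass:
    r"C:\System Volume Information\_restore{EXAMPLE-GUID}\RP12\A0000002.exe": 8_192,
}

# A second, later scan of the same idle machine (constructed): the restore-point
# churn is gone, the hidden driver is still there.
API_VIEW_2 = {k: v for k, v in API_VIEW.items() if "_restore" not in k}
RAW_VIEW_2 = {**API_VIEW_2, HIDDEN_DRIVER: 12_288}

# Locations that change on their own while a scan runs; a discrepancy there is
# usually timing noise between the two passes rather than hiding.
VOLATILE_PREFIXES = (r"C:\System Volume Information\_restore", r"C:\WINDOWS\Temp")


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str             # HIDDEN or API_ONLY
    likely_transient: bool  # True when the path sits under a volatile prefix


def cross_view(api_view, raw_view, volatile=VOLATILE_PREFIXES):
    """Return every path present in only one of the two views, sorted by path."""
    found = []
    for path in sorted(set(api_view) | set(raw_view)):
        if path in api_view and path not in raw_view:
            kind = API_ONLY
        elif path in raw_view and path not in api_view:
            kind = HIDDEN
        else:
            continue  # present in both views: not a discrepancy
        found.append(Discrepancy(path, kind, path.startswith(volatile)))
    return found


def worth_investigating(discrepancies):
    """Entries that exist on disk, are missing from the API view, and are not
    under a location that legitimately churns during the scan."""
    return [d for d in discrepancies if d.kind == HIDDEN and not d.likely_transient]


def persistent(first_scan, second_scan):
    """Discrepancies reported identically by two scans of an otherwise idle system."""
    return sorted(set(first_scan) & set(second_scan), key=lambda d: d.path)


def main():
    first = cross_view(API_VIEW, RAW_VIEW)
    second = cross_view(API_VIEW_2, RAW_VIEW_2)
    print(f"scan 1: {len(first)} discrepancies, scan 2: {len(second)} discrepancies")
    for d in persistent(first, second):
        print(f"persistent: {d.kind}: {d.path}")
    for d in worth_investigating(first):
        print(f"investigate: {d.path}")


if __name__ == "__main__":
    main()
```

The filter in `worth_investigating` is deliberately narrow: a file that the API cannot see but the MFT contains is the classic rootkit signal, whereas "visible in API but not in MFT" under a restore-point folder is what a file deleted mid-scan looks like. The count of discrepancies on its own says little; the same non-transient path turning up on repeated scans is what deserves a closer look.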

 

Tks for reply, delphinium.

 

I got log/text files from SysProt, on the (2) times I tried it (both crashed) -- but these logs are empty.

 

On GMER, yes I got a log.  After the 5.5 hr run (that never finished).  Not sure how useful, but I'll Attach it.

 

[Maybe there are others, too.  But, I don't know exactly where to look -- could be somewhere in Doc's and Settings, as a default mode, etc?  I searched there, for "log" -- but didn't see anything that stood out.]

 

Didn't try SysProt in Safe Mode.  I could do that.  But... getting kinda concerned over the "serious error" it induces in Windows.  Done this twice already.

 

I'm running XP Home.

 

Don't think I need to run as Administrator?  I am that.  Only one using this computer.

 

The RKR logs are only Screen Shots -- "image" files -- in Word (.doc).  And the Forum here only allows Attachments of .txt and .log extensions.  So, I can't send those Screen Shots -- unless you know of another way?

 

I also ran Malwarebytes-Anti Malware.  It found 75 hits of "Adware" from SkyMediaPack (a *bunch* in the Registry, etc), and deleted those.  MWBAW did give me a log.  I'll Attach.  Also, ran F-Secure's Blacklight -- as well as Panda.  They found nothing (and no logs).

 

[BTW, if a rootkit detector program doesn't generate its own "random name," I'm changing the execute name to something "innocuous," before running.]

 

Going to try RKR in "command mode," today, to automatically generate a "report."  Also, going to try RootRepeal program.  I'll send those logs if I get 'em.

 

On the "memory and hard drive problem":  Brand new 80 GB (Main) HDD and new 1 GB memory (0.5 GB old memory still there, though).  Repair shop replaced those, last time this sort of thing happened (tho, that time, it *really* killed my computer -- before I had GHOST).  Maybe little over a year ago?  I'm not a very heavy user of computers -- and esp conscious of MTBF's, etc, on HDD's -- so would be surprised if these components had already gone bad.

______________________

 

Latest Status: GHOST won't do an "incremental" rp anymore (it did for awhile, couple of days ago -- after I'd uninstalled and reinstalled).

 

And Windows System Restore (SR) not working again, either.

 

[Wish I knew how NIS handles this SR thing.  When doing a SR point, and/or Restoring -- does NIS "Norton Product Tamper Protection" need to be OFF or ON?  Or... does it matter?  I've tried several combinations, but can't really tell.  Sometimes it works -- most times, not.]

_____________________

 

Again, *really* appreciate the help.  Kinda at my wits ends, here.

 

Kind Regards,

Robby

Robby:

 

With both GMER and SysProt, you will find safety blocks on them now that were not there before.

 

For both programs right click on the icon, go to properties, click Unblock and apply.  See if that helps.  

 

I also don't recommend posting more threads on related problems until we find out if you have a rootkit.  Nothing can be fixed until that is removed, if that is the problem.

OK, I right clicked on the .exe files, selected Properties and clicked unblock, apply.  [BTW, how did this "block" get there?  And, why?]

 

I'll re-run these and let you know how things go.

 

And, I agree -- "first things first."  No more posts on related items, until we find out what's going on.

 

Kind Regards,

Robby

I think it is a Microsoft update that sneaked in last week.  Who knew???  This problem has been driving us crazy.

I ran RootRepeal.  DSL modem OFF; no Screen Saver, etc; nothing else running AFAIK.

 

It ran OK (super fast -- about 15 minutes; small 80GB HDD w/about 24GB used).  Completed and gave me a log file.  I saved it and all the "detailed" ones, too.

 

The "overview" report is Attached.

___________________________

 

I also ran RootkitRevealer (RKR) again.  Same environment as above (No DSL, etc).

 

The scan ran about 1-hour.  A few items appeared in the on-screen-while-scanning report (about 4).  Then it went through all my C: drive files, past System Volume Information, Windows, etc.

 

Then, it did C:\bin.  Hung there a while, with no HDD activity.  Then some started.

 

Then the PROGRAM CRASHED -- with a MS Windows "report error message" popping up.

 

I turned on my DSL modem and sent the error report (but, stupidly, I forgot to look at -- and Screen Shot -- the "details" of the error report). Duh!

____________________________

 

Dunno.  Seems strange.

 

Appreciate any help.

 

Kind Regards,

Robby

 

 

Robby:

 

RootkitRevealer didn't.  Can you try the SysProt, please.

I found a small Log file for my RKR scan that crashed (posted just above).  It has the (4) events logged onto the on-screen reporting, before it crashed.

 

Here it is Attached.

 

Kind Regards,

Robby

Robby:

 

I hate to nag.  A SysProt, please.

Getting late here, my time.  If I run it, and it crashes my System (likely?) -- I'll lie awake all night long worrying about it.  [Yeah, I'm a tad compulsive -- engineer, and all that, etc.]

 

But, if you think "time is of the essence," I'll do it right now.  Lemme know.  I'll be up for about another hour, or so.

 

Kind Regards,

Robby

OK, I went ahead and ran SysProt.

 

It crashed my System, just like before.  Same "serious error" message, from MS.  I sent them the error report.

 

Well, we tried.

 

Let me know what you think.

 

Surely appreciate all your help.

 

Kind Regards,

Robby

Have a good night Robby and we will try something else in the morning.

delphinium (and others),

 

Maybe you're right about your earlier post on my having disk problems.

 

I ran a bunch of chkdsk's this morning.

 

Started out with NSW Basic 12.  Ran Norton Disk Doctor (DD) and did a "Diagnose" (without checking the "Fix errors" box). 

 

It ran and put out a summary list that said "errors not fixed" in "Indexes" and "Security Descriptors."

 

[I apologize for the typed-text below -- but I could not find any way to save the NSW DD output as an uploadable/Attached file.]

 

The "details" list of these errors for "Indexes," showed (2) instances of "Recovering orphaned file [bunch of numbers] into directory file 62684."

 

Details for the "Security Descriptors" showed errors "in the MFT BITMAP attribute and Volume Bitmap."

 

In both the Indexes and Security Descriptors error cases, it says it did not fix these errors -- and to check the "Fix errors" box (in DD) to schedule a chkdsk upon restart of Windows.

 

I did that.  Chkdsk comes up at Windows start-up and proceeds to run, giving a list of what it's doing.  Then, after completion, it restarts Window.

________________

 

Well, I expected that this would fix the errors.  So, re-ran NSW DD a 2d time, to see what it said.  Same procedure as above -- "Fix errors" not checked.

 

It gave me some different results this 2d time.

 

Still errors in Indexes -- but completely different ones.  This time it said something about "Correcting error in index $I30 for file 62324."  Then listed (3) instances of "Deleting index entry...[with a bunch of numbers]" [regarding .edb and .DAT] in $I30 of file 62324.

 

For the Security Descriptors, it said "No security descriptor errors."  ["OK, good on that," I thought.]

________________

 

Concerned about the "inconsistencies" of all this, I ran chkdsk C: /r in command mode.

 

Then reran NSW DD, for a 3d time, same unchecked box "Fix errors."

 

It gave me index errors -- but, again, completely different ones: (2) instances of "Recovering orphaned file _FOI_ [bunch of numbers] into directory file 63624."

 

And, this 3d time, it said there *were* errors in the Security Descriptors -- same as 1st run:  MFT BITMAP attributes and Volume Bitmap.  Curious.

_________________

 

Reran NSW DD for a 4th time, with "Fix errors" box checked.  It wanted to know if I intended a dskchk on start-up and I said, "Yes."  Then it wanted to reboot the System.  So, I did.

 

Dskchk ran again, completed and restarted Windows.

 

I reran NSW DD, to see if things had been fixed.  Nope.

 

Index errors were completely different.  (2) instances of "Recovering orphaned file SYMEFA [bunch of numbers] into directory file 62684"; and (1) instance of such a recovery on "00002655.ZIP (84826) into directory file 62324."

 

Same Security Descriptor errors as before.

_________________

 

"This is getting weird," I thought.  Ran Windows chkdsk, again, in command mode.

 

Then ran NSW DD again (no "Fix errors" checked).  5th time.

 

Index errors, again, completely different.  (2) entries on "Recovering orphaned files.." related to SYMEFA [that had appeared in the 4th run, but with *slightly* different numbers] "into directory file 62684."

 

Same Security Descriptors errors as before.

 

 

_________________

 

So, I'm getting nowhere it seems.  Would any of you resident experts care to venture an opinion as to what's going on here?  Could a rootkit be creating these random errors on my C: drive?

 

Or, do I just have a very flaky HDD? [As I mentioned in an earlier post, this drive is relatively new -- about 1-year ago, or so; 80GB with only about 24GB used.  No heavy use, at all.]

 

[Oh, and one other thing.  In several cases of the above runs, upon Windows startup (where the screen just shows the "Toshiba" lettering and logo), Windows would just hang.  Not load at all.  I had to do a "Ctrl-Alt-Del" (once) to get it to load.

 

Admittedly, this problem of Windows "hanging" at start-up, has occurred a number of times in the past 1-year or so.  I'd say maybe 30% of the time.]

 

________________

 

Greatly appreciate any help.

 

Kind Regards,

Robby

Hi

 

It looks like a corrupt partition.  Get as many of your personal files and as much data as you can off it: photos, docs, etc.

 

Quads 

Hi Quads,

 

Tks for reply.  I think what you're telling me is that the HDD is about to fail?  Surprised, being such a new drive (Maxtor).

 

And, yes, I have all of my "critical" data saved to CD/DVDs.

 

I also have Norton's Partition Magic (2008).  Could this help in any way?

 

Kind Regards,

Robby

Hi

 

The HD, in terms of hardware, may not be about to fail, but it's the partition.  Once you have all the data off that you need, you have to fix the partition or remove the partition, etc., and then repartition.

 

http://www.maximumpc.com/article/news/how_to_repartition_your_hard_drive_for_free_without_formatting_or_losing_data

 

Worst case is to wipe the HD to DoD standard, then partition and install Windows, etc.

 

 

 

Quads 

I just posted a reply to the Sysinternals [RootkitRevealer Program] Forum, about reviewing the Windows Event Log.

 

I was typing that reply, and commenting that, under the Security tab of the Event Log, there was a whole bunch of "Security Failures" (around 20), and "Anonymous Logons" associated with those failures.  I wondered (in the post) what that could be about.

 

Then as I went back to the Security Tab to check on this once more....

 

THEY WERE ALL GONE!!  All the text "Anonymous Logon" had been replaced with "Policy Change"!!

 

Below is my post about this on Sysinternals.

 

As usual, I would greatly appreciate any comments/thoughts.

 

Kind Regards,

Robby

 

__________________________________________________________________________________________

 

EDIT: In my just prior post [to Sysinternals Forum], I forgot to "quote" molotov's post context, re the Windows Event log.  Here is his post:

molotov: "Pay attention to warning and error events.  Eventid.net is a helpful site for attempting to decipher entries in the log."

[Sure wish there was a way to "Edit" prior posts.  Is there? ...and, I'm just being stupid?  Brain is a tad "fried" from all this rootkit/spying stuff.]

Originally posted by RobbyStellarSeed

I had looked it over.  Shows quite a few "red-circle x" errors, and "yellow signs" for caution.

_________________________
Application tab shows:

red circles:

-"Application Error" [probably rootkit programs crashing -- like SysProt?]
-"Application Hang" [probably GMER hanging and/or RKR hang on saving log?]
-"WinMgmt"
-"MsiInstaller"

caution signs:

-COM+
-userenv
-MsiInstaller

Security tab shows:

failures (padlock):

-"Network Services"
-"Anonymous Logon"  [*Bunch* of these; that seems strange??]

__________________
WOW!! I just watched these "Anonymous Logons" *disappear*, right before my very eyes, as I was typing this Reply!!  [I'm on-line with my DSL, throughout this typing.]

*Every* "Anonymous Logon" (probably 20 or more) was replaced with the text, "Policy Change."!

THAT IS VERY WEIRD!

Could someone with access to a rootkit, on my computer, do this??
___________________

System tab:

red-circles:

-Dhcp
-DCOM
-"Service Control Manager"
_________________________

You make any sense out of this?

I'm esp curious about the "Anonymous Logon" failures in the Security tab.

Tks for the help.

Kind Regards,
Robby

 

________________________________________________________________________

Hi again, Quads,

 

Per my recent post here, about the Windows Event Log, I'm getting more and more convinced that I have a *very* devious, perhaps undetectable rootkit/spyware system, on my computer.  This might explain the HDD problems -- at least some.

 

But, on the "wipe" and re-load.  This laptop Toshiba that I have (2004) did not come with an XP disk.  It was pre-loaded.  Besides, when I had this catastrophic computer failure (maybe the same person/rootkit) about a year ago, the repair shop loaded in XP SP3.  So, I don't have that either.

 

I guess I could buy a copy.  And, I think I do have a DVD of Drivers -- somewhere.

 

But, geez.... trying to fit all that into my "life's schedules."  Almost impossible.

 

Tks for the links, though.

 

Kind Regards,

Robby

[Hope I'm not becoming a "nuisance" on these matters.]

 

But.. I have now gone over my NIS "History" log -- mostly for today (4 August 2009, Tu), but also farther back, too.

 

Some seemingly strange events there.

 

For instance, going back to this morning, when I spent the entire time (up until around 2p) off-line, doing chkdsks/NSW Disk Doctor on my C: HDD --

 

The Windows Event Viewer Security tab log shows an "Anonymous Logon" at 10:07:50 am this morning.  Not sure what they mean by Logon/Logoff... but, whatever, it's there.  I was using my computer, off-line, since about 9am.

 

NIS log shows "No user is logged in" at 9:33:29 am.  Then at 9:44:13 am, it says, "....preparing to access the Internet."  But, my DSL modem is completely turned OFF, as I'm doing chkdsk's, etc. No power to it at all.

 

[I wonder... can someone access my computer, even when I'm off-line?  The DSL connector cord is, of course, still attached to my LAN socket.  Also, I have Wi-Fi wireless capabilities on this computer -- but the switch for this (on the side of the computer) is turned off.]

 

At 9:44:28 the NIS log says, "Connected to a protected network [gives IP's]."  Then at 9:44:37 am it says, "An instance of "C:\WINDOWS\system32\alg.exe" is preparing to access the Internet."

 

Next is quite interesting:

 

At 9:44:53 and :56 it gives (2) "Medium Severity" alerts saying, "Unauthorized access blocked (Duplicate Object)."  The target is C:\Program Files\Norton Ghost\Agent\VProSvc.exe [which is the GHOST executable program].

 

This same pattern repeats over-and-over, all day long -- and goes back as far as the log goes, 26 July 2009.  This happens whether I'm on-line, or not.  Is someone (or something) targeting GHOST??

 

[There are also a number of other "Medium Severity" alerts for attacks on "Live Update," "System Restore," "Norton Systems Works," etc.  A significant proportion of these do not say "Blocked," but rather just "Logged," or "Detected."  That doesn't seem right?]

 

I have saved these NIS and Event Viewer logs.  If anyone would like to view them, I can attach.

_______________________

 

As always, thanks for any help.

 

Kind Regards,

Robby
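The Event Log post earlier in the thread and this NIS History post raise the same triage question: out of a long list of audit failures and tamper alerts, which entries repeat, which ones were only "Logged" or "Detected" rather than "Blocked," and what else was recorded in the minute after each failed logon. The script below is an added example, not code from the post or from Norton. It does not reproduce the real NIS 2009 or Event Viewer export formats; the line layouts are an assumption for this example, and every entry is constructed (the timestamps, alg.exe and VProSvc.exe mirror what the post describes, the other binaries and the event IDs are sample values).

```python
"""Triage of constructed NIS History and Windows Security log entries.

Added example. The line layouts below are assumptions made for this example,
not the real export formats of NIS 2009 or the XP Event Viewer.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
GHOST_AGENT = r"C:\Program Files\Norton Ghost\Agent\VProSvc.exe"

# Constructed NIS "History" lines: timestamp | severity | message | target.
# The svchost.exe entry, the last two alerts and the LiveUpdate path are invented.
NIS_HISTORY = """\
2009-08-04 09:33:29 | Info   | No user is logged in | -
2009-08-04 09:44:13 | Info   | An instance of "C:\\WINDOWS\\system32\\svchost.exe" is preparing to access the Internet | C:\\WINDOWS\\system32\\svchost.exe
2009-08-04 09:44:28 | Info   | Connected to a protected network | -
2009-08-04 09:44:37 | Info   | An instance of "C:\\WINDOWS\\system32\\alg.exe" is preparing to access the Internet | C:\\WINDOWS\\system32\\alg.exe
2009-08-04 09:44:53 | Medium | Unauthorized access blocked (Duplicate Object) | C:\\Program Files\\Norton Ghost\\Agent\\VProSvc.exe
2009-08-04 09:44:56 | Medium | Unauthorized access blocked (Duplicate Object) | C:\\Program Files\\Norton Ghost\\Agent\\VProSvc.exe
2009-08-04 10:07:55 | Medium | Unauthorized access logged (Open Process) | C:\\Program Files\\Norton Ghost\\Agent\\VProSvc.exe
2009-08-04 10:08:02 | Medium | Unauthorized access detected (Duplicate Object) | C:\\Program Files\\Symantec\\LiveUpdate\\EXAMPLE_LU.exe
"""

# Constructed Security log export: type,timestamp,category,event id,user.
# Event IDs are sample values; a real export carries more columns.
SECURITY_LOG = """\
Failure Audit,2009-08-04 10:07:50,Logon/Logoff,529,NT AUTHORITY\\ANONYMOUS LOGON
Success Audit,2009-08-04 10:07:51,Policy Change,612,NT AUTHORITY\\SYSTEM
Failure Audit,2009-08-04 13:15:02,Logon/Logoff,529,NT AUTHORITY\\ANONYMOUS LOGON
"""


@dataclass(frozen=True)
class NisEvent:
    when: datetime
    severity: str
    message: str
    target: str

    @property
    def action(self):
        """'blocked', 'logged' or 'detected' for a tamper alert, else ''."""
        m = re.search(r"Unauthorized access (\w+)", self.message)
        return m.group(1).lower() if m else ""


@dataclass(frozen=True)
class SecEvent:
    when: datetime
    kind: str
    category: str
    event_id: int
    user: str


NIS_LINE = re.compile(r"^(\S+ \S+) \| (\w+)\s*\| (.*?) \| (.*)$")


def parse_nis(text):
    """Parse the constructed History layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = NIS_LINE.match(line)
        if m:
            ts, sev, msg, target = m.groups()
            events.append(NisEvent(datetime.strptime(ts, TS_FORMAT), sev, msg, target))
    return events


def parse_security(text):
    """Parse the constructed five-column Security log layout."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) == 5:
            kind, ts, category, event_id, user = parts
            events.append(SecEvent(datetime.strptime(ts, TS_FORMAT), kind, category, int(event_id), user))
    return events


def tamper_alerts(events):
    return [e for e in events if e.severity == "Medium" and e.action]


def unblocked(events):
    """Tamper alerts that were only logged or detected: the access went through."""
    return [e for e in tamper_alerts(events) if e.action != "blocked"]


def alerts_by_target(events):
    """How often each protected binary was hit; a repeating target stands out."""
    return Counter(e.target for e in tamper_alerts(events))


def nearby_nis(sec_events, nis_events, window=timedelta(seconds=60)):
    """For each failed audit, the NIS entries recorded within `window` after it,
    keyed by the audit's timestamp string."""
    out = {}
    for s in sec_events:
        if s.kind == "Failure Audit":
            out[s.when.strftime(TS_FORMAT)] = [
                n for n in nis_events if s.when <= n.when <= s.when + window]
    return out


if __name__ == "__main__":
    nis = parse_nis(NIS_HISTORY)
    for target, count in alerts_by_target(nis).most_common():
        print(f"{count}x {target}")
    for e in unblocked(nis):
        print(f"NOT BLOCKED {e.when}: {e.message} -> {e.target}")
    for ts, context in nearby_nis(parse_security(SECURITY_LOG), nis).items():
        print(f"failed logon at {ts}: {len(context)} NIS entries in the next minute")
```

The split between `unblocked` and `alerts_by_target` mirrors the two things worth reading out of the post: an alert that repeats against one binary all day is a pattern to explain (a second product's own process, a scheduled task, or something unwanted), and an alert whose action is "Logged" or "Detected" means the product recorded the access without stopping it, which is what to check in the tamper-protection settings. The time-window join is the simplest useful correlation between the Security log and the History log when each one alone is just a list.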
