Do I have a virus?
Symptoms
For a couple of weeks, from time to time, the Windows XP SP3 PC has been freezing and the user is being bumped out of programs.
From time to time, Symantec.cloud reports it has “Blocked” a “High-Risk Intrusion Detected”. (Once it was on my bench, I figured out it happened twice, every time the user logged in.)
Task Manager shows one svchost.exe process leaking memory
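Before guessing which of the half-dozen svchost.exe processes is the leaker, it helps to measure it and tie the process to the services it hosts. The script below is an added example (it is not from this write-up or from any of the tools named here). It assumes PowerShell 2.0, which installs on XP SP3, and an Administrator prompt; it samples every svchost.exe several times and reports which one grew on every sample, together with the services running inside it.

```powershell
# Added example, not part of the original post.
# Assumes PowerShell 2.0 on XP SP3, run as Administrator.
param(
    [int]$Samples     = 6,    # how many measurements to take
    [int]$IntervalSec = 30    # seconds between measurements
)

$history = @{}   # PID -> array of working-set sizes in MB, one per sample

for ($i = 0; $i -lt $Samples; $i++) {
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        if (-not $history.ContainsKey($p.Id)) { $history[$p.Id] = @() }
        $history[$p.Id] += [math]::Round($p.WorkingSet64 / 1MB, 1)
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSec }
}

# A process whose working set rose on every single sample is the leak candidate.
foreach ($procId in $history.Keys) {
    $sizes   = $history[$procId]
    $growing = ($sizes.Count -gt 1)
    for ($j = 1; $j -lt $sizes.Count; $j++) {
        if ($sizes[$j] -le $sizes[$j - 1]) { $growing = $false }
    }

    # Map the PID back to the services hosted in that svchost instance
    # (same information as "tasklist /svc", but filtered to this PID).
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $procId" |
            ForEach-Object { $_.Name }

    $flag = if ($growing) { 'GROWING' } else { 'stable' }
    "PID {0,-6} {1,-8} {2}  services: {3}" -f $procId, $flag,
        ($sizes -join ' -> '), ($svcs -join ', ')
}
```

Knowing the service list narrows the leak to a handful of DLLs; a GROWING instance hosting only standard services is a hint that something has been injected into it, which is worth remembering when the scanners below come back clean.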
First actions
Check Symantec health, update, and run a Full Scan – no items found; analyze the history
MSCONFIG – nothing unusual is listed
Trouble getting to MSCONFIG? Run MSCONFIG from the Command Prompt…
Press F8 during boot and select Safe Mode with Command Prompt
Log in as an Admin
At the Command Prompt, type the following command:
C:\windows\pchealth\helpctr\binaries\msconfig
System Restore back a month – did not help
Trouble getting to System Restore? Run System Restore from the Command Prompt…
Press F8 during boot and select Safe Mode with Command Prompt
Log in as an Admin
At the Command Prompt, type the following command:
C:\windows\system32\restore\rstrui.exe
Thoughts
The Symantec warning is really just reporting that it is doing its job. (Hmm, but inbound web traffic is always a response to an outbound request.) Plus, now it’s repeatable each time the user logs on. The memory leak could be one of a half dozen Windows issues, not to mention an indication of a virus. The memory leak could be causing the performance issues… err. A couple of weeks ago, Symantec reported that it had found, blocked and removed “A program that was behaving suspiciously.” OK. I am going to look for malware until that memory leak and inbound “Block” go away.
I will use only free utilities and software here…
My approach
Process Explorer – apart from the leak, all looks normal
HijackThis – looks OK
Autoruns – could be used here to look for anything unusual
Internet Explorer – restore default settings and delete all personal settings and data. Empty the Recycle Bin.
Run Disk Cleanup – select all options. Helps to speed up the scans.
ESET Online Scanner – would not run
Trend Micro HouseCall – 2 items removed. Issue continues.
Malwarebytes – 55 items removed. Issue continues.
SUPERAntiSpyware – could be used here to remove threats. Uninstall after use.
Spybot – 1 item removed. Issue continues.
Windows Update fails
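HijackThis and Autoruns are doing one thing at this stage: enumerating the places a program can start from and asking whether each entry belongs there. The script below is an added example of that check (it is not the original post’s code and not a replacement for Autoruns). It assumes PowerShell 2.0 on XP SP3 and an Administrator prompt, walks the Run/RunOnce keys and the service image paths, and flags any start-up binary that is missing, unsigned, or living outside %SystemRoot% and Program Files.

```powershell
# Added example, not part of the original post.
# Assumes PowerShell 2.0 on XP SP3, run as Administrator.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Registry provider metadata that Get-ItemProperty adds to every object.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
function Get-ExePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
}
# Win32_Service covers user-mode services only; kernel drivers are in
# Win32_SystemDriver, and a kernel rootkit such as TDL4 hides its own
# entries from both, so this finds droppers and loaders, not the rootkit.
foreach ($svc in Get-WmiObject Win32_Service) {
    if ($svc.PathName) {
        $entries += New-Object PSObject -Property @{
            Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }
}

$trusted = @($env:SystemRoot, $env:ProgramFiles)
foreach ($e in $entries) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $e.Command))
    $reasons = @()
    if (-not (Test-Path $exe)) {
        $reasons += 'file missing'
    } else {
        $sig = Get-AuthenticodeSignature $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        $inTrusted = $false
        foreach ($t in $trusted) { if ($exe -like "$t\*") { $inTrusted = $true } }
        if (-not $inTrusted) { $reasons += 'outside SystemRoot/Program Files' }
    }
    if ($reasons.Count -gt 0) {
        "{0,-8} {1,-30} {2}`n         -> {3}" -f $e.Source, $e.Name, $exe, ($reasons -join '; ')
    }
}
```

Two caveats. On XP most Microsoft binaries are catalog-signed rather than carrying an embedded signature, and PowerShell 2.0’s Get-AuthenticodeSignature reports those as NotSigned, so the signature column is a hint; the location column (a start-up entry pointing into a temp folder or a user profile) is the stronger signal. And, as the page goes on to show, a rootkit that hooks the kernel can hide its files and keys from any user-mode listing, which is why HijackThis looked clean and GMER did not.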
More thoughts
OK. I am pretty sure this is a virus, but nothing is detecting or killing it. I am about four hours in and know I could just format, reinstall everything and configure it in less than eight. Other than the memory leak, the system is pretty stable. And Windows hasn’t really been “broken”. If stuff like System Restore, Task Manager and Control Panel were not working, I would format… But what the heck, I think I can fix this. I will look for another couple of hours.
Next actions
Created a new local Admin account and logged in to see if the bad guy was associated with the user’s profile – no help
GMER – identified rootkit TDL4. Gotcha, sucka!
Used the Symantec Backdoor.Tidserv Removal Tool (FixTDSS.exe) to remove the rootkit – successful! Ran it again, and it is gone! No more memory leak! No more Symantec alerts!
System Restore – disable System Restore, then re-enable it. Disabling deletes every existing restore point, so nobody can restore the malware later.
Windows Updates installed. And updates and updates until there are no more…
System File Checker – go to Start, then Run, and type in “SFC.EXE /SCANNOW”
Run Windows Update again – no new items found
CCleaner Free – re-run until no items found
Ad-Aware Free – no items found. Remove Ad-Aware.
Run catchme.exe – no items found
Run mbr.exe – no items found
Run Power Eraser within the Symantec Endpoint Protection Support Tool – no problems
Check the health of the Symantec software with the Symantec Endpoint Protection Support Tool – all good
System Restore – create a good restore point
Run HijackThis and compare – the rootkit doesn’t appear before or after…
Deliver to user
Have her change her system password and any other passwords she has used in her recent web travels on this machine!
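The post-removal steps above (mbr.exe, flushing System Restore, creating a fresh restore point) can be wrapped into one script. The one below is an added example, not from the original post or from Symantec/GMER. It assumes PowerShell 2.0 on XP SP3, an Administrator session, and a single disk at \\.\PhysicalDrive0. It reads the MBR through .NET’s FileStream, checks the boot signature and partition table, prints a SHA-1 of the 440 bytes of boot code (TDL4 replaces that code, so the value should match one taken from a known-clean XP machine), and only then wipes the old restore points and creates a new one.

```powershell
# Added example, not part of the original post.
# Assumes PowerShell 2.0 on XP SP3, run as Administrator, one disk at \\.\PhysicalDrive0.

# 1. Read the first sector (512 bytes) of the disk.
$disk = New-Object System.IO.FileStream -ArgumentList '\\.\PhysicalDrive0',
            ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite)
$mbr  = New-Object byte[] 512
$null = $disk.Read($mbr, 0, 512)
$disk.Close()

# 2. Sanity checks: boot signature must be 55 AA and exactly one partition active.
if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { Write-Warning 'MBR boot signature missing' }
$bootable = 0
for ($i = 0; $i -lt 4; $i++) {
    $entry = 446 + 16 * $i               # partition table starts at offset 446
    if ($mbr[$entry] -eq 0x80) { $bootable++ }
    $type = $mbr[$entry + 4]
    $lba  = [BitConverter]::ToUInt32($mbr, $entry + 8)
    $len  = [BitConverter]::ToUInt32($mbr, $entry + 12)
    'partition {0}: type 0x{1:X2} start LBA {2} length {3} sectors' -f $i, $type, $lba, $len
}
if ($bootable -ne 1) { Write-Warning "$bootable partitions flagged bootable" }

# 3. Hash the boot code (bytes 0..439). Compare with a clean machine running the
#    same Windows version; a mismatch means the boot code has been rewritten.
$sha1 = [Security.Cryptography.SHA1]::Create()
$hash = ($sha1.ComputeHash($mbr, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
"boot code SHA1: $hash"

# 4. Disabling System Restore deletes every existing restore point (and any
#    infected files saved in them); re-enable and take a fresh checkpoint.
Disable-ComputerRestore -Drive 'C:\'
Enable-ComputerRestore  -Drive 'C:\'
Checkpoint-Computer -Description 'Clean after TDSS removal'
```

One caveat: a rootkit that still hooks disk I/O can hand a clean-looking sector to any user-mode reader, so a matching hash is reassuring only after GMER and mbr.exe, which read the disk by other routes, have also come back clean; a mismatching hash is bad news regardless.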
Rootkit defined – from Wikipedia
A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer.
Typically, an attacker installs a rootkit on a computer after first obtaining root-level access by exploiting a known vulnerability. Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Although rootkits can serve a variety of ends, they have gained notoriety primarily as malware, hiding applications that misappropriate computing resources or steal passwords without the knowledge of administrators and users of affected systems. Rootkits can target firmware, a hypervisor, the kernel, or—most commonly—user-mode applications.
Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem.
Rootkit, kicked your ass!

Good job… What was your estimated total time spent?
Excellent documentation. I hope I never have to use it but since it’s there I will reference it if needed.
Joe A
About eight hours total. But that’s not eight hours of my attention. Some scans took over an hour, so I was working on other stuff too. (Note: scan times are greatly improved if you can run Disk Cleanup and delete Temporary Internet stuff early on) It was on her desk the next day and the beauty is that every icon and program was right where she left it. Unlike if I had blown it out…
The biggest factor was that while Symantec allowed the rootkit to get embedded, it had not allowed it to “phone home” for more damage. Sometimes I jump right to a Format if Windows is broken. Often you can’t even work within Windows. In that case, I try a System Restore from the Command Prompt. If that doesn’t work, it ain’t gonna help to get rid of the virus when the patient is already dead.
System Restore is always my first go to option.