Do I have a virus?

Symptoms

For a couple weeks, from time to time, the Windows XP SP3 PC is freezing and the user is being bumped out of programs.

From time to time, Symantec.cloud reports it has “Blocked” a “High-Risk Intrusion Detected”. (Once it was on my bench, I figured out it was happening twice, every time the user logged in.)

Task Manager shows an svchost.exe instance leaking memory
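The memory-leak symptom can be pinned down in numbers instead of eyeballing a changing column in Task Manager. The following is an added example and not part of the original post: it parses a few snapshots of `tasklist /fo csv` output taken minutes apart (the three snapshots here are constructed, but use the real column layout that command prints on XP) and reports processes whose memory usage rises at every interval.

```python
# Added example, not from the original post: quantify a suspected svchost.exe
# memory leak from a few `tasklist /fo csv` snapshots taken minutes apart.
import csv
import io

# Three constructed snapshots in the column layout `tasklist /fo csv` prints.
# The svchost.exe instance with PID 1096 keeps growing; the other processes
# wobble up and down the way healthy ones do.
SNAPSHOTS = [
    '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1040","Console","0","8,120 K"
"svchost.exe","1096","Console","0","34,560 K"
"explorer.exe","1500","Console","0","21,004 K"
"Rtvscan.exe","1644","Console","0","52,000 K"
''',
    '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1040","Console","0","8,132 K"
"svchost.exe","1096","Console","0","61,220 K"
"explorer.exe","1500","Console","0","20,990 K"
"Rtvscan.exe","1644","Console","0","52,400 K"
''',
    '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1040","Console","0","8,120 K"
"svchost.exe","1096","Console","0","98,776 K"
"explorer.exe","1500","Console","0","21,100 K"
"Rtvscan.exe","1644","Console","0","52,200 K"
''',
]


def parse_tasklist_csv(text):
    """Return {pid: (image_name, mem_kb)} from `tasklist /fo csv` output.

    The "Mem Usage" column looks like "12,345 K": drop the thousands
    separator and the unit before converting to an integer.
    """
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        mem = row["Mem Usage"].replace(",", "").replace("K", "").strip()
        procs[int(row["PID"])] = (row["Image Name"], int(mem))
    return procs


def find_leakers(snapshot_texts, min_growth_kb=10_000):
    """Return [(pid, name, first_kb, last_kb)] for processes present in every
    snapshot whose memory rose at every step and grew by at least min_growth_kb.
    Largest growth first.
    """
    parsed = [parse_tasklist_csv(t) for t in snapshot_texts]
    # Only PIDs alive in every snapshot can be trended.
    common = set(parsed[0])
    for snap in parsed[1:]:
        common &= set(snap)
    leakers = []
    for pid in sorted(common):
        series = [snap[pid][1] for snap in parsed]
        rising = all(later > earlier for earlier, later in zip(series, series[1:]))
        if rising and series[-1] - series[0] >= min_growth_kb:
            leakers.append((pid, parsed[0][pid][0], series[0], series[-1]))
    leakers.sort(key=lambda r: r[3] - r[2], reverse=True)
    return leakers


if __name__ == "__main__":
    for pid, name, first, last in find_leakers(SNAPSHOTS):
        print(f"{name} (PID {pid}) grew from {first:,} K to {last:,} K")
```

On the real machine, redirect `tasklist /fo csv` to a file every few minutes and feed those files in; once a PID stands out, `tasklist /svc /fi "PID eq 1096"` shows which services share that svchost instance, which narrows down what to look at next.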

First actions

Check Symantec health, update it and run a Full Scan – No items found; review the history

MSCONFIG – nothing unusual is listed
Trouble getting to MSCONFIG? Run MSCONFIG from the Command Prompt…
Press F8 during boot and select Command Prompt
Log in as an Admin
At the Command Prompt, type the following command:
C:\windows\pchealth\helpctr\binaries\msconfig

System Restore back a month – Did not help
Trouble getting to System Restore? Run System Restore from the Command Prompt…
Press F8 during boot and select Command Prompt
Log in as an Admin
At the Command Prompt, type the following command:
C:\windows\system32\restore\rstrui.exe

Thoughts

The Symantec warning is really just reporting that it is doing its job. (Hmm, but inbound web traffic is always a response to an outbound request, so something on this PC is asking for it.) Plus, now it’s repeatable each time the user logs on. The memory leak could be one of a half dozen Windows issues, not to mention an indication of a virus. The memory leak could be causing the performance issues… err. A couple weeks ago, Symantec reported that it found, blocked and removed “A program that was behaving suspiciously.” OK. I am going to look for malware until that memory leak and inbound “Block” go away.

I will use all free utilities and software, here…

My approach

Process Explorer – short of the leak, all looks normal

HijackThis – looks OK

Autoruns – Could be used here to look for anything unusual

Internet Explorer – Restore default settings and delete all personal settings and data. Empty the Recycle Bin

Run Disk Cleanup – select all options. This speeds up the later scans

ESET Online Scanner – would not run

Trend Micro HouseCall – 2 items removed. Issue continues

Malwarebytes – 55 items removed. Issue continues

SUPERantispyware – Could be used here to remove threats. Uninstall after use.

Spybot – 1 item removed. Issue continues

Windows Update fails
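Autoruns is listed above as a place to look for anything unusual, and a persistent alert at every logon points at a startup entry somewhere. The following is an added example, not part of the original post: a small triage pass over startup entries in the shape Autoruns shows them (location, entry name, image path, signer). The entries are constructed and the ranking heuristics are my own; they only order the list for a human to review, they do not decide that anything is malicious.

```python
# Added example, not from the original post: rank startup entries for manual
# review using the fields Autoruns presents (location, entry, image path, signer).
# Entries below are constructed; the heuristics are an assumption of what a
# reviewer looks for first, not a verdict.
import re

# Places a non-admin user (or malware running as that user) can write to on
# Windows XP, plus a loose executable sitting in a drive root.
SUSPECT_PATH_PATTERNS = [
    re.compile(r"\\local settings\\temp\\", re.I),
    re.compile(r"\\application data\\", re.I),
    re.compile(r"^[a-z]:\\recycler\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
    re.compile(r"^[a-z]:\\[^\\]+$", re.I),
]

# Constructed entries in the shape of an Autoruns listing.
SAMPLE_ENTRIES = [
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "ccApp",
     "image_path": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
     "signer": "(Verified) Symantec Corporation"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "ctfmon.exe",
     "image_path": r"C:\WINDOWS\system32\ctfmon.exe",
     "signer": "(Verified) Microsoft Windows Component Publisher"},
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "msupdate",
     "image_path": r"C:\Documents and Settings\user\Local Settings\Temp\xkqzrtvb.exe",
     "signer": ""},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "SoundMan",
     "image_path": r"C:\WINDOWS\SOUNDMAN.EXE",
     "signer": "(Not verified) Realtek Semiconductor Corp."},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "entry": "updater",
     "image_path": r"C:\RECYCLER\S-1-5-21-1234567890-1\update.exe",
     "signer": ""},
]


def normalize_path(path):
    """Strip quotes and unify separators so the patterns above apply."""
    return path.strip().strip('"').replace("/", "\\")


def review_reasons(entry):
    """Return the reasons an entry deserves a closer look (empty list = none)."""
    reasons = []
    path = normalize_path(entry["image_path"])
    if any(p.search(path) for p in SUSPECT_PATH_PATTERNS):
        reasons.append("runs from a user-writable or unusual location")
    signer = entry.get("signer", "").strip()
    if not signer or signer.lower().startswith("(not verified)"):
        reasons.append("no verified code signature")
    # Machine-generated names tend to be long runs of consonants and digits.
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if (len(stem) >= 8 and re.fullmatch(r"[a-z0-9]+", stem, re.I)
            and not re.search(r"[aeiou]", stem, re.I)):
        reasons.append("random-looking file name")
    return reasons


def triage(entries):
    """Return [(score, entry, reasons)] with the most suspicious entries first."""
    scored = []
    for entry in entries:
        reasons = review_reasons(entry)
        scored.append((len(reasons), entry, reasons))
    scored.sort(key=lambda item: item[0], reverse=True)
    return scored


if __name__ == "__main__":
    for score, entry, reasons in triage(SAMPLE_ENTRIES):
        print(f"[{score}] {entry['entry']:<12} {entry['image_path']}")
        for reason in reasons:
            print(f"      - {reason}")
```

The signer check is the one that carries the most weight in practice: a rootkit dropper can sit anywhere, but it cannot easily carry a signature that verifies, so an unsigned or unverified entry in a Run key is where to start reading.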

More thoughts

OK. I am pretty sure this is a virus, but nothing is detecting/killing it. I am about four hours in and know I could just Format, reinstall everything and configure in less than eight. Other than the memory leak, the system is pretty stable. And Windows hasn’t really been “broken”. If stuff like System Restore, Task Manager and Control Panel were not working, I would Format… But what the heck, I think I can fix this. I will look for another couple hours.

Next actions

Created a new local Admin and logged in to see if the bad guy was tied to the user’s profile – No help

GMER identified rootkit TDL4. Gotcha, sucka!

Use Symantec Backdoor.Tidserv Removal Tool (FixTDSS.exe) to remove rootkit – Successful! Run again, and it is gone! No more memory leak! No more Symantec alerts!

System Restore – Disable System Restore, then re-enable it, to purge every old restore point so nobody can restore the malware from one

Windows Updates installed. And Updates and Updates until there are no more…

System File Checker – Go to Start, then to Run, and type in “SFC.EXE /SCANNOW”

Run Windows Update again – no new items found

CCleaner Free – re-run until no items are found

Ad-Aware Free – no items found. Remove Ad-Aware

Run catchme.exe – no items found

Run mbr.exe – no items found

Run Power Eraser within the Symantec Endpoint Protection Support Tool – no problems

Check the health of the Symantec software with the Symantec Endpoint Protection Support Tool – all good

System Restore – Create a good restore point

Run HijackThis and compare – the rootkit doesn’t appear in either the before or the after log…

Deliver to user

Have her change her system password and any other passwords she has used in her recent web travels on this machine!

Rootkit Defined – from Wikipedia

A rootkit is a stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer.

Typically, an attacker installs a rootkit on a computer after first obtaining root-level access by exploiting a known vulnerability. Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Although rootkits can serve a variety of ends, they have gained notoriety primarily as malware, hiding applications that misappropriate computing resources or steal passwords without the knowledge of administrators and users of affected systems. Rootkits can target firmware, a hypervisor, the kernel, or—most commonly—user-mode applications.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem.

Rootkit, kicked your ass!


2 thoughts on “Do I have a virus?”

  1. Good job… What was your estimated total time spent?
    Excellent documentation. I hope I never have to use it but since it’s there I will reference it if needed.

    Joe A

    • About eight hours total. But that’s not eight hours of my attention. Some scans took over an hour, so I was working on other stuff too. (Note: scan times are greatly improved if you can run Disk Cleanup and delete Temporary Internet stuff early on.) It was on her desk the next day and the beauty is that every icon and program was right where she left it. Unlike if I had blown it out…
      The biggest factor was that while Symantec allowed the rootkit to get embedded, it had not allowed it to “phone home” for more damage. Sometimes I jump right to a Format if Windows is broken. Often you can’t even work within Windows. In that case, I try a System Restore from the Command Prompt. If that doesn’t work, it ain’t gonna help to get rid of the virus when the patient is already dead.
      System Restore is always my first go-to option.
