Need help with rootkit using my firewall and antivirus drivers

Discussion in 'Malware Help (A Specialist Will Reply)' started by dorkycyclist, Oct 20, 2013.

  1. dorkycyclist

    dorkycyclist Private E-2

    I am infected with a rootkit that RogueKiller has identified, but RogueKiller can't fix the rootkit.

    The initial symptom of the infection was my sound card not functioning properly. Sounds would play but would sound like static. One diagnostic tool indicated that another process was using the sound card, but what that process is remains a mystery.

    The second symptom was that my processing speed slowed to the point it seemed like 100% of my CPU was being used. However, the list of running processes in the task manager and Norton's CPU usage warning guide indicated there were no processes using high memory at all.

    Norton said only 15% of my CPU was engaged in running processes but otherwise it is taking 4-5 hours to run Malwarebytes (normal time is one hour approx.).

    Then, when I killed some processes that ProcessLibrary describes as iffy (nst.exe was one of them), a previously hidden process suddenly appeared in the task manager. The process was named with numbers: "30.0.1599.101_30.0.1599.6".

    It's shown here:

    Image Name PID Session Name Session# Mem Usage
    ========================= ====== ================ ======== ============
    System Idle Process 0 Console 0 28 K
    GoogleUpdate.exe 3244 Console 0 4,536 K
    GoogleUpdate.exe 4008 Console 0 10,648 K
    30.0.1599.101_30.0.1599.6 4072 Console 0 556 K

    I then killed the process from the command prompt but the issue with the sound card remained. Processing speed sort of improved when I killed this but not enough to write home about.

    I then ran all the standard malware scans (MBAM, TDSSKiller, MGTools, HitmanPro). Only TDSSKiller found problems but it resolved them and didn't fix the main problem. When I first ran Norton it found nothing, too.

    RogueKiller also found nothing initially, but later, after I removed something called Armadillo http://www.checkfilename.com/view-details/Armadillo/RespageIndex/0/sTab/2/ RogueKiller found evidence of rootkits and Norton found 2 errors and fixed them. What Norton found didn't fix the slow processing speed, nor what RogueKiller detected.

    RogueKiller has found the rootkits but won't eliminate them. A log is attached. I already fixed the "EAT @firefox.exe" and "EAT @firefox.exe" entries which RogueKiller found. The other issues still persist.

    BTW, the locations listed as "unknown" in the RogueKiller logs were originally drivers associated with my Online Armor Firewall. I uninstalled it in the hopes of fixing the rootkit.

    I've also disabled my sound card and the Microsoft Kernel Audio Device drivers and this has improved the processor speed.

    Unfortunately, I also disabled Symevent.sys in the property manager to see if this would get rid of this stuff. The problem is that Windows says that it can't re-enable Symevent.sys. :-o

    Any help would be appreciated. :confused

    Note: I found out accidentally (by trying to upload reports here) that there is a folder on my computer with the same label as that process that is named "30.0.1599.101_30.0.1599.6." This is the location of the folder and its contents:

    Directory of C:\Program Files\Google\Chrome\Application\30.0.1599.101
    10/19/2013 12:06 AM <DIR> .
    10/19/2013 12:06 AM <DIR> ..
    10/08/2013 08:01 PM 47,672,784 chrome.dll
    10/08/2013 06:18 PM 954,068 chrome_100_percent.pak
    10/08/2013 08:01 PM 57,296 chrome_frame_helper.dll
    10/08/2013 08:01 PM 83,408 chrome_frame_helper.exe
    10/08/2013 08:01 PM 120,784 chrome_launcher.exe
    10/08/2013 06:18 PM 966,551 chrome_touch_100_percent.pak
    10/08/2013 06:18 PM 2,106,216 d3dcompiler_43.dll
    10/08/2013 06:18 PM 3,231,688 d3dcompiler_46.dll
    10/19/2013 12:06 AM <DIR> default_apps
    10/08/2013 08:01 PM 1,482,704 delegate_execute.exe
    10/19/2013 12:06 AM <DIR> Extensions
    10/08/2013 08:01 PM 1,604,560 ffmpegsumo.dll
    10/08/2013 08:01 PM 9,962,960 icudt.dll
    10/19/2013 12:06 AM <DIR> Installer
    10/08/2013 08:01 PM 99,792 libegl.dll
    10/08/2013 08:01 PM 698,832 libglesv2.dll
    10/08/2013 08:01 PM 2,122,704 libpeerconnection.dll
    10/19/2013 12:06 AM <DIR> Locales
    10/08/2013 08:02 PM 887,760 metro_driver.dll
    10/08/2013 08:02 PM 1,858,000 nacl64.exe
    10/08/2013 06:18 PM 5,705,472 nacl_irt_x86_32.nexe
    10/08/2013 06:18 PM 4,078,080 nacl_irt_x86_64.nexe
    10/08/2013 08:02 PM 2,099,664 npchrome_frame.dll
    10/08/2013 08:02 PM 4,055,504 pdf.dll
    10/19/2013 12:06 AM <DIR> PepperFlash
    10/08/2013 08:02 PM 415,184 ppgooglenaclpluginchrome.dll
    10/08/2013 06:18 PM 5,370,692 resources.pak
    10/08/2013 06:18 PM 2,455 secondarytile.png
    10/19/2013 12:06 AM <DIR> VisualElements
    10/08/2013 08:02 PM 96,720 widevinecdmadapter.dll
    10/08/2013 06:18 PM 81,768 xinput1_3.dll
    25 File(s) 95,815,646 bytes


    This folder also is next to another folder whose label makes up the second half of the name of the process named "30.0.1599.101_30.0.1599.6":

    Directory of C:\Program Files\Google\Chrome\Application
    10/19/2013 12:07 AM <DIR> .
    10/19/2013 12:07 AM <DIR> ..
    10/19/2013 12:06 AM <DIR> 30.0.1599.101
    10/14/2013 12:54 PM <DIR> 30.0.1599.69
    10/08/2013 08:02 PM 844,752 chrome.exe
    10/03/2013 01:15 PM <DIR> Dictionaries
    09/21/2013 12:45 AM 40,216 master_preferences
    10/19/2013 12:06 AM 399 VisualElementsManifest.xml
    3 File(s) 885,367 bytes
    5 Dir(s) 59,948,978,176 bytes free

    I'm just starting, but nacl64.exe seems to be malware. Still, any help in untangling this mess would be much appreciated! :)
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Where does RK show this?
    Nokia Service Tool from what I can figure, nothing suspicious. You ever used Nokia software at one point?

    It's just part of google chrome.
     
  3. dorkycyclist

    dorkycyclist Private E-2

    RK lists exploits in the drivers section.

    I'm not sure about the rest. I have no Nokia products. I don't have an id on what is causing the problems, so I'm removing things that have been listed as part of possible exploits. One website suggested nst.exe is suspicious if you don't have Nokia products on your machine.

    Nacl64.exe is Google? Ok, I guess it is good I didn't delete it. nacl.exe itself is considered malware most definitely.
     
  4. dorkycyclist

    dorkycyclist Private E-2

    I heard that nst.exe might be malware if you don't have Nokia products installed on your computer; I don't have any Nokia products.

    As for the Chrome thing, I haven't deleted anything yet, thankfully. Not that I like Google.

    Roguekiller is telling me that I have shadow SSDT hooks using some of my drivers. The hooks originally were in drivers for my antivirus software and my firewall. I uninstalled the firewall, but the code for the hook remains.

    The hooks in one Symantec driver, Symevent.sys, are listed as SSDT hooks. The hooks in the firewall were listed as shadow SSDT hooks. When I disable symevent.sys, RogueKiller doesn't report any SSDT hooks whatsoever. I don't want to keep my Norton shut down to deal with the problem. I'd like to rid my machine of the hooks and be done with it.

    I'm reading to try to understand SSDT hooks better. Rootkits are frustrating. I had some very basic knowledge of what they are about, but this isn't sufficient to get rid of the danged thing I have on my computer right now. :cry
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then can you just delete the file yourself? Let me know.

    Then either accept that the file is fine and continue to use or just uninstall Google Chrome if you 'don't like Google'. :)
    Not a topic for the malware forum I'm afraid. All of those entries are legit.

    You can further discuss this in the software forum if you wish.
     
  6. dorkycyclist

    dorkycyclist Private E-2

    I get the impression that you don't think I know what I'm doing here. First of all, this was the information I was going by insofar as the removal is concerned, which stated nst.exe can be malware (or, more likely, associated with or misused by malware):
    http://www.spyprocessdb.com/nst-exe

    In my case, I think NST.exe is being used by the actual malware.

    I actually did get improvements when I killed the nst.exe process. Again, I have no Nokia products. I did get immediate improvement on some issues when I killed that process.


    About the rootkit(s) on my machine: here is where RogueKiller is showing rootkits/inline hooks on my machine:

    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Address] SSDT[12] : NtAlertResumeThread @ 0x805D3328 -> HOOKED (Unknown @ 0x89A62760)
    [Address] SSDT[13] : NtAlertThread @ 0x805D32D8 -> HOOKED (Unknown @ 0x89AA06C8)
    [Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A74C6 -> HOOKED (Unknown @ 0x89C09750)
    [Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D4DEC -> HOOKED (Unknown @ 0x89D17780)
    [Address] SSDT[43] : NtCreateMutant @ 0x806154B0 -> HOOKED (Unknown @ 0x8835E7B0)
    [Address] SSDT[52] : unknown @ 0x805C35D0 -> HOOKED (Unknown @ 0x89AF8770)
    [Address] SSDT[53] : NtCreateThread @ 0x805CF822 -> HOOKED (Unknown @ 0x88399228)
    [Address] SSDT[57] : NtDebugActiveProcess @ 0x80640F68 -> HOOKED (Unknown @ 0x89D18708)
    [Address] SSDT[68] : NtDuplicateObject @ 0x805BC878 -> HOOKED (Unknown @ 0x89C37730)
    [Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B192E -> HOOKED (Unknown @ 0x89CC7708)
    [Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F7252 -> HOOKED (Unknown @ 0x88362760)
    [Address] SSDT[91] : NtImpersonateThread @ 0x805D5FAC -> HOOKED (Unknown @ 0x89A626C8)
    [Address] SSDT[108] : unknown @ 0x805B09B6 -> HOOKED (Unknown @ 0x89B9E760)
    [Address] SSDT[114] : NtOpenEvent @ 0x8060CE9A -> HOOKED (Unknown @ 0x8835E738)
    [Address] SSDT[122] : NtOpenProcess @ 0x805C9C64 -> HOOKED (Unknown @ 0x89A8E760)
    [Address] SSDT[123] : NtOpenProcessToken @ 0x805EBF42 -> HOOKED (Unknown @ 0x89A6FB68)
    [Address] SSDT[125] : NtOpenSection @ 0x805A8DFA -> HOOKED (Unknown @ 0x8835D728)
    [Address] SSDT[128] : NtOpenThread @ 0x805C9EF0 -> HOOKED (Unknown @ 0x89C6A6D0)
    [Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B6D8A -> HOOKED (Unknown @ 0x89D176F8)
    [Address] SSDT[206] : NtResumeThread @ 0x805D3164 -> HOOKED (Unknown @ 0x89AA0760)
    [Address] SSDT[213] : NtSetContextThread @ 0x805CFF5C -> HOOKED (Unknown @ 0x89B9D6D8)
    [Address] SSDT[228] : NtSetInformationProcess @ 0x805CC6AE -> HOOKED (Unknown @ 0x89B9D770)
    [Address] SSDT[240] : NtSetSystemInformation @ 0x8060DB52 -> HOOKED (Unknown @ 0x89D18780)
    [Address] SSDT[253] : NtSuspendProcess @ 0x805D322C -> HOOKED (Unknown @ 0x8835D7C0)
    [Address] SSDT[254] : NtSuspendThread @ 0x805D309E -> HOOKED (Unknown @ 0x89AA16C8)
    [Address] SSDT[257] : NtTerminateProcess @ 0x805D118C -> HOOKED (Unknown @ 0x89A6FBA0)
    [Address] SSDT[258] : unknown @ 0x805D1386 -> HOOKED (Unknown @ 0x89AA1760)
    [Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B17C4 -> HOOKED (Unknown @ 0x89B9E6E8)
    [Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B2D44 -> HOOKED (Unknown @ 0x89CC77B0)
    [Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89A24E28)
    [Inline] EAT @firefox.exe (NtMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x06100048)
    [Inline] EAT @firefox.exe (NtSetInformationProcess) : ntdll.dll -> HOOKED (Unknown @ 0x0610012A)
    [Inline] EAT @firefox.exe (ZwMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x06100048)
    [Inline] EAT @firefox.exe (ZwSetInformationProcess) : ntdll.dll -> HOOKED (Unknown @ 0x0610012A)

    I have succeeded in removing the inline hooks involving ntdll.dll and Firefox. I can't remove the rest. I know the hooks are using the Norton driver SYMEVENT.SYS. One reason being that if I disable the Norton driver SYMEVENT.SYS, Roguekiller reports my machine is free of rootkits.

    The problem is that when I reinstall Norton, Roguekiller reports the same hooks with the drivers on my machine.

    I know Google Chrome is not a virus. I'm not an idiot. I know NST.exe is not a virus and maybe should have been more clear about this. I apologize for being vague, but I was writing my post from memory by and large, since I didn't keep notes. I'm sorry if this made things confusing.

    As far as Chrome is concerned, I think it is being used/compromised by the actual malware on my machine. Firefox was compromised and I fixed this. Furthermore, I ran Combofix, which indicated that there were atypical entries related to Chrome. Combofix has been a big help on this issue and what it reported reflected what I am seeing. I'm still deciding how to handle what it reported, i.e. what registry entries I should keep or remove. It also reported issues with the GoogleUpdater service. I did remove Google Chrome, as per your suggestion.

    I don't know specifically how the hooks are fashioned on my machine right now so I can't get rid of them. More than for just what Roguekiller is reporting, the sound on my machine fades in and out and crackles. This is not normal in any way. I had one report that a process was using the sound card.

    I think this is indication of how this rootkit has targeted my drivers.

    My problem is very similar to the problem someone is reporting here:
    https://forums.malwarebytes.org/index.php?showtopic=128610
     
    Last edited: Oct 24, 2013
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I do not think you don't know what you're doing or anything like that, so absolutely no need to be defensive in any way at all. :) From my research, all I could find out about nst.exe was that it either related to Nokia or Norton. More specifically, Norton Identity Safe. Now, you run with Norton, so this would make sense, wouldn't it?

    I am not finding anywhere on the net where professional malware removal crews remove it as malware.

    I would rather believe this link than yours: http://systemexplorer.net/file-database/file/nst-exe
     
  8. dorkycyclist

    dorkycyclist Private E-2

    Sorry if I sound indignant but I really am trying hard to fix my problem. :-o

    I can't get online with my computer; I am having such slow speed on my PC that it takes 3-4 hours to run Malwarebytes. I wrote my first post late at night and I was way too vague in describing the problem, and I think this may have been confusing for you.

    I know that the code listed as hooks by RogueKiller is a normal part of Symantec's AV. There is still a problem here. The problem is that when I killed SYMEVENT.SYS, a Symantec driver, my machine behaves normally, runs fast again and does what it is supposed to.

    Moreover, RogueKiller stops reporting the hooks in the driver section. I ran RogueKiller two months ago with the same software on my machine (Symantec) and back then it didn't report issues.

    After doing much reading and work, I think what I am dealing with is this: http://malwaresurvival.wordpress.com/tag/ssdt-exploit/.

    This article describes an attack using kernel driver hooks. I think in my case, the attack on my machine involves using the Microsoft Kernel Audio driver, and the Microsoft Kernel Wave Audio Mixer.

    In fact, I think this is exactly why the audio on my computer is scratchy and sounds like static fading in and out. I did much digging on my computer and I did find issues with these drivers. Don't ask me how, because I don't remember; again, I needed to keep notes and I didn't (see below).

    All the same, with my relatively uneducated opinion, what the above article describes does seem to match the symptoms on my PC. Here is a brief synopsis of the article:

     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'll point Chaslang in your direction.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those items in RogueKiller are not problems. Many legit programs put in hooks like this including protection software. That is how they protect you. If you wish to double check, uninstall all your protection software, reboot and then rerun RogueKiller and attach a new log. I would bet Norton is behind many if not all of them.
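Added example (not RogueKiller's code, nor anything the thread's participants ran): a small Python script that parses hook lines in the format quoted earlier in the thread and attributes each kernel hook target to a loaded-module address range, so that "many hooks all inside one signed security driver" can be told apart from "hooks pointing into no known module" without uninstalling anything. The module range for symevent.sys is constructed; on a real machine the base and size would come from a kernel module listing.

```python
"""Attribute RogueKiller 'Driver' hook targets to loaded kernel modules.
Added example; the module map below is constructed, not the poster's."""
import re
from collections import Counter
# Line shapes as they appear in the thread's RogueKiller log.
SSDT_RE = re.compile(
    r"\[Address\] (?P<table>Shadow SSDT|SSDT)\[\d+\] : (?P<func>\S+)"
    r"(?: @ 0x[0-9A-Fa-f]+)? -> HOOKED \(\w+ @ 0x(?P<target>[0-9A-Fa-f]+)\)")
INLINE_RE = re.compile(
    r"\[Inline\] EAT @(?P<proc>\S+) \((?P<func>\w+)\) : \S+ -> HOOKED "
    r"\(\w+ @ 0x(?P<target>[0-9A-Fa-f]+)\)")

def parse_hook(line):
    """Return {'kind', 'func', 'target'} for one hook line, else None."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        return {"kind": m["table"], "func": m["func"], "target": int(m["target"], 16)}
    m = INLINE_RE.match(line)
    if m:
        return {"kind": "EAT " + m["proc"], "func": m["func"], "target": int(m["target"], 16)}
    return None

def owner(addr, modules):
    """Name the module whose [base, base+size) range contains addr."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return "unattributed"

def triage(log_lines, modules):
    """Count kernel hook targets per owning module: many hooks inside one signed
    security driver is the protection-software pattern; targets in no module need a look."""
    counts = Counter()
    for hook in filter(None, map(parse_hook, log_lines)):
        if hook["kind"].startswith("EAT "):
            counts["user-mode EAT hooks"] += 1   # kernel module ranges don't apply
        else:
            counts[owner(hook["target"], modules)] += 1
    return dict(counts)

# Constructed sample: four lines in the shape of the thread's log, plus a
# made-up module range standing in for a real kernel module listing.
SAMPLE_LOG = [
    "¤¤¤ Driver : [LOADED] ¤¤¤",
    "[Address] SSDT[12] : NtAlertResumeThread @ 0x805D3328 -> HOOKED (Unknown @ 0x89A62760)",
    "[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B2D44 -> HOOKED (Unknown @ 0x89CC77B0)",
    "[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x89A24E28)",
    "[Inline] EAT @firefox.exe (NtMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x06100048)",
]
MODULES = [("symevent.sys", 0x89A00000, 0x100000)]  # constructed base/size
```

Running `triage(SAMPLE_LOG, MODULES)` on the constructed data attributes two kernel hooks to symevent.sys, leaves one unattributed and counts the Firefox EAT hook separately.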
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then uninstall Symantec and get a different AV program.
     
