Rootkit corrupting MSWSOCK/WSOCK32

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by opendave, Oct 24, 2010.

  1. opendave

    opendave Private E-2

    Hi All,

    I got the happy job of working on an XP laptop that belongs to a friend of my wife. Lucky me. Nothing better to do with my weekend than fight rootkits :)

    Anyhow, there were a number of symptoms: slow performance, redirects in IE to shopping portals, sometimes refusing to connect to the network at all.

    I thought I was going to get lucky when I noticed a proxy entered in IE. Clearing that did not resolve all of the issues.

    When attempting to check out the routing tables, ROUTE fails with a missing entry point in MSWSOCK.DLL. I tried putting a known good copy of the DLL in, but it kept getting overwritten with the corrupted copy. Using Recovery Console I was able to delete it altogether and when I dropped the good DLL in the ROUTE started working again. A couple of minutes later though, it was re-corrupted. NETSH commands also fail with similar errors in MSWSOCK or WSOCK32.DLL.

    I have attached my logs. All show clear except ComboFix which does detect the Rootkit but does not get rid of it.

    NOTE: SAS reports Malware Bytes as a fake, but I intentionally renamed it winlogon.exe to keep the rootkit from corrupting the executable and killing the scan process.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/24/2010 at 03:18 PM

    Application Version : 4.44.1000

    Core Rules Database Version : 5743
    Trace Rules Database Version: 3555

    Scan type : Complete Scan
    Total Scan Time : 01:48:38

    Memory items scanned : 567
    Memory threats detected : 0
    Registry items scanned : 8514
    Registry threats detected : 0
    File items scanned : 94158
    File threats detected : 1

    Trojan.Agent/Gen-FakeAlert
    C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\WINLOGON.EXE


    Any ideas what I am dealing with and how I can get rid of it?

    Thanks,
    Dave
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall this outdated java:

    • Java(TM) 6 Update 3

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    DFBCFDBA
    File::
    c:\windows\system32\drivers\kxeqyr.sys
    c:\windows\system32\drivers\klmdb.sys
    c:\windows\system32\wbem\SET13.tmp
    c:\windows\system32\wbem\SETF.tmp
    c:\windows\system32\wbem\SETB.tmp
    c:\windows\system32\wbem\SETA.tmp
    c:\windows\system32\wbem\SET9.tmp
    c:\windows\system32\wbem\SET8.tmp
    c:\windows\system32\wbem\SET14.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please also download MBRCheck to your desktop

    • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • Now please ATTACH that report to this thread

    Go to VirusTotal and submit this file for analysis. Let me know the results.

    • c:\windows\system32\mswsock.dll

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how things are running. :)
     
  3. opendave

    opendave Private E-2

    Thanks for the assist.

    - Uninstalled Java

    - Ran Combofix with script. It still indicated rootkit activity, and the errors from ROUTE still occur because of the bad MSWSOCK.DLL.

    - Submitted the MSWSOCK.DLL to VirusTotal and they say it is clean. Maybe the rootkit is just using an out-of-date copy?

    - Temp folders were already clean

    - MGTools also has complaints about MSWSOCK.DLL when running nslookup and route.

    - Updated Java.

    - Attached new logs for ComboFix, MGTools, and MBRCheck.

    Thanks again,
    Dave
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So what is it reporting exactly when it says it detects rootkit activity? Usually when it finds rootkit activity it needs a reboot and then once you get back to your desktop, combofix continues to run, and then proceeds to disinfect the infected file if that is possible. So tell me, is it actually saying that c:\windows\system32\mswsock.dll is infected or something else?
     
  5. opendave

    opendave Private E-2

    ComboFix does prompt for a reboot with the message that rootkit activity has been detected.

    This is from the log:
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf762df28
    \Driver\ACPI -> ACPI.sys @ 0xf7580cb8
    \Driver\atapi -> atapi.sys @ 0xf751a852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: LAN-Express AS IEEE 802.11g miniPCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7427bd4
    PacketIndicateHandler -> NDIS.sys @ 0xf7433a21
    SendHandler -> NDIS.sys @ 0xf7427d44

    It reboots the laptop and continues to run, but the rootkit survives.

    ComboFix does not report that MSWSOCK.DLL is infected, but it does raise error messages when ComboFix attempts to use the ROUTE and NSLOOKUP commands. Some procedure entry points are missing in the copy of the DLL that the rootkit keeps placing in system32.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
    • Attach this log to your next message
     
  7. opendave

    opendave Private E-2

    I ran the latest version, 2.4.5, and it found one suspicious object: ALCXSENS.SYS

    I told it to delete the file on reboot, but it either did not delete or was recreated on reboot. Based on what I have read it is part of the drivers for the Realtek AC97 audio.

    I have attached the log file.

    Thanks,
    Dave
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try running TDSSKiller again in safe mode and attach the resulting log.
     
  9. opendave

    opendave Private E-2

    I ran in safe mode and it does not appear that TDSSKiller detected anything. The log is attached.

    I tried deleting MSWSOCK.DLL from the Recovery Console again, then placing a known good copy in SYSTEM32. ROUTE PRINT worked again, but after a couple of minutes the errors returned stating that MSWSOCK.DLL was missing a procedure entry point - something must have replaced/corrupted it.

    Any other ideas?
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      MSWSOCK.DLL
      WSOCK32.DLL
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Run this

    GMER - running with a random name


    Attach the log to your next message.
     
  11. opendave

    opendave Private E-2

    SystemLook seems ok - files match in each location found (except an old SP uninstall directory):

    SystemLook 04.09.10 by jpshortstuff
    Log created at 18:00 on 26/10/2010 by Tawna Thorpe
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "MSWSOCK.DLL"
    C:\WINDOWS\ERDNT\cache\mswsock.dll --a---- 245248 bytes [16:35 24/10/2010] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20
    C:\WINDOWS\system32\mswsock.dll --a---- 245248 bytes [23:48 26/10/2010] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20
    C:\WINDOWS\system32\dllcache\mswsock.dll --a--c- 245248 bytes [23:48 26/10/2010] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20

    Searching for "WSOCK32.DLL"
    C:\WINDOWS\$NtServicePackUninstall$\wsock32.dll -----c- 22528 bytes [08:51 26/09/2009] [12:00 04/08/2004] 53AF9F2B2CE4B6EFF41C70417359D010
    C:\WINDOWS\ServicePackFiles\i386\wsock32.dll ------- 22528 bytes [21:29 19/08/2008] [00:12 14/04/2008] 67156D5A9AC356DC99D7BCCB388E3316
    C:\WINDOWS\system32\wsock32.dll --a---- 22528 bytes [06:59 09/11/2004] [00:12 14/04/2008] 67156D5A9AC356DC99D7BCCB388E3316
    C:\WINDOWS\system32\dllcache\wsock32.dll --a--c- 22528 bytes [06:59 09/11/2004] [00:12 14/04/2008] 67156D5A9AC356DC99D7BCCB388E3316

    -= EOF =-


    But GMER still sees the rootkit:

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-27 05:57:00
    Windows 5.1.2600 Service Pack 3
    Running: teqyci5w.exe; Driver: C:\DOCUME~1\TAWNAT~1\LOCALS~1\Temp\uxtciaob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\tifmsony.sys entry point in "init" section [0xF776B280]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[516] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Disk \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 F766611B

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) F7911000-F7918000 (28672 bytes)
    Module (noname) (*** hidden *** ) F7671000-F767A000 (36864 bytes)
    Module (noname) (*** hidden *** ) F7901000-F7909000 (32768 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:112] F7904730
    Thread System [4:116] F7675078
    Thread System [4:120] F7666E8A
    Thread System [4:3468] B1295254
    Thread System [4:3492] B1295254

    ---- EOF - GMER 1.0.15 ----
     
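The SystemLook output above is read by eye ("files match in each location found"). As an added example, not part of this thread or of SystemLook, the script below parses that ':filefind' format and compares the MD5 and size of each live system32 copy against the protected dllcache and ServicePackFiles copies; the mswsock.dll and wsock32.dll lines are the ones quoted above, while the WS2_32.DLL block and its two hashes are constructed placeholders to show a flagged mismatch.

```python
# Added example (not SystemLook's own code): parse SystemLook ':filefind' output
# and compare the live system32 copy of each DLL with the protected copies in
# dllcache / ServicePackFiles by MD5 and size.
import re
from collections import defaultdict

# Constructed sample: the mswsock.dll / wsock32.dll lines are from the SystemLook
# log quoted above; the WS2_32.DLL block is made up to show a mismatch, and its
# two hashes are placeholders, not real file hashes.
SAMPLE_LOG = r"""Searching for "MSWSOCK.DLL"
C:\WINDOWS\system32\mswsock.dll --a---- 245248 bytes [23:48 26/10/2010] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20
C:\WINDOWS\system32\dllcache\mswsock.dll --a--c- 245248 bytes [23:48 26/10/2010] [17:46 20/06/2008] 832E4DD8964AB7ACC880B2837CB1ED20

Searching for "WSOCK32.DLL"
C:\WINDOWS\$NtServicePackUninstall$\wsock32.dll -----c- 22528 bytes [08:51 26/09/2009] [12:00 04/08/2004] 53AF9F2B2CE4B6EFF41C70417359D010
C:\WINDOWS\ServicePackFiles\i386\wsock32.dll ------- 22528 bytes [21:29 19/08/2008] [00:12 14/04/2008] 67156D5A9AC356DC99D7BCCB388E3316
C:\WINDOWS\system32\wsock32.dll --a---- 22528 bytes [06:59 09/11/2004] [00:12 14/04/2008] 67156D5A9AC356DC99D7BCCB388E3316
C:\WINDOWS\system32\dllcache\wsock32.dll --a--c- 22528 bytes [06:59 09/11/2004] [00:12 14/04/2008] 67156D5A9AC356DC99D7BCCB388E3316

Searching for "WS2_32.DLL"
C:\WINDOWS\system32\ws2_32.dll --a---- 82944 bytes [01:00 01/01/2010] [00:12 14/04/2008] 00000000000000000000000000000001
C:\WINDOWS\system32\dllcache\ws2_32.dll --a--c- 82944 bytes [06:59 09/11/2004] [00:12 14/04/2008] 00000000000000000000000000000002
"""

# One hit line: <path> <7 attribute flags> <size> bytes [mtime] [ctime] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

def parse_filefind(text):
    """Return {lower-case file name: [entry dicts]} for every hit in the log."""
    found = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = re.match(r'^Searching for "([^"]+)"', line)
        if m:
            current = m.group(1).lower()
            continue
        m = LINE_RE.match(line)
        if m and current:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            found[current].append(entry)
    return dict(found)

def _kind(path):
    """'live' = system32 itself; 'reference' = dllcache / ServicePackFiles; 'other' = skipped."""
    p = path.lower()
    if "\\system32\\dllcache\\" in p or "\\servicepackfiles\\" in p:
        return "reference"
    if re.search(r"\\system32\\[^\\]+$", p):
        return "live"
    return "other"

def check_live_copies(found):
    """List (name, live_md5, ref_path, ref_md5) for every protected copy whose
    MD5 or size disagrees with the copy Windows actually loads from system32."""
    findings = []
    for name, entries in found.items():
        live = [e for e in entries if _kind(e["path"]) == "live"]
        refs = [e for e in entries if _kind(e["path"]) == "reference"]
        for lv in live:
            for ref in refs:
                if ref["md5"] != lv["md5"] or ref["size"] != lv["size"]:
                    findings.append((name, lv["md5"], ref["path"], ref["md5"]))
    return findings
```

Matching hashes only show the copies agree with each other: as this thread shows, malware that rewrites both system32 and dllcache leaves them identical, so the system32 hash should also be compared with one taken from a known-clean XP SP3 install.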
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not quite sure about that, let's run another tool.

    Scan With RKUnHooker
    • Please Download Rootkit Unhooker Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • * This can take a while. Please be patient *.
    • Save the report somewhere where you can find it. Click Close.
    • Attach the entire contents of this log in your next reply.
    • Note: You may get the following warning - it is ok - just ignore it:
    • "Rootkit Unhooker has detected a parasite inside itself!
    • It is recommended to remove parasite, okay?"
     
  13. opendave

    opendave Private E-2

    Here is the log from RkUnHooker (I only saved the report and did not select any of the Unhook buttons):


    Thanks!
    Dave
     


    Last edited by a moderator: Oct 27, 2010
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller again.

    Then this -
    Radix Rootkit Detection Tool
    • Right click on your Desktop and select New and then Folder to create a new folder on your Desktop. Name the folder Radix.
    • Download Radix from usec.at. Scroll down to the bottom of the page and click the Download Radix icon. Save it to your Desktop in the new Radix folder just created.
    • Unzip the archive into this Radix folder you created.
    • Run the program by double-clicking the radixgui.exe.
    • Click Yes to accept the license agreement.
    • Do not change any settings and click check to start the search.
    • When the scan is finished, DO NOT, I repeat, DO NOT click the Fix selected button.
    • You also do not need to click on the Save log button because it is already saved.
    • The logfile is auto saved as log.txt in the Radix folder on your Desktop.
    • Close the program window of Radix.
    • Attach the logfile to the next message in your thread.
    Important: Radix has many options, some of which can cause serious and lasting damage to your computer if not properly applied. Please, do not experiment on your own. Just scan with the default settings or settings only given to you by an expert.

    Then run ComboFix

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  15. opendave

    opendave Private E-2

    I have attached the logs for TDSSKiller and Radix - I see you prefer that :)

    Radix actually crashed, so I did not continue on to ComboFix. Radix offered to let me continue anyhow, but said that was 'not recommended', so I opted for 'No'.

    The failure occurred when Radix was examining the hooking between ntdll.dll and mswsock.dll. I must admit it is good to finally see a tool identify that dll as flaky too. Maybe I am not crazy after all.

    Anyhow, if you want me to rerun radix (to completion even if a test crashes), or run ComboFix & MGTools, just let me know.

    Dave
     


  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes indeed we do, it stops forum clutter and makes posts easier to read.

    TDSSKiller found and dealt with a problem and that should be the end of your malware problems. However, let's do an extra sweep of both Combofix and MGTools.
    Double click combofix to run it
    Then:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited by a moderator: Oct 27, 2010
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.

    If you are having problems running Rkill, you can download iExplore.exe or eXplorer.exe, which are renamed copies of Rkill.com, and try them instead.
     
  18. opendave

    opendave Private E-2

    OK -- downloaded all referenced versions of Rkill except the PIF which returned a 404 error.

    I have attached two logs:
    rkill.log - identical results from all versions except rkill.scr, showing the only process terminated during the run was rkill itself.

    rkill-scr.log - also shows imapi.exe being killed. The laptop does have a couple of files 'waiting to be burnt to cd', which I think would normally be handled by imapi.exe, but it is odd that only one version of rkill chose to kill the process. If I run rkill.scr again it usually (but not always) lists imapi.exe again.
     


  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you install the Remote Management Software for Windows yourself?

    Run the below from a command prompt and then get me the c:\lsp.txt log:

    Log retrievable @ > c:\lsp.txt

    Next...
    • Click the Start menu and click Run.
    • Type "regedit" and click OK.
    • Navigate to this key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
    • Click Registry in the Registry Editor toolbar.
    • Or File > Click Export Registry File.
    • Select the directory for the exported file and type a file name. Use a specific name so that you can identify the file easily.
    • Click OK to export the Registry file.

    Zip it up and attach it here for our review.
     
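The WinSock2 export requested above is useful because each Protocol_Catalog9 entry names the provider DLL (normally %SystemRoot%\system32\mswsock.dll on XP) that every Winsock call is routed through. As an added example, not part of this thread or of any forum tool, the script below reads such a regedit export, extracts the DLL path from each PackedCatalogItem value, and flags entries that do not point directly into system32. It assumes the commonly described PackedCatalogItem layout (a NUL-terminated ANSI DLL path at offset 0); the sample export, including its third rogue-looking entry and the lspdemo.dll name, is constructed.

```python
# Added example (not the forum's or any tool's code): read a regedit export of
# the WinSock2 key and list the provider DLL behind each Protocol_Catalog9 entry,
# flagging any that does not live directly under %SystemRoot%\system32. Assumes
# the commonly described PackedCatalogItem layout: NUL-terminated ANSI path first.
import re

def _reg_entry(index, dll_path):
    """One Catalog_Entries key in .reg syntax (constructed sample data only;
    the real value continues with a WSAPROTOCOL_INFO block, omitted here)."""
    raw = dll_path.encode("ascii") + b"\x00" * 4
    pairs = ",".join(f"{b:02x}" for b in raw)
    key = (r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2"
           r"\Parameters\Protocol_Catalog9\Catalog_Entries\%012d]" % index)
    # regedit wraps long hex values after a comma and ends each wrapped line with '\'
    body = "\\\n  ".join(pairs[i:i + 75] for i in range(0, len(pairs), 75))
    return f'{key}\n"PackedCatalogItem"=hex:{body}\n\n'

# Constructed sample export: two normal entries and one placeholder rogue provider.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "".join([
    _reg_entry(1, r"%SystemRoot%\system32\mswsock.dll"),
    _reg_entry(2, r"%SystemRoot%\system32\mswsock.dll"),
    _reg_entry(3, r"C:\DOCUME~1\user\LOCALS~1\Temp\lspdemo.dll"),
])

def parse_catalog(reg_text):
    """Return [(entry_index, dll_path)] for every Catalog_Entries key in the export."""
    entries, current, lines = [], None, reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"\[.*\\Protocol_Catalog9\\Catalog_Entries\\(\d+)\]$", line)
        if m:
            current = int(m.group(1))
        elif current is not None and line.startswith('"PackedCatalogItem"=hex:'):
            hexdata = line.split("hex:", 1)[1]
            while hexdata.endswith("\\"):          # pull in regedit's continuation lines
                i += 1
                hexdata = hexdata[:-1] + lines[i].strip()
            raw = bytes(int(h, 16) for h in hexdata.split(",") if h)
            entries.append((current, raw.split(b"\x00", 1)[0].decode("ascii", "replace")))
        elif line.startswith("["):
            current = None                          # left the catalog subtree
        i += 1
    return entries

def suspicious_providers(entries, system_root=r"C:\WINDOWS"):
    """Return the entries whose DLL is not a file directly inside system32.
    On a default XP install every entry points there; anything else deserves a look."""
    allowed = system_root.lower() + "\\system32\\"
    flagged = []
    for idx, path in entries:
        real = path.lower().replace("%systemroot%", system_root.lower())
        if not real.startswith(allowed) or "\\" in real[len(allowed):]:
            flagged.append((idx, path))
    return flagged
```

A flagged path is a lead, not a verdict: some legitimate third-party LSPs install outside system32, so check the file's publisher and hash before acting on it.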
  20. opendave

    opendave Private E-2

    Sorry for the slow response.

    I have zipped the reg file and attached to this post.

    I was not able to get the catalog file though, because NETSH will not run due to missing entry points in MSWSOCK.DLL.

    I was considering running sfc to see if it might be able to get a correct copy of the dll in place. Do you see any down side to that?
     


  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Absolutely no downside to running sfc. As long as you have your OS cd and run it at least twice.
     
  22. opendave

    opendave Private E-2

    Unfortunately I still cannot get NETSH or ROUTE to run. I have even tried copying known good copies of WSOCK32.DLL and MSWSOCK.DLL from another XP SP3 machine to no avail.

    I could try to uninstall/reinstall SP3 to fix this issue.

    How critical is the winsock catalog dump to figuring out the infection?
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hang in there. I am seeking further advice. :)
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Downloading and running Win32kDiag
    1. Download Win32kDiag from any of the following locations and save it to your Desktop.
    2. Double-click Win32kDiag.exe to run it and let it finish.
    3. When it states Finished! Press any key to exit..., press any key to close the program.
    4. It will save a Win32kDiag.txt file to your desktop automatically. Attach this log file to your next message.


    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.
     
