Rootkit Removed, but still have suspicious remnants

Discussion in 'Malware Help (A Specialist Will Reply)' started by gromittoo, Mar 18, 2010.

  1. gromittoo

    gromittoo Private E-2

    I work for a very large technology company, that outsources its IT to another big company. Because it is a big company, the internal websites require that we stick with IE 6.0, and WindowsXP SP2. There is a firewall, and Symantec Endpoint installed. The Symantec Endpoint software is constantly updated.

    On Friday Feb 19th in the early afternoon, I was at work on my company laptop behind the company firewall. Something was compiling, so I went on the internet to buy a microwave that I found the night before at home. I was having a lot of problems with IE 6 and web sites locking up, so I loaded a 3.5.x Firefox browser. When Firefox loaded, it told me that it had been upgraded to a new 3.5.x version for me. I thought this was strange, especially since I was pretty sure that 3.6 was the latest.

    Not long after that, I saw a really ugly looking popup that said something about software that could not be installed. The majority of the dialog was a grayed text window, in "Console" font, with a lot of garbage characters in it. I dismissed it by hitting the OK button, then I realized (too late) that it was really suspicious. I should have gone to Task Manager and terminated all tasks associated with web browsers. In my research over the next few weeks, I did see a post someplace that had the same or similar dialog.

    My compile finished, and I still had not found the microwave I was looking for. My computer started to freeze up at random times. I downloaded a freeware clock, so I could tell instantly when the freezing occurred. When the computer froze, I could hit Ctrl-Alt-Del and bring up Task Manager, but the data on the Task Manager tabs was static. If I pressed the "CPU" column to see who was using all the CPU, the user interface would update, but every single entry was zero percent. I could shut down the computer, but it would take several tries.


    I began to notice two patterns about the freezeups.

    The first freezeup pattern: The computer would freeze while I was browsing the web and clicking on controls that executed JavaScript. For example, it froze one time when I was looking at Gmail, and I clicked on the button to return to the inbox. Another time, I was composing a reply to an Outlook email in HTML format, and I pressed the button to change the text color.

    The Second Freezeup Pattern: I would be away from my desk, and the laptop would freeze sometime between 6 and 12 minutes past the hour. I eventually was able to conclude that these corresponded to Symantec Endpoint starting a background scan six minutes earlier.

    Another Symptom: Multiple shutdown attempts required to shut down normally:
    Whenever I tried to shut down the laptop normally, it would always take two tries. Once I realized this, I went to the system log, and I noticed the following message:
    Event Type: Warning
    Event Source: USER32
    Event Category: None
    Event ID: 1073
    Date: 3/16/2010
    Time: 5:34:42 PM
    User: NT AUTHORITY\SYSTEM
    Computer: WTK346-01
    Description:
    The attempt to power off WTK346-01 failed

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....

    Note: WTK346-01 is the name of my computer.
    Note: after the first attempt to "shut down" the computer, I could still open the system event log, and the message would be present. I could still see all of the icons on my desktop.
    Note: I researched this message, and I installed the User Profile Unloader service from Microsoft. It made no difference.


    OK I spent a weekend cleaning up temporary directories, and defragging my drive. I attempted to run Symantec Deep scan several times overnight, and it locked up at shortly after 1 AM both times. I tried disabling Symantec (with no network connection), and it would last at least a day without crashing. I tried Avira AV, and it completed without finding anything.

    I resisted contacting the IT support company. They have a reputation for saying "oh we can't do that, we can only re-image your computer". I contacted them on Feb 25th, and they assigned someone in New Delhi to fix my problem using Net Meeting. I am dead serious... they expect someone in India to fix a computer that freezes up, using phone and Netmeeting. After several sessions of him poking around, and him asking "can I uninstall this", I figured I had wasted too much of my company's time. I even witnessed the guy from India trying to delete the following files which could not be deleted (which will become important later):

    $$$dq3e
    $67we.$
    xsw2

    I did my own research over the weekend of March 6, and discovered that those file names are associated with a rootkit. This information was here in MG in a thread started Dec 10 2009 called "Rootkit Activity, Invalid PE, Hidden /Windows/System Temp files". This led me to a tool "Stealth MBR rootkit":

    C:\>e:\embre
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x8a6d3178
    NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> 0x896ac330
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x0950E4C1
    malicious code @ sector 0x0950E4C4 !
    PE file found in sector at 0x0950E4DA !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


    So it found I had a rootkit. I planned to fix it when I got home Monday the 8th. Then I realized that you can only fix the problem in "Safe" mode, and the IT company does not allow us users to know the Admin password required for Safe mode.

    Tuesday overnight, I had the "on site" IT guy run tests on the laptop. He still thought it could be hardware. I told him I knew I had a rootkit.

    Wednesday, he tells me he can't fix it; he can only re-image it. He strongly encouraged me to accept the re-image. I told him I would lose weeks of work while I tried to figure out all the crazy settings of our software (and all the useful tools of my own). I asked if he could change the system password, so I could try myself. He consented, saying that I have access to tools that he is not allowed to use.

    That night, I booted into safe mode with System Restore turned off. I ran MBR.exe, and was able to delete the three temp files. The rootkit returned when I rebooted normally. I then noticed a user profile on my system called "HelpAssistant". I noticed that the folder create dates corresponded to the time and date of infection. I also noted that the user had administrative rights to my computer. I deleted the files from that profile, and removed the user. I then ran MBR in safe mode, and all crashes have stopped!

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x0950E4C1
    malicious code @ sector 0x0950E4C4 !
    PE file found in sector at 0x0950E4DA !

    OK so the laptop no longer crashes. I didn't trust that Symantec Endpoint was clean, so I got a different employee in India to uninstall and re-install endpoint. That process has gone well. I ran several thorough scans overnight that weekend.

    THE ONGOING ISSUES:

    I forgot to mention that I noticed the following message that also appeared in the system event log a few days after the infection:
    Event Type: Information
    Event Source: BITS
    Event Category: None
    Event ID: 16384
    Date: 3/16/2010
    Time: 7:44:29 PM
    User: N/A
    Computer: WTK346-01
    Description:
    The administrator NT AUTHORITY\SYSTEM canceled job "C:\WINDOWS\TEMP\GUR1.exe" on behalf of DS\wtk346. The job ID was {EA30C67A-A4A7-4917-9566-10AA3EA1F269}.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I have seen about 30 of these messages in the event log, and 5 have occurred after Symantec was re-installed.

    Also, requiring a double shutdown still occurs. On March 16th, I noticed that two files that cannot be deleted keep appearing in the Windows Temp directory. They are both of the form

    Perflib_Perfdata_xxx.dat

    Someone told me about "Process Explorer" originally from SysInternals, but now on Microsoft's technet site. This tool allowed me to figure out who is opening the files.

    One of the files is always opened by "jsq.exe". "Java Quick Start" is a service that is present to help Java run faster. I disabled that service, and now shutdowns work normally, and the file is no longer created. One of my original symptoms was freezing when using Java on a web page, so I think there is still a remnant of the virus that has infected Java somehow. I did update my Java a week ago, and I uninstalled the 2 old versions I had. I can live without Java Quick Start for now, but this remnant worries me.

    The other file alternates who starts it.
    - rtvscan.exe (part of Symantec EndPoint)
    - one of 4 instances of wmiprvse.exe *

    NOTE: if the undeletable file is owned by rtvscan.exe, then there will only be 3 instances of wmiprvse.exe
     


  2. gromittoo

    gromittoo Private E-2

    Sorry for the delay on the last log
     


  3. gromittoo

    gromittoo Private E-2

    BTW: I have added the following batch file to my startup folder. Maybe other people might find it useful. It calls a renamed version of mbr.exe. If it finds something, it will tell me the next time I boot. If I could figure out how to cause beeps to come from my laptop, even when muted, I could get rid of the pause.

    @echo off
    REM Runs a renamed copy of mbr.exe (here C:\embre) and looks for its clean verdict line.
    echo "Testing Master Boot Record"
    C:\embre | find "user & kernel MBR OK"
    REM In a pipeline %errorlevel% is that of the last command; find returns 1 when the text is absent.
    if not %errorlevel% EQU 0 GOTO ERROR

    GOTO END

    :ERROR
    Echo "*********************************************"
    Echo "*********************************************"
    Echo.
    Echo "MASTER BOOT RECORD CORRUPTION DETECTED !!!"
    Echo.
    Echo "*********************************************"
    Echo "*********************************************"
    Echo.
    REM Run the detector again so its full report stays on screen until the pause.
    c:\embre
    :END
    pause
     
    Last edited: Mar 18, 2010
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  5. gromittoo

    gromittoo Private E-2

    Thanks for the update. I am truly thankful that you folks do this.

    Updates:
    My issue with needing to shutdown twice has returned. The message in the event log for User32 not being able to shut down the power has also returned. This is in spite of disabling Java Quick Start.

    I have done research on the "BITS" messages I am seeing in the log. They could have started because I installed Google Toolbar for Firefox, a day or two after I got infected. "GURnnn.exe" might be GoogleUpdateR; or it could be the virus trying to look like Google Updater. Note that I have had the Google Toolbar for IE6 for 3 years, and there are no BITS messages prior to February 22, 2010.

    It appears that the BITS service does not provide any monitoring tools, unless you install the complete .NET development framework. That is LAME.
     
  6. gromittoo

    gromittoo Private E-2

    I just checked my Home PC (which is not infected) which is running XP SP3 with IE-8 and Firefox 3.6, with both browsers having Google Toolbar installed. I do not see a single event in the event log from the BITS service, so I am not seeing the error where the BITS service terminated "C:\Windows\Temp\GURnnn.exe". This has me thinking that the BITS services messages seen on my Laptop (XP SP2 and IE-6 + Firefox 3.6) are indicating something nefarious.
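As an added example that is not from this thread or from its posters, a small Python triage script that reads an Event Viewer text export in the format quoted in the first post and flags the two patterns discussed here: BITS 16384 cancellations whose job executable sits in a temp directory, and USER32 1073 power-off failures. The sample records and the temp-directory list are constructed assumptions.

```python
import re
# Constructed sample in the Event Viewer text format quoted in the thread, trimmed
# to the fields used below; not records from the poster's machine.
SAMPLE_EVENTS = """\
Event Source: BITS
Event ID: 16384
Date: 3/16/2010
Description:
The administrator NT AUTHORITY\\SYSTEM canceled job "C:\\WINDOWS\\TEMP\\GUR1.exe" on behalf of DS\\wtk346. The job ID was {EA30C67A-A4A7-4917-9566-10AA3EA1F269}.

Event Source: USER32
Event ID: 1073
Date: 3/16/2010
Description:
The attempt to power off WTK346-01 failed

Event Source: BITS
Event ID: 16384
Date: 3/17/2010
Description:
The administrator NT AUTHORITY\\SYSTEM canceled job "C:\\Program Files\\Example\\updater.exe" on behalf of DS\\wtk346. The job ID was {00000000-0000-0000-0000-000000000000}.
"""

# Assumed list of locations a legitimate updater has no reason to stage its executable in.
TEMP_DIRS = (r"c:\windows\temp", r"c:\documents and settings")

def parse_events(text):
    """Split an Event Viewer text export into dicts: header fields plus the Description body."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, _, body = block.partition("Description:")
        fields = dict(line.split(": ", 1) for line in header.splitlines() if ": " in line)
        fields["Description"] = body.strip()
        events.append(fields)
    return events

def triage(text):
    """Flag BITS 16384 cancellations with a job path in a temp dir; count USER32 1073 power-off failures."""
    out = {"suspicious_bits_jobs": [], "bits_jobs_total": 0, "poweroff_failures": 0}
    for ev in parse_events(text):
        src, eid = ev.get("Event Source"), ev.get("Event ID")
        if src == "BITS" and eid == "16384":
            m = re.search(r'job "([^"]+)"', ev["Description"])
            if m:
                out["bits_jobs_total"] += 1
                if m.group(1).lower().startswith(TEMP_DIRS):
                    out["suspicious_bits_jobs"].append((ev.get("Date"), m.group(1)))
        elif src == "USER32" and eid == "1073":
            out["poweroff_failures"] += 1
    return out
```

Running `triage(SAMPLE_EVENTS)` reports the temp-directory job and one power-off failure while leaving the Program Files job unflagged; point it at a real export to see whether the cancellations cluster around the infection date.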
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello again, gromittoo

    Our practice of removing malware from non-business use/personal computers has these considerations:
    • Business companies' policies pertaining to proprietary information found on their machines
    • Possibilities of being party to breaching a company's "Code Of Conduct"
    • Financial and/or legal liabilities - if while cleaning a business machine, it crashes; resulting in loss of company information or worse - client information

    With accompanying regrets, I cannot undertake cleaning your machine.

    dr.moriarty
     
  8. gromittoo

    gromittoo Private E-2

    I understand your policy.

    I was hoping that, given that the only alternative was to re-image the machine, I could get guidance on fixing it myself. I invested a lot of my non-work time researching this problem, and managed to fix the main problem. I only posted my logs when I wasn't sure whether a backdoor for re-infection was left behind.
     
