Weird problems + suspicious hook

Discussion in 'Malware Help (A Specialist Will Reply)' started by maxorator, Dec 14, 2008.

  1. maxorator

    maxorator Private E-2

    The machine I'm talking about is not mine. It is running Windows XP Home SP3. It had a bunch of rootkits and trojans which I manually removed from a Live CD (no AV managed to do it). Now the system generally seems to be clean (and no, I'm not making a HijackThis log to verify this, ARK tools showed everything was OK, drivers/startup/processes are OK too, RKU report was clean except one hook I will mention later), but is having some weird problems:
    1. Copying/pasting/dragging files doesn't work in shell windows (in Windows Explorer and in all kinds of Open File/Save File dialogs), on dragging it simply doesn't even show I started dragging it (tried reregistering a lot of DLLs, still nothing).
    2. Taskbar doesn't show any windows (registry patches didn't help).
    3. Windows key doesn't spawn the Start Menu.
    4. Some applications like MS Excel and explorer.exe take a long time to start (approx. 1 minute).
    5. Task Manager and Process Explorer fail to start - when I monitor the system with Process Monitor and set it to log processes starting, then I see that Task Manager is never started - instead, the Symbolic Debugger (ntsd.exe) is the only one to start (!!!).

    There is this one hook RKU reported.
    Code:
    [1244]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll] (5CB77774)
    
    So I looked up that address in shimeng.dll:
    Code:
    5CB77774   8BFF             MOV EDI,EDI
    5CB77776   55               PUSH EBP
    5CB77777   8BEC             MOV EBP,ESP
    5CB77779   81EC 10010000    SUB ESP,110
    5CB7777F   A1 2CF0B75C      MOV EAX,DWORD PTR DS:[5CB7F02C]
    5CB77784   8B4D 0C          MOV ECX,DWORD PTR SS:[EBP+C]
    5CB77787   8B15 EC0AB85C    MOV EDX,DWORD PTR DS:[5CB80AEC]          ; kernel32.GetProcAddress
    5CB7778D   53               PUSH EBX
    5CB7778E   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
    5CB77791   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
    5CB77794   51               PUSH ECX
    5CB77795   50               PUSH EAX
    5CB77796   FFD2             CALL EDX
    5CB77798   8BD8             MOV EBX,EAX
    5CB7779A   85DB             TEST EBX,EBX
    5CB7779C   899D F4FEFFFF    MOV DWORD PTR SS:[EBP-10C],EBX
    5CB777A2   74 56            JE SHORT ShimEng.5CB777FA
    5CB777A4   8B15 F0F5B75C    MOV EDX,DWORD PTR DS:[5CB7F5F0]
    5CB777AA   56               PUSH ESI
    5CB777AB   57               PUSH EDI
    5CB777AC   33FF             XOR EDI,EDI
    5CB777AE   85D2             TEST EDX,EDX
    5CB777B0   76 44            JBE SHORT ShimEng.5CB777F6
    5CB777B2   8B35 9800B85C    MOV ESI,DWORD PTR DS:[5CB80098]
    5CB777B8   8B0E             MOV ECX,DWORD PTR DS:[ESI]
    5CB777BA   83A5 F0FEFFFF 00 AND DWORD PTR SS:[EBP-110],0
    5CB777C1   85C9             TEST ECX,ECX
    5CB777C3   76 26            JBE SHORT ShimEng.5CB777EB
    5CB777C5   A1 E4F5B75C      MOV EAX,DWORD PTR DS:[5CB7F5E4]
    5CB777CA   8B04B8           MOV EAX,DWORD PTR DS:[EAX+EDI*4]
    5CB777CD   83C0 0C          ADD EAX,0C
    5CB777D0   3918             CMP DWORD PTR DS:[EAX],EBX
    5CB777D2   74 33            JE SHORT ShimEng.5CB77807
    5CB777D4   FF85 F0FEFFFF    INC DWORD PTR SS:[EBP-110]
    5CB777DA   8B9D F4FEFFFF    MOV EBX,DWORD PTR SS:[EBP-10C]
    5CB777E0   83C0 18          ADD EAX,18
    5CB777E3   398D F0FEFFFF    CMP DWORD PTR SS:[EBP-110],ECX
    5CB777E9  ^72 E5            JB SHORT ShimEng.5CB777D0
    5CB777EB   47               INC EDI
    5CB777EC   81C6 9C000000    ADD ESI,9C
    5CB777F2   3BFA             CMP EDI,EDX
    5CB777F4  ^72 C2            JB SHORT ShimEng.5CB777B8
    5CB777F6   8BC3             MOV EAX,EBX
    5CB777F8   5F               POP EDI
    5CB777F9   5E               POP ESI
    5CB777FA   8B4D FC          MOV ECX,DWORD PTR SS:[EBP-4]
    5CB777FD   5B               POP EBX
    5CB777FE   E8 E1240000      CALL ShimEng.5CB79CE4
    5CB77803   C9               LEAVE
    5CB77804   C2 0800          RETN 8
    5CB77807   8D85 F4FEFFFF    LEA EAX,DWORD PTR SS:[EBP-10C]
    5CB7780D   50               PUSH EAX
    5CB7780E   53               PUSH EBX
    5CB7780F   E8 F9E6FFFF      CALL ShimEng.5CB75F0D
    5CB77814   8BF0             MOV ESI,EAX
    5CB77816   33C0             XOR EAX,EAX
    5CB77818   3BF0             CMP ESI,EAX
    5CB7781A   75 1A            JNZ SHORT ShimEng.5CB77836
    5CB7781C   3905 A000B85C    CMP DWORD PTR DS:[5CB800A0],EAX
    5CB77822  ^74 D2            JE SHORT ShimEng.5CB777F6
    5CB77824   53               PUSH EBX
    5CB77825   68 9022B75C      PUSH ShimEng.5CB72290                    ; ASCII "[StubGetProcAddress] failed to construct the chain for pfn 0x%p\n"
    5CB7782A   6A 02            PUSH 2
    5CB7782C   E8 64E5FFFF      CALL ShimEng.5CB75D95
    5CB77831   83C4 0C          ADD ESP,0C
    5CB77834  ^EB C0            JMP SHORT ShimEng.5CB777F6
    5CB77836   3905 ECF5B75C    CMP DWORD PTR DS:[5CB7F5EC],EAX
    5CB7783C   75 52            JNZ SHORT ShimEng.5CB77890
    5CB7783E   3905 A000B85C    CMP DWORD PTR DS:[5CB800A0],EAX
    5CB77844   8B7D 04          MOV EDI,DWORD PTR SS:[EBP+4]
    5CB77847   74 10            JE SHORT ShimEng.5CB77859
    5CB77849   57               PUSH EDI
    5CB7784A   68 6022B75C      PUSH ShimEng.5CB72260                    ; ASCII "[StubGetProcAddress] Stack capture caller 0x%p\n"
    5CB7784F   6A 01            PUSH 1
    5CB77851   E8 3FE5FFFF      CALL ShimEng.5CB75D95
    5CB77856   83C4 0C          ADD ESP,0C
    5CB77859   85FF             TEST EDI,EDI
    5CB7785B   74 33            JE SHORT ShimEng.5CB77890
    5CB7785D   8D85 F4FEFFFF    LEA EAX,DWORD PTR SS:[EBP-10C]
    5CB77863   50               PUSH EAX
    5CB77864   8D85 F8FEFFFF    LEA EAX,DWORD PTR SS:[EBP-108]
    5CB7786A   50               PUSH EAX
    5CB7786B   57               PUSH EDI
    5CB7786C   E8 98FEFFFF      CALL ShimEng.5CB77709
    5CB77871   85C0             TEST EAX,EAX
    5CB77873   74 1B            JE SHORT ShimEng.5CB77890
    5CB77875   FFB5 F4FEFFFF    PUSH DWORD PTR SS:[EBP-10C]
    5CB7787B   8D85 F8FEFFFF    LEA EAX,DWORD PTR SS:[EBP-108]
    5CB77881   56               PUSH ESI
    5CB77882   50               PUSH EAX
    5CB77883   E8 F1ECFFFF      CALL ShimEng.5CB76579
    5CB77888   85C0             TEST EAX,EAX
    5CB7788A  ^0F85 66FFFFFF    JNZ ShimEng.5CB777F6
    5CB77890   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]
    5CB77893   3D FFFF0000      CMP EAX,0FFFF
    5CB77898   73 17            JNB SHORT ShimEng.5CB778B1
    5CB7789A   833D A000B85C 00 CMP DWORD PTR DS:[5CB800A0],0
    5CB778A1   74 2D            JE SHORT ShimEng.5CB778D0
    5CB778A3   FF76 08          PUSH DWORD PTR DS:[ESI+8]
    5CB778A6   53               PUSH EBX
    5CB778A7   50               PUSH EAX
    5CB778A8   FF36             PUSH DWORD PTR DS:[ESI]
    5CB778AA   68 2022B75C      PUSH ShimEng.5CB72220                    ; ASCII "[StubGetProcAddress] called for "%s!#%d" 0x%p changed to 0x%p\n"
    5CB778AF   EB 15            JMP SHORT ShimEng.5CB778C6
    5CB778B1   833D A000B85C 00 CMP DWORD PTR DS:[5CB800A0],0
    5CB778B8   74 16            JE SHORT ShimEng.5CB778D0
    5CB778BA   FF76 08          PUSH DWORD PTR DS:[ESI+8]
    5CB778BD   53               PUSH EBX
    5CB778BE   50               PUSH EAX
    5CB778BF   FF36             PUSH DWORD PTR DS:[ESI]
    5CB778C1   68 E021B75C      PUSH ShimEng.5CB721E0                    ; ASCII "[StubGetProcAddress] called for "%s!%s" 0x%p changed to 0x%p\n"
    5CB778C6   6A 04            PUSH 4
    5CB778C8   E8 C8E4FFFF      CALL ShimEng.5CB75D95
    5CB778CD   83C4 18          ADD ESP,18
    5CB778D0   8B46 08          MOV EAX,DWORD PTR DS:[ESI+8]
    5CB778D3  ^E9 20FFFFFF      JMP ShimEng.5CB777F8
    Then I restarted the process with OllyDbg and set a hardware breakpoint on the IAT entry. These are the registers when it stopped, and the function it occurred in:
    Code:
    EAX 5CB77774 ShimEng.5CB77774
    ECX 0007EF6C
    EDX 7C90E4F4 ntdll.KiFastSystemCallRet
    EBX 7C90D6D0 ntdll.ZwProtectVirtualMemory
    ESP 0007EF88
    EBP 0007F0C8
    ESI 01001268 <&KERNEL32.GetProcAddress>
    EDI 5CB80AE0 ShimEng.5CB80AE0
    EIP 5CB76A4F ShimEng.5CB76A4F
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 1  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 1  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDF000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_ENVVAR_NOT_FOUND (000000CB)
    EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
    ST0 empty -UNORM BDEC 01050104 0069006E
    ST1 empty 0.0
    ST2 empty 0.0
    ST3 empty 0.0
    ST4 empty 0.0
    ST5 empty 0.0
    ST6 empty 0.0
    ST7 empty 0.0
                   3 2 1 0      E S P U O Z D I
    FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
    
    --------------------------------------------------------------
    
    5CB76830   8BFF             MOV EDI,EDI
    5CB76832   55               PUSH EBP
    5CB76833   8BEC             MOV EBP,ESP
    5CB76835   81EC 34010000    SUB ESP,134
    5CB7683B   A1 2CF0B75C      MOV EAX,DWORD PTR DS:[5CB7F02C]
    5CB76840   53               PUSH EBX
    5CB76841   56               PUSH ESI
    5CB76842   8B75 10          MOV ESI,DWORD PTR SS:[EBP+10]
    5CB76845   57               PUSH EDI
    5CB76846   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
    5CB76849   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
    5CB7684C   33DB             XOR EBX,EBX
    5CB7684E   8D85 F8FEFFFF    LEA EAX,DWORD PTR SS:[EBP-108]
    5CB76854   53               PUSH EBX
    5CB76855   8985 D4FEFFFF    MOV DWORD PTR SS:[EBP-12C],EAX
    5CB7685B   56               PUSH ESI
    5CB7685C   8D85 D0FEFFFF    LEA EAX,DWORD PTR SS:[EBP-130]
    5CB76862   50               PUSH EAX
    5CB76863   89BD E8FEFFFF    MOV DWORD PTR SS:[EBP-118],EDI
    5CB76869   66:899D D0FEFFFF MOV WORD PTR SS:[EBP-130],BX
    5CB76870   66:C785 D2FEFFFF>MOV WORD PTR SS:[EBP-12E],104
    
    5CB76879   FF15 C410B75C    CALL DWORD PTR DS:[<&ntdll.RtlUnicodeStr>; ntdll.RtlUnicodeStringToAnsiString
    5CB7687F   85C0             TEST EAX,EAX
    5CB76881   7D 21            JGE SHORT ShimEng.5CB768A4
    5CB76883   391D A000B85C    CMP DWORD PTR DS:[5CB800A0],EBX
    5CB76889   74 12            JE SHORT ShimEng.5CB7689D
    5CB7688B   FF76 04          PUSH DWORD PTR DS:[ESI+4]
    5CB7688E   68 4C1AB75C      PUSH ShimEng.5CB71A4C                    ; ASCII "[SeiHookImports] Cannot convert "%S" to ANSI\n"
    5CB76893   6A 02            PUSH 2
    5CB76895   E8 FBF4FFFF      CALL ShimEng.5CB75D95
    5CB7689A   83C4 0C          ADD ESP,0C
    5CB7689D   33C0             XOR EAX,EAX
    5CB7689F   E9 7E020000      JMP ShimEng.5CB76B22
    5CB768A4   8B47 3C          MOV EAX,DWORD PTR DS:[EDI+3C]
    5CB768A7   8BB438 80000000  MOV ESI,DWORD PTR DS:[EAX+EDI+80]
    5CB768AE   3BF3             CMP ESI,EBX
    5CB768B0   0F84 69020000    JE ShimEng.5CB76B1F
    5CB768B6   391D A000B85C    CMP DWORD PTR DS:[5CB800A0],EBX
    5CB768BC   74 17            JE SHORT ShimEng.5CB768D5
    5CB768BE   8D85 F8FEFFFF    LEA EAX,DWORD PTR SS:[EBP-108]
    5CB768C4   50               PUSH EAX
    5CB768C5   57               PUSH EDI
    5CB768C6   68 201AB75C      PUSH ShimEng.5CB71A20                    ; ASCII "[SeiHookImports] Hooking module 0x%p "%s"\n"
    5CB768CB   6A 04            PUSH 4
    5CB768CD   E8 C3F4FFFF      CALL ShimEng.5CB75D95
    5CB768D2   83C4 10          ADD ESP,10
    5CB768D5   8D0437           LEA EAX,DWORD PTR DS:[EDI+ESI]
    5CB768D8   8D48 10          LEA ECX,DWORD PTR DS:[EAX+10]
    5CB768DB   3919             CMP DWORD PTR DS:[ECX],EBX
    5CB768DD   0F84 FD010000    JE ShimEng.5CB76AE0
    5CB768E3   83C0 0C          ADD EAX,0C
    5CB768E6   898D F4FEFFFF    MOV DWORD PTR SS:[EBP-10C],ECX
    5CB768EC   8985 ECFEFFFF    MOV DWORD PTR SS:[EBP-114],EAX
    5CB768F2   8B85 ECFEFFFF    MOV EAX,DWORD PTR SS:[EBP-114]
    5CB768F8   8B30             MOV ESI,DWORD PTR DS:[EAX]
    5CB768FA   03F7             ADD ESI,EDI
    5CB768FC   391D F0F5B75C    CMP DWORD PTR DS:[5CB7F5F0],EBX
    5CB76902   899D F0FEFFFF    MOV DWORD PTR SS:[EBP-110],EBX
    5CB76908   76 72            JBE SHORT ShimEng.5CB7697C
    5CB7690A   A1 9800B85C      MOV EAX,DWORD PTR DS:[5CB80098]
    5CB7690F   83A5 E4FEFFFF 00 AND DWORD PTR SS:[EBP-11C],0
    5CB76916   833C03 00        CMP DWORD PTR DS:[EBX+EAX],0
    5CB7691A   76 44            JBE SHORT ShimEng.5CB76960
    5CB7691C   33FF             XOR EDI,EDI
    5CB7691E   A1 E4F5B75C      MOV EAX,DWORD PTR DS:[5CB7F5E4]
    5CB76923   8B8D F0FEFFFF    MOV ECX,DWORD PTR SS:[EBP-110]
    5CB76929   8B0488           MOV EAX,DWORD PTR DS:[EAX+ECX*4]
    5CB7692C   8B0407           MOV EAX,DWORD PTR DS:[EDI+EAX]
    5CB7692F   85C0             TEST EAX,EAX
    5CB76931   74 0E            JE SHORT ShimEng.5CB76941
    5CB76933   56               PUSH ESI
    5CB76934   50               PUSH EAX
    5CB76935   FF15 C810B75C    CALL DWORD PTR DS:[<&ntdll._stricmp>]    ; ntdll._stricmp
    5CB7693B   85C0             TEST EAX,EAX
    5CB7693D   59               POP ECX
    5CB7693E   59               POP ECX
    5CB7693F   74 4E            JE SHORT ShimEng.5CB7698F
    5CB76941   FF85 E4FEFFFF    INC DWORD PTR SS:[EBP-11C]
    5CB76947   A1 9800B85C      MOV EAX,DWORD PTR DS:[5CB80098]
    5CB7694C   8B8D E4FEFFFF    MOV ECX,DWORD PTR SS:[EBP-11C]
    5CB76952   83C7 18          ADD EDI,18
    5CB76955   3B0C03           CMP ECX,DWORD PTR DS:[EBX+EAX]
    5CB76958  ^72 C4            JB SHORT ShimEng.5CB7691E
    5CB7695A   8BBD E8FEFFFF    MOV EDI,DWORD PTR SS:[EBP-118]
    5CB76960   FF85 F0FEFFFF    INC DWORD PTR SS:[EBP-110]
    5CB76966   8B85 F0FEFFFF    MOV EAX,DWORD PTR SS:[EBP-110]
    5CB7696C   81C3 9C000000    ADD EBX,9C
    5CB76972   3B05 F0F5B75C    CMP EAX,DWORD PTR DS:[5CB7F5F0]
    5CB76978  ^72 90            JB SHORT ShimEng.5CB7690A
    5CB7697A   33DB             XOR EBX,EBX
    5CB7697C   8385 ECFEFFFF 14 ADD DWORD PTR SS:[EBP-114],14
    5CB76983   8385 F4FEFFFF 14 ADD DWORD PTR SS:[EBP-10C],14
    5CB7698A   E9 43010000      JMP ShimEng.5CB76AD2
    5CB7698F   8B85 F4FEFFFF    MOV EAX,DWORD PTR SS:[EBP-10C]
    5CB76995   8B30             MOV ESI,DWORD PTR DS:[EAX]
    5CB76997   03B5 E8FEFFFF    ADD ESI,DWORD PTR SS:[EBP-118]
    5CB7699D   E9 10010000      JMP ShimEng.5CB76AB2
    5CB769A2   8D8D F0FEFFFF    LEA ECX,DWORD PTR SS:[EBP-110]
    5CB769A8   51               PUSH ECX
    5CB769A9   50               PUSH EAX
    5CB769AA   E8 5EF5FFFF      CALL ShimEng.5CB75F0D
    5CB769AF   8BF8             MOV EDI,EAX
    5CB769B1   85FF             TEST EDI,EDI
    5CB769B3   0F84 F6000000    JE ShimEng.5CB76AAF
    5CB769B9   FF75 14          PUSH DWORD PTR SS:[EBP+14]
    5CB769BC   8D85 F8FEFFFF    LEA EAX,DWORD PTR SS:[EBP-108]
    5CB769C2   57               PUSH EDI
    5CB769C3   50               PUSH EAX
    5CB769C4   E8 B0FBFFFF      CALL ShimEng.5CB76579
    5CB769C9   85C0             TEST EAX,EAX
    5CB769CB   0F85 DE000000    JNZ ShimEng.5CB76AAF
    5CB769D1   8B47 04          MOV EAX,DWORD PTR DS:[EDI+4]
    5CB769D4   3D FFFF0000      CMP EAX,0FFFF
    5CB769D9   73 1A            JNB SHORT ShimEng.5CB769F5
    5CB769DB   833D A000B85C 00 CMP DWORD PTR DS:[5CB800A0],0
    5CB769E2   74 33            JE SHORT ShimEng.5CB76A17
    5CB769E4   8D8D F8FEFFFF    LEA ECX,DWORD PTR SS:[EBP-108]
    5CB769EA   51               PUSH ECX
    5CB769EB   50               PUSH EAX
    5CB769EC   FF37             PUSH DWORD PTR DS:[EDI]
    5CB769EE   68 EC19B75C      PUSH ShimEng.5CB719EC                    ; ASCII "[SeiHookImports] Hooking API "%s!#%d" for DLL "%s"\n"
    5CB769F3   EB 18            JMP SHORT ShimEng.5CB76A0D
    5CB769F5   833D A000B85C 00 CMP DWORD PTR DS:[5CB800A0],0
    5CB769FC   74 19            JE SHORT ShimEng.5CB76A17
    5CB769FE   8D8D F8FEFFFF    LEA ECX,DWORD PTR SS:[EBP-108]
    5CB76A04   51               PUSH ECX
    5CB76A05   50               PUSH EAX
    5CB76A06   FF37             PUSH DWORD PTR DS:[EDI]
    5CB76A08   68 B819B75C      PUSH ShimEng.5CB719B8                    ; ASCII "[SeiHookImports] Hooking API "%s!%s" for DLL "%s"\n"
    5CB76A0D   6A 04            PUSH 4
    5CB76A0F   E8 81F3FFFF      CALL ShimEng.5CB75D95
    5CB76A14   83C4 14          ADD ESP,14
    5CB76A17   8B1D 4811B75C    MOV EBX,DWORD PTR DS:[<&ntdll.NtProtectV>; ntdll.ZwProtectVirtualMemory
    5CB76A1D   6A 04            PUSH 4
    5CB76A1F   58               POP EAX
    5CB76A20   8D8D D8FEFFFF    LEA ECX,DWORD PTR SS:[EBP-128]
    5CB76A26   51               PUSH ECX
    5CB76A27   50               PUSH EAX
    5CB76A28   8985 E0FEFFFF    MOV DWORD PTR SS:[EBP-120],EAX
    5CB76A2E   8D85 E0FEFFFF    LEA EAX,DWORD PTR SS:[EBP-120]
    5CB76A34   50               PUSH EAX
    5CB76A35   8D85 DCFEFFFF    LEA EAX,DWORD PTR SS:[EBP-124]
    5CB76A3B   50               PUSH EAX
    5CB76A3C   6A FF            PUSH -1
    5CB76A3E   89B5 DCFEFFFF    MOV DWORD PTR SS:[EBP-124],ESI
    5CB76A44   FFD3             CALL EBX
    5CB76A46   85C0             TEST EAX,EAX
    5CB76A48   7C 4B            JL SHORT ShimEng.5CB76A95
    5CB76A4A   8B47 08          MOV EAX,DWORD PTR DS:[EDI+8]
    5CB76A4D   8906             MOV DWORD PTR DS:[ESI],EAX
    5CB76A4F   8D85 CCFEFFFF    LEA EAX,DWORD PTR SS:[EBP-134]
    5CB76A55   50               PUSH EAX
    5CB76A56   FFB5 D8FEFFFF    PUSH DWORD PTR SS:[EBP-128]
    5CB76A5C   8D85 E0FEFFFF    LEA EAX,DWORD PTR SS:[EBP-120]
    5CB76A62   50               PUSH EAX
    5CB76A63   8D85 DCFEFFFF    LEA EAX,DWORD PTR SS:[EBP-124]
    5CB76A69   50               PUSH EAX
    5CB76A6A   6A FF            PUSH -1
    5CB76A6C   C785 E0FEFFFF 04>MOV DWORD PTR SS:[EBP-120],4
    5CB76A76   FFD3             CALL EBX
    5CB76A78   85C0             TEST EAX,EAX
    5CB76A7A   7D 33            JGE SHORT ShimEng.5CB76AAF
    5CB76A7C   833D A000B85C 00 CMP DWORD PTR DS:[5CB800A0],0
    5CB76A83   74 2A            JE SHORT ShimEng.5CB76AAF
    5CB76A85   68 8019B75C      PUSH ShimEng.5CB71980                    ; ASCII "[SeiHookImports] Failed to change back the protection\n"
    5CB76A8A   6A 02            PUSH 2
    5CB76A8C   E8 04F3FFFF      CALL ShimEng.5CB75D95
    5CB76A91   59               POP ECX
    5CB76A92   59               POP ECX
    5CB76A93   EB 1A            JMP SHORT ShimEng.5CB76AAF
    5CB76A95   833D A000B85C 00 CMP DWORD PTR DS:[5CB800A0],0
    5CB76A9C   74 11            JE SHORT ShimEng.5CB76AAF
    5CB76A9E   56               PUSH ESI
    5CB76A9F   50               PUSH EAX
    5CB76AA0   68 3019B75C      PUSH ShimEng.5CB71930                    ; ASCII "[SeiHookImports] Failed 0x%X to change protection to PAGE_READWRITE. Addr 0x%p\n"
    5CB76AA5   6A 02            PUSH 2
    5CB76AA7   E8 E9F2FFFF      CALL ShimEng.5CB75D95
    5CB76AAC   83C4 10          ADD ESP,10
    5CB76AAF   83C6 04          ADD ESI,4
    5CB76AB2   8B06             MOV EAX,DWORD PTR DS:[ESI]
    5CB76AB4   85C0             TEST EAX,EAX
    5CB76AB6  ^0F85 E6FEFFFF    JNZ ShimEng.5CB769A2
    5CB76ABC   8385 ECFEFFFF 14 ADD DWORD PTR SS:[EBP-114],14
    5CB76AC3   8385 F4FEFFFF 14 ADD DWORD PTR SS:[EBP-10C],14
    5CB76ACA   8BBD E8FEFFFF    MOV EDI,DWORD PTR SS:[EBP-118]
    5CB76AD0   33DB             XOR EBX,EBX
    5CB76AD2   8B85 F4FEFFFF    MOV EAX,DWORD PTR SS:[EBP-10C]
    5CB76AD8   3918             CMP DWORD PTR DS:[EAX],EBX
    5CB76ADA  ^0F85 12FEFFFF    JNZ ShimEng.5CB768F2
    5CB76AE0   A1 280DB85C      MOV EAX,DWORD PTR DS:[5CB80D28]
    5CB76AE5   8B4D 0C          MOV ECX,DWORD PTR SS:[EBP+C]
    5CB76AE8   69C0 8C000000    IMUL EAX,EAX,8C
    5CB76AEE   FF05 280DB85C    INC DWORD PTR DS:[5CB80D28]
    5CB76AF4   89B8 400DB85C    MOV DWORD PTR DS:[EAX+5CB80D40],EDI
    5CB76AFA   8988 440DB85C    MOV DWORD PTR DS:[EAX+5CB80D44],ECX
    5CB76B00   8B4D 14          MOV ECX,DWORD PTR SS:[EBP+14]
    5CB76B03   8988 C80DB85C    MOV DWORD PTR DS:[EAX+5CB80DC8],ECX
    5CB76B09   8D8D F8FEFFFF    LEA ECX,DWORD PTR SS:[EBP-108]
    5CB76B0F   8D80 480DB85C    LEA EAX,DWORD PTR DS:[EAX+5CB80D48]
    5CB76B15   8A11             MOV DL,BYTE PTR DS:[ECX]
    5CB76B17   41               INC ECX
    5CB76B18   8810             MOV BYTE PTR DS:[EAX],DL
    5CB76B1A   40               INC EAX
    5CB76B1B   84D2             TEST DL,DL
    5CB76B1D  ^75 F6            JNZ SHORT ShimEng.5CB76B15
    5CB76B1F   33C0             XOR EAX,EAX
    5CB76B21   40               INC EAX
    5CB76B22   8B4D FC          MOV ECX,DWORD PTR SS:[EBP-4]
    5CB76B25   5F               POP EDI
    5CB76B26   5E               POP ESI
    5CB76B27   5B               POP EBX
    5CB76B28   E8 B7310000      CALL ShimEng.5CB79CE4
    5CB76B2D   C9               LEAVE
    5CB76B2E   C2 1000          RETN 10
    
    All of this plus the stack and some functions it calls are in the text file I attached. In the stack I noticed AcGenral.dll, that may have something to do with this too.

    It might be a legit hook though, judging by the fact that those functions always exist in shimeng.dll and have very descriptive error messages.

    If this hook is legit, could you help me with the other problems?

    Thanks in advance.
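The RKU line quoted in the post is the output of a generic check: an import slot that should resolve into the DLL named by its import descriptor points somewhere else. The script below, an added example and not from the thread or from RKU, reproduces that check on a constructed snapshot of explorer.exe's IAT; module bases and sizes and the two extra slots are made up, and only the GetProcAddress entry's numbers come from the report above. It also separates a handler inside a loaded DLL (like shimeng.dll here) from a handler in memory no module backs, which is the case that deserves the most suspicion.

```python
# Added example: reproduce the "IAT modification" check an anti-rootkit tool
# performs, on a constructed snapshot.  A forward IAT hook swaps the pointer
# stored in an import slot for the address of a handler in another module, so
# kernel32!GetProcAddress no longer resolves into kernel32.dll.  Module
# bases/sizes and the non-hooked slots below are constructed to mimic an XP
# layout; the hooked entry's numbers are taken from the RKU report in the post.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    slot: int   # address of the import slot inside the image
    dll: str    # DLL named by the import descriptor
    func: str   # imported symbol
    value: int  # pointer currently stored in the slot


Finding = Tuple[str, IatEntry, Optional[Module]]


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    """Map an address to the loaded module that backs it, if any."""
    return next((m for m in modules if m.contains(addr)), None)


def audit_iat(entries: List[IatEntry], modules: List[Module]) -> List[Finding]:
    """Classify each slot: 'ok' (points into the named DLL), 'hooked' (points
    into some other loaded module) or 'orphan' (points into memory that no
    module backs, e.g. injected code - the most suspicious case)."""
    findings: List[Finding] = []
    for e in entries:
        expected = next((m for m in modules if m.name.lower() == e.dll.lower()), None)
        if expected is None:
            raise ValueError(f"import DLL {e.dll} is not in the module list")
        if expected.contains(e.value):
            findings.append(("ok", e, expected))
            continue
        handler = module_for(e.value, modules)
        findings.append(("hooked" if handler else "orphan", e, handler))
    return findings


def format_finding(pid: int, image: str, finding: Finding) -> str:
    """Render a non-ok finding in the report style quoted in the post."""
    status, e, mod = finding
    where = f"[{mod.name}]" if mod else "[unbacked memory]"
    return (f"[{pid}]{image}-->{e.dll}-->{e.func}, Type: IAT modification at "
            f"address 0x{e.slot:08X} hook handler located in {where} ({e.value:X})")


# Constructed snapshot of explorer.exe (PID 1244 as in the post).
MODULES = [
    Module("explorer.exe", 0x01000000, 0x000FF000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("ntdll.dll",    0x7C900000, 0x000B2000),
    Module("shimeng.dll",  0x5CB70000, 0x00026000),
]
IAT = [
    IatEntry(0x01001268, "kernel32.dll", "GetProcAddress", 0x5CB77774),  # from the post
    IatEntry(0x0100126C, "kernel32.dll", "LoadLibraryA",   0x7C801D7B),  # intact (constructed)
    IatEntry(0x01001270, "ntdll.dll",    "NtClose",        0x00A40000),  # unbacked (constructed)
]


def report(pid: int = 1244, image: str = "explorer.exe") -> List[str]:
    """Report lines for every slot that does not resolve into its own DLL."""
    return [format_finding(pid, image, f) for f in audit_iat(IAT, MODULES) if f[0] != "ok"]


if __name__ == "__main__":
    for line in report():
        print(line)
```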

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    None of these are malware problems. We can check your PC for malware by having you run our READ & RUN ME FIRST sticky thread cleaning procedure, but the things you mentioned are more probably related to Windows issues. Not sure what you have been doing on your own, so we cannot comment on whether you have been removing things you should not remove and whether that has anything to do with the problems.

    Perhaps you should use System Restore in an attempt to return the PC to the condition it was previously and then come here and run our cleaning procedure to look for malware.
     
  3. maxorator

    maxorator Private E-2

    At the beginning, Task Manager and Process Explorer didn't work. The system popped up a BSOD every 15 minutes. Here's what I did:
    1) I ran Dr.Web Live CD and did a check on the Windows drive. It reported some things incurable but fixed a few.
    2) After that a few things that weren't working before in Windows started working (Start Menu and maybe something more).
    3) I ran Dr.Web scanner in Windows. This time it removed a lot of things. By the list of files it looked as if it caught a few rootkits too.
    4) Copying/pasting files and taskbar window buttons are gone. RKU still shows rootkit activity.
    5) I booted from a Windows XP Live CD and manually moved all files in system32 directory with the creation date within the last week.
    6) No rootkit activity anymore. System is clean.

    The machine doesn't have System Restore enabled. It looks like Dr.Web was the one that caused the copy/paste bug and the taskbar bug. The 1-minute app startups and the Task Manager and Process Explorer bugs existed already before I had touched the machine.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We can check your PC for any additional malware if you like. The procedure is below.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     