
Strange symptom persists - after I think I'm clean? Is something hiding?



nairos
2009-06-10, 21:54
This is strange - I'll try to be concise about what I'm encountering.


1) I CANNOT launch Spybot, HijackThis, Malwarebytes, etc. normally.

2) I CAN run all of the above if I rename their EXEs to something random.

3) I was infected with viruses / spyware, but I think I've removed it all.

4) My computer now comes up clean in scans by: Spybot, Malwarebytes, F-Secure Easy Clean, and Symantec Anti Virus.

5) When I run the normal Spybot exe, it actually appears in the task manager list, but doesn't show up on screen. In other words SpybotSD.exe appears to start running, and stay running, but nothing ever shows up on screen.


So I'm puzzled. Is it possible that the disabling of these security programs is caused by a lingering registry key, or something else other than a running process?

I've attached a HJT log below. You'll see spybot in the running processes, but it is NOT running visibly on screen. Additionally, you'll see "Renamed-HJT.exe" - this is simply the renamed HijackThis executable (I had to rename it to get it to run).






Logfile of HijackThis v1.99.1
Scan saved at 2:38:06 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\User\Desktop\Renamed-HJT.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\blah.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Just a quick note - when I said "I was infected by viruses / spyware" - that gives the impression that I was using a majorly compromised PC.

In reality, I had just recently reinstalled, so it's a fairly clean machine. I made the mistake of running one EXE that I shouldn't have. I recognized the mistake immediately, and tried to clean everything ASAP.

Not sure if that has any impact on anything though.

Follow-up.

I used Regmon to see what was going on once I closed most of what was running. The following registry access is occurring constantly. Over and over and over again, without pause.

1 1.37612486 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
2 1.37613988 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
3 1.37617743 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
4 1.37618923 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
5 1.37622643 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
6 1.37624216 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
7 1.37625325 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
8 1.37629282 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
9 1.37630367 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
10 1.37633777 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
11 1.37636125 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
12 1.37639630 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
13 1.37641037 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXl SUCCESS "\\?\globalroot\systemroot\system32\MSIVXmfifoukdubtckhmwxtakdrkrvqqaohbq.dll"
14 1.37642121 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
15 1.37645745 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
16 1.37646902 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\start SUCCESS 0x1
17 1.37647951 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
18 1.37651169 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
19 1.37652326 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\type SUCCESS 0x1
20 1.37653351 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
21 1.37656593 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
22 1.37657928 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
23 1.37658954 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
24 2.32949328 System:4 OpenKey HKLM\System\CurrentControlSet\Services\SymEvent\Parameters SUCCESS Access: 0x20019
25 2.32950807 System:4 QueryValue HKLM\System\CurrentControlSet\Services\SymEvent\Parameters\LPNtoSPN SUCCESS 0x1
26 2.32952118 System:4 CloseKey HKLM\System\CurrentControlSet\Services\SymEvent\Parameters SUCCESS
27 2.37616611 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
28 2.37617850 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
29 2.37621474 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
30 2.37622619 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
31 2.37627554 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
32 2.37628961 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
33 2.37630057 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
34 2.37633991 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
35 2.37635088 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
36 2.37638474 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
37 2.37639570 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
38 2.37642956 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
39 2.37644339 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXl SUCCESS "\\?\globalroot\systemroot\system32\MSIVXmfifoukdubtckhmwxtakdrkrvqqaohbq.dll"
40 2.37645411 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
41 2.37649035 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
42 2.37650204 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\start SUCCESS 0x1
43 2.37651229 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
44 2.37654448 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
45 2.37655592 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\type SUCCESS 0x1
46 2.37656617 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
47 2.37659788 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
48 2.37661099 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"

And rootkit revealer revealed this:

HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2009 1:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2009 1:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\MSIVX 6/10/2009 3:20 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.


It looks like "MSIVX" is a rootkit, because it seems to be what is causing the rapid-fire registry activity.

Does anyone know how to remove it?

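The Regmon trace and the RootkitRevealer output above answer the "registry key or running process?" question between them: every CreateKey on the MSIVXserv.sys service key is attributed to System (PID 4), which is kernel-mode code rather than a user process, and the same key is reported as hidden from the Windows API. The script below is an added example, not part of the original thread or of any tool mentioned in it. It parses both outputs in the column layouts shown in the post, counts how often kernel code re-creates a service key, collects module paths that use the `\\?\globalroot\` namespace escape, and correlates the result with the hidden-key findings. The function names and the "rootkit-like" verdict rule are my own choices; the sample lines are constructed from the excerpt in the post.

```python
import re
from collections import defaultdict

# Constructed sample: lines trimmed from the Regmon excerpt in the post, in
# Regmon's column layout: seq, time, process:pid, operation, path, result, detail.
SAMPLE_REGMON = r"""
1 1.37612486 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
3 1.37617743 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
6 1.37624216 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
8 1.37629282 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
13 1.37641037 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXl SUCCESS "\\?\globalroot\systemroot\system32\MSIVXmfifoukdubtckhmwxtakdrkrvqqaohbq.dll"
22 1.37657928 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
24 2.32949328 System:4 OpenKey HKLM\System\CurrentControlSet\Services\SymEvent\Parameters SUCCESS Access: 0x20019
25 2.32950807 System:4 QueryValue HKLM\System\CurrentControlSet\Services\SymEvent\Parameters\LPNtoSPN SUCCESS 0x1
27 2.37616611 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
34 2.37633991 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
48 2.37661099 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
"""

# Constructed sample: RootkitRevealer's one-finding-per-line layout, from the post.
SAMPLE_RKR = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2009 1:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\MSIVX 6/10/2009 3:20 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.
"""

REGMON_LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+)\s+(?P<op>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<result>\S+)(?:\s+(?P<detail>.*))?$"
)
# The service name is the key directly under ...\Services\ (case-insensitive).
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)", re.IGNORECASE)


def parse_regmon(text):
    """Parse Regmon lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = REGMON_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = float(e["time"])
            e["detail"] = (e["detail"] or "").strip('"')
            events.append(e)
    return events


def service_name(path):
    m = SERVICE_KEY.search(path)
    return m.group(1).lower() if m else None


def find_recreated_service_keys(events):
    """Per service, count distinct 1-second buckets holding a CreateKey on the bare
    service key issued by System (PID 4, i.e. kernel-mode code). Two or more
    buckets means the key is being re-created on a steady cadence."""
    buckets = defaultdict(set)
    for e in events:
        svc = service_name(e["path"])
        if (e["op"] == "CreateKey" and e["proc"].lower() == "system:4" and svc
                and e["path"].lower().endswith("\\services\\" + svc)):
            buckets[svc].add(int(e["time"]))
    return {svc: len(b) for svc, b in buckets.items()}


def suspicious_module_paths(events):
    """Collect module/imagepath values that use the \\?\globalroot\ NT-namespace
    escape, which an ordinary driver registration does not need."""
    found = defaultdict(set)
    for e in events:
        svc = service_name(e["path"])
        p = e["path"].lower()
        if (e["op"] == "QueryValue" and svc
                and ("\\modules\\" in p or p.endswith("\\imagepath"))
                and "globalroot" in e["detail"].lower()):
            found[svc].add(e["detail"])
    return found


def hidden_keys(rkr_text):
    """Registry keys RootkitRevealer reports as hidden from the Windows API."""
    return [line.split()[0] for line in rkr_text.splitlines()
            if "Hidden from Windows API" in line]


def triage(regmon_text, rkr_text):
    events = parse_regmon(regmon_text)
    loops = find_recreated_service_keys(events)
    modules = suspicious_module_paths(events)
    hidden_services = {service_name(k) for k in hidden_keys(rkr_text)} - {None}
    report = {}
    for svc in set(loops) | set(modules) | hidden_services:
        cycles, hidden = loops.get(svc, 0), svc in hidden_services
        report[svc] = {
            "createkey_cycles": cycles,
            "globalroot_modules": sorted(modules.get(svc, ())),
            "hidden_from_api": hidden,
            # Re-created by kernel code AND hidden from user-mode enumeration is
            # consistent with a self-repairing kernel rootkit, not a stale key.
            "verdict": "rootkit-like" if cycles >= 2 and hidden else "review",
        }
    return report


if __name__ == "__main__":
    for svc, info in triage(SAMPLE_REGMON, SAMPLE_RKR).items():
        print(svc, info)
```

Run against the sample, the report names only msivxserv.sys, with two CreateKey cycles, two globalroot module paths and the hidden-key flag set; the SymEvent accesses in the same trace are ordinary reads by the Symantec driver and produce no entry. That separation is the point: a lingering key would not be re-created by System once per second, and a key that user-mode tools cannot enumerate cannot be "lingering" in any sense they could fix, which is why the helper's reply moves on to a kernel-level scanner.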

Shaba
2009-06-11, 16:33
Hi nairos

Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.

Shaba
2009-06-17, 22:33
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.