Repairing Windows XP system files corrupted by kernel mode root kit

For the past four days I have been fighting a persistent infection in my OS. I have run a number of anti-virus, anti-malware and other utilities to clean the infection. Initially the problem was a massive increase in hardware interrupts consuming over 80-90% of the CPU and causing dithering in media player. I assumed at first that this was a problem with my hardware or drivers. I ran RATT (driver trace app) in the background and read the log, finding that there was extensive activity for a driver referred to as unknown.

I figured that this must be some kind of serious malware and started scanning with different apps. I also ran a number of rootkit revealers and small utilities to determine what 'ghost' driver(s) were running. Nothing could be detected in safe mode and the only clues were provided by rootkit reveal (running in normal Windows). It showed I had a number of drivers that were in operation that did not exist in the file system. Essentially what I found was that I had a 'kernel mode' root kit rather than a 'userland' version. It still took me a couple of days to figure out what I should've known, which was that the drivers are all part of the same image and in the same memory address. Worst of all they have taken over ntkrnlpa.exe.

After learning this I ran a command console with sfc /scannow, then checked my system folder, analyzing all of the NT kernel files with FileAlyzer (hex+PE editor), and to my horror every one of them is infected! Including those files in an old Windows installation on an attached hard drive. So now I'm pretty worried as I am unsure that I will be able to remove this infection from my system without reinstalling XP.

I have been pretty conservative so far, with the exception of no backups and shutting off System Restore, which was to prevent reinfection should I manage to clean the system. I just would like to know what my options are and could I fix this as easily as running Windows XPPE and repairing, or possibly replace in safe mode console?
Back up your data by booting with a Linux Live CD like Knoppix and copying the data files to an external hard drive. Then format all internal hard drives and clean-install Windows. Not having backups and turning off System Restore is not being "pretty conservative".

http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows

Here is general information on using Knoppix for this:

You will need a computer with two cd drives, one of which is a CD/DVD burner OR a USB thumb drive with enough capacity to hold your data OR an external USB hard drive formatted FAT32 (not NTFS)*. Download the Knoppix .iso and create your bootable CD. If you are doing this in an older operating system (XP or Vista), you'll need third-party burning software like Nero, Roxio, or the free ImgBurn (Windows 7 can burn .isos natively). Burn as an image, not as data. Then boot with the CD you created and Knoppix will be able to see the Windows files. If you are using the USB thumb drive or the external hard drive, right-click on its icon (on the Desktop) to get its properties and uncheck the box that says "Read Only". Then click on it to open it. Note that the default mouse action in the window manager used by Knoppix (KDE) is a single click to open instead of the traditional MS Windows' double-click. If you want to burn CD/DVDs, use the K3b program.

*My understanding is that you can now write to an NTFS partition from Linux. If you wish to do this, Google for instructions about using the NTFS driver.

http://www.knoppix.net

For future disaster recovery strategies:

http://www.elephantboycomputers.com/page2.html#Backing_Up
MS-MVP - Elephant Boy Computers - Don't Panic!

1 person found this reply helpful


So just so I have this straight... You want me to back up all data on the corrupted HD (223 GB+) to my external HD using a Linux live CD, and then reformat said internal HD with NTFS and then reinstall Windows XP? Why is it necessary to transfer that data with something as slow as a Linux flavor running as a live CD to an external drive? And do I have to do that for every internal HD connected in my computer, which would mean something on the order of 400 GB worth of data over USB 2.0? This seems quite extreme... even if you are trying to be sure, it wouldn't be, as there is always the possibility that the infection is somewhere in the data, and then the two to three days spent transferring the data, reinstalling the OS, reinstalling applications, transferring data back and then updating XP to try to make it 'secure' would be academic at best. So you are saying that there is no solution you know to exist that would repair the registry and system files without the old 'genesis torpedo' of a complete reformat and reinstall. If I'm going to use a Linux live CD, why not use it to kill the rootkit itself and its progeny throughout the file system in restore points\undelete folders? I appreciate you taking your time to suggest a solution that may work and I will consider that option after I have exhausted more surgical solutions that wouldn't require undoing several months of work on a computer that still performs close to standard.


You didn't mention how much data you had so I had no way of knowing. My Crystal Ball(tm) was on holiday. ;-) Normally retrieving data using a Linux Live CD (and yes, I do this so there is no chance of infection) is not particularly slow under normal circumstances.

On severely infected machines where there was a rootkit (and you are the one who diagnosed that) I don't believe in trying to clean them. You will never be 100% sure they are clean since the nature of a rootkit is to be invisible to Windows. The rootkit(s) will not be active in the data and scanning said data will be effective. But of course you should do what you want.

Sorry I was unable to help you.
MS-MVP - Elephant Boy Computers - Don't Panic!


So I did take part of your suggestion to heed and made part of the focus on custom Linux-based live CD analysis and recovery, as well as studying the EB site link you provided. I also did significant research based upon what I observed and recorded to date; I am still a relative novice to this... my background is more in sound design and production with only a smattering of knowledge in drivers, file systems, objects and processes. Of course now I know too much hahaha. I'll cut to the chase early so if someone is just quickly scanning this they will see it and follow the rest, hope it helps.

How do I make it stand out? Let's see. >>>>> Windows XPSP2 infected with Mebroot Sinowal Torpig Advanced Variant <<<<<<

Hope that works for everyone; if not, maybe someone will quote this.
Anyway my first intuition when I noticed the problems with my computer was to check hardware, then drivers, which is where I found the issue with the hidden driver in RATT3 named unknown <unknown> ... Using Root Repeal I found the most useful information (to me at least) in the drivers section, which showed I had the following suspect drivers (to me again, as they did not exist in the file system):

ACPI_HAL          \Driver\ACPI_HAL
dump_atapi.sys    C:\WINDOWS\System32\Drivers\dump_atapi.sys
dump_WMILIB.SYS   C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
RAW               \FileSystem\RAW
PnpManager        \Driver\PnpManager
Win32k            \Driver\Win32k
WMIxWDM           \Driver\WMIxWDM

I did a dump of them all (and a few others), read them with file analyzer (hex, PE, signatures, permissions, etc.) and started matching some of the signatures up, and found that the ones which are the core are ACPI_HAL, RAW, PnpManager, and WMIxWDM.
They were all internally linked to C:\WINDOWS\system32\ntkrnlpa.exe, and then I saw that they all held both the same memory address 0x804D7000 and size 2056832. I should have known this as it is a kernel mode root kit and most of this is completely undetectable or indeterminable in most security applications, but then again I'm not a programmer or security specialist so...
I ran a number of programs that are designed to find rootkits and malware. The most useful were RootRepeal, Avenger, HiJackThis, and UnHackMe. Some were more helpful than others, especially in this case those that didn't do too much interpretation or active search methods or filter drivers but were more passive and allowed good logs or clipboard export of info for logs. The most helpful for my case was GMER ... look it up ... here is an informational page that applies: http://www2.gmer.net/mbr/
Looking at the different logs and doing some comparative and deductive reasoning on the different signatures provided led to the determination that this is a Mebroot - Sinowal family rootkit. Well, what is that?
It is an MBR rootkit that works in kernel mode and has a high degree of stealth, variance and persistence. Part of this, I believe at least, is due to how little most of us users know about how our Windows systems work nowadays.
This rootkit Mebroot Sinowal loads itself into the MBR as well as the system folders and all of their backups and references all throughout. There are an awful lot of these backups and restores and caches and references etc. So many I have yet to clear or repair them all; maybe I never will.
As I'm starting to ramble and feel the need to post and continue my crusade, this is what I have done most recently to fight this advanced version of w32.Mebroot-Sinowal-Torpig.
Most discussions regarding eliminating this are of course focused on using your XP Install CD to go into:
1) delete\wipe Prefetch and System Restore. I also ran CMD -> SFC /Purgecache and then SFC /Scannow
2) repair using recovery console -> MAP -> find first partition (in my case it locked after MAP, but I wrote it down: \Device0\Harddisk0\Partition1 or similar)
   -> FIXMBR \Device0\Harddisk0\Partition1
   -> FIXBOOT C:
   -> EXIT
3) Reboot F8 Safe Mode w/ console -> run antivirus/antimalware or rootkit detector. I ran SDFix
4) Reboot Normal Mode -> run antivirus/antimalware or rootkit detector. I ran Avert Stinger, Norman Sinowal detector, HiJackThis and Avast! Home
No real success to date. Why? Well, I was recently informed by a former coworker and IT professional that FIXMBR is no silver bullet, as there is a good chance that the MBR used to replace the infected one is corrupted. That tells me that my new focus needs to be on rewriting my MBR. Like that's easy, write? hahaha. If anyone reads this and has some juicy intel on how to fight this, or where / how to go about replacing the MBR and system files so that they aren't refreshed or reloaded from the previous instances, please let me know.
Thanks


Hello

There has been a significant lag in reporting current status due to a number of factors which have both complicated and expedited the procedure of both finding and removing this threat. I will probably post a more complete report elsewhere as it is extensive :/ This infection, which is essentially modular, abstracted, and persistent, is quite similar to Windows ... Essentially I knew the primary way to both diagnose, record and defeat this was to educate myself on Windows to the level of proficiency attached to the account privilege used (administrator) and to learn the process\procedure involved on my system.
Sounds like a good idea? Especially when it's winter and a lot of time indoors.. ;-)

Being an administrator is a big deal and I swear next time I will be very conscientious about my usage at this level. So things run at this level can essentially have free hand once you have initiated them, especially if it is close to the system, i.e. drivers, file system, media, and shell. This I've heard referred to as "userland", where you reign as somewhat absolute ruler of your fief. "Userland" all can be seen if one was to look as king with the right auditors and investigators. But beneath "Userland" is the magic dimension of "Kernelmode"; things are quite abstract in there and few can divine their intent much less their origin.. I for one cannot. But I know when I see evil magic and that is what I witnessed. The most vile evil magic with most insidious intent and persistence. This imp is of three parts, by which it is commonly referred to: Mebroot. Essentially a new spin on an old hat in the blackest of ways. A weakness of everything NT based allows user access to disk and mbr\boot\partition information. Well of course sometimes you need to fix that, especially as Lord of "Userland" sometimes you need to audit, divide, or expand the extent of your dominion. So this exploits that and attaches itself to an application, driver or object you initiate in user as administrator, which I myself realize the fault of doing. Some temp files loaded which I lost running CCleaner on the advice of an old colleague, then it makes a boot loader that loads into the MBR (hence the name of Mebroot) .... well this is a boot sector virus ... I haven't seen this since IDK maybe 94-96? Maybe that is why it was used. There is much in terms of backwards compatibility and continuity, so the MBR injects code on boot and runs more parts of itself including patching the kernel !!! WTF@! yes it did, even leaves a unique tag viewable in hex... Thanks guys, I'll be sure to pack the 3Extinguisher for now. Then the next parts of it become abstracted to the extreme by the loading of . Sinowal .
perhaps means Subverted Integration of Objects While Allowed Load hahaha... Well there is not a whole lot of this that can be posted without losing whoever is left :-) Besides there wasn't much I could do or see about this highly stealthy operation. I detected it following the 'hole' that it left in its wake. Mostly in terms of its use of drivers for access and memory. Research into those with similar problems suggested fixmbr in the recovery console. That doesn't work as the MBR in this variant is backed up in its corrupt state across all parts referred or cached in Windows, as the kernel objects across accessed hard drives are patched as well. The Torpig module I had little observation\record of its operation other than these two key pieces - unable to change modes in LAN\WLAN, and a reference to send to a 'cybersquatted' obviously generated string between 4 and 6 characters. I guess a network dump of collected data.
So what did I do? After much failure trying to detect, log and clean the problem from my system I 'punted': I essentially wrote a Unix boot code to the MBR and reinstalled Windows to an attached hard drive with a previous and subsequently patched core system. I retained access to the other partition on the infected disk and data, and geometry on the other partition remained correct. This new XPSP1-2 install updated to XPSP3 level and hardened as far as access, auditing, and system file core install imaged and set for unattended reinstall :-) I used win32 SourceForge apps to help read and dump suspect sectors, which affirmed the existence of malicious code.

Solutions?
If you have an advanced version like I have and anything posted is not working, then you need to disconnect your system, run a liveCD to investigate your system and do dumps of your MBR and last sector to file, compress\encrypt them, and then replace or rewrite your MBR using a trusted app run in console mode from the liveCD. Lots of fun, right? Welcome to the 21st century is what I thought.

4 people found this reply helpful
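The check behind the two posts above (dump the MBR from a live CD before the FIXMBR attempt and again afterwards, then compare, rather than trusting that the rewrite took), as an added example that is not code from this thread or from any of the tools it names. It parses a 512-byte MBR, hashes the 440-byte boot-code area, decodes the partition table and the Windows disk signature, and lists what differs between a trusted dump and a suspect one; the sample sectors are constructed inline, and the assumption is that real dumps come from a raw sector read on the live CD.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code occupies bytes 0..439 of a classic MBR
DISK_SIG_OFF = 440       # 4-byte Windows disk signature follows the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Decode boot-code hash, disk signature, 0x55AA check and in-use partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR dump must be exactly 512 bytes")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }

def compare_mbr(baseline: bytes, suspect: bytes) -> list:
    """Report differences between a trusted dump and a later one; [] means no change."""
    a, b = parse_mbr(baseline), parse_mbr(suspect)
    findings = []
    if not b["valid_signature"]:
        findings.append("suspect MBR lacks the 0x55AA boot signature")
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code differs from baseline (bootkit or a rewritten loader)")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature differs (Windows drive-letter mapping may break)")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable NTFS (0x07) partition at LBA 63. Not real data."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)   # made-up disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

On the live CD a dump such as `dd if=/dev/sda of=mbr-before.bin bs=512 count=1` taken before the repair and a second one afterwards are the two arguments to compare_mbr; an unchanged boot-code hash after FIXMBR is the symptom the posts describe.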


You will need to back up the data by using any portable Linux like [Puppy Linux].
Boot it and back up the data. After that...........INSERT THE XP DISC AND DO A C PARTITION DELETE AND CREATE METHOD...
THIS SAVES YOUR HDD LIFE
Then after you install XP,
don't open anything, just place a CD only (not USB) and install any antivirus software and do a full scan of the PC....this prevents your PC from further attacks, and then you install the others...be careful this time!!!

MY WARNING TO YOU!!!! PLEASE BE CAREFUL


USE AN ANTI-ROOTKIT PROGRAM FROM ANY OF THE ANTIVIRUS VENDORS. ONLY THEN WILL YOU FIND THE SOLUTION TO THIS PROBLEM. YOU MAY HAVE TO BUY THAT. MAYBE

Last updated June 9, 2021