I have a nasty rootkit that not tools seem to be able to idenity. I know for sure it's a rootkit, but I can figure out which rootkit it is. Here's what I gathered so far:
It creates multiple copies of itself in %HOME%\Local Settings\Temp with names like Q.EXE, IAJARZ.exe, etc., and install them as hidden services. These EXE have SysInternals identifiers in them so they're definitely rootkits.
It hooked very deep in the system, including file read/write, security policies, registry read/write, and possibly WinSock/TCP/IP.
When going to Sophos.com to download their software, the rootkit inject something called Microsoft Ajax Tootkit into the page, which injects code into the email submission form in order to redirect it. (EDIT: I might have panicked. Looks like Sophos does use an AJAZ email form, their form is just broken on Chrome so it looked like a mail form injection attack, the link is http://www.sophos.com/en-us/products/free-tools/virus-removal-tool/download.aspx )
Super-Antispyware found a lot of spyware cookies, in the name of .kaspersky.2o7.net, etc. (just chedk 2o7.net, looks like it's a legit ad company)
I tried comparing DNS lookup from the infected systems and from system in other physical locations, no DNS redirections it seems.
I used dd to copy the MBR and compared it with the MBR provided by ms-sys package, no differences so it's not infecting MBR.
No antivirus or rootkit scanner be able to identify it. Most of them can't even find it. I tried scanning, in-situ (normal mode), in safe mode, and boot to linux live CD. Scanners used: Avast, Sophos anti rootkit, Kasersky TDSSKiller, GMER, RootkitRevealer, and many others.
Kaspersky reported some unsigned system files that ought to be signed (e.g. tcpip.sys), and reported a number of MD5 mismatches. But otherwise couldn't identify anything based on signature.
When running Sysinternal RootkitRevealer and Sophos AntiRootkit, CPU usage goes up to 100% and gets stucked. The Rootkit is blocking them.
When trying running/installing HiJackThis, RootkitRevealer and some other scanners, it tells me system security policy prevent running/installing it.
The list of malicious acitivities go on and on. here's a sample of logs from all my scans. In particular,
aswSnx.SYS, apnenfno.sys and PROCMON20.SYS has a huge number of hooks. It's hard to tell if the rootkit replaced legit program files like aswSnx.SYS (from Avast) and PROCMON20.SYS (from Sysinternal Process Monitor). I can't find whether apnenfno.sys is from a legit program.
Help to identify it is appreciated.
Trend Micro RootkitBuster
------
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
Root : 586bfc0
SubKey : Cfg
ValueName : g0
Data : 38 23 E8 D0 BF F2 2D 6F ...
ValueType : 3
AccessType: 0
FullLength: 61
DataSize : 32
[HOOKED_SERVICE_API]:
Service API : ZwCreateMutant
Image Path : C:\WINDOWS\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8061758e
CurrentHandler : 0xaa66cce8
ServiceNumber : 0x2b
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateThread
Image Path : c:\windows\system32\drivers\apnenfno.sys
OriginalHandler : 0x805d1038
CurrentHandler : 0xaa5f118c
ServiceNumber : 0x35
ModuleName : apnenfno.sys
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteKey
Image Path : C:\WINDOWS\system32\Drivers\PROCMON20.SYS
OriginalHandler : 0x80624472
CurrentHandler : 0xa709b0f8
ServiceNumber : 0x3f
ModuleName : PROCMON20.SYS
SDTType : 0x0
HiJackThis
------
O23 - Service: JWAHQAGZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\jeff\LOCALS~1\Temp\JWAHQAGZ.exe
O23 - Service: LHIJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\jeff\LOCALS~1\Temp\LHIJ.exe
Kaspersky TDSSKiller
------
21:05:58.0375 3936 C:\WINDOWS\system32\ati2sgag.exe - copied to quarantine
21:05:59.0217 3936 ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:05:59.0342 3936 C:\WINDOWS\system32\BUFADPT.SYS - copied to quarantine
21:05:59.0856 3936 BUFADPT ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:05:59.0965 3936 C:\Program Files\CrashPlan\CrashPlanService.exe - copied to quarantine
21:06:00.0152 3936 CrashPlanService ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:00.0246 3936 C:\WINDOWS\system32\epmntdrv.sys - copied to quarantine
21:06:00.0433 3936 epmntdrv ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:00.0464 3936 C:\WINDOWS\system32\EuGdiDrv.sys - copied to quarantine
21:06:00.0526 3936 EuGdiDrv ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:00.0604 3936 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe - copied to quarantine
21:06:01.0181 3936 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:01.0321 3936 C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe - copied to quarantine
21:06:01.0430 3936 OTFSDMS ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:01.0492 3936 C:\WINDOWS\system32\DRIVERS\tcpip.sys - copied to quarantine
21:06:01.0539 3936 Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:01.0601 3936 C:\DOCUME~1\jeff\LOCALS~1\Temp\TULPUWOX.exe - copied to quarantine
21:06:01.0664 3936 HKLM\SYSTEM\ControlSet003\services\TULPUWOX - will be deleted on reboot
21:06:01.0664 3936 C:\DOCUME~1\jeff\LOCALS~1\Temp\TULPUWOX.exe - will be deleted on reboot
21:06:01.0664 3936 TULPUWOX ( UnsignedFile.Multi.Generic ) - User select action: Delete
21:06:01.0757 3936 C:\WINDOWS\system32\Drivers\usbaapl.sys - copied to quarantine
21:06:01.0866 3936 USBAAPL ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:01.0913 3936 C:\Program Files\VMware\VMware Player\vmware-authd.exe - copied to quarantine
21:06:02.0443 3936 VMAuthdService ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:02.0443 3936 vmount2 ( UnsignedFile.Multi.Generic ) - skipped by user
21:06:02.0443 3936 vmount2 ( UnsignedFile.Multi.Generic ) - User select action: Skip
21:06:02.0459 3936 vstor2 ( UnsignedFile.Multi.Generic ) - skipped by user
21:06:02.0459 3936 vstor2 ( UnsignedFile.Multi.Generic ) - User select action: Skip
