Friday, December 10, 2010

Using Sysinternals Desktops to assist in removing a virus

Sysinternals Desktops

I was asked to look at a computer that was acting funny by a friend; they thought that it had a virus. After working on the computer for a little while I didn’t notice anything that really popped out. But I went to install Microsoft Security Essentials and it would never complete. It wouldn’t lock up the computer and the scroll bar kept rotating. I also noticed that shutting down and starting up was taking longer than it should.
After realizing something was up I opened task manger and didn’t notice anything odd. Winlogon was being more active than it should be though; something I only noticed because I was trying to see what would maybe be conflicting with the MSE install.

So I decided to start diagnosing and pulled over the Sysinternals suite to look around. Weirdly though anytime I started to try and open Process Monitor, Process Explorer or Rootkit Revelear they would open for about a second than close again.

I was confident at this time that their existed a virus on the computer. For testing I named a text document “Process Explorer” and opened it. It also was force closed shortly after that. I knew this was a pretty sure sign that I had something to wrestle with. Also I noticed a weird rar.exe file sitting hidden on my jump drive I used to move files over. I would delete it and it would return while being plugged into the computer. So I had a pretty good guess that the program would propagate itself using jump drives. I was after a reboot able to get MSE to install but left it alone so I could figure out the virus.

So I set out to find out a way to start process monitor or Process Explorer, since I knew if the virus didn’t want me opening these tools, then I would be able to use them to find my solution. So in trying to figure out how to trick the program I tried renaming the programs which still didn’t work. After a little bit I saw the Sysinternals desktops application in their suite and wondered how it went about creating multiple desktops on the background. I thought maybe (or had a small hope) that maybe the virus wasn’t smart enough to notice apps running inside a different desktops. After running desktops and opening a second desktop I was able to open, in that second desktop, process monitor and process explorer.

I restarted the computer wanting to ensure that it was desktops and not something I had done earlier allowing me this. After windows loaded I had the same problem of not being able to run Process Monitor and Process Explorer. I Fired up Desktops again and in the second desktop again I was able to get them running fine. Desktops will forever be in my antivirus removal box because of this.

I didn’t notice anything funny in process explorer and everything listed as Microsoft signed. The machine was actually very clean for a home user. So I ran Process Monitor for a minute and stopped it looking for any peculiar behavior. After looking through I noticed what I noticed earlier, winlogon was showing up way more than normal. After filtering to include only winlogon I noticed that about a little under every second it would check a key here:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acdcacaeaacbafbeaa

Process Monitor of Winlogon Activty - Part 1

Process Monitor of Winlogon Activty - Part 2
And then all the subkeys. The funny random name of the key was a bad sign. I popped up regedit and saw the it also had a dll with the same random key name, as it’s, file name located in the system32 folder of windows. I was pretty confident this was my problem. I exported the key just for sure and then deleted it. Right away the key was back.

I also noticed it would look at Pending File Rename Operations and then also a value called Blud under the Winlogon key. With all this info I then, went back to installing MSE and after it installed and manually installed the latest defenitions which I had downloaded earlier. I right-clicked the DLL acdcacaeaacbafbeaa.dll in the System32 folder and told MSE to scan it. It then said that it had found WORM:Win32/Swimnag.gen!A.dll I did a search and came up with this link from google.

I checked the dll was gone, good job MSE on keeping it gone. I was then able to go into the registry and delete the blub key located at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

I also noticed the associated key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acdcacaeaacbafbeaa" was no longer there. After reviewing the scan history on the computer I pulled up the log and noticed MSE had removed it too.

After watching taskmgr.exe and running a Process Monitor session I could see that winlogon was back to normal. I restarted the computer one more time to see if this time it would boot normally. It did. Also the computer stopped placing the hidden Autorun.inf and rar.exe on the jump drive. The computer was overall a lot more responsive. At this point I did a full scan with MSE and discovered no further problems.

CONCLUSION – I have tried to see if anyone else has used desktops to prevent a virus from closing applications and posted the story online but haven’t seen it. I don’t think this was an intended use of desktops but very interesting none the less. I would love to hear if this works for other viruses.

NOTE - Microsoft's stance is normally that after your system has been compromised you should reinstall the computer. I didn't do it here because I was feeling challenged at the time, and didn't have the disks for this persons computer. Normally I do reinstall since.

UPDATE - Shared this with Mark Russinovich and based on what I said the program was checking the Window titles, using window enumeration and that it only works for the current desktop. That is why I was able to use Sysinterlas Desktops to create another desktop to open Process Monitor and Process Explorer.

No comments:

Post a Comment

Keep it Clean.