How to remove and identify virus

[REAP]

Hello

 

I have a Win 7 computer that has been infected with a bruteforce password virus.

 

When the computer is able to connect to a DC the computer constantly tries to determine the password for some user account that it has chosen.

 

I've tried scanning the computer with a number of AV's without success:

 

MBAM

MBAR

TDSKiller

Gmer

Vipre

 

After doing some analysis on the computer I've been able to determine that the infected process on the computer is the Windows System process. Worked this out by identifying which ports the virus was using from the server logs and then using CurrPorts (from Nirsoft) and Process Monitor (SysInternals) to monitor the desktop.

 

I've also tried SysMon (SysInternals) but while SysMon does log activity, it doesn't log the relevant virus activity.

 

The questions that I have:

 

1. If I were to replace ntoskrnl.exe on this computer with a "clean" version of ntoskrnl.exe from another W7 system am I likely to remove the virus from this computer.

 

OK as I expected it's not as simple as that I can see from Process Explorer that there are many threads reported as "System". Even if replacing ntoskrnl were to work then this would fix this computer, but it wouldn't prevent a future infection.

 

2. Suggestions on how to identify or remove this malware?

 

greetz

Edited September 5, 2014 by REAP

[redblkjck]

Wouldn't start replacing files until you identify what is infected. 

Try using a boot cd for the scan.  Bitdefender rescue cd or KAV rescue disk should work.  

Perhaps this attack is coming remotely by a trusted resource after it's authenticated on the network instead.

[REAP]

I'll try KAV. Thanks

 

But if that doesn't detect anything, are there any programs that allow you to easily compare a binary hash / checksum of two sets of files?

 

This would be some sort of WinPE type utility that you could use to compute a set of hashes on the infected computer (for selected files) and then do the same thing against a "clean" computer. Then compare the results, which would identify those files that are different (of course they could be different for valid reasons - different Windows Updates etc). But if it didn't take that much work to do the compare, then it might be worth trying before rebuilding the desktop.

 

In this case rebuilding the desktop is not a big deal, but it means that the malware could get through again.

[simple]

By installing all these programs you've installed toolbars, adware and various garbage u dont need that slows u down. The AV software (all of them) isn't going to detect the majority of bad code out there, and for the small part it does get - the malware authors change packers, change a few lines of source, etc and reinfect you the next day. Just read some of the many docs on how easy/practical AV evasion is for more info.

 

I wouldn't worry about hash checks, etc - just reformat.

[redblkjck]

Several md5sum sfv type utilities out there to create file lists.  

 

Since you say it only happens after the logging into the DC it might be a remote network attack instead.  Another PC in the network that has elevated membership in the domain.  Maybe an audit check is being run by the admins.   How are you detecting this?  

[REAP]

Since you say it only happens after the logging into the DC it might be a remote network attack instead.  Another PC in the network that has elevated membership in the domain.  Maybe an audit check is being run by the admins.   How are you detecting this?  

 

Definitely this PC. Detected by monitoring the Event logs on the DC.

 

When the PC is on the domain network, connects to the DC constantly.

 

When the PC is off the domain network periodically tries to connect to the DC.

[REAP]

Using Process Monitor I am able to identify the following:

 

Process Name: System

PID: 4

TID: 0

Parent PID: 0

 

In Process Explorer I can see PID: 4, but when I look at the Threads of the System process there is no TID of 4 or 0

 

How can I identify the actual process being executed?

[REAP]

I've made some progress on this, have been able to narrow down the suspect packets to two files: ntoskrnl.exe and tcpip.sys

 

Will replace these files with known good versions and see what happens.

 

Thanks for feedback and suggestions

[ewwink]

try to scan in safe mode.