Addendum: The story below is somewhat dated. Today I would use SDFix and the Microsoft Malicious Software Removal Tool to remove a rootkit infection.
At work I had to repair a Windows XP machine infected with a variant of the Win32/cutwail rootkit virus (among several others, as it turned out). I first noticed the PC in my role as system administrator because of increased network traffic, which is to be expected, as this is a Trojan that sends mass mail.
Running the CA online virus scan detects the problem but is unable to remove the infection. Repeated scans (after reboot) report the file ip6fw.sys (the Windows Firewall driver) as infected, so upon boot the PC re-infects itself again. I also noticed that the Windows Firewall is turned off and cannot be enabled; trying to enable it returns “Firewall can not be started because of unknown error”. I followed these instructions to get the Firewall to work again.
Next I noticed that upon boot chkdsk returns the message “Cannot lock volume for direct access” when it tries to run. Microsoft has a KB article that describes the issue and states that installing the latest service pack should help. It does not.
Additionally, the process csrss.exe hogs the CPU, using 80% of CPU time without any programs running on the PC, which is probably a side effect of the Trojan infestation. The machine also runs multiple instances of iExplorer.exe that “come and go” when viewed in Task Manager. Using the Windows boot CD in repair mode, I ran chkdsk manually. I noticed that the files core.sys and cache.core.sys in the windows/system32/drivers/ directory have a file date from around the time of the PC’s virus infection, so I took a chance and deleted the files using the Repair Console (you need a Windows XP installation disk for that). Now upon a normal boot the chkdsk utility works again (!) and goes through a long process of checking the hard disk. I installed McAfee AV, but when trying to run a McAfee virus scan I get a blue screen with the message “irql_not_less_or_equal”, meaning that a kernel-mode component tried to access memory outside of its scope. Next I tried to boot in Safe Mode (F8), but the system hangs while loading agpCQ.sys, a video device driver.
Next I booted from the CD again and renamed the offending device driver from agpCQ.sys to agpCQ.sy$. Now Safe Mode works and the system no longer fails with “irql_not_less_or_equal”, BUT the system refuses to execute the McAfee virus scan in Safe Mode; any attempt to run McAfee is simply ignored. Removal of the cutwail virus is tricky. So I booted the system in Safe Mode with Networking and ran the CA online virus scan, which now finds two infected files that I remove. Next I booted in normal mode. Now McAfee finds a rootkit infection and removes it; good. But McAfee says that a reboot is required, and upon rebooting the system shuts down with “irql_not_less_or_equal” again (!). So it looks like the McAfee virus scanner causes the “irql_not_less_or_equal” blue screen when it tries to clean up the rootkit virus.
So I decided to boot normally into the administrator account, run the CA online virus scan to temporarily deactivate the active cutwail rootkit virus, and then run the McAfee virus scanner. No go: I still get the “irql_not_less_or_equal” blue screen. Ergo: the McAfee virus scan driver causes the blue screen when trying to clean the PC, probably in the rootkit part of its cleanup routines.
Next I decided to download a new virus scan utility: CounterSpy from Sunbelt Software. I ran a full system scan with CounterSpy. It detects several threats but is unable to clean the system.
Next I downloaded the F-Secure rootkit removal tool Blacklight-Beta. It finds the hidden process iExplore.exe in the c:\Program Files\Internet Explorer directory. This file is locked, so the only way to rename it is to rename the directory that contains the file, thereby blocking access to it. After that, the file unlocks and can be renamed.
The key to finally cleaning up the system is to delete the Windows\Temp directory. This directory contains a lot of suspiciously named files that cannot be removed during normal operation, so use the Repair Console to do this. After deleting the Temp directory, do not forget to create a new (empty) Windows\Temp directory or Windows will not work correctly.
So in summary this worked:
- re-instate the Windows Firewall; this was probably deactivated by the Trojan-Proxy.Win32.Xorpix backdoor virus found by CounterSpy
- manually delete core.sys and core.cache.sys in the system32 directory using the Windows Repair Console to get chkdsk to work again
- rename the offending agpCQ.sys to be able to boot into Safe Mode (F8 key)
- rename the folder that contains iExplore.exe (this has to be done in Safe Mode from the command prompt, else the folder is locked) to prevent multiple instances of iExplore.exe from eating up processor time
- in Safe Mode with Command Prompt, delete the \Windows\Temp\ folder. This folder contains the Rootkit Win32.Agent.eq virus, which is detected by CounterSpy but NOT removed.
- boot normally and run CounterSpy again to make sure all infections are gone.
- re-create the Windows\Temp folder, as Windows uses it for temporary storage when programs are executed.
It took one full day of work to get the PC (a Dell Latitude laptop) back to normal.
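A small triage helper, added here as an example and not part of the original post, that codifies the file-date heuristic used above to spot core.sys and core.cache.sys among the drivers, and extends it with a check for PE files hiding under harmless-looking names in the Temp folder (the Temp check, all paths and all dates are assumptions, not details from the story):

```python
"""Added triage helper, not code from the original post: flags drivers whose
file date clusters around a suspected infection date, and Temp entries whose
content is a PE executable despite a harmless name. Paths/dates are assumed."""
from datetime import datetime, timedelta
from pathlib import Path

def drivers_near_date(entries, infection_date, window_days=3):
    """entries: iterable of (file name, mtime as datetime). Return names whose
    mtime lies within +/- window_days of infection_date, closest first. On a
    healthy XP box most drivers share the install date, so a lone recent one stands out."""
    lo = infection_date - timedelta(days=window_days)
    hi = infection_date + timedelta(days=window_days)
    hits = [(abs(mtime - infection_date), name)
            for name, mtime in entries if lo <= mtime <= hi]
    return [name for _, name in sorted(hits)]

def scan_drivers_dir(drivers_dir, infection_date, window_days=3):
    """Apply drivers_near_date() to a real directory such as
    C:\\Windows\\system32\\drivers (the path is an assumption here)."""
    entries = [(p.name, datetime.fromtimestamp(p.stat().st_mtime))
               for p in Path(drivers_dir).iterdir() if p.is_file()]
    return drivers_near_date(entries, infection_date, window_days)

def disguised_executables(files):
    """files: iterable of (name, first bytes). Flag entries whose name does
    not look executable but whose content starts with the 'MZ' PE header,
    a common way for a dropper to park a payload in a Temp folder."""
    harmless = (".txt", ".log", ".tmp", ".dat")
    return [name for name, head in files
            if name.lower().endswith(harmless) and head[:2] == b"MZ"]

# Constructed sample data modelled on the story (all dates are assumptions).
INFECTION_DATE = datetime(2008, 11, 3)
SAMPLE_DRIVERS = [
    ("ip6fw.sys", datetime(2008, 4, 14)),           # service-pack era date
    ("ntfs.sys", datetime(2008, 4, 14)),
    ("core.sys", datetime(2008, 11, 3, 9, 14)),     # dropped at infection time
    ("core.cache.sys", datetime(2008, 11, 3, 9, 16)),
]
SAMPLE_TEMP = [("~DF3A21.tmp", b"MZ\x90\x00\x03"), ("setup.log", b"Log ")]

if __name__ == "__main__":
    print("drivers dated near infection:",
          drivers_near_date(SAMPLE_DRIVERS, INFECTION_DATE))
    print("disguised executables in Temp:", disguised_executables(SAMPLE_TEMP))
```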
Trevor responded on 18 Jan 2009 at 3:17 am
THANK YOU for taking the time to post this. I think this is the one I’ve got… it’s taken me hours of research to figure it out. It’s still hard to believe that all the major anti-spyware/malware/virus programs are missing this one! Can I buy ya a beer? I’m so thankful…