Copyright Violation: Copyrighted Content Detected - new strain??


This topic is locked
2 replies to this topic

#1 T3kn0m0nk3Y

T3kn0m0nk3Y

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 04 May 2010 - 11:10 AM

Brief intro: I've been an IT pro for about 8 years now, so I've been around the block in terms of virus/spyware/adware/malware cleaning. I've used this site countless times for getting information and downloading tools - thanks to everyone who contributes! Even though I've successfully cleaned this nasty, I had very little success finding any information about it online, and certainly don't wish what I've just been through on anyone out there.

After a 1.5-day-long struggle with this one (potentially the toughest one I've had in years), I finally got it all cleaned, and said to myself "self, someone's gotta put this info up on the web for anyone else who gets this." So in the vein of thank-yous to BC and the community for so much great info over the years, I thought I'd make sure anyone else who has to deal with it can make some use of the following information:

There are several variations of the Copyright Violation scam infection. There is actually some great information about it out there already; however, this version/strain of it was particularly nasty. In most cases you can follow S!Ri's guides to input a known registration key to bypass the lockout screen and at least get into Explorer to launch the Task Manager and get a few cleaning programs installed. I've had great success with these steps in the past, so I am specifically describing a situation where following any/all of THOSE steps does NOT WORK.

I wish I had kept screenshots of the various steps, but alas I was not expecting this to be nearly as aggravating as it turned out to be, so I'll do my best to verbally describe as many portions of the process as I can.

The Environment:

Windows XP SP3, not updated since about November last year - my fault, but I've been on big projects and the road a lot and didn't realize this system's Windows updates had broken.
Java 6 update 12 <- you will see later this was a large culprit
Partially uninstalled Avast Pro Managed Anti-virus
A broken install of Sophos Anti-virus
The user's account was a domain account and the system was bound to our corporate domain (making certain aspects of cleaning rather difficult)
System Restore was ON


First off let me explain what DIDN'T work:

Doing ANYTHING in the user's domain account was impossible. First off, inputting S!Ri's key to bypass the scam pop-up did not work; even trying several keys proved futile. This newer variation must have been updated to ignore any web-posted keys. Very irritating. The Task Manager had been locked out with a group policy hack, all Windows key shortcuts were disabled, and even the command prompt had been hijacked to prevent any .exe's from running, and any NEW .com processes were halted and deleted within seconds of running. -yeah NASTY.

Logging into the local administrator account allowed download of the latest Combofix.exe and Malwarebytes Anti-Malware, but neither program worked, as you will see. First I ran Combofix, which requested a reboot, but on reboot the process was not re-initiated. Later you will see this was due to a Java bot that held a fixed state of the registry and cleared out the RunOnce entries.

Running MBAM resulted in the program terminating and the exe being deleted from the install directory within seconds of opening the program. This was fun because after about 3 attempts, the bot actually LEARNED my attempt to run this program and then deleted it upon uninstall and reinstall before I could even rename the program from "mbam.exe" to "mbam.com", resulting in a fresh install with NO mbam.exe...

Even safe mode did not allow any further progress. Somehow this nasty was able to function even in command-prompt-only safe mode....

I don't know for sure if there would have been a faster way of dealing with this than what I did, but the steps listed below are what got me forward movement towards cleaning it.

FIX:

Start by removing the drive from the machine entirely. I used a SATA-to-USB adapter and plugged the drive into another machine altogether. I ran both combofix.exe and MBAM from that machine on the drive. Some 60-ish items were found and deleted. I put the drive back in the original machine after cleaning and was able to get some progress from there.

At this point the Copyright scam pop-up was still present, but now the Task Manager was no longer disabled. However, I was still unable to run .exe's or .com's. So I dropped back into safe mode with local admin and was now able to turn off System Restore, and then ran Combofix again. This DID find more items for deletion. I'm guessing DLLs that were re-loaded into the kernel once it was rebooted back in the machine. Following the signs of progress I also tried to run MBAM; no dice.

I then went old-school and tried "roguescanfix", an old favorite of mine from a few years ago for rootkit removal. It did find some things and clear them. I also installed and ran HijackThis and cleared out everything that looked questionable (admittedly I did not save the log at this point.... sorry guys! - but I do have a later log attached).

A reboot got me into the domain account, and with no copyright pop-up lock! (I neither confirm nor deny that my arms may have been thrown up in excitement.... and there may have been some dancing involved...) However, there was an error on some gibberish DLL, so I knew there were still some lingering registry entries to contend with.

I fired up HijackThis and ran it again. Much fewer entries than the first attempt, but there were still some gibberish DLLs listed. I clicked, I cleaned (still no log at this point) and I rebooted. Here I made a stupid assumption that HijackThis did its job, so I then tried to run MBAM again figuring some junk would be loaded in the user profile.... Then BAM, disappeared, and "mbam.exe" was gone again..... (at this point I neither confirm nor deny the use of several four-letter words that are more common in our warehouses than our offices...).

Fired up HijackThis again (YES, the log that is attached) and noticed several of the entries I tried to delete one reboot ago were right back where they started....

SOOOO I tried it again... this time I rescanned immediately after removal. Yup, you guessed it, right back. No matter what I tried, these stubborn entries would not be removed. In each case, some vanished, and some came back, but if I waited long enough, they all eventually returned. I also tried using local admin to regedit the entries manually once I found them - again they reappeared before my eyes each time I deleted them.

I spent a good part of the afternoon googling all the listed DLL files for some kind of hint on how to get rid of them. NOTHING. Luckily though, through a fluke search for the original Copyright scam problem I saw a poster berating someone for having a very old version of Java, which gave me a clue. I then uninstalled Java completely and finally admitted to myself I had to delete these files externally.

The major culprit here was the entry "AppInit: gawubuwo.dll". I slowly began to figure out that this file was the ringleader, and ultimately the only actual physical file. So after many various attempts to find and delete this file with no success, I pulled out my old standby - Knoppix Live. As we all know, there is no better brute-force method for deletion than if you can mount an NTFS drive in any Unix/Linux environment. I assume here BartPE might have worked well also, but I've had mixed results over the years, so I just go straight for a Unix/Linux distro.

Once booted up, I mounted the drive with write permissions and browsed to the [device root]\windows\system32\gawubuwo.dll and deleted that sucker.

After reboot, there was still an error pop-up for the gibberish DLL, so I loaded up HijackThis and gave the entries another shot. Sure enough, they cleared out this time.

At this point the system was more or less clean. I used regedit to verify any entries with either the "ladegize.dll" or "gawubuwo.dll" were cleared out and did one more reboot.

CLEAN AS A WHISTLE! (I definitely confirm that there was much rejoicing at this point). As a follow-up I also reinstalled the latest Java (necessary for one of our corporate applications), fully updated, and reinstalled Sophos AV. Life was good.

Attached Files
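The two things that made this cleanup work were spotting the AppInit_DLLs entry and its look-alike DLL names in the HijackThis log, and then pulling the file out of the drive while Windows was not running. The script below is an added example and is not the poster's tooling, nor anything from BleepingComputer, HijackThis or Knoppix. It assumes the HijackThis "Oxx - ..." line format, a drive mounted read-write under some directory with a WINDOWS/system32 folder inside it, and a heuristic of my own (eight letters strictly alternating consonant/vowel, the shape of both "gawubuwo" and "ladegize") that only flags names for review. The sample log lines and the fake mounted drive it builds are constructed, not the poster's attached log.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample lines in the HijackThis "Oxx" log format. They mirror the
# kinds of entries the thread describes; they are not the poster's attached log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ladegize] rundll32.exe "C:\\WINDOWS\\system32\\ladegize.dll",s
O20 - AppInit_DLLs: gawubuwo.dll
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\\Program Files\\Sophos\\SavService.exe
"""

# Eight lowercase letters strictly alternating consonant/vowel, the shape of
# both names in the thread (gawubuwo, ladegize). A review heuristic, not a verdict.
_GIBBERISH = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$")
_DLL_NAME = re.compile(r"[\w-]+\.dll", re.IGNORECASE)
_LOG_LINE = re.compile(r"^O(\d+) - (.*)$")


def triage(log_text):
    """Return [(section, dll_name, reasons)] for log entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = _LOG_LINE.match(raw.strip())
        if not m:
            continue
        section, rest = int(m.group(1)), m.group(2)
        for dll in _DLL_NAME.findall(rest):
            dll = dll.lower()
            reasons = []
            if section == 20:
                # AppInit_DLLs is loaded into every process that links user32.dll,
                # which is why the entry kept coming back while Windows was running.
                reasons.append("AppInit_DLLs entry")
            if _GIBBERISH.match(dll):
                reasons.append("consonant-vowel generated name")
            if reasons:
                findings.append((section, dll, reasons))
    return findings


def find_in_system32(mount_root, dll_name):
    """Case-insensitive lookup of <mount>/WINDOWS/system32/<dll>.

    An NTFS volume mounted under Linux is case-sensitive, so 'Windows' and
    'WINDOWS' are different paths there; compare lowercased names instead.
    """
    for win in Path(mount_root).iterdir():
        if win.name.lower() != "windows" or not win.is_dir():
            continue
        for sub in win.iterdir():
            if sub.name.lower() != "system32" or not sub.is_dir():
                continue
            for entry in sub.iterdir():
                if entry.is_file() and entry.name.lower() == dll_name.lower():
                    return entry
    return None


def quarantine(mount_root, dll_name, quarantine_dir):
    """Move the DLL out of the offline image instead of deleting it.

    Keeping the file with its SHA-256 lets you submit it to an AV vendor and
    record later exactly which sample was removed.
    """
    src = find_in_system32(mount_root, dll_name)
    if src is None:
        return None
    digest = hashlib.sha256(src.read_bytes()).hexdigest()
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / f"{src.name}.{digest[:12]}.quarantined"
    shutil.move(str(src), str(dest))
    with (qdir / "manifest.txt").open("a") as manifest:
        manifest.write(f"{digest}  {src}\n")
    return {"original": str(src), "quarantined": str(dest), "sha256": digest}


def demo_offline_quarantine():
    """Stand-in for a mounted drive: a temp dir holding WINDOWS/system32/gawubuwo.dll.

    The DLL content is a constructed placeholder, not a real binary.
    """
    root = Path(tempfile.mkdtemp(prefix="fake_mount_"))
    sysdir = root / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    (sysdir / "gawubuwo.dll").write_bytes(b"MZ constructed placeholder")
    record = quarantine(root, "GAWUBUWO.DLL", root / "quarantine")
    still_present = (sysdir / "gawubuwo.dll").exists()
    quarantined_exists = record is not None and Path(record["quarantined"]).exists()
    return record, still_present, quarantined_exists


if __name__ == "__main__":
    for section, dll, reasons in triage(SAMPLE_LOG):
        print(f"O{section}: {dll} -> {', '.join(reasons)}")
    print(demo_offline_quarantine()[0])
```

On a real cleanup you would point `quarantine()` at the mount point of the drive from the live CD (for example the directory where Knoppix mounted the NTFS volume read-write) and pass each DLL name that `triage()` flagged; the manifest then gives you hashes to check after the reboot, which is the step the poster did by hand with regedit.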



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 23,222 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:36 PM

Posted 06 May 2010 - 11:21 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Instructor
  • 23,222 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:36 PM

Posted 09 May 2010 - 11:18 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

