A couple of weeks back (9/15/2007 at around 7:30am) an ActiveX object was inadvertently allowed to install onto my system. It then began to install various other nasties (including changing the screen background to a "your system's been infected" display and then attempting to get you to download some bogus anti-spyware). S&D Tea Timer was getting flooded with registry change attempts. In any case, I killed all of the running browser sessions and disconnected my network cable.
Before continuing, here are some details on my system...
System: Gateway P4 2.4Ghz (a little over 5 years old)
Hard drives: 2 (non SCSI)
OS: Windows XP Professional SP2 (with autoupdate enabled)
(also had the firewall (that comes with SP2) and S&D tea timer active as well)
I also have a second (uninfected) system that is effectively the infected system's twin (there are some differences in the software that is loaded on each).
I started off by running a Spybot S&D (version 1.4) scan - which came back reporting most of the above infections (plus a registry entry that disabled the Task Manager). It was able to take care of a number of them, but said there were some files that it could not delete. I allowed it to try again on reboot (to delete the files). Upon rebooting, most of what it had removed was back - and it again failed to delete the files that it had failed to delete before (see below for a list of files - I have marked the ones that could not be deleted by Spybot or, apparently, through any other means (Spybot didn't catch them all) with an asterisk). I reran Spybot. Instead of rebooting, I then ran an Adaware SE (version 1.06r1) scan. It found and I removed a few more things. I then ran AVG 7.5 - which didn't report anything new.
I reconnected the network cable and downloaded the latest profiles for these three apps. I also installed AVG Anti-Spyware, SpywareBlaster and a-squared (trial version). I also wiped out my browser temp files, cookies and history. I then did the following...
1) changed my file-view settings so that system/hidden files would be displayed and all file extensions would appear as well
2) turned off system restore
3) ran the disk clean in System Tools
4) ran an Ad-Aware scan (which found a bunch of cookies)
5) ran Spybot S&D (which found the same stuff as before that it could not delete - this time, I removed any reportedly suspicious active-x items, blank or suspicious BHOs, startup items, etc.)
6) ran AVG Anti-Spyware (which found one more thing that I then deleted)
7) ran AVG anti-virus (nothing new)
8) ran SpywareBlaster (nothing new)
9) ran a-squared (trial version) for a full scan. Midway through the scan, the computer rebooted itself.
When the crash happened, I started hitting F8 until I was able to boot into safe mode. After once again disconnecting the network cable and then logging in, I...
1) ran msconfig and set the system to automatically boot into safe mode the next time it was reset. I had as little enabled as possible (using msconfig). Selective startup with a check by "Process SYSTEM.INI File" and a dimmed check by "Load Startup Items". ctfmon is the only process checked in the startup list. Everything is checked in the SYSTEM.INI list. In services, DCOM Server Process, RPC Locator and RPC are the only things checked (and the locator is stopped). This is curious since the services group is unchecked. Finally, "Use Modified BOOT.INI" was selected and the SAFEBOOT option was selected in the BOOT.INI tab.
2) changed Windows Explorer's file view to details and re-enabled being able to see system/hidden files and all file extensions (this always seems to get reset when I reboot in safe mode).
3) re-ran steps 3-9 (see above). AVG Anti-Spyware would not run in safe mode and a-squared (doing the “full” scan) did not crash the system this time.
Noting that the files that the above apps had deleted (or attempted to delete) all had the same (or very similar) timestamp, I ran a search for everything that had been modified in the past week (it was 9/18 by this time). I sorted them by date and began working my way down. The top-most files were mostly system log files (a whole lot more than were on the infected system's twin). I googled a number of them and they seemed to be legitimate - though I don't know if the services/whatever that produce them should be running. I'm a bit concerned that some of the malware turned on a bunch of logging in order to try and get as much info about the infected system as possible. Over the following week, I worked my way down to the time period when the initial infection happened. I noted the files that were still present and continued on until it looked like I was well past the point where the infection happened (i.e. well before when the infection(s) happened). The entire time I was doing this, I was googling a lot of the files to see whether or not they were legitimate as well as comparing files between the infected system and its twin. This approach was far from perfect (I suspect this was doing things "the hard way"), but it did help identify a lot of the "bad" files. It turns out that almost all of them were in either WINNT or WINNT\System32.
Unfortunately, I don't have a list of all the log files that I came across at the time, but I have included a list (using the same type of search) of a number of the files that are more recent than the infection period (excluding stuff like the S&D updates). It's not a complete list as there are quite a number of them.
C:\Documents and Settings\test\ntuser.dat.LOG
C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Here is the list of the "bad" files (that have a timestamp matching the time of infection) that survived the above scans or were able to somehow resurrect themselves. Note that comments in parentheses that are to the right of the filename are my comments and not part of the filename. The same applies to asterisks to the right of filenames...
C:\WINNT\system32\drivers\ (a bunch of jpg, gif, htm and css files)
C:\WINNT\absolute key logger (empty folder)
assist\asbar.dll (this and two other files in this folder - which seems to have no root)
* These files could not be deleted. Spybot S&D could not do it and when I tried to delete them using windows explorer, the error message indicated that some other application was currently using them (I had no other application running). This happens to be a superset of the files that Spybot had detected and failed to delete.
** I tried to unregister each DLL before deleting it ("regsvr32 /u <disk:\path\filename.dll>" in a command window). The file oembios32.dll was the only dll file that actually turned out to be registered.
On a hunch, I started up a CMD window, pulled up the task manager and killed the explorer.exe task. I was then able to use the command window to delete each of the above files marked with a "*". Afterwards, I restarted explorer.exe with no apparent problem. Even after rebooting (I'm still in safe mode), the files did not return.
I then ran regedit with the intent of searching for the deleted filenames. On the first search, regedit sat and trundled for a bit (while searching) before the system displayed a blue screen for all of about a half of a second and then rebooted. I tried this again with several other strings (including some random characters) and found that the same thing would happen each time. If I searched for something that was near the top of the registry, the search would work - but anything that took it well down into the registry would cause the system to reboot.
Suspecting bad memory, I swapped memory sticks with the infected system's twin. The problem persisted. So much for the bad-memory-stick theory. Next, I wondered if it had to do with how little was actually loaded into memory. I thought perhaps there was some crucial "something or other" that might need to be loaded - so I ran msconfig to try and add some additional start-up items. I found that any time I hit "OK" to save my changes (even if I didn't actually make any change), a dialog would appear saying "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes." The account I was using did have admin privileges. Also, despite the error, it seemed that the settings would persist (though I didn't test this too thoroughly). As this seemed rather suspicious, I have not tried rebooting with more stuff loaded (much less rebooting in "normal" mode).
So my infected system is still running in safe mode right now (and I'm not sure how to proceed). I'm guessing that there is going to be some additional stuff that I'm going to need to install in my infected system in order to clean it - so I'll ask this ahead of time... Should I download whatever I need to download onto my clean system and sneaker-net it over to the infected system or should I try to reboot the infected system back into "normal" mode and try to load things directly onto it? In its current state, thumb drives don't work (driver not loaded?) on the infected system - so I'm not sure how I'd sneaker-net anything over to it.
The HJT on the infected system is version 1.99.1. As this has been on the system for a while, I don't know if it is new enough to provide useful information for you (which is why I didn't provide an HJT listing in this post). Will I need to upgrade it? When you have me run it, should I run it in safe mode or in some other configuration?
Also, your “Preparation Guide For Use Before Posting A Hijackthis Log...” post mentioned loading Housecall Anti Virus, Panda Anti Virus and Bit Defender. Do these all behave well when on the same system (along with the above-mentioned things I already have installed)? I was under the (mistaken?) impression that you should only have one antivirus app installed on a machine at any given time.
1) System was infected with (7FaSSt, Accoona, Aconti, AdBreak, CusMin, DeskWizz, INetSpeak, SmitFraud-C, SWAgent) plus who-knows-what-else.
2) Updated adaware, Spybot, AVG antivirus (free) and loaded AVG anti-spyware, Spyware Blaster and a-squared.
3) Turned off system restore and set file properties to show system/hidden files, all file extensions
4) The scans reported multiple infections
5) The initial a-squared run crashed the system - causing it to reboot.
6) Disconnected the network cable and booted into safe mode
7) Ran msconfig to make safe mode the default and have as little loaded as possible
8) Reran Adaware, Spybot S&D, AVG anti-virus, Spyware Blaster and a-squared and removed what threats I could.
9) Sorted all files on the hard drive in chrono order and began googling anything I didn’t recognize.
10) Hand deleted all of the “bad” files that I could - including trying to unregister each of the dll files (in the above list)
11) Started a command window, killed explorer.exe task and was able to delete the rest of the bad files.
12) Upon restarting (still in safe mode), system appeared to be clean
13) Most regedit searches cause the system to (very) briefly display a blue-screen and then reboot
14) msconfig complains when I try to save the configuration by clicking “OK”
15) HJT version is 1.99.1. Will this version be adequate?
16) Should I go ahead and install Housecall, Panda and Bit Defender? If so, should they be run in safe mode?
17) Given the machine’s current state, it’s still in safe mode. If anything needs to be loaded onto it, should I sneaker-net it from its uninfected twin or try to bring up the infected machine in normal mode and use it to load whatever needs to be loaded?
Any help/advice on how to proceed would be greatly appreciated...
~Mod Edit: Topic moved from HJT Logs and Malware Removal forum~ TMacK
Edited by TMacK, 28 September 2007 - 01:08 AM.
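The "sort everything by modification date and compare it against the clean twin" approach the poster describes by hand can be automated. The script below is an added example and is not code from the original post or from any of the tools mentioned in it. It walks a directory tree, keeps every file whose modification time falls inside an infection window, orders them oldest first, and then classifies each one against the twin machine by checking whether the same path exists there and whether the SHA-256 of the contents matches. Both directory trees, every path, timestamp and file body in it are constructed sample data; the names mirror paths from the post (WINNT\system32\drivers, assist\asbar.dll) only to make the output readable, and "win.ini" and "update.dll" are assumed placeholder files, not findings.

```python
"""Timeline triage of a file tree against a known-clean "twin" system.

Added example (not from the original post). It automates the manual approach
of listing every file modified around the time of infection, sorting by
timestamp, and comparing each one against the uninfected twin machine.
All paths, timestamps and file contents below are constructed sample data.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def files_modified_between(root, start, end):
    """Walk `root` and return (relative_path, mtime) for every file whose
    modification time falls in [start, end], oldest first.
    Relative paths always use '/' so results compare the same on any OS."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full))
            if start <= mtime <= end:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, mtime))
    hits.sort(key=lambda item: item[1])
    return hits


def triage_against_twin(infected_root, twin_root, start, end):
    """Classify every file modified in the window on the infected system:
    'missing_on_twin'   - no file at the same relative path on the clean twin
    'differs_from_twin' - the twin has the path but the contents differ
    'matches_twin'      - identical content on both (e.g. a legitimate update)
    Returns a dict mapping relative path -> verdict."""
    verdicts = {}
    for rel, _mtime in files_modified_between(infected_root, start, end):
        parts = rel.split("/")
        twin_copy = os.path.join(twin_root, *parts)
        infected_copy = os.path.join(infected_root, *parts)
        if not os.path.exists(twin_copy):
            verdicts[rel] = "missing_on_twin"
        elif sha256_of(twin_copy) != sha256_of(infected_copy):
            verdicts[rel] = "differs_from_twin"
        else:
            verdicts[rel] = "matches_twin"
    return verdicts


def _write(root, rel_parts, content, mtime):
    """Create a constructed sample file and force its modification time."""
    full = os.path.join(root, *rel_parts)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)
    ts = mtime.timestamp()
    os.utime(full, (ts, ts))


def build_sample_systems():
    """Build two constructed trees (infected system and its clean twin) and
    return (infected_root, twin_root, window_start, window_end).
    The window is placed around the post's infection time, 2007-09-15 07:30."""
    base = tempfile.mkdtemp(prefix="triage_")
    infected = os.path.join(base, "infected")
    twin = os.path.join(base, "twin")
    infection = datetime(2007, 9, 15, 7, 30)
    old = infection - timedelta(days=400)

    for root in (infected, twin):
        # Long-standing OS file, identical on both machines (outside the window).
        _write(root, ("WINNT", "system32", "kernel32.dll"), b"os-file", old)
        # Assumed legitimate update applied to both machines inside the window.
        _write(root, ("WINNT", "system32", "update.dll"), b"patched",
               infection + timedelta(hours=2))

    # Constructed files present only on the infected machine, dated at infection.
    _write(infected, ("WINNT", "system32", "drivers", "banner.htm"), b"<html>",
           infection)
    _write(infected, ("assist", "asbar.dll"), b"MZ-sample", infection + timedelta(minutes=1))
    # Constructed file present on both, but with altered content on the infected side.
    _write(infected, ("WINNT", "win.ini"), b"[tampered]", infection + timedelta(minutes=5))
    _write(twin, ("WINNT", "win.ini"), b"[fonts]", old)

    return infected, twin, infection - timedelta(hours=1), infection + timedelta(days=7)


if __name__ == "__main__":
    inf, tw, start, end = build_sample_systems()
    for rel, verdict in triage_against_twin(inf, tw, start, end).items():
        print(f"{verdict:18} {rel}")
```

Files that fall in the window and have no counterpart on the twin are the first candidates to look up; a file that exists on both but hashes differently is the second tier (a tampered or replaced file); a file that matches the twin byte for byte is most likely a legitimate update that landed on both machines, which is exactly the case that googling filenames one by one does not distinguish. Run it against real roots by replacing build_sample_systems() with the two mount points and a window taken from the first known-bad timestamp.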