

Malware surviving MBAM and Spybot


24 replies to this topic

#1 Capn Easy

Capn Easy

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:04:42 PM

Posted 04 December 2008 - 11:38 PM

I somehow picked up a nasty piece of "ransom-ware."

This afternoon I ran Ad-Aware (the free version) and it complained that it found a trojan. The file it identified was the executable of "Free Hi-Q Recorder," a free program I installed almost a year ago and have not run in at least 6 months. I was suspicious so I exited without removing or quarantining the program.

I then ran MB Anti-Malware. The first thing I did was check for updates -- one was found. While downloading it I got an alert from Spybot S&D that a value was being changed. I assumed (probably incorrectly) that this was MBAM and I okayed it. I then started MBAM.

Avast! immediately began reporting viruses and, while MBAM was running, reports that too many identical emails were being sent. I manually stopped each one. I got a "license" form for something similar to "Superantivirus 2008," Firefox windows opened and tried to connect to the Superantivirus site and another site for something like "SuperiorAntiVirus 2008," etc. (Firefox blocked those sites.)

When MBAM finally stopped it found many (maybe 20+) infected files. I "fixed" them all. I then ran Spybot and got rid of all the threats it found. I ran CCleaner and dumped my temp files, etc.

I then ran MBAM again. It found a few more trojans, etc. I fixed them and it warned me to run MBAM again in "Safe mode" to make sure I cleaned them all. I did. Then I ran MBAM and it came up clean. I ran Ad-Aware again (still in Safe Mode) and it picked up Hi-Q again. I quarantined it. I ran Spybot and it came up clean.

I then shut down out of Safe Mode and re-booted normally. I immediately got a little red shield in my system tray with a bubble warning me that my firewall is turned off, I might be at risk, and to click on it to start the firewall. (Yeah. Right.) Of course, I did NOT click it!

I ran MBAM again and it picked up 3 infected files again -- notably "RS32UPS.ru" -- and I "fixed" them. At this point Spybot came up 3 separate times warning me that each of the identified files was trying to make changes (I think to the Registry). I did not allow the changes.

Anyway, traces of whatever I've got is still in the computer, surviving MBAM in Safe Mode. The little red shield is still there.

Should I have allowed the changes after I ran MBAM?

What else can I do to get rid of this pest?

Thanks in advance!


#2 Capn Easy

Posted 05 December 2008 - 01:10 AM

Okay, I read some additional posts and saw that I should permit changes to values after I run MBAM -- I did that and I seem to be clean.

Firefox seemed to be hijacked -- my first selection whenever I ran a Google search sent me to a shopping site. I solved that by clearing all my cookies.



I still have the red shield in the tray, and I'm wondering if it's a valid Windows alert. I went in through:

Start >> Control Panel >> Security Center

And it appears that the Windows firewall is down. I'm on a small network of family computers behind a router. My wife uses her business computer behind that router and I believe she has a firewall set up, but her business computer is critical and she's in charge of security settings for our network. I'll check with her. In the meantime, since I never had this warning before, I assume I had it running before (it's been years since I set this up) and I suppose I can set it up to run at minimum settings. Whatever virus this was, it disabled the Windows Security Center and I assume that's when the firewall went down.


Anyway, I'd still appreciate any comments or advice I can get. I'm already adhering to all the safe internetting principles I've read about. I'd appreciate any advice.

Thanks.

#3 Capn Easy

Posted 05 December 2008 - 04:16 AM

One additional piece of the puzzle.

Two of the entries that I remember from the removal process were "RS32UPS.ru" and "Win32.Agent.amwr" -- both apparently associated with the fake Antivirus 2008 program.

But I also had "Nurech" -- the info I've found on it says it usually infects a computer by means of an EXE attachment to an email. Trust me, I have never run anything that came in as an email attachment!


Anyway, any comments or advice would still be welcome!


Thanks.

#4 Capn Easy

Posted 05 December 2008 - 01:07 PM

Well, I ran an overnight scan with Avast! and it found one more infected file. The file's name and location appeared legit -- it was in the IBM support files that came with my computer, a ThinkCentre -- but I moved it to "the chest."

It also picked up what it called a "decompression bomb" in \Application Data\Thunderbird\Profiles. I've never had anything there before. Is this likely to be part of the email crap that my computer was going through yesterday?

My gut feeling is to delete it, but I'd be interested in someone's opinion before I do.

Thanks.

Edited by Capn Easy, 05 December 2008 - 01:07 PM.


#5 ruby1

Posted 05 December 2008 - 01:30 PM

It might help folks to help YOU if you could update the Malwarebytes program, reboot the computer and run another scan in NORMAL mode with the fresh definitions; then give us the log reports from it and the previous maybe two scans for someone to check out?

#6 Capn Easy

Posted 05 December 2008 - 04:40 PM

Thanks for the reply, ruby1. I didn't want to post logs until I knew what logs would be significant. Whenever I run MBAM I update first.

My most recent MBAM log, from this afternoon:

Malwarebytes' Anti-Malware 1.31
Database version: 1463
Windows 5.1.2600 Service Pack 3

12/5/2008 4:14:11 PM
mbam-log-2008-12-05 (16-14-11).txt

Scan type: Quick Scan
Objects scanned: 54600
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


===============================================

This log is from last night, after a few passes to try to clean my computer:

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 9:04:41 PM
mbam-log-2008-12-04 (21-04-41).txt

Scan type: Quick Scan
Objects scanned: 54826
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===============================================

This was the first run of MBAM taken as soon as I knew I had an active virus:

Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 8:40:25 PM
mbam-log-2008-12-04 (20-40-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 161836
Time elapsed: 1 hour(s), 11 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rpiqad (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\arucidohugilidup (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Kevin\Application Data\gadcom (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\85ABS9QF\eyhviww[1].txt (Trojan.Spambot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Application Data\gadcom\gadcom.exe72b (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Mkuha.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ufepediw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Delete on reboot.
C:\fjytg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\bflkwx.exe (Trojan.Agent) -> Quarantined and deleted successfully.


=============================================

And this log was from a routine run a few days before the attack:

Malwarebytes' Anti-Malware 1.30
Database version: 1439
Windows 5.1.2600 Service Pack 3

11/30/2008 10:24:37 PM
mbam-log-2008-11-30 (22-24-37).txt

Scan type: Quick Scan
Objects scanned: 55196
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I'm still having some Google searches redirected to random shopping sites -- from what I've read here I'm thinking I should download and run ATF Cleaner.

I still don't have any idea how a year-old program (that had not been run in more than 8 months) could suddenly have become infected with a Trojan.


Again, any advice or comments from anyone who can help me understand what happened and help keep it from happening again would be very welcome!

Thanks.
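As an added example (not from this thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.x log layout posted above: it pulls out the scan metadata, every detected item with its classification and removal action, lists the entries that were only marked "Delete on reboot" (the ones worth re-checking on the next scan), and flags Run-key autostart entries, since a surviving one explains why the same names keep reappearing after a reboot. The sample log is constructed in the same layout with placeholder names and paths.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs (the layout posted in this
thread) and summarise what was detected and whether removal completed.

Added example, not part of the thread. SAMPLE_LOG is constructed to mirror the
posted format; every name and path in it is a placeholder."""
import re
from collections import defaultdict

SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.31
Database version: 1460
Windows 5.1.2600 Service Pack 3

12/4/2008 8:40:25 PM
mbam-log-2008-12-04 (20-40-25).txt

Scan type: Full Scan (C:\\|)
Objects scanned: 161836
Time elapsed: 1 hour(s), 11 minute(s), 9 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\example_drv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\example1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\example2 (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\\WINDOWS\\system32\\example2.exe (Trojan.Agent) -> Delete on reboot.
C:\\example3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Key: value" metadata lines in the log header
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed):\s*(.*)$")
# Section headings such as "Registry Values Infected:" (the count lines end in a number, so they do not match)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# One detected item: <path> (<classification>) -> <action>.
ITEM_RE = re.compile(r"^(.*?) \(([^()]+)\) -> (.+?)\.?$")
PENDING = "Delete on reboot"
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (header dict, list of item dicts) from an MBAM 1.x log."""
    header, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, "path": m.group(1),
                          "detection": m.group(2), "action": m.group(3)})
    return header, items


def summarize(items):
    """Count detections per section, list what still needs a reboot to be
    removed, and flag autostart (Run key) entries that relaunch the malware."""
    per_section = defaultdict(int)
    for it in items:
        per_section[it["section"]] += 1
    pending = [it["path"] for it in items if it["action"].startswith(PENDING)]
    autostart = [it["path"] for it in items if RUN_KEY.search(it["path"])]
    return {"per_section": dict(per_section), "pending_reboot": pending,
            "autostart": autostart}


if __name__ == "__main__":
    hdr, found = parse_mbam_log(SAMPLE_LOG)
    print(hdr["Database version"], summarize(found))
```

To review a real log, read the text file named on the log's fifth line and pass its contents to parse_mbam_log; entries still listed under pending_reboot after the next scan are the ones that did not actually go away.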

#7 Capn Easy

Posted 05 December 2008 - 04:44 PM

Oh, and from what I've found online I now think that the "decompression bomb" in Thunderbird might be my compressed email messages. It doesn't have a .zip, .rar, or other recognizable extension.

#8 ruby1

Posted 05 December 2008 - 04:50 PM

The top Malwarebytes report appears clean.

ATF cleaner is here

Please download ATF Cleaner by Atribune & save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

then maybe run a scan with superantispyware




Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your Desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".

    (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method.

To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


see how that goes?

Oh, and from what I've found online I now think that the "decompression bomb" in Thunderbird might be my compressed email messages. It doesn't have a .zip, .rar, or other recognizable extension.

( which reminds ME I need to compress mine!!)

#9 Capn Easy

Posted 05 December 2008 - 11:11 PM

Thanks again, ruby1.

I ran ATF Cleaner. It removed some junk but didn't report on the contents. I haven't done a thorough test, but I appear to be going to the right places via Google. (EDIT: No. I'm not. Rats. See below.)

I then ran SUPERAntiSpyware Free. That took about 6 hours (I really have to clean some of my own junk out of there). SAS found two registry entries associated with TDSSserv.sys. I quarantined and removed them -- and hopefully they're really gone. I'll be following this up over the weekend with multiple anti-virus, spyware and malware scans. Some bat rastard hacker owes me for a couple days work!



On a related note, to anyone who can answer, the attack seemed to start when a formerly trusted program (installed about a year ago and not used in at least 8 months) got compromised and was identified as a trojan. Ad-Aware pegged it first, and the main executable has been quarantined. But I assume I'll have to use non-standard methods to uninstall the remnants of this program -- the icon on my desktop is now a generic square.

Can anyone offer advice? Or is there somewhere else I should be looking?

Continued thanks!

Edited by Capn Easy, 05 December 2008 - 11:44 PM.


#10 Capn Easy

Posted 05 December 2008 - 11:55 PM

Okay, something survived ATF Cleaner, and possibly SUPERAntiSpyware.

First, Google searches are still being redirected, mostly to shopping sites. For instance, I just ran a pretty generic search as a test. I searched on "Digital Camera." The first entry on the Google list was:

http://www.dpreview.com/



but when I clicked on it I was redirected to

http://www.alibaba.com/showroom/Digital_Cameras.html?src=ibdm_d03p0020e02r37&ibdm_KW=digital+camera

When I use the "Go Back One Page" arrow and try again I do go to dpreview correctly.

I'll try running ATF Cleaner again.




Beyond that, there appears to be at least a remnant of TDSSserv on the computer -- I'm not expert enough to know.

Right click on "My Computer" >> Hardware >> Device Manager >> View >> Show Hidden Devices

and TDSSserv shows up in "Non Plug and Play drivers." It is marked with a gray diamond with a small yellow ball in it and a black exclamation point in the yellow ball. Does this mean that the entries are still there?

Also, the same list of drivers shows three starting with "Remote Access" -- starting with:

Remote Access Auto Connection Manager

These entries have gray diamonds without yellow balls or exclamation points. Should they be there?




Any other info or suggestions for either of these two problems would be more than welcome!

Thanks!

Edited by Capn Easy, 06 December 2008 - 12:02 AM.


#11 ruby1

Posted 06 December 2008 - 04:01 AM

I suggest please you update both the Malwarebytes and SUPERAntiSpyware programs so you have current definitions on there, reboot the computer and rerun their scans again.

We need you to post both old and new reports from both programs to see what has been on there, please.

#12 Capn Easy

Posted 06 December 2008 - 05:29 PM

After my last post last night I updated MBAM, Spybot, SUPERAntiSpyware, Ad-Aware, and Avast! -- I always update before running, but I did deliberately update them all. I manually deleted cookies from Firefox. Then I rebooted in Safe Mode. I ran all of them, plus ATF Cleaner.

I'll post the logs, but I ran them all -- SUPERAntiSpyware and Avast! both take several hours, so I just got back on.

This time all programs reported "no infections found."


As soon as I rebooted back into Normal mode I tried Google again -- searching for "digital camera" as before. Once again, my first click was hijacked to alibaba. The address bar very briefly flashed something to the effect of "redirect/goored.com ..." first, but too quickly for me to catch the full address.

The logs will follow.

Thanks


EDIT: The redirect has happened a couple of times, still too fast for me to really catch, but it looks more like "redirect ... google.goored"

Edited by Capn Easy, 07 December 2008 - 12:36 AM.


#13 Capn Easy

Posted 06 December 2008 - 05:31 PM

MBAM log from last night's run in Safe Mode:


Malwarebytes' Anti-Malware 1.31
Database version: 1466
Windows 5.1.2600 Service Pack 3

12/6/2008 12:30:56 AM
mbam-log-2008-12-06 (00-30-56).txt

Scan type: Quick Scan
Objects scanned: 54618
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Capn Easy

Posted 06 December 2008 - 05:33 PM

Uhmm -- where does SUPERAntiSpyware keep its logs? I don't want to go mucking around in there blindly.

Thanks

#15 Capn Easy

Posted 06 December 2008 - 05:46 PM

Also, I found some info at the Mozilla forum, here:

http://forums.mozillazine.org/viewtopic.php?f=38&t=948945&p=4987275



For the record, I had to find it with Google, and I had a very difficult time getting there. I had to open a cached version of a page that linked to this one and then follow the link. I assume this worm is trying to defend itself.

Again, I appreciate all your help, and I remain very concerned about my computer's health!

Thanks

Edited by Capn Easy, 06 December 2008 - 05:46 PM.
