New Virus that locks taskmgr, registry and corrupts hijackthis?
#1 Richard Sharpe
Posted 16 December 2008 - 02:39 AM

I have been struggling with a virus infestation on a Win XP Home machine. It does the following:

1. Locks regedit and taskmgr out
2. Writes an autorun.inf file to any USB or other drives and puts a random .exe, .pif, or whatever file on there.
3. Prevents SystemInternals tools from running by causing a floating point exception of some sort.
4. Prevents HiJackThis and ComboFix from running by doing something to them.

It does not prevent malwarebytes from running, and you can delete an offending registry entry that prevents running taskmgr, but you have to change a registry setting and then you only get one chance to run taskmgr. After that, it is locked out.

Has anyone seen this? Are there any tools or hints on how to remove it?

#2 Richard Sharpe
Posted 16 December 2008 - 10:36 AM

In looking at the delivery vehicle (the .cmd, .exe, .pif) I notice what looks like a fragment of a registry key:

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

#3 Richard Sharpe
Posted 16 December 2008 - 10:56 AM

Based on the Unicode strings in the infection vector it seems to masquerade as NotePad ... even has a Microsoft Copyright in it.

#4 Richard Sharpe
Posted 16 December 2008 - 12:08 PM

The size of the file written to the USB drive was 171519 bytes, which is more than twice the size of notepad.exe and notepad.exe looks OK in C:\Windows and C:\Windows\System32 but I only took a cursory glance ...

Time to run a Linux rescue CD by the look of things.

#5 quietman7
Posted 16 December 2008 - 01:14 PM

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Richard Sharpe
Posted 16 December 2008 - 10:12 PM

Thank you for your reply. Those steps did not help.

I first ran mbam and removed the Hijack.Taskmanager thing and rebooted.

Then I downloaded the Flash_Disinfector.exe utility as you suggested and ran it. I then let the system reboot and ran mbam again. Here is the log:

Malwarebytes' Anti-Malware 1.31
Database version: 1504
Windows 5.1.2600 Service Pack 3

12/16/2008 6:52:50 PM
mbam-log-2008-12-16 (18-52-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154432
Time elapsed: 1 hour(s), 12 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After I rebooted, I plugged the USB key back in. I had manually removed the autorun.inf file and the xdnwfx.cmd file via a Linux machine, so I know they were gone, and in any event I had crippled xdnwfx.cmd by changing the names of all the DLLs early on in the file and changing one byte in the header (and indeed, plugging that key in caused the automatic action to fail).

Now, lo-and-behold, I have a new autorun.inf file and a file called nlncwy.exe. They are both the same size: 171519, but they differ in content. The various sections have been moved around, as if to prevent discovery. It might be possible to find this thing by doing a file scan, however, because they each contain the following:

00008920: 0700 4d00 4100 4900 4e00 4100 4300 4300 ..M.A.I.N.A.C.C.
00008930: 0900 5300 4c00 4900 5000 5500 5000 4100 ..S.L.I.P.U.P.A.
00008940: 4300 4300 1000 4e00 5000 4500 4e00 4300 C.C...N.P.E.N.C.
00008950: 4f00 4400 4900 4e00 4700 4400 4900 4100 O.D.I.N.G.D.I.A.
00008960: 4c00 4f00 4700 0000 0000 0000 0000 0000 L.O.G...........
00008970: 3c3f 786d 6c20 7665 7273 696f 6e3d 2231 <?xml version="1
00008980: 2e30 2220 656e 636f 6469 6e67 3d22 5554 .0" encoding="UT
00008990: 462d 3822 2073 7461 6e64 616c 6f6e 653d F-8" standalone=
000089a0: 2279 6573 223f 3e0d 0a3c 6173 7365 6d62 "yes"?>..<assemb
000089b0: 6c79 2078 6d6c 6e73 3d22 7572 6e3a 7363 ly xmlns="urn:sc
000089c0: 6865 6d61 732d 6d69 6372 6f73 6f66 742d hemas-microsoft-
000089d0: 636f 6d3a 6173 6d2e 7631 2220 6d61 6e69 com:asm.v1" mani
000089e0: 6665 7374 5665 7273 696f 6e3d 2231 2e30 festVersion="1.0
000089f0: 223e 0d0a 3c61 7373 656d 626c 7949 6465 ">..<assemblyIde
00008a00: 6e74 6974 790d 0a20 2020 206e 616d 653d ntity.. name=
00008a10: 224d 6963 726f 736f 6674 2e57 696e 646f "Microsoft.Windo
00008a20: 7773 2e53 6865 6c6c 2e6e 6f74 6570 6164 ws.Shell.notepad
00008a30: 220d 0a20 2020 2070 726f 6365 7373 6f72 ".. processor
00008a40: 4172 6368 6974 6563 7475 7265 3d22 7838 Architecture="x8
00008a50: 3622 0d0a 2020 2020 7665 7273 696f 6e3d 6".. version=
00008a60: 2235 2e31 2e30 2e30 220d 0a20 2020 2074 "5.1.0.0".. t
00008a70: 7970 653d 2277 696e 3332 222f 3e0d 0a3c ype="win32"/>..<
00008a80: 6465 7363 7269 7074 696f 6e3e 5769 6e64 description>Wind
00008a90: 6f77 7320 5368 656c 6c3c 2f64 6573 6372 ows Shell</descr
00008aa0: 6970 7469 6f6e 3e0d 0a3c 6465 7065 6e64 iption>..<depend
00008ab0: 656e 6379 3e0d 0a20 2020 203c 6465 7065 ency>.. <depe
00008ac0: 6e64 656e 7441 7373 656d 626c 793e 0d0a ndentAssembly>..
00008ad0: 2020 2020 2020 2020 3c61 7373 656d 626c <assembl
00008ae0: 7949 6465 6e74 6974 790d 0a20 2020 2020 yIdentity..
00008af0: 2020 2020 2020 2074 7970 653d 2277 696e type="win
00008b00: 3332 220d 0a20 2020 2020 2020 2020 2020 32"..
00008b10: 206e 616d 653d 224d 6963 726f 736f 6674 name="Microsoft
00008b20: 2e57 696e 646f 7773 2e43 6f6d 6d6f 6e2d .Windows.Common-
00008b30: 436f 6e74 726f 6c73 220d 0a20 2020 2020 Controls"..
00008b40: 2020 2020 2020 2076 6572 7369 6f6e 3d22 version="
00008b50: 362e 302e 302e 3022 0d0a 2020 2020 2020 6.0.0.0"..
00008b60: 2020 2020 2020 7072 6f63 6573 736f 7241 processorA
00008b70: 7263 6869 7465 6374 7572 653d 2278 3836 rchitecture="x86
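The two observations above (an autorun.inf that launches a dropped file, and dropped files that embed notepad's own assembly manifest) can be turned into a simple triage scan. The following is an added example, not code from this thread or from any tool named in it. It assumes a default %SystemRoot% layout for where a genuine notepad.exe may live, and the sample "drive" it builds is constructed in a temp directory; only the manifest marker string comes from the hex dump in the post.

```python
"""Triage helper for the removable-drive worm pattern discussed in this thread:
enumerate what an autorun.inf would launch, and find files that carry the
Notepad assembly manifest but live outside the Windows system directories.
Added example; not code from the thread or from any tool named in it.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Marker taken from the hex dump above: the assemblyIdentity name of notepad's
# own manifest, which the dropped files (xdnwfx.cmd / nlncwy.exe) copy verbatim.
NOTEPAD_MANIFEST_MARKER = b'name="Microsoft.Windows.Shell.notepad"'

# Parent directories in which a genuine notepad.exe is expected (assumption:
# a default %SystemRoot%; extend for dllcache / ServicePackFiles if needed).
LEGITIMATE_NOTEPAD_PARENTS = {"windows", "system32"}

# Keys in the [autorun] section that cause something to execute.
_LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_autorun_targets(text: str) -> List[str]:
    """Return the command lines an autorun.inf would run via open=, shellexecute=
    or shell\\<verb>\\command=. Tolerates junk lines and odd casing, which
    worm-written autorun.inf files often use to confuse naive parsers."""
    targets: List[str] = []
    in_autorun = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_autorun = s[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = _LAUNCH_KEY.match(line)
        if m:
            targets.append(m.group(2).strip().strip('"'))
    return targets


def carries_notepad_manifest(path: str) -> bool:
    """True if the file embeds notepad's manifest identity string."""
    try:
        with open(path, "rb") as fh:
            return NOTEPAD_MANIFEST_MARKER in fh.read()  # dropped files are small
    except OSError:
        return False


def is_legitimate_notepad_location(path: str) -> bool:
    """notepad.exe directly under \\Windows or \\Windows\\System32 is expected;
    anything else carrying its manifest is worth a look."""
    parts = os.path.normpath(path).replace("/", "\\").lower().split("\\")
    return len(parts) >= 2 and parts[-1] == "notepad.exe" and parts[-2] in LEGITIMATE_NOTEPAD_PARENTS


def scan_tree(root: str) -> Dict[str, List[Tuple[str, object]]]:
    """Walk a drive or folder; collect (autorun.inf path, command) pairs and
    (file path, size) pairs for manifest-carrying files in unexpected places.
    A *directory* named autorun.inf (what Flash_Disinfector creates) is not a
    file and is ignored."""
    findings: Dict[str, List[Tuple[str, object]]] = {"autorun_targets": [], "suspicious_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                try:
                    with open(path, "r", errors="replace") as fh:
                        for cmd in parse_autorun_targets(fh.read()):
                            findings["autorun_targets"].append((path, cmd))
                except OSError:
                    pass
            elif carries_notepad_manifest(path) and not is_legitimate_notepad_location(path):
                findings["suspicious_files"].append((path, os.path.getsize(path)))
    return findings


def build_sample_drive() -> str:
    """Create a constructed mock of an infected drive in a temp directory.
    File contents are invented for the example; only the marker string is real."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "windows"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(";junk\n[AutoRun]\nOPEN=nlncwy.exe\nshell\\open\\Command=\"nlncwy.exe\"\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    with open(os.path.join(root, "nlncwy.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + NOTEPAD_MANIFEST_MARKER + b"\x00" * 32)
    with open(os.path.join(root, "windows", "notepad.exe"), "wb") as fh:
        fh.write(b"MZ" + NOTEPAD_MANIFEST_MARKER)  # stand-in for the real notepad
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("harmless\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for key, items in scan_tree(drive).items():
        print(key)
        for item in items:
            print("  ", *item)
```

Run it against a mounted USB key's root instead of the sample directory to list what its autorun.inf would launch and which files carry the copied manifest; a legitimate notepad.exe in its normal location is left out of the report, so a hit is a file to quarantine and submit, not something to execute.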

#7 Richard Sharpe
Posted 16 December 2008 - 10:14 PM

When I say both above, I mean both the virus payload files.

If need be I can upload them.

#8 Richard Sharpe
Posted 16 December 2008 - 10:18 PM

OK, it seems to be a variant of this:

http://www.trendmicro.com/vinfo/virusencyc...N-O&VSect=T

#9 Richard Sharpe
Posted 17 December 2008 - 02:40 AM

As soon as I plug in the network this thing tries to connect to hosts all over the place via UDP. Places like India and so forth. I have everything but a few ports blocked. However, would like to know if I have to reinstall this machine from scratch.

#10 quietman7
Posted 17 December 2008 - 08:25 AM

I have moved (split away) your HijackThis log to the HijackThis Logs and Malware Removal forum as they are not permitted in this forum. Please go here, click on the Options button in the upper right corner of that thread and choose Track this topic. Subscribe to that topic to ensure you are notified when a helper replies.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".