
Malware blocks scanners, search engines, and IE7


6 replies to this topic

#1 Smedlow


Posted 26 February 2009 - 08:41 PM

OK,
I am the dutiful son who is trying to help out Dad. From 3000 miles away, and not for the first time.

Here are the particulars.

Internet Antivirus Pro was installed, much to my chagrin, but walking him through its removal was impossible. A few days later, I logged in to his XP SP3 computer and uninstalled it as well as removed the files and registry keys associated with it. I used NTR Control (which I recommend, by the way. The only disadvantage with the free edition is no file transfer) He was running AVG Antivirus Free which would not update and did not find any viruses. After being unable to update it, I uninstalled it and installed and updated ETrust Antivirus, and with the current definitions, found one virus (Win32/VMalum.ENIQ) for which I deleted the file. About this time I discovered that IE7 wouldn't load and wanted to send a message to Microsoft. Also, using Firefox, links in the Google or Yahoo search engine would switch to something else when clicked on. Dogpile worked OK though.

I downloaded and installed Ad-aware which I couldn't update normally. I downloaded the definitions on my computer and installed them remotely. Only a dozen cookies and two malware were found which surprised me because there is usually a bigger list of fairly innocuous stuff. I tried to download Spybot Search and Destroy, but the site was blocked. I downloaded it along with current definitions and uploaded to his computer, but it will not run.

I can get to Microsoft.com on Firefox, but can not get to Windows Update or Microsoft Update. I get sidetracked to Google.

In safe mode, I downloaded SDFix which found nothing I could see. In safe mode, I put Malwarebytes Anti Malware and it found the following:

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 101118
Time elapsed: 13 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\InternetAntivirusPro.exe (Rogue.Installer) -> No action taken.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> No action taken.

I rescanned with Etrust and found nothing.

IE7 still will not run. Update....I reset all the IE7 settings from Internet Options in the control panel and I got IE7 running again.
Spybot S and D will not run or update
Ad Aware will not update
Malwarebytes Anti Malware won't update, but its definitions are from Feb 11, 2009

Running Malwarebytes Anti Malware again NOT in Safe Mode gave me two Trojans noted below:

Files Infected:
C:\WINDOWS\system32\gaopdxppexrmql.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxewmyqvpa.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Windows firewall is running, but I created exceptions for all the above programs.
There are no odd processes running.
TCP/IP addresses for the computer and DNS server are being assigned automatically.
LMHosts file has nothing in it.
Something is obviously still going on. I would love some help finding it. Thanks in Advance


Update....Not to waste everyone's time but I reset all the IE7 settings from Internet Options in the control panel and I got IE7 running again. Then I tried to run Spybot and update Adaware, and they ran and updated properly. There was something in IE7 settings, apparently, that was limiting normal internet access. This may be something that could help others in the future.

WAIT.....I scanned again with Spybot and it brought out the W32.TDSS.rtk and said it removed it from two files. I thought I would go ahead and run Combofix and tried to file transfer from my computer, but although it transferred, it wasn't there when I went to run it. Then, I tried to download it from the links in this forum. From link 1, it downloaded, but wasn't there. Then link 1 was dead. From link 2, same story. From link 3, I changed the name and file type to a zip file just to get it downloaded, and the file download crashed. Now that's weird. OK....now Any Ideas.......

Edited by garmanma, 27 February 2009 - 10:49 AM.
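A defender-side check for the Trojan.DNSChanger finding in the MBAM log above (the hard-coded NameServer values). This is an added PowerShell example, not code from the thread or from any of the tools mentioned; it assumes a Windows box with PowerShell available and uses only the Tcpip\Parameters registry key named in the log plus the standard per-interface values (EnableDHCP, NameServer, DhcpNameServer).

```powershell
# Added example, not from the thread: audit the TCP/IP NameServer registry values that
# the MBAM log reported as Trojan.DNSChanger (Data: 85.255.112.39,85.255.112.40).
# A static NameServer string overrides DHCP-assigned DNS, so the GUI can say "obtain
# DNS automatically" while every lookup still goes to the attacker's resolvers.
$RogueDns = @('85.255.112.39', '85.255.112.40')   # the two addresses quoted in the log
$Tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Test-NameServer {
    param(
        [string]$Where,        # registry location, for the report line
        [string]$Value,        # raw NameServer string (space- or comma-separated)
        [bool]$DhcpEnabled     # interface uses DHCP, so a static entry is suspicious
    )
    if ([string]::IsNullOrWhiteSpace($Value)) { return }
    foreach ($server in ($Value -split '[ ,]+' | Where-Object { $_ })) {
        if ($RogueDns -contains $server) {
            "ALERT  $Where : known rogue DNS server $server"
        } elseif ($DhcpEnabled) {
            "REVIEW $Where : static DNS $server although DHCP is enabled"
        } else {
            "INFO   $Where : static DNS $server"
        }
    }
}

# Global value: the key MBAM flagged. A resolver set here applies to every adapter,
# so any non-empty value deserves review on a machine that is supposed to use DHCP.
$global = Get-ItemProperty -Path $Tcpip -ErrorAction SilentlyContinue
Test-NameServer -Where 'Tcpip\Parameters' -Value $global.NameServer -DhcpEnabled $true

# Per-adapter values live under Interfaces\{GUID}: EnableDHCP, NameServer (static)
# and DhcpNameServer (what the DHCP server actually handed out).
Get-ChildItem -Path "$Tcpip\Interfaces" | ForEach-Object {
    $iface = Get-ItemProperty -Path $_.PSPath
    $dhcp  = ($iface.EnableDHCP -eq 1)
    Test-NameServer -Where "Interfaces\$($_.PSChildName)" -Value $iface.NameServer -DhcpEnabled $dhcp
    if ($dhcp -and $iface.DhcpNameServer) {
        "INFO   Interfaces\$($_.PSChildName) : DHCP-assigned DNS $($iface.DhcpNameServer)"
    }
}
```

Run it from an elevated prompt; as the log shows, the same value also sits under ControlSet001 and ControlSet003, so a cleanup should check those control sets as well as CurrentControlSet.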



#2 Smedlow


Posted 27 February 2009 - 12:47 AM

OK, I tried to be trickier. I zipped the file into a random file name, then file transferred it to Dad's computer, and it was there on the desktop until I closed the transfer window, and it disappeared. More suggestions? And by the way, another Spybot S and D scan showed nothing.

Edited by Smedlow, 27 February 2009 - 12:47 AM.


#3 Queen-Evie


Posted 27 February 2009 - 01:26 AM

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix
It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained in the use of the program. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


It may be a good thing that you are having issues getting Combofix to work.

Someone who is more knowledgeable than I am will have to give you guidance in malware removal.
Please be patient until an expert shows up to help you.
I can also put out a call for one of them to review your topic.

Mods and malware experts have been informed. One of them will advise you on what you need to do. If he/she feels a HJT log is needed, the expert will send you to the proper forum for HJT logs. A member of the HJT team will view your log, and if ComboFix is called for will guide you through its use.

Edited by Queen-Evie, 27 February 2009 - 03:04 AM.


#4 garmanma


Posted 27 February 2009 - 10:48 AM

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Moving to AII
Mark

#5 Eric RBA


Posted 27 February 2009 - 11:08 AM

Might I also add that you will need to run the removal/fix programs while not in Safe Mode, particularly Malwarebytes, because Malware will not actually run and operate in a way that will be found and resolved by most removal programs and tools.

#6 Smedlow


Posted 27 February 2009 - 11:40 AM

I have run Malwarebytes AntiMalware in normal mode and have closed down all the malware scanners. The fact that either a zip file containing ComboFix or the program itself can't exist on the computer in normal mode is intriguing. A rar archive with ComboFix in it can exist but not a zip. Changing the name of ComboFix doesn't matter. It is immediately deleted.

I restarted the computer in Safe Mode and have successfully gotten ComboFix on the desktop. I have not yet run it.


I ran RootRepeal and it reveals the following:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/02/27 09:03
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8B87000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EC000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8B37000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\NTR global\NTRconnect\ntrsm.log
Status: Size mismatch (API: 4246674, Raw: 4245153)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba0f887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba0f8c10

Hidden Services
-------------------
Service Name: gaopdxserv.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxewmyqvpa.sys

Lbd.sys is apparently part of Ad-Aware.
The hidden service with the funny name however, I can't find on the computer.
The file name doesn't exist. Even from the command prompt.
I tried to delete the file RootRepeal and it can't find it either.

It seems that whoever programmed this thing was scared of ComboFix.
Can I run ComboFix in Safe Mode?
Suggestions?

#7 Smedlow


Posted 27 February 2009 - 01:30 PM

From Safe Mode, I was able to run ComboFix which eliminated (permanently, I hope) gaopdxewmyqvpa.sys from hidden services. As I said before, it has always been invisible in the System32/drivers/ directory, even to the program that reported that it was present and running (RootRepeal). Anyway, I brought Windows back from Safe Mode to normal and, as I feared, ComboFix was no longer on the desktop. I tried again unsuccessfully to extract it from the .rar archive I have it stored in.

Something will not let it exist anywhere in the explorer shell. Without being able to see the file or see it run, it is quite perplexing. The computer seems to be running normally other than that.

Edited by Smedlow, 27 February 2009 - 01:31 PM.

