Win32 Worm Zhelatin


This topic is locked
3 replies to this topic

#1 Enigm@
Posted 15 March 2009 - 05:19 AM

Hello,

I've been infected with Worm Zhelatin and it took me 15 days to detect where the problem was.
Finally I've detected it with Lavasoft Ad-Aware and I've put it in quarantine.

Now I need additional help and to make sure everything is clean.

The symptoms I've had are that shortly after start up (some 15 minutes) my computer got frozen in the morning and sometimes even randomly in the afternoon.
In the event log I've found these errors related to Zone Alarm firewall:

The error I receive is:

Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 13.3.2009
Time: 6:43:36
User: N/A
Computer: OEM
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt, restoring from backup "C:\WINDOWS\Internet Logs\BACKUP.RDB".


Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 13.3.2009
Time: 6:43:36
User: N/A
Computer: OEM
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB4.tmp". File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt and has been deleted.


Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 13.3.2009
Time: 6:43:37
User: N/A
Computer: OEM
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\OEM.ldb" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB5.tmp". File "C:\WINDOWS\Internet Logs\OEM.ldb" was corrupt and has been deleted.


When it froze I couldn't do anything but restart: my mouse and keyboard didn't respond, I couldn't access Task Manager, and even the clock in the tray was frozen. After reboot it took a long time (two or more minutes) to get to the desktop.

I also get Cdrom error no. 11 in the event log, which I thought was because I recently bought a new CD-ROM burner, but after a lot of searching on the internet I found it is also related to this worm.

Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 11
Date: 14.3.2009
Time: 22:01:15
User: N/A
Computer: OEM
Description:
The driver detected a controller error on \Device\CdRom0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:


Before I detected it last night I ran scans with my CA eTrust Internet Security Suite (including eTrust Pest Patrol), Malwarebytes' Anti-Malware, SAS, an online scan with Bitdefender, NOD32, Trend Micro RUBotted, F-Secure's Blacklight rootkit detector, Rootkit Unhooker and Spyhunter, and none of them showed an infection. Last night I also ran CCleaner to clean up my registry.
As far as I can analyze my HijackThis log, it seems OK to me and never showed an infection.

I've found the following about this worm and I've had exactly the same symptoms.

"It also disables Windows File Protection and then infects the C:\Windows\system32\dllcache copy of tcpip.sys.

After doing all this, it goes dormant until the next reboot to further avoid detection.

The code patched into tcpip.sys is designed to load the spooldr.sys driver, which is the main rootkit component of the Zhelatin worm. Once active, spooldr.sys attempts to hide spooldr.exe, spooldr.sys.

Interestingly, the trojan disables a number of security utilities, such as F-Secure’s Blacklight rootkit detector and the ZoneAlarm firewall."


Currently I'm running Windows Firewall to avoid computer freezing, but I still cannot use burning programs.

I need your help to make my system clean if there are maybe still some infected parts remained, so I can activate Zone Alarm firewall again.

Thank you in advance for your help.

Regards

Edited by Enigm@, 15 March 2009 - 05:20 AM.
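The quoted description names two artifacts a defender can check for without running any of the scanners listed: a patched Windows File Protection backup of tcpip.sys in dllcache, and the spooldr.sys / spooldr.exe rootkit components. The script below is an added, read-only example and is not from this thread or from any vendor; it assumes an elevated PowerShell 2.0 or later prompt, and the helper name Get-FileSha256 is my own.

```powershell
# Added example (not from the thread): read-only checks for the artifacts named in the quoted text.
# Assumes an elevated PowerShell 2.0+ prompt. Uses .NET SHA256 so it also works without Get-FileHash.

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

$sysRoot = $env:SystemRoot
$live  = Join-Path $sysRoot 'system32\drivers\tcpip.sys'
$cache = Join-Path $sysRoot 'system32\dllcache\tcpip.sys'

# 1. The live driver and its WFP backup copy are normally identical. A mismatch deserves a look;
#    a match proves nothing on its own, since the text says both copies get patched, so compare
#    the hash against a known-good tcpip.sys from the same service-pack level as well.
if ((Test-Path $live) -and (Test-Path $cache)) {
    $h1 = Get-FileSha256 $live
    $h2 = Get-FileSha256 $cache
    if ($h1 -ne $h2) {
        Write-Warning "tcpip.sys differs: drivers\ = $h1, dllcache\ = $h2. Run 'sfc /scannow' and compare with a known-good copy."
    } else {
        Write-Output "tcpip.sys: live and dllcache copies match ($h1); compare this hash with a known-good copy."
    }
} else {
    Write-Warning "A tcpip.sys copy is missing: $live or $cache"
}

# 2. Files, driver registration and service key carrying the rootkit component's name.
$suspect = @(
    (Join-Path $sysRoot 'system32\spooldr.exe'),
    (Join-Path $sysRoot 'system32\spooldr.sys'),
    (Join-Path $sysRoot 'system32\drivers\spooldr.sys')
)
foreach ($p in $suspect) {
    if (Test-Path $p) { Write-Warning "Found $p" }
}
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='spooldr'"
if ($drv) { Write-Warning "Kernel driver 'spooldr' registered: $($drv.PathName) (state $($drv.State))" }
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\spooldr'
if (Test-Path $key) { Write-Warning "Service key present: $key" }
```

Because the quoted text says spooldr.sys hides its own files once loaded, a clean result from these user-mode checks on a running system is not conclusive; checking the same paths from rescue media or another OS instance is the reliable variant.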


#2 KoanYorel

Posted 27 March 2009 - 01:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Enigm@

Posted 29 March 2009 - 08:41 AM

Thank you for your help, but I've had to do a format, because it was badly infected; in fact it was infected with Storm worm / Botnet.

You can close this topic.
Thanks once more.

#4 KoanYorel

Posted 29 March 2009 - 08:43 AM

Thanks for informing us what you have done.

The formatting was probably the best choice.

Good luck.

This thread is closed.