Malware from heck

I'm hoping by posting this here, I might get some insight.

Posting this here in case anyone else has seen the like.

Will keep updating the blog until it's resolved in case that helps anyone with the same problem.

http://sami_mikhail.posterous.com/virusmal...-anyone-know-wh

Details are in the blog rather than posting whole saga here because I'm hoping to chase this down through multiple forums. Hope this is acceptable.

Thanks in advance for any help and/or suggestions.

Edited by thesamim, 10 August 2009 - 01:29 AM.

The names of those advertisements are important, that's what identifies the family of malware.

The names of those advertisements are important, that's what identifies the family of malware.

Thanks Chewy.

The ads were for a number of unrelated consumer products (Chevy, Netflix, MyPyramid.gov (in spannish of all things!) etc) that didn't seem to have a relating pattern.

Does that tell us anything?

Posted an update to http://sami_mikhail.posterous.com/

Edited by thesamim, 10 August 2009 - 09:12 AM.

Since you have thread posted over at the MBAM HJT forum we should close this thread

I see you have an open HJT topic here: Malwarebytes Please follow only the advice of the HJT team member @ Malwarebytes who takes you topic. Altering your computer by running scans from two forums will confuse the clean process and possibly crash your computer.

If you have any questions, please send me a message.

Thanks,
rigel
BleepingComputer Forums Moderator

This thread has been reopened per request of the member. The thread at Malwarebytes has been closed.

Please refrain from posting a link to your blog with every reply. It is visible in the several posts in this topic. Thanks

Would you copy and paste the startup list and process list into a reply here, the attached files are basically unreadable.

Rigel: Thanks for re-opening the thread.

DaChew: Thanks for the offer to help.

I THINK I am clean now, but am not positive. Please see the last blog post for the steps I took.

Here is the Hijackthis log after cleaning and remounting the hard drive.

****Combofix and HJT logs cannot be worked in this forum.
If you see anything else I need to do I would certainly appreciate hearing about it.

Thanks again for the support and for providing a forum for that support.

Edited by rigel, 17 August 2009 - 07:06 PM.

Download Sophos Anti-rootkit & save it to your desktop.
Be sure to read the Sophos Anti-Rookit User Manual. A copy of this manual sarman.pdf can also be found inside the program folder after installation.

• Double-click sarsfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
  • Running processes
  • Windows Registry
  • Local Hard Drives
• Click "Start scan".
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will be done when you restart your computer. Click "Restart Now".
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.

[...]
[*]Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click

It only found hidden files marked as "Removable: Yes (but clean up not recommended for this file)". None recommended for removal.

Should I go ahead and paste the log here?

Post the log

Post the log

Here it is:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/18/2009 at 15:43:41 PM
User "Jenny" on computer "MAMA"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\mbam\zztoy.com
Hidden: file C:\WINDOWS\system32\hkcmd.exe
Hidden: file C:\WINDOWS\system32\igfxtray.exe
Hidden: file C:\WINDOWS\foo
Hidden: file C:\sas\SUPERAntiSpyware.exe
Hidden: file C:\Program Files\mbam\winlogon.exe
Hidden: file C:\sasII\sas.exe
Hidden: file C:\hjt\llll.com
Hidden: file C:\WINDOWS\$NtUninstallKB828035_RTM$\wkssvc.dll
Hidden: file C:\WINDOWS\$NtUninstallKB828035_RTM$\msgsvc.dll
Hidden: file C:\WINDOWS\$NtUninstallKB824141_RTM$\user32.dll
Hidden: file C:\WINDOWS\$NtUninstallKB824141_RTM$\win32k.sys
Hidden: file C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll
Hidden: file C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll
Hidden: file C:\WINDOWS\$NtUninstallKB824141$\user32.dll
Hidden: file C:\WINDOWS\$NtUninstallKB824141$\win32k.sys
Hidden: file C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx
Hidden: file C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll
Hidden: file C:\auto\aa.exe
Hidden: file C:\WINDOWS\system32\MRT.exe
Info: Starting disk scan of E: (FAT).
Stopped logging on 8/18/2009 at 17:15:04 PM

Edit to add:
In case it's not entirely obvious:
C:\Program Files\mbam\zztoy.com
C:\Program Files\mbam\winlogon.exe
C:\sas\SUPERAntiSpyware.exe
C:\sasII\sas.exe
C:\hjt\llll.com

were my attempts at renaming malwarebytes, superantispyware and hijackthis executables to run while the virus was active.

Also: not understanding why they are identified as hidden files, because I can see them with a regular "dir" command from the prompt...

Edited by thesamim, 18 August 2009 - 11:08 PM.

Your rootkit is a new one that hides/terminates all those scanners, it's extremely complicated and hard to remove, forget your blog as all techniques have to be custom designed to fit the infection, this will require a trained expert to remove, and even then it's an iffy proposition and can mean a lengthy wait.

We can throw some heavy duty removal tools at it but might just be wasting our time.

The best option is just format and reload the OS.

Your rootkit is a new one that hides/terminates all those scanners, it's extremely complicated and hard to remove, forget your blog as all techniques have to be custom designed to fit the infection, this will require a trained expert to remove, and even then it's an iffy proposition and can mean a lengthy wait.

We can throw some heavy duty removal tools at it but might just be wasting our time.

The best option is just format and reload the OS.

Formatting and Reloading is an option of last resort.

So, talk to me about the heavy duty removal tools and how we proceed.

BTW: Does the behavior of the rootkit change? Because I am now able to run all those scanners. The one bit of oddity left is: I set up the dos prompt properties for quick edit and did the registry entry change for auto-completion, but those changes have reverted back.

http://www.bleepingcomputer.com/forums/t/250928/instructions-for-posting-advice-in-am-i-infected/

The advice I can give you, is to read this post.