Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple infections [Split and merged]


  • Please log in to reply
6 replies to this topic

#1 cpu food poisoning

cpu food poisoning

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 11 August 2009 - 06:00 PM

I bumped into the very same difficulties about 3 nights ago- been working slowly through the symptoms ever since. I've now gotten to the point where there's no obvious infection running while I'm in windows, and functionality has returned, however it's obvious theres a remnant running somewhere (mbr?) as more scans through the windows directory will fail/close immediately, and then the exe will be corrupted.

Here's how it started-

I'm pretty confident my only recent exposure to anything I acknowledged was installing a WMP 6.4 shim from a trusted news media webpage, and an email with "3:21:39 PM Fotos 31/07. :

Imagens anexadas: DSC_0467.jpg - DSC_0468.jpg - DSC_0469.jpg

"
As the body- the "images" were actually links to tiny url pages that all gave bogus looking 404's.

So initially, while running on a boot that was over a month old, Windows Antivirus Pro popped up- I responded to everything it asked in the negative, but quickly found myself penned in and unable to do much else other than buy the software. I unplugged from the next and began looking for processes to kill in the Task Manager- soon after the task manager stopped working.

I opened the MMC and began looking for new services- being comfortable with what is normally on my box and running, I found a hose of new garbage. The first I killed, and the only thing I've not found a trace of since (which worries me more) was listed as "6to4" (seemingly pretending to be an IPv6 translator) but had a poorly cut/pasted description from a photoshop image filter in it's description. Upon disabling it it vanished from the list.

Also I found Secret Security, SofatNet, EvdO Server, SvcHast, and a number of random names in the c:\windows folder (many totally random, many with msXXXXX.exe).

Cleaning everything that I could through the services panel I ended up without the ability to open IE- during the process it had already been hijacked however, as I was unable to research removal. I actually found this forum while looking for a way to remove AntiVirus Pro, but was redirected to a search for adult bookstores in IL (i'm in NY).

In the background it sounded like a spanish movie was playing, trailers and all- but I couldn't identify what it was, or where it came from. I decided to pull up your forum on my iphone and shut down.

Upon a reboot into safe mode I was advised I would now need to re-activate windows and could not use safe mode. I tried again repeatedly (hoping it was fake) until I made it in under safe mode w/out networking. Regedit was disabled, the windows installer wouldn't allow me to install anything, taskmanager and folder options were both gone.

Deciding I didn't want to slave the HDD into another box for cleaning, as I didn't yet know exactly what I had, following advice here I tried installing various packages recommended. The -only- one, after trying malware bytes, root repeal, superantispyware, PrevX, Avast, and AdAware, to work and actually complete a scan (even GMER failed out after file scanning through \windows\) was sysclean from trendmicro, with current virus definitions in place, though it somehow missed my spyware defs.

It found and quarantined a host of the very same files I'd seen from my services panel, and after playing with gpedit.msc and some registry edits I got regedit open again and cleaned the traces to those files again.

20 reboots later, and a lot of lather/rinse/repeat I still had something opening my windows firewall up and adding "services.exe" to the exceptions despite restoring defaults and disabling that particular entry every 3 minutes. I got Symantec's Corp Client v.9 running in auto protect without closing, and Avast running it's other 4 options (skipping scan on run) and finally booted back to normal mode.

I did have to reactivate, which went smoothly, but I'd hoped was only fake windows. I still can't scan, with anything other than sysclean from TrendMicro through the windows directory without it failing and being corrupted (requires reinstall) which includes using HiJackthis.

I have clean (everything expected) netstat -a when run, and no processes I don't recognize (not to say there's not something piggybacked with another 40 payloads just waiting to drop). So mostly it seems clean, but I know there's something left, but I can't find a tool tough enough to be rid of it.

Jack, the best advise I have for you is to not be frustrated, and download the newest defs and sysclean from trendmicro, starting there- then find the registry key that says it will reenable task manager, and one for regedit.

Run gpedit.msc from start > run and see if anything looks way out of place or abnormal, and at the very least you can turn back on the ability to see (and thus rename) file extensions and hidden files.

Otherwise, I'm sure someone here will soon have some advice- and hopefully they'll skip the "grab MalWareBytes and scan" route, as I'd already tried that.

Thoughts/Comments/Questions welcomed- and thanks to EVERYONE on this board, both for their problems, and for the 150 different solutions I mashed together to get working again- sincerely.

It's been a good 15 years since I bumped into anything that worked any quicker than I did, and it's a humbling experience to find your hands tied and just short of booting to dos to manually kill files you don't recognize.

Thanks,

Split from this topic: http://www.bleepingcomputer.com/forums/t/248693/every-attempt-fails-programs-close-malwarebytes-avast-hijackthis-housecall-moved/ ~ OB

Edited by Orange Blossom, 12 August 2009 - 08:45 PM.


BC AdBot (Login to Remove)

 


#2 cpu food poisoning

cpu food poisoning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 11 August 2009 - 06:17 PM

I've had the EXACT same troubles listed here- the inability to clean whatever is killing the AV/Scanner software is the last piece I think I have left to clean.

Even GMER errors out while scanning through c:\windows

As Beauty Dies- I suggest you reinstall, but not run yet any of the failed scanning programs. When they're closed/killed mid scan, the exe is modified- I haven't found anyone with a decent understanding of what exactly is running, so it's conceivable it could be redistributing new payloads into those executables.

Also not having any luck with: RootRepeal, MalWareBytes, SuperAntiSpyware, PreVX, Avast, AdWare, HiJackThis- all die within seconds, or upon hitting the \windows\ dir

Note: Symantec AV Corporate Client 9 with updated defs runs autoprotect, but doesn't find/clean it
TendMicro Sysclean with updated defs in the same directory will run and scan through that directory, but doesn't find anything anymore
SmitFraudX doesn't find anything it lists as a problem, or at least only seems to be finding files it lists as being created by the same guy who created SmitFraudFix, but it does at least complete it's scan.

As this is someone elses' topic, I won't post the scan results here unless asked.

Hope these additional thoughts help...

Split from this topic: http://www.bleepingcomputer.com/forums/t/248331/all-anti-virus-restore-programs-unaccessable-moved/ ~ OB

Edited by Orange Blossom, 12 August 2009 - 08:45 PM.


#3 cpu food poisoning

cpu food poisoning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 13 August 2009 - 07:28 AM

...the story so far:

Ok, so here's where we now stand- prior to these comments being separated/merged and promptly driven to the bottom of the pile, boopme suggested Sophos Anti RootKit- ran it repeatedly and came up with an infected version of virtually every one of the programs I mentioned earlier having been killed mid-scan. I know some have boot level helpers, but they all showed up. Ditto ieframe and iexplore. So I blew out everything listed, and rebooted to uninstall/reinstall all the same software again.

This time I tried renaming the main MalwareBytes executable to winlogon.exe and setting it's priority at realtime. It completed a scan for the first time ever.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/13/2009 5:00:16 AM
mbam-log-2009-08-13 (05-00-16).txt

Scan type: Quick Scan
Objects scanned: 93072
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 20
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd56a320-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netcard (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\L4WUMTR4\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZUG8C1KR\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bng9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bngA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bngB.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bngC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bngD.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bngE.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bngF.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netcard.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxm192z.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Even after this cleaning I'm still getting a lag when loading basic explorer screens- such as below... the little sidebar initially appears instantly but then vanishes. Likewise, I still have random screen flashes, windows occasionally losing focus, etc. If I open "my computer" it lags, and then the top of the screen flashes briefly.
Posted Image
Also, the time in the taskbar keeps changing formats after I fix it

All of these are new symptoms to this box.

I ran repeated malwarebytes scans until they came up empty, once empty I was able to finally reinstall IE8- it had previous been dying on the mid install malware scan. I finally deleted the mrt.exe from system32, if it's not working I guess I don't need microsoft's attempt to help.

upon reboot I got this:
(pardon the legit "screenshot" plz)
Posted Image
boot order was normal in bios- so i ensured the "overwrite bios protection" was enabled and just rebooted.

I was able to get AdAware reinstalled, it completed a scan finding only cookies. So I've reinstalled Avast, and will run a full scan after my next reboot with it. Again, most of the tools are saying I'm clean, but after 3-5 reboots, the various symptoms increase in regularity, and then something will show up on the scans when retried- so I'm still just wondering how to get at whatever I've got. Any thoughts appreciated...

r

#4 cpu food poisoning

cpu food poisoning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 13 August 2009 - 08:24 AM

I meant to add also I still have some odd traffic if I run a netstat -a..

particularly, or most consistently to llnw.net? but see the screenshot below for some weird virtual port routing I have no IDEA what's behind...

Posted Image

llnw appears to be something called LimeLight networks, they talk about "content distribution" - how do these guys stay in business? Should one of these multi-payload deployments onto a single attorney general's system handle it?

Incidentally this is the affiliate ID / url for purchase for the first piece of ransomware to pop up in this mess, if anyone has any idea how to report them: http://www.onlinepurchasesolution.com/out.php?affid=01107

(didn't make that a link as i don't recommend clicking it unless you feel prepared)

Thanks...

r

#5 cpu food poisoning

cpu food poisoning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 13 August 2009 - 08:39 AM

Posted Image

Panther Content Delivery Networks (another unsolicited traffic connection)


Ditto from some guy on roadrunner? 209-18-42-154.chi10.tbone.rr.com:http ?

Posted Image

...*grumble*

unplugging until tomorrow, or hopefully an thread response email.

Thanks again for reading...

r

#6 cpu food poisoning

cpu food poisoning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 13 August 2009 - 08:42 AM

Oh, also- anytime I attempt to connect the the various odd IP connecting to me, I get this very same bogus "error" screen, I'm guessing the error "code" listed is probably either an identifier, or somehow a password/vulnerability workup for the guy who started this mess.
Posted Image

then again, this might just be a stock google chrome error message? (I only installed it when this all began, so it's new to me)

Thoughts?

r

#7 cpu food poisoning

cpu food poisoning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 16 August 2009 - 06:19 AM

...i'm still brokenish- the whole system runs like it's been turned down to 7, and i don't understand most of the ports that are open, where once none were. this is disappointing.

anyone have thoughts?

r




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users