BackDoor.Maosboot.35 Infection


This topic is locked
2 replies to this topic

#1 Clowntoon

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:11 PM

Posted 05 May 2010 - 01:55 PM

This is probably hopeless. Picked up this nasty thing seemingly through a simple click on a Web site link served by Google search for a Windows font. Tried to fight it myself for a while, then tried to get help from a good guy in another forum, but located in an inconvenient time zone. ComboFix, DrWeb and other tools were not able to clean infection shown by GMER and the tools themselves. GMER can't disable the hidden service - maybe it's just a vestige of the registry keys I can't seem to open, delete, or change permissions on. DrWeb shows MBR infection, but hangs at the 'reboot to delete' bit. Currently scanning with Avira boot CD. Will post results when available. I'm not a novice and can follow explicit instructions faithfully. I'll give this about one more day before I rebuild the system with a new hard drive (what I should have done in the first place if I knew it would take this long). No data lost - it would just be more convenient to have it work again rather than install all of that software. ****SPECIAL LIMITATION**** This computer has Autodesk product installed so the .scr file extension is associated to the AutoCAD application NOT whatever the heck else it's supposed to be... I have DDS outputs from a couple of days ago, but obviously the lack of boot capability prevents me from regenerating now. No file sharing, no music sites, no porn, no other shady BS on this system - just the crappy XP Pro SP3 O/S with ridiculously sorry security design.

OK, here is the result of the Avira scan from the boot CD - just the noteworthy items:

checking the master boot record of drive 128
error (2): cannot read record

ALERT:[TR/Patched.Gen] /media/Devices/sda1/Qoobox/Quarantine/C/Windows/system32/drivers/pcmcia.sys.vir.XXX <<< Is the Trojan horse TR/Patched.Gen

ALERT: [TR/Dldr.Mufanom.rhu] /media/devices/sda1/windows/sretPINC.dll.XXX <<< Is the Trojan horse TR/Dldr.Mufanom.rhu

I believe these were renamed by one or another tool - maybe Avira - on an earlier scan because they couldn't be moved.

UPDATE: Created a BitDefender Rescue CD, ran that on the system, and boot capability is now restored. The action that caused the boot problem was running ComboFix. It was getting strange errors about Windows delayed write causing data loss of various files and folders. This included Windows\System32. This did not seem to be true because the folder was visible from a UBCD environment I ran afterward.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-04 11:13:15
Windows 5.1.2600 Service Pack 3
Running: isp3vtt9(remgr).exe; Driver: C:\DOCUME~1\MAIN\LOCALS~1\Temp\pxtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA1CC380, 0x22091D, 0xE8000020]
? C:\DOCUME~1\MAIN\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\Combo-Fix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\usbhub \Device\00000091 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000093 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000095 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000097 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAvstiwuycye <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c67ed041
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstiwuycye
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c67ed041 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstiwuycye (not active ControlSet)

---- EOF - GMER 1.0.15 ----


Edited by Clowntoon, 05 May 2010 - 06:19 PM.
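Added example (not part of the post, and not GMER's or any tool's own code): a small Python triage helper for GMER reports in the format shown above. It parses the "---- Section - GMER x.y.z ----" headers, pulls hidden services out of the Services section and links them to the Registry entries flagged under the same service name in each control set, the cross-check a responder wants when deciding whether leftover keys belong to the hidden service. The sample log is constructed; its service name and key value are made up.

```python
import re

# Constructed sample in GMER's report format, modelled on the log above;
# the service name and key values are made up, not copied from any real scan.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) PRAGMAexampleaa <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011223344aa
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAexampleaa
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAexampleaa (not active ControlSet)
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \)\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(\S+)(?:\s+\((.*)\))?\s*$")
SVC_IN_KEY_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)


def parse_sections(text):
    """Split a GMER report into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Map each hidden service to its flagged registry keys; others go to "_unlinked"."""
    sections = parse_sections(text)
    hidden = [m.group(1) for m in map(HIDDEN_RE.match, sections.get("Services", [])) if m]
    by_lower = {name.lower(): name for name in hidden}
    report = {name: [] for name in hidden}
    report["_unlinked"] = []  # keys for services GMER did not mark hidden: review by hand
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if not m:
            continue
        path, note = m.group(1), m.group(2) or "active ControlSet"
        svc = SVC_IN_KEY_RE.search(path)  # first path component after \Services\
        owner = by_lower.get(svc.group(1).lower()) if svc else None
        report[owner or "_unlinked"].append((path, note))
    return report
```

Run it on a saved GMER report with `triage(open(path).read())`; a hidden service that shows up in both CurrentControlSet and a non-active ControlSet will list both keys under its name.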



#2 Clowntoon

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:11 PM

Posted 06 May 2010 - 05:25 PM

Moved to this thread after computer was able to boot and dds logs were obtained:

http://www.bleepingcomputer.com/forums/t/315138/rootkitted/



#3 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:11 AM

Posted 07 May 2010 - 07:03 PM

Since the issues are being dealt with in another thread this topic is now closed.





