Infected with GUMBLAR DAONAL variant


  • This topic is locked
14 replies to this topic

#1 TB-Kane2010

TB-Kane2010

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:52 AM

Posted 30 June 2010 - 03:37 PM

I'm working with a machine that appears to have an infection. The first indication of a problem was a message at logon that said - "Invalid access to memory location". Windows XP SP3, IE 7, Sophos AV, Office 2007, Acrobat 8, Windows patched through June 2010 updates.

Google search results indicated a bug. I removed the drive from the computer, slaved it to another computer and ran a full scan with Sophos Antivirus. Scan found nothing. I put the drive back into the original computer, booted into safe mode with networking and proceeded to install and run Malwarebytes. Malwarebytes installed but would not run for more than a few seconds.

I knew I was in for a fun time now. While in safe mode I ran a Trend Micro HouseCall scan. HouseCall found nothing. Kaspersky's on-line scanner is currently off-line. ESET on-line scanner finally gave me something to work with. ESET on-line scan found these two:

JS/Trojan Downloader.GUMBLAR.J Trojan
Win32/DAONOL.DF Trojan

ESET removed them but there is still something present after rebooting. Ok now I know I'm really going to have fun.

I started to collect stuff. I ran Defogger, and DDS logs were generated. Then I ran GMER. The computer rebooted all by itself around 2/3 of the way through the GMER scan.

I can log on in normal mode as long as I have the network cable unplugged. Malwarebytes still would only run for a few seconds. I ran RKill, which reported that it did not kill anything, but Malwarebytes will now run. Now I'm making progress. Or so I thought. I plugged in the network cable, updated Malwarebytes and ran a quick scan. Malwarebytes found nothing! I started another GMER scan and decided to disconnect the network cable just in case the bug was trying to phone home... The machine is now unresponsive and I'm going to have to push and hold the power button.

I've uploaded the DDS logs.

Thank you in advance for your help. BleepingComputer has been a great resource for me over the years.

Edited by TB-Kane2010, 30 June 2010 - 03:39 PM.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:52 PM

Posted 01 July 2010 - 12:37 AM

Hi,

QUOTE
ESET on-line scan found these two:

JS/Trojan Downloader.GUMBLAR.J Trojan
Win32/DAONOL.DF Trojan


Can you tell me what exact files are detected and exact location?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 TB-Kane2010


Posted 01 July 2010 - 09:44 AM

miekiemoes,

Thank you for responding quickly. I have uploaded the log that the ESET scan generated.


#4 miekiemoes


Posted 01 July 2010 - 12:16 PM

Hi,

Are you able to run HijackThis?
If so:

* Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:

C:\Documents and Settings\tsak\Local Settings\Temp\ovxwsh.old

Click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

Let me know if that worked.


#5 TB-Kane2010


Posted 01 July 2010 - 01:56 PM

I was able to install HijackThis and remove the file. I'm not sure if this is important, but upon reboot, logging on as local admin, I got two windows saying "could not load profile". This could have been a function of the reboot.

I shut the machine down and did a cold boot and the profile loaded fine. Should I try to run GMER again?

#6 miekiemoes


Posted 01 July 2010 - 02:13 PM

Hi,

No need for GMER though.

Does Malwarebytes run now?


#7 TB-Kane2010


Posted 01 July 2010 - 02:53 PM

Malwarebytes is running now. I updated it and I'm running a full scan.

I will let you know the results of the scan.

Thanks again for your help!

#8 miekiemoes


Posted 01 July 2010 - 03:12 PM

Well, that's good news.
If mbam is able to run, then it means that the infection is gone, because I know that when the infection is active, mbam won't run, regedit won't run and many other programs won't work either.
Here's more information about the infection: http://www.microsoft.com/security/portal/T...=Win32%2FDaonol
As you will read there, if you can access this forum from the computer again, then it means the infection is gone. This one also targets my "nickname" and blocks access to everything that has my nickname in the url. So as an extra test, if you can access my blog: http://miekiemoes.blogspot.com/ again, you should be ok.

As a final cleanup, please do the following (because I need an export of the key branch first to verify):


Open Notepad and copy and paste the following lines from the quote box into it:

QUOTE
regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
start notepad look.txt

Save this as look.bat (choose 'All files' as the file type) and place it on your desktop.
Double-click on it and Notepad should open.
Copy and paste the contents of it in your next reply.



#9 TB-Kane2010


Posted 01 July 2010 - 05:09 PM

The latest Malwarebytes scan did not find anything. I'm writing this from the machine that was infected, and I visited your blog without any trouble.

Look.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.3IV2"="3ivxVfWCodec_dec.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"


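As an added example (not from the thread or either participant), a small Python script that parses a regedit /e export like the look.txt above and flags Drivers32 entries whose data is an explicit path outside the system directory or carries an extension a codec entry would not normally have. The "aux" line in the constructed sample, the default system directory and the safe-extension set are assumptions, not facts from the page.

```python
import re

# Constructed sample modelled on the look.txt export posted above: stock entries
# plus one hypothetical hijacked value ("aux") that is NOT from the page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"wave"="wdmaud.drv"
"aux"="C:\\Documents and Settings\\tsak\\Local Settings\\Temp\\ovxwsh.old"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

SAFE_EXT = {".dll", ".drv", ".acm", ".ax"}  # usual codec/driver extensions (assumption)


def parse_reg_export(text):
    """Return (key, value name, data) for each REG_SZ value in a .reg export.
    dword/hex values are skipped; regedit's doubled backslashes are unescaped."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def suspicious_drivers(entries, system_dir=r"C:\WINDOWS\system32"):
    """Flag explicit paths outside system_dir (assumed default) or odd extensions.
    A bare filename is resolved via the loader search path, so only its extension
    can be judged from the export alone."""
    findings = []
    for key, name, data in entries:
        low = data.lower()
        ext = "." + low.rsplit(".", 1)[1] if "." in low else ""
        if "\\" in data and not low.startswith(system_dir.lower() + "\\"):
            findings.append((key, name, data, "explicit path outside the system directory"))
        elif ext not in SAFE_EXT:
            findings.append((key, name, data, "unexpected extension " + repr(ext)))
    return findings


if __name__ == "__main__":
    # A real regedit /e export is UTF-16: open(path, encoding="utf-16").read()
    for key, name, data, why in suspicious_drivers(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{key}] {name} = {data}  <- {why}")
```

A clean export such as the one posted above produces no findings; only entries a stock XP install would not carry are reported.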

#10 miekiemoes


Posted 02 July 2010 - 12:54 AM

Hi,

The export here looks OK as well. The affecting value was most probably deleted by another scanner already... unless it's hooked under another key (new variant).
That's why, just as an extra check, please do the following:

Download the Registry Search Tool from the following page:
http://www.billsway.com/vbspage/
Unzip it and run it.
If your antivirus interferes, you have to disable script blocking in the antivirus.
Put the following in the search box:

ovxwsh.old

Let it start the scan.
Post the results of the textfile you get in your next reply.

Edited by miekiemoes, 02 July 2010 - 12:55 AM.


#11 TB-Kane2010


Posted 02 July 2010 - 09:43 AM

The registry search script reported "No instances found". BTW, thanks for the link; there are some nice scripts I'll add to my toolkit.

Thanks for your help. Is there anything else you think I need to do? Can I consider this machine "clean"?

#12 miekiemoes


Posted 02 July 2010 - 09:56 AM

Good, no instances are found, so there's nothing to clean anymore either. The main file was already deleted anyway, so you should be OK again.

I don't know if this computer belongs to you or someone else, but it is important that all passwords should be changed, especially passwords for FTP accounts.

Other than that, yes, consider this machine clean again.

Glad I could help.

#13 TB-Kane2010


Posted 02 July 2010 - 10:49 AM

I informed the user to change ALL passwords that he has used on this computer before I even posted the issue on BleepingComputer.

Thanks again for your help. I think we can close this case.

#14 miekiemoes


Posted 02 July 2010 - 11:07 AM

You're most welcome.

#15 miekiemoes


Posted 08 July 2010 - 08:12 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.