Posted 24 December 2010 - 06:43 PM
My son's computer was attacked a couple of days ago when he browsed to a malicious website.
He ran MBAM (1.50.1, database version 5383), which detected and deleted *most* of the malicious attack artifacts, but not all.
The attack disabled his Microsoft Security Essentials -- removed the MSSE entry from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, disabled the MsMpSvc service, and launched a malicious service (in a rundll32.exe launched by the regular svchost.exe for the netsvcs service group).
The maliciously launched rundll32.exe loaded a dll named ntmsdba2.dll that had been dropped in c:\windows\system32.
When that process was running, MSSE was unable to initialize when launched -- it exited within seconds of being launched manually.
The attack-dropped ntmsdba2.dll had been attributed system, hidden, read-only, and ACLed to prevent deletion.
MBAM did not detect it when in that state.
I killed the rundll32.exe and then used cacls.exe to overwrite the ACLs with EVERYONE:F, and removed the S H & R attributes.
After doing that, I ran another MBAM scan, which *did* detect it, and an apparently associated registry key as well:
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\H3O8CABBPI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ntmsdba2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
We have a remaining issue however -- the svchost.exe is still attempting to launch the malicious service. The rundll32.exe does not exit, even though the dll has been deleted. Its command line is:
However there doesn't seem to be a service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, or an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs, corresponding to this process.
It's unclear to me what the mechanism is by which the process is being launched. It appears to be launched at boot time, but not in safe mode.
I have searched the registry for the string "ntmsdba2" anywhere in any key, value, or data -- nothing found. If the dll filename is being stored in the registry anywhere it must be in something other than clear text.
I have searched the file system (with Explorer set to view hidden and system files, of course) for files containing the string "ntmsdba2" -- no luck. Again, if it's being stored in the file system, it's not in clear text.
The svchost.exe and rundll32.exe program files themselves appear to be OK -- they byte-compare identical to copies of the respective file taken from an uninfected system running the same OS revision (WinXP SP3, with all critical updates pushed by Microsoft through 12/23/10).
I have checked the system for rootkits using GMER, RootRepeal, Sysinternals RootkitRevealer, HitmanPro 3.5, and Kaspersky's TDSSKiller -- none of them reported anything that didn't have a legitimate explanation.
Can anyone briefly explain the possible mechanisms by which svchost.exe can be induced to launch a rundll32.exe, suggest additional places and/or formats to look for a stored representation of the rundll32 command line or dll filename ("ntmsdba2"), or know enough about the propagation and operation of Trojan.Agent to help identify how the rogue service process is still being launched? (And does anyone know why the rundll32.exe doesn't exit, if the dll named on its command line doesn't exist in the file system?)
At least with the dll itself gone, MSSE now has no trouble coming up and initializing at boot.
Any help appreciated -- please let me know if I can run and post any diagnostics that will help.
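As an added example (not part of the original post), the script below decodes a regedit .reg export and searches it: svchost.exe finds each hosted service's DLL through the ServiceDll value under that service's Parameters key, and regedit writes REG_EXPAND_SZ and REG_MULTI_SZ values as hex(2)/hex(7) UTF-16LE byte lists, so a plain text search of an exported hive never sees the DLL name. The sample export, including the Ias service's ServiceDll path, is constructed for the demonstration and does not describe the poster's system.

```python
import re

# Constructed regedit export used as sample input (not from the poster's machine).
# hex(2)/hex(7) values hold UTF-16LE bytes, so "ntmsdba2" is not clear text here.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):4e,00,6c,00,61,00,00,00,49,00,61,00,73,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ias\Parameters]
"ServiceDll"=hex(2):63,00,3a,00,5c,00,77,00,69,00,6e,00,64,00,6f,00,77,00,\
  73,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,\
  74,00,6d,00,73,00,64,00,62,00,61,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"""

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
HEX_RE = re.compile(r"hex(?:\((\d+)\))?:(.*)$")

def logical_lines(text):
    # Re-join regedit's ",\" continuation lines into single logical lines.
    buf = None
    for raw in text.splitlines():
        line = (buf or "") + (raw.strip() if buf is not None else raw.rstrip())
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = None
        yield line

def decode_value(raw):
    # hex(2)/hex(7) are NUL-terminated UTF-16LE; multi-sz elements are NUL-separated.
    m = HEX_RE.match(raw)
    if not m or m.group(1) not in ("2", "7"):
        return raw  # REG_SZ, dword and binary payloads are searched as written
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    text = data.decode("utf-16-le", errors="replace").rstrip("\0")
    return text.replace("\0", " | ")

def search_export(text, needle):
    # Return (key, value name, decoded data) for every value whose key path,
    # name or decoded data contains needle, case-insensitively.
    needle, key, hits = needle.lower(), None, []
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            decoded = decode_value(m.group(2))
            if needle in f"{key}\0{name}\0{decoded}".lower():
                hits.append((key, name, decoded))
    return hits
```

Run it against a full `reg export HKLM\SYSTEM` file to list every value that mentions a DLL name, including ServiceDll entries a plain text search would miss.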