Friday, January 20, 2012

XP Antispyware 2012 (FakeAV) - 01.20.2012 - Analysis and Removal

This was performed on a live (not Virtual) machine.

It is important to note that this particular machine came with two different FakeAVs: XP Antispyware 2012 and System Check, which I've covered earlier here.
__________________________________________________________________________________
RogueKiller
¤¤¤ Bad processes: 4 ¤¤¤
[WINDOW : System Check] aG6mmkUgRr179B.exe -- C:\Documents and Settings\All Users\Application Data\aG6mmkUgRr179B.exe -> KILLED [TermProc]
[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]
[SUSP PATH] UIWWFDnoJEOaR.exe -- C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe -> KILLED [TermProc]
[SUSP PATH] qkm.exe -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 11 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : UIWWFDnoJEOaR.exe (C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : wvgmkfnxrI.exe (C:\Documents and Settings\All Users\Application Data\wvgmkfnxrI.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2216767945-41830626-3922640483-1007[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[SUSP PATH] Memeo AutoBackup Launcher.lnk : C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Infection : Rogue.FakeHDD|Root.MBR|ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] bf2ee68d3eb0a197c05e0152bcdefae2
[BSP] 05e3161cf4ce79602881f99911e8893d : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 290566 Mo
1 - [XXXXXX] FAT32 [VISIBLE] Offset (sectors): 567528255 | Size: 9491 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 004c402e0306e2f8ba947eacd4148327
[BSP] 33db9831113af5b866680bf417fa5a5d : PiHar MBR Code!
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 290566 Mo
1 - [XXXXXX] FAT32 [VISIBLE] Offset (sectors): 567528255 | Size: 9491 Mo

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 8da38b9ec667eb12484664792003e81b
[BSP] 9c39957118038b3040b5edd3b3224b1e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 8034 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
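As an added example (not code from this post or from RogueKiller), here is a small Python triage script for logs in the format above. The [HJPOL]/[HJ] lines show the FakeAV locking the user out of Task Manager, the desktop and Start Menu items, and the MBR check compares the MBR as read through normal user-mode I/O ("User") against the lower-level reads the log labels LL1 and LL2; "User != LL2 ... KO!" with a PiHar code in the LL2 view means something is filtering disk reads, which is how a bootkit hides. The lock-out value table is my assumption from the log and from the REPLACED actions RogueKiller takes in the System Check log further down this page.

```python
"""Triage helper for RogueKiller logs: an added example, not code from the post or
from RogueKiller. SAMPLE_LOG is a constructed excerpt of the XP Antispyware 2012 log
above; it reports user lock-out hijacks and MBR cross-view mismatches (User vs LL2)."""
import re

SAMPLE_LOG = r"""
[SUSP PATH] HKCU\[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] bf2ee68d3eb0a197c05e0152bcdefae2
[BSP] 05e3161cf4ce79602881f99911e8893d : MBR Code unknown
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 004c402e0306e2f8ba947eacd4148327
[BSP] 33db9831113af5b866680bf417fa5a5d : PiHar MBR Code!
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 8da38b9ec667eb12484664792003e81b
[BSP] 9c39957118038b3040b5edd3b3224b1e : Windows 7 MBR Code
User = LL1 ... OK!
Error reading LL2 MBR!
"""

REG_RE = re.compile(r"^\[(?P<tag>[A-Za-z ]+)\] (?P<key>.+?) : (?P<name>\S+) \((?P<value>.*)\) -> (?P<status>.+)$")
DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): \+{5}$")
VIEW_RE = re.compile(r"^--- (\w+) ---$")
MBR_RE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")
BSP_RE = re.compile(r"^\[BSP\] ([0-9a-f]{32}) : (.+)$")
CHECK_RE = re.compile(r"^User (?:=|!=) (LL\d) \.\.\. (OK|KO)!$")
ERR_RE = re.compile(r"^Error reading (LL\d) MBR!$")

# [HJPOL]/[HJ] value names with the setting that locks the user out (assumed from the log).
LOCKOUT_VALUES = {"DisableTaskMgr": "1", "NoDesktop": "1", "Start_ShowMyComputer": "0", "Start_ShowSearch": "0"}

def parse_registry_entries(log):
    """Every '[TAG] key : name (value) -> status' line as a dict."""
    return [m.groupdict() for m in map(REG_RE.match, log.splitlines()) if m]

def user_lockouts(entries):
    """Names of policy/UI values currently set to their lock-out state."""
    return [e["name"] for e in entries if LOCKOUT_VALUES.get(e["name"]) == e["value"]]

def parse_mbr_views(log):
    """drive -> {'User'/'LL2': {'mbr', 'bsp', 'code'}, 'checks': {LLn: result}}."""
    drives, drive, view = {}, None, None
    for line in log.splitlines():
        if m := DRIVE_RE.match(line):
            drive = drives.setdefault(m.group(1), {"checks": {}})
        elif drive is None:
            continue                      # ignore anything before the MBR section
        elif m := VIEW_RE.match(line):
            view = drive.setdefault(m.group(1), {})
        elif m := MBR_RE.match(line):
            view["mbr"] = m.group(1)
        elif m := BSP_RE.match(line):
            view["bsp"], view["code"] = m.groups()
        elif m := CHECK_RE.match(line):
            drive["checks"][m.group(1)] = m.group(2)
        elif m := ERR_RE.match(line):
            drive["checks"][m.group(1)] = "UNREADABLE"   # read failed, not a mismatch
    return drives

def mbr_mismatches(drives):
    # (drive, user-mode MBR hash, LL2 MBR hash, LL2 code id) for each drive marked KO
    return [(name, d["User"]["mbr"], d["LL2"]["mbr"], d["LL2"]["code"])
            for name, d in drives.items()
            if d["checks"].get("LL2") == "KO" and "LL2" in d]

if __name__ == "__main__":
    print(user_lockouts(parse_registry_entries(SAMPLE_LOG)), mbr_mismatches(parse_mbr_views(SAMPLE_LOG)))
```

A drive whose LL2 read failed outright (PhysicalDrive1 here) is reported as UNREADABLE rather than as a mismatch, so it still shows up for manual follow-up.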
__________________________________________________________________________________
TDSSKiller
Backup copy found, using it..
C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
NetBT ( Virus.Win32.ZAccess.k ) - User select action: Cure 
\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
\Device\Harddisk0\DR0 - ok
\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure 
\Device\Harddisk0\DR0\TDLFS - deleted
\Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete 

Two different rootkits here!
__________________________________________________________________________________
SAS
Disabled.TaskManager
    HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR
    HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR

Trace.Known Threat Sources
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\55420F1N\7922f78e7b923_2176335[1].flv [ cache:wista ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\6Y3T1ZD7\fc548d3114a0c_2176313[1].flv [ cache:wista ]

Adware.IWinGames
    HKU\S-1-5-21-2216767945-41830626-3922640483-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}

Trojan.Agent/Gen-FakeAlert[Local]
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AG6MMKUGRR179B.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UIWWFDNOJEOAR.EXE
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\SYSTEM CHECK.LNK
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\START MENU\PROGRAMS\SYSTEM CHECK\SYSTEM CHECK.LNK
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\START MENU\PROGRAMS\SYSTEM CHECK\UNINSTALL SYSTEM CHECK.LNK
    C:\WINDOWS\Prefetch\AG6MMKUGRR179B.EXE-3A625C98.pf
    C:\WINDOWS\Prefetch\UIWWFDNOJEOAR.EXE-0493FF7A.pf

Trojan.Agent/Gen-FakeAnitSpy
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WVGMKFNXRI.EXE
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\WVGMKFNXRI.EXE.VIR
    C:\WINDOWS\Prefetch\WVGMKFNXRI.EXE-1D475FEC.pf

Trojan.Agent/Gen-BOPE
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\AG6MMKUGRR179B.EXE.VIR
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\UIWWFDNOJEOAR.EXE.VIR
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\9\7CE9E4C9-58FB998C

Trojan.Agent/Gen-MSFraud
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\QKM.EXE.VIR
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\HIUEKWE.EXE
    C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE

Trojan.Agent/Gen-FraudLoad
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\VVQRPXQA.EXE
    C:\WINDOWS\Prefetch\VVQRPXQA.EXE-35F084AC.pf

Notes: read the Trace.Known Threat Sources section; it may indicate where the infection came from (a Flash Player exploit).
__________________________________________________________________________________
CF
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\~aG6mmkUgRr179B
c:\documents and settings\All Users\Application Data\~aG6mmkUgRr179Br
c:\documents and settings\All Users\Application Data\aG6mmkUgRr179B
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\HP_Administrator\Start Menu\Programs\System Check
c:\documents and settings\HP_Administrator\WINDOWS
c:\documents and settings\QBDataServiceUser17\WINDOWS
c:\windows\$NtUninstallKB49832$
c:\windows\$NtUninstallKB49832$\123586037\@
c:\windows\$NtUninstallKB49832$\123586037\bckfg.tmp
c:\windows\$NtUninstallKB49832$\123586037\cfg.ini
c:\windows\$NtUninstallKB49832$\123586037\Desktop.ini
c:\windows\$NtUninstallKB49832$\123586037\keywords
c:\windows\$NtUninstallKB49832$\123586037\kwrd.dll
c:\windows\$NtUninstallKB49832$\123586037\L\aqaeidou
c:\windows\$NtUninstallKB49832$\123586037\lsflt7.ver
c:\windows\$NtUninstallKB49832$\123586037\U\00000001.@
c:\windows\$NtUninstallKB49832$\123586037\U\00000002.@
c:\windows\$NtUninstallKB49832$\123586037\U\00000004.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000000.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000004.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000032.@
c:\windows\$NtUninstallKB49832$\4256935209
c:\windows\bcm225.tmp
c:\windows\bcm226.tmp
c:\windows\bcm227.tmp
c:\windows\bcm228.tmp
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.ics
D:\Autorun.inf
.
c:\windows\system32\drivers\intelppm.sys . . . is missing!!

Found a legit copy using SystemLook.
__________________________________________________________________________________ 
TST
Thisisu's Scanning Tool (TST) is a program I am working on for finding traces of malware. It's in the very early stages of development, but I thought I'd give it some practice to see how it performs ;)

----a-w-  2012-01-18 03:00:00  C:\Documents and Settings\HP_Administrator\Application Data\1c464a42
----a-w-  2012-01-18 03:00:00  C:\Documents and Settings\HP_Administrator\templates\31dd8447
----a-w-  2012-01-18 03:00:00  C:\Documents and Settings\All Users\Application data\48013ce3
----a-w-  2012-01-18 03:00:00  C:\Documents and Settings\HP_Administrator\local settings\application data\930ef073
__________________________________________________________________________________ 
Misc Notes: 
No residual OS damage. 
No hidden partition.
___________________________________________________________________________________

Tuesday, January 17, 2012

System Check (FakeAV) - 01.17.2012 - Analysis and Removal

 
This was performed on a live (not Virtual) machine.

It's important to note that this particular computer was not booting properly when I first received it. Most likely this was due to the rootkit present (Virus.Win32.Rloader.a) and not the FakeAV, as has been the case with other PCs with this type of infection.

After booting off a Windows 7 RE disc and performing an offline sfc /scannow (sfc /scannow /offbootdir=c:\ /offwindir=c:\windows), I was able to at least boot all the way to the desktop.

Here is what I was presented with upon the successful boot. These types of infections are often called "Fake.Hdd". I did a full report with video back in November 2011 on a similar infection with the FakeAV "System Restore" here.
__________________________________________________________________________________
RogueKiller
¤¤¤ Bad processes: 4 ¤¤¤
[WINDOW : System Check] sJqEf1fzZrkuVm.exe -- C:\ProgramData\sJqEf1fzZrkuVm.exe -> KILLED [TermProc]
[SUSP PATH] dplayx.dll -- C:\Users\Ruby\AppData\Local\dplayx.dll -> UNLOADED
[SUSP PATH] Temp:winupd.exe -- C:\Users\Ruby\AppData\Local\Temp:winupd.exe -> KILLED [TermProc]
[SUSP PATH] ipyJfmDvPvAd.exe -- C:\ProgramData\ipyJfmDvPvAd.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 14 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : winupd (C:\Users\Ruby\AppData\Local\Temp:winupd.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Run : ipyJfmDvPvAd.exe (C:\ProgramData\ipyJfmDvPvAd.exe) -> DELETED
[SUSP PATH] winupd.job : C:\Users\Ruby\AppData\Local\Temp:winupd.exe -> DELETED
[SUSP PATH] OneNote 2007 Screen Clipper and Launcher.lnk : C:\Users\Ruby\AppData\Local\Temp\ONENOTEM.EXE -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{CA928F52-3A87-4C95-905C-652CCEEE5D23} : NameServer (10.133.20.11 10.132.20.11) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{CA928F52-3A87-4C95-905C-652CCEEE5D23} : NameServer (10.133.20.11 10.132.20.11) -> NOT REMOVED, USE DNSFIX
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Users\Ruby\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg)
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤
__________________________________________________________________________________
TDSSKiller
C:\windows\system32\drivers\Wdf01000.sys - will be cured on reboot
Wdf01000 ( Virus.Win32.Rloader.a ) - User select action: Cure
__________________________________________________________________________________
SAS
Rogue.E-SET 2011
    C:\Program Files\E-SET 2011\e-set.exe
    C:\Program Files\E-SET 2011\e-set.exe.tmp1
    C:\Program Files\E-SET 2011

Trojan.Agent/Gen-FakeAlert[Local]
    C:\PROGRAMDATA\IPYJFMDVPVAD.EXE
    C:\PROGRAMDATA\SJQEF1FZZRKUVM.EXE
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SYSTEM CHECK.LNK
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEM CHECK\SYSTEM CHECK.LNK
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEM CHECK\UNINSTALL SYSTEM CHECK.LNK
    C:\USERS\RUBY\DESKTOP\SYSTEM CHECK.LNK

Heuristic.Backdoor
    C:\USERS\RUBY\APPDATA\LOCAL\TEMP\EXPLORER.EXE
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS EXPLORER.LNK

Trojan.Agent/Gen-Tracur
    C:\USERS\RUBY\APPDATA\LOCAL\TEMP\NSI14AA.TMP\MJLWXJN.V4N
__________________________________________________________________________________
MBAM
Files Detected: 19
C:\Users\Ruby\AppData\Local\Temp\cmd.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\control.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\osk.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\iexplore.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\magnify.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\msiexec.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\narrator.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\notepad.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\ONENOTEM.EXE (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\eudcedit.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\gdfyghret.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\tue0.03518007376125176.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_28B7E701AB5EA204F8C52F.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_34779EA62C4957E16DBB3E.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_3A20CF231F6F0812B6B942.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_B5F2DCEFB6AA5671D1D39E.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_EC348ADB6AC3A2B2EA675D.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\Local Settings\Temporary Internet Files\Content.IE5\3K50ABTU\klmcristmas_com[2].htm (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
c:\users\ruby\appdata\local\temp:winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
__________________________________________________________________________________
CF
Got this message first:

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~sJqEf1fzZrkuVm
c:\programdata\~sJqEf1fzZrkuVmr
c:\programdata\eoakaaa.tmp
c:\programdata\foakaaa.tmp
c:\programdata\goakaaa.tmp
c:\programdata\gxvubaa.tmp
c:\programdata\hxvubaa.tmp
c:\programdata\ioakaaa.tmp
c:\programdata\ixvubaa.tmp
c:\programdata\jxvubaa.tmp
c:\programdata\kloycaa.tmp
c:\programdata\kxvubaa.tmp
c:\programdata\lloycaa.tmp
c:\programdata\mloycaa.tmp
c:\programdata\nloycaa.tmp
c:\programdata\oloycaa.tmp
c:\programdata\sJqEf1fzZrkuVm
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\Ruby\AppData\Local\dplaysvr.exe
c:\users\Ruby\AppData\Local\dplayx.dll.vir
c:\users\Ruby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\windows\expl.dat
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy8_!windows!winsxs!x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373!explorer.exe

Later I replaced winlogon.exe manually, using SystemLook to find a legit copy.
__________________________________________________________________________________
MGtools
"C:\Users\Ruby\AppData\Roaming\Microsoft\Windows\Templates\"
566b42~1      Jan 14 2012       12270  "566b42m18naieo4r8gdr3q"
"C:\Users\Ruby\AppData\Local\"
566b42~1      Jan 14 2012       12270  "566b42m18naieo4r8gdr3q"
"C:\ProgramData\"
566b42~1      Jan 14 2012       12270  "566b42m18naieo4r8gdr3q"
aawjaaa.tmp   Jan 17 2012         868  "aawjaaa.tmp"
bawjaaa.tmp   Jan 17 2012         854  "bawjaaa.tmp"
cawjaaa.tmp   Jan 17 2012         826  "cawjaaa.tmp"
dawjaaa.tmp   Jan 17 2012         849  "dawjaaa.tmp"
eawjaaa.tmp   Jan 17 2012         827  "eawjaaa.tmp"
__________________________________________________________________________________
Misc Notes:

Later I had to replace target links like the following:
It seems that the Zbot infection broke certain shortcuts (check the MBAM log again).

No hidden partition. I am unsure whether there was an MBR infection, but I restored a Win7 MBR while I was trying to get the system to boot. Restoring the MBR alone did not do the trick; the offline sfc scan is what really did the trick in this case.

Other than the system not booting at first, there was not any significant OS damage.
___________________________________________________________________________________

Tuesday, January 10, 2012

Vista Security 2012 (FakeAV) - 01.10.2012 - Analysis and Removal


This was performed on a live (not Virtual) machine.


Here is what was loaded when I first turned on the computer in Normal Mode. 

Lots of pop-ups, as you can see; this one was a bit more aggressive than some of the others I've seen.

On top of it all, I would get constant application errors regarding Norton Antivirus. The ZeroAccess rootkit had a snack ;-)

Here is the screen you will be brought to if you try to "activate" Vista Security 2012. Remember that this is all fake, created by the malware authors.
__________________________________________________________________________________
RogueKiller
¤¤¤ Bad processes: 2 ¤¤¤
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]
[WINDOW : Vista Security 2012] ddj.exe -- C:\Users\Owner\AppData\Local\ddj.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command :  ("C:\Users\Owner\AppData\Local\ddj.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 47e38b333fde87e38dd55d5145eda893
[BSP] 2322b9887f89ec6bfba12db29d773349 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 160038 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 8da38b9ec667eb12484664792003e81b
[BSP] 9c39957118038b3040b5edd3b3224b1e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 8034 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
__________________________________________________________________________________
TDSSKiller
C:\Windows\system32\drivers\afd.sys - will be cured on reboot
AFD ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
__________________________________________________________________________________
CF
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB40500$
c:\windows\$NtUninstallKB40500$\2367755029\@
c:\windows\$NtUninstallKB40500$\2367755029\bckfg.tmp
c:\windows\$NtUninstallKB40500$\2367755029\cfg.ini
c:\windows\$NtUninstallKB40500$\2367755029\Desktop.ini
c:\windows\$NtUninstallKB40500$\2367755029\keywords
c:\windows\$NtUninstallKB40500$\2367755029\kwrd.dll
c:\windows\$NtUninstallKB40500$\2367755029\L\qnbwvoto
c:\windows\$NtUninstallKB40500$\2367755029\lsflt7.ver
c:\windows\$NtUninstallKB40500$\2367755029\U\00000001.@
c:\windows\$NtUninstallKB40500$\2367755029\U\00000002.@
c:\windows\$NtUninstallKB40500$\2367755029\U\00000004.@
c:\windows\$NtUninstallKB40500$\2367755029\U\80000000.@
c:\windows\$NtUninstallKB40500$\2367755029\U\80000004.@
c:\windows\$NtUninstallKB40500$\2367755029\U\80000032.@
c:\windows\$NtUninstallKB40500$\753632677
__________________________________________________________________________________
MGtools
"C:\Users\Owner\AppData\Local\"
kb316p~1      Jan 10 2012        9208  "kb316pt716feqc24537sy13050q20yb545k0qc1w1dk647"
"C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Templates\"
kb316p~1      Jan 10 2012        9208  "kb316pt716feqc24537sy13050q20yb545k0qc1w1dk647"
"C:\ProgramData\"
kb316p~1      Jan 10 2012        9208  "kb316pt716feqc24537sy13050q20yb545k0qc1w1dk647"
__________________________________________________________________________________
Misc notes:
Residual OS Damage: Windows Firewall broken - Repaired after all traces of malware were gone.

I did scan with SAS first (found 6 threats), but I forgot to save the log for review :(
MBAM found 0 threats after SAS was run.

___________________________________________________________________________________

Sunday, January 08, 2012

How To: Use Kaspersky Rescue Disk To Scan and Remove Malware

Kaspersky Rescue Disk 10 can be downloaded here
Only to be used in extreme cases where normal malware removal methods are not working.


You have to press any key on the keyboard in order to continue using the Kaspersky Rescue Disk.
Choose your language. English is the default selected language. Press Enter to make your selection.
Press Enter for "Graphic Mode".
Please be patient; eventually you will be brought to the Agreement, as shown below:
Here you need to type the letter "A" on your keyboard to "Accept" the agreement.
The next couple of screens are as follows:
Then you will be brought to this screen; we need to update the virus definitions first. See the screenshot for details.
You should be here updating the virus definitions. Be patient.
Update completed! Now click the "Objects Scan" tab.
Place checkmarks in all 3 boxes given. The first two should be selected by default. When you have done this, click the Settings button as seen in the below screenshot:
Here are the settings we want you to use. Click "Apply" and then "OK".
Now begin scanning.
When the scan completes, click the Report button so that we may analyze your results.
Please save it to a location that you can find later and upload it here.
Then retry booting into Windows.

How To: Use GParted To Remove Hidden TDL4 Partition


These are based on the original instructions I created for a user on November 17th, 2011, when we first started seeing these types of infections on the Malware Removal forums at MajorGeeks.

For those that do not know about the latest TDL4 infections, more can be read at: TDL4 Infection Update Win32/Olmasco MAXSS Pihar

I have updated the tutorial guide for the latest stable version of GParted v0.11.0-7. Also updated the instructions for clarity. Hope you enjoy!
__________________________________________________________________________________

Now boot off of the newly created GParted CD.



You should be here...

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English is the default [33].

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below:

According to your logs, the partition that you want to delete is XX MiB (XX MB)
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:


Now you should be here:

Is "boot" next to your OS drive? According to your logs, your OS drive is the XX GB sized partition.

If "boot" is not next to your OS drive under Flags, right-click the OS drive while in GParted and select Manage Flags.


In the menu that pops up, place a checkmark in boot like the picture below:


Now press the Close button to save these changes.

Now double-click the Exit button.



Choose reboot and then press OK.