Suggestions needed

Discussion in 'malware problems & news' started by HURST, Jun 23, 2008.

Thread Status:
Not open for further replies.
  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hi.
    I need some suggestions, because I'm running out of ideas.:doubt: :doubt:
    I'm cleaning an infected laptop. The laptop has Vista Home Premium SP1.
    The infection took place after a crack was executed.
    VirusTotal showed only 5/33 detections, and mainly "Packed.Themida".
    I executed it sandboxed on my laptop. It created "stsystra.exe" and executed it. This is a copy of the original executable (same MD5), which took the name of a legit exe on my system. Reboot and Returnil took charge.
    But on the infected computer, it took the name of "apoint.exe" (another legit executable). After each reboot another service was disabled:
    -No access to hosts file
    -No internet connection
    -No windows firewall
    -No windows defender
    -AV can't run

    I could run CureIt, but it found nothing (it also scanned VERY slowly).
    SAS no success installing, BSOD
    MBAM: installs, but hangs when it gets to the heuristic scan
    Kaspersky AVP tool: successful install, unable to execute

    Tried VundoFix, WinsockFix and others--> explorer.exe hangs.
    HJT log looks clean, and hijackthis.de's automated analysis also shows nothing wrong.

    The USB stick I was using to transfer files to my laptop, now has a "nideitect.com" file in it, which is launched by an autorun.inf
    This file shows the same 5/33 detections from VirusTotal. (EDIT: this file has the same MD5 as the original crack)

    So, I'm posting here asking for ideas.
    If I can't get rid of it, in exactly 20 hours the computer will be reformatted.:D


    EDIT2: I scanned the USB stick with SAS, it DOESN'T detect it... Nick, I can send you the sample. Haven't tried with MBAM yet.
     
    Last edited: Jun 23, 2008
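Added example, not code from the thread or from any tool mentioned in it: a small Python triage script for the situation HURST describes, where an autorun.inf on the USB stick launches "nideitect.com" and the same binary (same MD5) also shows up as "stsystra.exe" and "apoint.exe". Run against an offline-mounted drive, it parses the [autorun] section tolerantly (worm-written autorun.inf files often carry junk sections and odd spacing), extracts what would be launched, hashes it, and then lists every file in the tree with the same hash regardless of name. The file names, bytes and directory layout in `build_sample` are constructed for the demo; MD5 is used only because that is what VirusTotal reported in the thread, not as a security hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# [autorun] keys whose value names a program to execute; shell\<verb>\command
# keys are matched separately by suffix.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section. Deliberately tolerant:
    junk sections, odd spacing and mixed case are common in malicious files."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Programs autorun would run: 'open', 'shellexecute' and any
    shell\\<verb>\\command key. Keeps the first token (program name, quotes
    stripped) and drops arguments; duplicates are collapsed."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or key.endswith("\\command"):
            tokens = value.split()
            program = tokens[0].strip('"') if tokens else ""
            if program and program not in targets:
                targets.append(program)
    return targets

def md5_of(path):
    """MD5 only to match identical copies (as the VirusTotal reports in the
    thread did); not a security hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_same_binary(root, reference_hash):
    """Walk an offline-mounted tree and list every file whose MD5 equals the
    reference, whatever it is called (paths relative to root, sorted)."""
    root = Path(root)
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if md5_of(p) == reference_hash:
                    matches.append(p.relative_to(root).as_posix())
            except OSError:
                continue  # unreadable file: skip it, never abort the triage
    return sorted(matches)

def triage_removable(root):
    """Report what autorun.inf on `root` would launch and where else the same
    bytes live under other names."""
    root = Path(root)
    inf = root / "autorun.inf"
    report = {"autorun": False, "targets": [], "copies": {}}
    if not inf.is_file():
        return report
    # latin-1 decodes any byte, so binary junk in the file cannot abort us
    entries = parse_autorun(inf.read_bytes().decode("latin-1"))
    report["autorun"] = True
    report["targets"] = launch_targets(entries)
    for target in report["targets"]:
        target_path = root / target
        if target_path.is_file():
            h = md5_of(target_path)
            report["copies"][target] = {"md5": h, "same_hash": find_same_binary(root, h)}
    return report

def build_sample(root):
    """Constructed sample (not a real capture): fake removable drive with an
    obfuscated autorun.inf, the file it launches, and the same bytes saved
    under a legitimate-looking name in a subfolder."""
    root = Path(root)
    payload = b"MZ constructed placeholder bytes, not a real executable"
    (root / "autorun.inf").write_bytes(
        b"[junk]\r\nx=y\r\n\r\n[AutoRun]\r\n  OPEN = nideitect.com\r\n"
        b"shell\\open\\Command=nideitect.com /s\r\nicon=shell32.dll,4\r\n"
    )
    (root / "nideitect.com").write_bytes(payload)
    (root / "backup").mkdir(exist_ok=True)
    (root / "backup" / "apoint.exe").write_bytes(payload)
    (root / "readme.txt").write_bytes(b"unrelated file")
    return root

def run_demo():
    """Build the constructed sample in a temp dir and triage it."""
    return triage_removable(build_sample(tempfile.mkdtemp()))

if __name__ == "__main__":
    print(run_demo())
```

Point `triage_removable` at the mount point of the stick (mounted from a clean system with autorun disabled, or read from an image) and it reports `"targets": ["nideitect.com"]` plus every other path carrying the same bytes, which is how the renamed copies in the thread would be found without relying on an AV signature.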
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    UPDATE:

    By manually disabling all startup entries, a MBAM scan could be performed under normal mode.
    Heuristics detected Rootkit.Bagle and Rootkit.Agent, but most problems are still there:
    -No Windows Defender
    -No Firewall
    -No \Windows\system32\drivers\etc folder
    -AV's still can't scan


    EDIT: In another forum it is advised to run ComboFix, so I tried it, but it wouldn't run (Message: "ComboFix is not a valid Win 32 application")
     
    Last edited: Jun 23, 2008
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,313
    Location:
    England
    Have you tried saving combofix as combofix.txt on download to try and fool the virus?

    Also running it in safe mode if you can.
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello HURST,

    Other than using Process Explorer to check for and/or terminate suspicious processes/applications, you may be interested in the following links below.

    http://gladiator-antivirus.com/forum/index.php?showtopic=73840
    http://gladiator-antivirus.com/forum/index.php?showtopic=73834

    If you have not yet done so, temporarily disable system restore and run both CCleaner(http://www.ccleaner.com/) and ATF-Cleaner(http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25 or http://majorgeeks.com/ATF_Cleaner_d4949.html) and perform all on-demand scans in safe mode.

    Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I ran ATF cleaner.
    The problem is that almost all tools that need an install end up with the "not a valid win32" message when I attempt to run them.

    I'm really thinking that zeroing the HDD and reinstalling the OS is the way to go, but now this has become a personal challenge :D

    I will check out your links, thanks
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Won't this cause any conflict between the OSs?

    Would the steps be:
    -boot my computer
    -plug the HDD
    -scan
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    If you don't have a USB enclosure and must use the IDE/SATA interface, it isn't very safe to be playing with the wires when the computer is on. If your BIOS is set to boot from the first master hard disk then you should be fine and it will boot into your normal OS.

    Otherwise use the downloadable CDs. I think they are actually an easier solution.
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yeah
    I'm downloading the 3 of them.
    Don't know why I didn't think of that o_O
    Thanks a lot for this. If it won't work, I'll try moving the HDD.
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I tried Avira RescueCD, and it found some Bagle-related files.
    It couldn't remove them so it renamed the files. After that I booted in safe mode and tried to run Kaspersky AVP tool, but it wasn't able to run. Avast couldn't run either.

    F-Secure BootCD didn't run, it hung loading the kernel.


    Because of my pride and my curiosity I'm now avoiding the reformat, but I realize that this will have to be done if I ever want to get some sleep again.


    BTW... it seems that the file Windows\system32\drivers doesn't exist... I can only find Windows\system32\spool\drivers
    I'm not familiar with Vista, is this normal?
     
  13. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello HURST,

    No, it is not normal as I have this folder in Vista 32 SP1. Have you checked to see if "Show hidden files and folders" is selected and "Hide extensions for known file types" is unchecked within Folder Options?


    Peace & Gratitude,

    CogitoErgoSum
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I have the option to "show system files" and "hide known extensions"
    But "show hidden files" is missing. Last night I found this weird, but I thought it was some "vista new feature" and haven't thought more about that.
    So I'll probably need a fix for this.:mad: :mad:


    EDIT: I manually restored the "show hidden files" option. Now I can see the hidden folders, but still I can't access many of them (for example: \start menu\ --- control panel is also crippled)

    Is there an app for Vista like there is xp_secconsole?
     
    Last edited: Jun 23, 2008
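Added example, not part of the thread and not a substitute for the xp_secconsole-style repair tool HURST asks about: a read-only Python audit of the Explorer and policy settings behind the symptoms reported in this thread (the "show hidden files" radio button gone, Control Panel crippled, firewall and Defender off). The registry locations are well-known Windows ones; the expected values are assumptions taken from stock Windows defaults, and which of them this particular infection actually touched is not known from the thread. On Windows it reads the live registry through `winreg`; elsewhere, or for a snapshot exported from an offline hive, it audits a dictionary. Both snapshots in the block are constructed, not captured.

```python
SHOWALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
FIREWALL = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

# (hive, subkey, value name, expected). Expected None means "absent or 0":
# a policy restriction that a stock system does not set. Assumed stock values.
EXPECTED = [
    ("HKLM", SHOWALL, "CheckedValue", 1),       # 1 makes "show hidden files" selectable
    ("HKLM", SHOWALL, "Type", "radio"),         # deleting Type removes the option entirely
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", None),
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", None),
    ("HKLM", FIREWALL, "EnableFirewall", 1),
]

def _key(hive, subkey, name):
    """Normalise a registry location; registry names are case-insensitive."""
    return (hive.upper(), subkey.lower(), name.lower())

def audit(snapshot):
    """Compare a snapshot {(hive, subkey, name): value} against EXPECTED.
    Returns one (subkey, name, observed, expected) tuple per deviation;
    a missing value is observed as None. Empty list means all stock."""
    findings = []
    for hive, subkey, name, expected in EXPECTED:
        observed = snapshot.get(_key(hive, subkey, name))
        ok = observed in (None, 0) if expected is None else observed == expected
        if not ok:
            findings.append((subkey, name, observed, expected))
    return findings

def read_live_snapshot():
    """Read the same locations from the running registry. winreg exists only
    on Windows; elsewhere this returns None so a saved snapshot is used."""
    try:
        import winreg
    except ImportError:
        return None
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey, name, _ in EXPECTED:
        try:
            with winreg.OpenKey(roots[hive], subkey) as k:
                value, _type = winreg.QueryValueEx(k, name)
        except OSError:
            continue  # key or value absent: leave it out of the snapshot
        snapshot[_key(hive, subkey, name)] = value
    return snapshot

def constructed_clean_snapshot():
    """Constructed: the checked values as a stock system would report them."""
    return {
        _key("HKLM", SHOWALL, "CheckedValue"): 1,
        _key("HKLM", SHOWALL, "Type"): "radio",
        _key("HKLM", FIREWALL, "EnableFirewall"): 1,
    }

def constructed_tampered_snapshot():
    """Constructed to resemble the symptoms in the thread; not a real capture."""
    snap = constructed_clean_snapshot()
    snap[_key("HKLM", SHOWALL, "CheckedValue")] = 0        # option no longer takes effect
    del snap[_key("HKLM", SHOWALL, "Type")]                # option vanishes from Folder Options
    snap[_key("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel")] = 1
    snap[_key("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware")] = 1
    snap[_key("HKLM", FIREWALL, "EnableFirewall")] = 0
    return snap

if __name__ == "__main__":
    live = read_live_snapshot()
    for finding in audit(live if live is not None else constructed_tampered_snapshot()):
        print("deviation: %s\\%s observed=%r expected=%r" % finding)
```

The audit only reports; putting values back is a separate, deliberate step, and a setting that returns to the tampered state after a reboot is the sign that whatever restores it (the rootkit the later replies point at) is still resident.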
  15. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Bagle is messing with your security applications. You need to remove the rootkit(s) first. Did you try any antirootkits? Why not go to a malware removal forum or avail of SAS's free support?

    thanatos
     
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yep I know bagle is messing up things, but I can't locate it.
    I ran GMER and RKU, but I can't exactly find out where the bad ones are, and I don't want to make things worse.
    As I'm writing here, I'm also posting on SAS forums.
     
  17. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello HURST,

    Have you downloaded and taken a look at the free AVZ Antiviral Toolkit?(http://64.233.179.104/translate_c?hl=en&langpair=ru|en&u=http://z-oleg.com/secur/avz/download.php); (File>System Restore>Restore system settings; among other things one can clear the HOSTS file, Automatically correct SPI/LSP Settings and Reset SPI/LSP & TCP/IP Settings)

    Have you downloaded and taken a look at the free Remove Restrictions Tool(RRT)?(http://www.softpedia.com/get/Security/Security-Related/RRT-Remove-Ristrictions-Tool.shtml)
    (*Note: Download free v1.0.4 from the Softpedia Secure Download (RO) location to obtain this version.);(Among other things, one can enable the Windows firewall.)

    Have you taken a look at SuperAntiSpyware free's(Preferences>Repairs tab)? (Among other things, one can enable Windows Control Panel and Repair broken Network Connections(WinSock LSP Chain.)

    Have you downloaded and taken a look at System Repair Engineer?(http://www.kztechs.com/eng/download.html)
    (Under System Repair, the Windows Shell/IE tab and the Advanced Repair tab may be of interest to you.)

    Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    CogitoErgoSum
    Thanks for the links
    Will start trying them out now :)
     
  19. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    OK.
    I'm done with this.

    Bottom line:

    AVZ found nothing, fell into a loop.
    SAS couldn't even install.
    MBAM can't run.
    CureIt finds nothing.
    AVP Tool can't run.
    Avira RescueCD found some traces but didn't solve the problem.
    F-Secure RescueCD didn't work.
    PCTools BootCD couldn't find partitions to scan.

    Folders are still locked.

    So, my patience and my lack of time are bigger than my curiosity and pride.
    Next step: Zero the HDD and clean install.

    I only have one question:
    Is it possible that the BIOS is infected? How can I check this? And fix it if needed?
     
  20. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Both BIOS by using BIOS's function and Boot Sector of a drive. Sounds like quite a bug!
     
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Last edited: Jun 25, 2008
  22. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Oh sorry, I meant both BIOS and the boot sector of a drive can get infected by rootkits.

    edit://Pulling out the BIOS battery for 10 minutes or so should allow it to return to default state. So if any nasty changes have been made, they will cease to exist.
     
    Last edited: Jun 25, 2008
  23. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, I know... That's why I want to know: how do I check the BIOS?
     
  24. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    F-Prot for DOS?

    I saw this in a forum:
    -Does anyone know which program is the best for checking a bios for virus infection?
    -F-PROT for DOS from http://www.f-prot.com/ is free for personal use. Take care and all the best
     
  25. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Thanks PiCo
    Will try it out
     