Very tricky malware - what is it? how do I recover? at the end of my wits...

Discussion in 'malware problems & news' started by hihat, Oct 24, 2010.

Thread Status:
Not open for further replies.
  1. hihat

    hihat Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    10
    I have downloaded an ebook from worid-of-ebooks.com.
    I shall not link to the link which brought disaster as I have read in the sticky post with the rules...
    Just search for "Raymond W. Bernard" on "worid-of-ebooks.com"... and only download the ebook if your protection is rocksolid. Mine (smart security 4 and adaware) was not! I didn't get any warning / complaint and opera executed the ebook which happened to be a .pdf.exe...

    Afterwards I had a security tool application which started from a file named with many random numbers (.exe) and was not in the program list... I deleted the process and the file and got rid of what I thought was just nagging shareware.
    I was forced to an abrupt reboot soon thereafter - I had a black screen. I first thought due to missing power but I had the power supply plugged in...

    When I rebooted I couldn't start programs anymore and couldn't copy files. The system startup got stuck when ESET Smart Security partially loaded, only to then report "error communicating with kernel" and stop. Only some system (Windows) programs started (taskmgr.exe did not, but after renaming it to iexplore.exe it did) and a few x64 versions like Internet Explorer 64-bit (no hope that it would install the ActiveX for an online scan). I started researching on the internet and have spent days, not hours, since then trying to get around reinstalling my system (Windows 7 64-bit with lots of software).

    I found many reports about malware in connection with that security tool application, but the proposed strategies didn't work. Even in safe mode, and making sure no questionable process was running, I couldn't run software from a USB stick nor from my system. I also couldn't uninstall Smart Security, although I tried to run the uninstaller program downloaded from eset.com (in safe mode too).

    I tried to run a malware remover from a USB stick, but even in safe mode and after renaming the files no software is loaded / running! I compiled an Ultimate Boot CD for Windows (ubcd4win) and cleaned 1 virus (buzus.duat or something) with Avira and some spyware found by SUPERAntiSpyware with it, but still the same behaviour. When I want to start egui.exe (in safe mode) nothing happens.

    My system seems to be messed up. There are no restore points, and when I try to repair Windows with the installation medium I get a complaint that the system is not compatible (although it's the disc I used for installing).

    Does somebody have an idea what kind of malware this could be?
    And a strategy for how to save my system and reinstall Smart Security?

    Any advice / help appreciated. I am a long-term customer of ESET software and this is the first time that I have had severe problems due to a threat from the internet. I currently don't know how to help myself.

    Thanks for hints.
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Rejuvenation.PDF.exe - 12/41, which drops the rogue AV "Smart Engine", which unfortunately is VM aware, but I did get it to partially install via Sandboxie with BSA/Hide Driver active.

    Defined file type created: C:\3aa568\mozcrt19.dll
    Defined file type created: C:\3aa568\SM3aa_2212.exe
    Defined file type created: C:\3aa568\sqlite3.dll

    SM3aa_2212.exe - 9/43

    All I can recommend at this stage is to either boot from a live CD and manually delete the created files above, or do a scan with an Avira Antivirus live CD, as that one seems to be hitting both the downloader and the main .exe.

    Edit:
    Malwarebytes Smart Engine Removal Guide

    (attached screenshot: Se1.JPG)
     
    Last edited: Oct 24, 2010
  3. katio

    katio Guest

    Reinstall and make regular backups from now on. There is no other easy way.
    Who knows what this SM3aa might have done to the system. Once infected it can't be trusted anymore, because OSs aren't verifiable.
     
  4. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Good link there Franklin

    Not to poke fun, but how ironic that ESET Smart Security gets "the boot" from Smart Engine! They continue to live on their past achievements and just aren't adapting like some of the others are.

    A few recommendations for you once you have recovered hihat:

    #1 - Do Not, I repeat, "DO NOT" rely on an AV to protect you. As you just discovered, you'll get the "short end" of the stick! Use them as an opinion and an opinion only, as they are built to fail based on their "reactive approach".

    #2 - Put your reliance instead on the pro-active approach. Virtualize your browsers and/or your entire system. Use virtual machines.

    #3 - Most importantly, don't put any reliance on Windows "System Restore". For anything major, it is utterly "useless". Put in place "full disk imaging" with the ability to go back in time to restore your machine to a clean state. This will clean and protect your machine better than any AV software will.
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    This family of rogues manipulates the Image File Execution Options registry settings to disable a lot of major security apps, which will never be able to start if their entry is in there.

    Malwarebytes does check and delete any entries in there.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    The best advice.

    I believe one should always configure their OS first. LUA, software restriction and sandboxing, along with an image of the system for backup, should come before anything else.
     
  7. hihat

    hihat Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    10
    Thanks for your efforts and for trying it out yourself. I guess they rotate the kind of kit they send you to download every once in a while. It happened last Wednesday or Tuesday and I had an application with only random numbers in the name. I had already deleted that and stopped all processes at that time. I searched for those filenames you listed from an "Ultimate Boot CD 4 Windows", with which I had done an Avira scan as well (there was a buzus.duat virus found and cleaned, without noticeable effect).

    I suspect I have a variant of the TDL3 rootkit adapted for x64, as Hitman Pro suggested, and as described in its behaviour (http://www.computersecurityarticles.info/antivirus/x64-tdl3-rootkit-follow-up/) I had an immediate reboot.

    I haven't resolved the situation yet but will try replacing the MBR...
     
  8. hihat

    hihat Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    10
    Thanks for the other advice as well. I indeed was kind of naive, thinking ESET Smart Security knows them all... I am learning some lessons the hard way right now... I have backups, but they are half a year old, and I have a limited account as well but for convenience didn't start using it. I was shocked at how cleverly this trojan was acting. No chance to start Malwarebytes. The only thing I managed to load was x64 Hitman Pro. Its competitors failed to start as well.

    What software would you guys recommend for sandboxed browsing and maybe for virus detection with an emphasis on rootkits, key loggers, trojans?

    Thanks again!
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    If it's possible to get into the Malwarebytes Programs folder, you could try renaming mbam.exe to iexplore.exe, firefox.exe, explorer.exe or mbam.com and see if you can get a scan up and running. Update first if possible?
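    Franklin's point about Image File Execution Options in post 5 and the rename trick in this post come down to one mechanism: when a process is created, Windows looks up the executable's file name under that key, and if the subkey carries a Debugger value, the program named there is started instead, with the original command line appended. Renaming mbam.exe to iexplore.exe works exactly when iexplore.exe has no such entry. The script below is an example added by the editor, not code from the thread or from Malwarebytes. It parses a `reg export` of the key, lists every image name that has a Debugger value, and writes a .reg file that deletes only those values. The sample export embedded in it is constructed, and the Debugger targets in it are illustrative. On a live system the export command is `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; from a boot CD, load the offline SOFTWARE hive with `reg load` under a temporary name first and export from there (the script only matches the tail of the key path, so the hive name does not matter).

```python
import re

# Constructed sample of a `reg export` of the IFEO key. The three "Debugger"
# entries are illustrative, not taken from the thread. A real export is
# UTF-16LE with a BOM; load_reg_export() decodes that.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"GlobalFlag"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines only; dword/hex values are not needed here.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
# Match the last two path components so a hive loaded from a boot CD under a
# different root name is handled the same as the live HKLM.
IFEO_IMAGE_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)


def _unescape(s):
    """Undo .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: string}}, keeping only REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_ifeo_debuggers(text):
    """Map lower-cased image name -> (full key path, Debugger target) for every
    IFEO subkey that sets a Debugger value."""
    hijacked = {}
    for key, values in parse_reg_export(text).items():
        m = IFEO_IMAGE_RE.search(key)
        if m and "Debugger" in values:
            hijacked[m.group(1).lower()] = (key, values["Debugger"])
    return hijacked


def build_cleanup_reg(hijacked):
    """Emit a .reg file that removes only the Debugger values (the `=-` syntax),
    leaving other settings such as GlobalFlag under the same subkey untouched."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in sorted(hijacked):
        lines += [f"[{hijacked[image][0]}]", '"Debugger"=-', ""]
    return "\n".join(lines)


def load_reg_export(path):
    """Read a file written by `reg export` (UTF-16 with BOM)."""
    with open(path, encoding="utf-16") as f:
        return f.read()


if __name__ == "__main__":
    found = find_ifeo_debuggers(SAMPLE_REG)
    for image, (_, debugger) in sorted(found.items()):
        print(f"{image:<14} -> {debugger}")
    print(build_cleanup_reg(found))
```

    Review the list before importing the cleanup file: developers legitimately put Debugger entries here to attach a debugger at start-up, so an entry is suspicious when it points at a system binary or at something you never installed, and the rogue's own files will not show up in this list at all. The thread also shows the limit of the technique: hihat could not start the tools even after renaming them, so on that machine IFEO was not the only thing blocking execution.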
     
  10. hihat

    hihat Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    10
    Thanks for the suggestion. I couldn't install it due to the restrictions described. I tried renaming the setup file in several ways without success.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe try Rkill.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You could also hold left Control and execute Hitman Pro, which does the same sort of thing as RKill in killing all malware processes, then try a scan with other security apps?
     
  13. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    +1 for giving Hitman Pro's Force Breach Mode a go (if you're dead-set on not wiping/nuking the drive and reinstalling Windows).
     
  14. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    If you can't remove it with ubcd4win, you could be in real trouble! If you want to try again, perhaps check here for more tips. Basically run SAS, then Dr.Web CureIt.
    Also consider rootkitty, since that should give you 2 lists of files which you can run a diff on, and then remove the likely offenders. Good luck.
     
  15. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    Also, you might try this but I don't know how old that advice is. They imply the rogues aren't that difficult to remove. Yours sounds worse than they suggest.
     
  16. hihat

    hihat Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    10
    Thanks again for your very much appreciated support.
    I managed to start my system again, including most programs, thanks to CureIt from Dr.Web, the only software I tried that discovered and cleaned the TDSS, which was already suspected by Hitman (but which didn't remove it)... I still had to repair the MBR, respectively the boot loader, after the MBR manipulated by the TDSS was replaced by CureIt, but for the first time my Windows 7 64-bit installation DVD let me do that. When I tried before (as I had replaced the MBR several times myself with no luck but bluescreens on booting thereafter, so that I was forced to restore the infected MBR), I was told the system was not compatible, but I had the original medium and tried every Win7 64 installation DVD I had. I ask myself whether this was due to an MBR comparison by the system...

    RKill, Malwarebytes and SmitFraudFix didn't install, neither with ubcd4win nor in safe mode, before CureIt had done its job.

    The links were good, but somewhat outdated. I already followed these videos in my very first attempts before I found this forum.

    So this was a somewhat shocking experience with a TDL3 for 64-bit! I am still not an expert, although a never-give-up end user with an interest in technical questions, and I learnt something from it. Above all that the traditional AV applications have a big problem at hand. Although I had a fairly good one, fully updated and activated, it did just nothing when the rootkit installed, overwrote the MBR and forced an immediate reboot of the machine. It also did not recover to function when most of my system did - still "error communicating with kernel", so that I could only remove it in safe mode (which was prohibited as well before Dr.Web did the job). I wonder how many people who do not want to bother will run into similar problems, and what the karma of people distributing such rootkits is, thinking of all the time stolen from rather innocent PC users (and probably AV licence payers)...

    Your help was deeply appreciated, god / life / spirit or whatever you believe in bless you.

    David
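    hihat's recovery turned on the boot sector the rootkit had overwritten, and on not being able to tell a good MBR from a bad one while the machine was offline. The Python script below is an example added by the editor, not something anyone in the thread posted. It parses a 512-byte MBR, hashes the boot-code region (bytes 0 to 439) separately from the partition table, and compares a sector dumped from the suspect disk against a baseline saved while the machine was known clean, for instance `dd if=/dev/sda of=mbr.bin bs=512 count=1` from a Linux live CD. Both sample sectors are constructed: the boot bytes are a generic real-mode prologue padded with NOPs, not the real Windows 7 boot code, and the partition layout is invented.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: the boot code, which is what a bootkit rewrites
DISK_SIG_OFF = 440             # 4-byte disk signature, followed by 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Split one 512-byte sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing: not a valid MBR")
    partitions = []
    for slot in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Report which regions differ between a known-good sector and a suspect one."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
        "partition_table_changed": b["partitions"] != c["partitions"],
        "disk_signature_changed": b["disk_signature"] != c["disk_signature"],
    }


def make_sector(boot_code, entries, disk_signature=0x1234ABCD):
    """Assemble a 512-byte MBR from constructed parts (sample data, not a real disk)."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    table += b"\x00" * (64 - len(table))  # unused slots are zero
    return boot_code + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE


# Constructed baseline: cli / xor ax,ax / mov ss,ax / mov sp,7C00h then NOP padding.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 8)
# Constructed "infected" copy: partition table untouched, boot code patched with a
# short jump at offset 3, the shape of change a bootkit makes.
_tampered = bytearray(CLEAN_BOOT_CODE)
_tampered[3:5] = b"\xeb\x30"
TAMPERED_BOOT_CODE = bytes(_tampered)
# (status, type, lba_start, sectors): one bootable NTFS partition and one data partition.
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]

BASELINE_MBR = make_sector(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
INFECTED_MBR = make_sector(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)


def read_first_sector(path):
    """Read the first 512 bytes of a raw device or of an image dumped with dd."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    for name, changed in compare_mbr(BASELINE_MBR, INFECTED_MBR).items():
        print(f"{name:<24} {changed}")
    for p in parse_mbr(INFECTED_MBR)["partitions"]:
        print(p)
```

    The tell-tale pattern for a bootkit of the kind discussed here is boot code changed while the partition table is unchanged: the layout has to stay intact for Windows to keep booting. A deliberate repair such as `bootrec /fixmbr` from the Windows 7 Recovery Environment rewrites the boot code too, so take a fresh baseline after any repair you make yourself. The comparison only says that the sector differs from your baseline; it says nothing about what else the rootkit installed, which is why the fresh image tobacco recommends remains the safe end state.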
     
  17. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Good Job :thumb:

    Now get on that fresh image :D
     
  18. Pandorian

    Pandorian Registered Member

    Joined:
    Sep 25, 2009
    Posts:
    11
    @hihat

    Did you have UAC enabled on your Windows 7 installation?
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Good work and glad you got it sorted. :)

    Did the rootkit get installed with the installation of the rogue AV?
     
  20. hihat

    hihat Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    10
    I make use of UAC, but I was logged in as an administrator user when that happened. I can't tell for sure whether it was the rogue AV that brought in the rootkit, but as it happened just after the rogue AV was installed, I have to guess so.
    Winsock and wireless use (I could only switch from disabled to deactivated and not open the properties for the wifi network device) were destroyed as well; I got that fixed with a small freeware "winsocksfix for windows 7" I found on the net.
    So as soon as I get everything straight I am eager to make my next backup...
    Thanks again!
     