
Need help with CLOAKED malware

  1. #1
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29

    Need help with CLOAKED malware

    Hi, I am having a problem with a virus/malware that appears to be cloaked according to some tools like Exterminate It! and CSI. No other antivirus software manages to remove it. I get the message "computer shutdown 1:00 minute" but I manage to stop it using the shutdown -a command. So far I have tried AVG, Avast, Malwarebytes, Spybot, McAfee and others with no result.

    I can't upload my logs as I get this error on this forum: "Bobrowo, you do not have permission to access this page. This could be due to several reasons:"

    Thanks
    Last edited by Bobrowo; 16.02.2009 at 20:47.

  2. #2
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    OK, here are my logs.
    Attachments

  3. #3
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    When did you do Windows update? I see you don't have SP3 at all.
    Remember: before launching avz you should always unload/disable all your protection software.
    Please execute this script in avz (how-to: http://virusinfo.info/showthread.php?t=9207):
    Code:
    begin
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      QuarantineFile('C:\System Volume Information\_restore{D58645F6-0897-4594-B262-E3E5BC665738}\RP72\A0056604.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\DRIVERS\tcpip.sys','');
      QuarantineFile('C:\WINDOWS.0\0\system32\ntkrnlpa.exe','');
      QuarantineFile('C:\WINDOWS.0\0\system32\ntdll.dll','');
      QuarantineFile('C:\WINDOWS.0\0\system32\hal.dll','');
      QuarantineFile('C:\WINDOWS.0\0\system32\BOOTVID.dll','');
      QuarantineFile('C:\WINDOWS.0\System32\Drivers\aney2j27.SYS','');
      BC_ImportAll;
      BC_Activate;
      RebootWindows(true);
    end.
    Your system will reboot. Don't worry, this script is for copying; it will not solve your problem immediately.

    Upload all quarantined files according to Appendix #3 of the Rules: http://virusinfo.info/showthread.php?t=9184, using http://virusinfo.info/upload_virus_eng.php?tid=39828

    Let us know when you are done.
    Last edited by drongo; 16.02.2009 at 21:24.

  4. #4
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    I haven't done Windows update in a long time, didn't even realise SP3 was out!

    I have run the script and uploaded the quarantine files as requested.

  5. #5
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    Uninstall Kaspersky Virus Removal Tool along with the other antiviruses - they just make a mess in the logs.
    Please download the special version of avz from my signature and keep using it.
    Disable system restore and internet, launch the avz special version and execute this script:
    Code:
    begin
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      DeleteFile('C:\System Volume Information\_restore{D58645F6-0897-4594-B262-E3E5BC665738}\RP72\A0056604.dll');
      DeleteFile('C:\WINDOWS.0\System32\Drivers\aney2j27.SYS');
      BC_ImportDeletedList;
      BC_DeleteSvc('aney2j27');
      ExecuteSysClean;
      BC_Activate;
      ExecuteRepair(6);
      ExecuteRepair(8);
      ExecuteRepair(9);
      SetAVZPMStatus(true);
      RebootWindows(true);
    end.
    System will reboot.
    Launch your internet browser (IE, Firefox, etc.) and create a new virusinfo_syscure.zip.
    Attach it to your next reply.
    Last edited by drongo; 17.02.2009 at 14:46.

  6. #6
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    After running the last script and rebooting I still get "NT AUTHORITY\your computer will shutdown in 1:00 min"

    I have uploaded the latest syscure using your avz.
    Attachments

  7. #7
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    Very good, at least now I am able to see some interesting files. Let's try to copy them for investigation.
    Execute this script in special avz:
    Code:
    begin
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      QuarantineFile('C:\WINDOWS.0\system32\athgina.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\drivers\UACxtlwbymb.sys','');
      QuarantineFile('C:\WINDOWS.0\System32\drivers\f2773d53.sys','');
      QuarantineFile('C:\WINDOWS.0\System32\drivers\ecab543b.sys','');
      QuarantineFile('C:\WINDOWS.0\System32\drivers\7ea20a86.sys','');
      QuarantineFile('C:\WINDOWS.0\system32\MsSip3.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\MsSip2.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\MsSip1.dll','');
      BC_ImportAll;
      BC_Activate;
      RebootWindows(true);
    end.
    Please send the quarantine according to Appendix #3 of the rules by this link: http://virusinfo.info/upload_virus_eng.php?tid=39828
    Let us know when you are done.
    Last edited by drongo; 17.02.2009 at 18:01.

  8. #8
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    Files uploaded.

  9. #9
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    OK, according to Kaspersky, UACxtlwbymb.sys is a rootkit - Rootkit.Win32.TDSS.gwh; all the rest don't even exist, just traces. Let's delete them all.
    Please execute this script:
    Code:
    begin
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      DeleteFile('C:\WINDOWS.0\system32\drivers\UACxtlwbymb.sys');
      DeleteFile('C:\WINDOWS.0\system32\athgina.dll');
      DeleteFile('C:\WINDOWS.0\System32\drivers\f2773d53.sys');
      DeleteFile('C:\WINDOWS.0\System32\drivers\ecab543b.sys');
      DeleteFile('C:\WINDOWS.0\System32\drivers\7ea20a86.sys');
      DeleteFile('C:\WINDOWS.0\system32\MsSip1.dll');
      DeleteFile('C:\WINDOWS.0\system32\MsSip2.dll');
      DeleteFile('C:\WINDOWS.0\system32\MsSip3.dll');
      BC_ImportDeletedList;
      BC_DeleteSvc('UACxtlwbymb');
      ExecuteSysClean;
      BC_Activate;
      ExecuteRepair(6);
      ExecuteRepair(8);
      ExecuteRepair(9);
      RebootWindows(true);
    end.
    After restart, please make the full set of logs according to the rules and attach them to your next post.
    Finally we did find your CLOAKED malware :-) Let's see if it cloaks something interesting.
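    A defender-side counterpart to the sequence drongo follows in this thread (QuarantineFile first, DeleteFile only after the copy has been uploaded and checked), written as an added example that is not part of this thread and not AVZ's own code. It triages a directory listing for the file-name shape the thread shows (a UAC prefix, random letters, a .sys/.dll/.dat extension), copies each candidate into a quarantine folder under its SHA-256 hash with a JSON manifest, verifies the copy and only then removes the original. Paths that are reported but no longer exist are recorded as "missing" instead of failing, which is the "just traces" case above. The regular expression, the demo() helper, the temp-directory layout and the file contents are my own constructed assumptions; only the file names come from the thread.

```python
import hashlib
import json
import re
import shutil
import tempfile
from pathlib import Path

# Constructed triage filter based on the names reported in this thread: a
# "UAC"/"uac" prefix, a short run of letters, and a .sys/.dll/.dat extension.
# It selects candidates for quarantine and scanning; it is not a verdict.
TDSS_NAME = re.compile(r"^uac[a-z]{1,12}\.(sys|dll|dat)$", re.IGNORECASE)


def suspicious_names(listing):
    """Return the listing entries whose base file name matches TDSS_NAME."""
    return [name for name in listing if TDSS_NAME.match(Path(name).name)]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_files(paths, quarantine_dir, delete_originals=False):
    """Copy each existing file into quarantine_dir and write a manifest.

    Each copy is stored under its hash with a neutral extension so it can be
    shared and cross-checked, and the original is removed only after the copy
    has been re-hashed and matches.  Paths that are no longer present are
    listed under 'missing' rather than treated as errors.
    """
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = {"quarantined": [], "missing": [], "errors": []}
    for original in (Path(p) for p in paths):
        if not original.is_file():
            manifest["missing"].append(str(original))
            continue
        try:
            digest = sha256_of(original)
            stored = qdir / f"{digest}_{original.name}.quarantined"
            shutil.copy2(original, stored)
            if sha256_of(stored) != digest:
                raise OSError("quarantine copy does not match the original")
            manifest["quarantined"].append({
                "original": str(original),
                "sha256": digest,
                "stored_as": str(stored),
                "size": original.stat().st_size,
            })
            if delete_originals:
                original.unlink()
        except OSError as exc:
            manifest["errors"].append({"path": str(original), "error": str(exc)})
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Build a constructed system32 tree in a temp dir and run the workflow."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    sys32 = root / "WINDOWS.0" / "system32"
    (sys32 / "drivers").mkdir(parents=True)
    # Constructed file contents; the names are the ones reported in the thread.
    (sys32 / "drivers" / "UACxtlwbymb.sys").write_bytes(b"constructed driver body")
    (sys32 / "uacalouuyku.dll").write_bytes(b"constructed dll body")
    (sys32 / "kernel32.dll").write_bytes(b"constructed benign file")
    listing = [str(p) for p in sys32.rglob("*") if p.is_file()]
    candidates = suspicious_names(listing)
    # A path that was reported but never existed, like the "just traces" entries.
    candidates.append(str(sys32 / "MsSip1.dll"))
    manifest = quarantine_files(candidates, root / "quarantine", delete_originals=True)
    manifest["still_present"] = [p for p in candidates if Path(p).is_file()]
    manifest["benign_untouched"] = (sys32 / "kernel32.dll").is_file()
    return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The manifest is what you would send along with the quarantine archive: it ties each stored copy to its original path, size and hash, so whoever scans the samples can confirm they are looking at the same bytes that were on the disk before deletion.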

  10. #10
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    OK, I have run your script and upon restart that "system shutdown 1;00min" doesn't appear anymore!
    I have attached the log files and a jpg file, Virus_Screen.jpg; it's a screenshot of what the Exterminate It! program found before I started this thread. The reason I am attaching the file is that this program found lots of files relating to this UAC virus and the file "UACxtlwbymb" that you found and deleted. Now, the program says the files are in windows\temp but I do not see them even with the "view hidden files" option enabled. Should I be concerned about this, or is that a false reading by the Exterminate It program?

    Thanks
    Images
    Attachments

  11. #11
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    Let's find out together:
    execute this script:
    Code:
    begin
      clearquarantine;
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      QuarantineFile('C:\WINDOWS.0\system32\uacalouuyku.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\uacfpmnvmfd.dll','');
      DeleteFileMask('%tmp%','*.*',true);
      BC_ImportAll;
      BC_Activate;
      RebootWindows(true);
    end.
    Please upload the new quarantine.
    Fix in HijackThis:
    Code:
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    Uninstall your old antivirus and firewall; these programs should always be updated to the latest versions.
    Don't install every program that you may find. Adware and Spybot, Exterminate It! etc. -> uninstall all.
    Remember one simple rule: no overlapping. 1 antivirus + adware, 1 firewall etc., or all of them in one product. I prefer Kaspersky, but it is up to you.
    Do system update too.
    SP3:
    http://www.microsoft.com/DownLoads/d...displaylang=en The better way to install it is in safe mode (press F8 after restart, before Windows loads),
    and all other system updates.
    Last edited by drongo; 17.02.2009 at 23:29.

  12. #12
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    New quarantine files uploaded.

  13. #13
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    Exterminate It - much improved in detection, it is real malware. According to Kaspersky it is Rootkit.Win32.TDSS.eyj.
    Here is the script for curing:
    Code:
    begin
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      DeleteFile('C:\WINDOWS.0\system32\uacalouuyku.dll');
      DeleteFile('C:\WINDOWS.0\system32\uacfpmnvmfd.dll');
      BC_ImportDeletedList;
      ExecuteSysClean;
      BC_Activate;
      SetAVZPMStatus(false);
      ExecuteStdScr(6);
      ExecuteRepair(6);
      ExecuteRepair(8);
      ExecuteRepair(9);
      RebootWindows(true);
    end.
    After this script, I wonder what your Exterminate It will tell.

  14. #14
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    Hi, I have run your script.
    It appears I got confused a bit, and it turns out that the screenshot I uploaded before was not from Exterminate It but from a program called Prevx CSI. I am uploading jpgs of the results of both of these programs after I ran your script. It appears they both detect this UAC virus and some other things.
    Images

  15. #15
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    Well, they are showing different files.
    Please execute this script:
    Code:
    begin
      clearquarantine;
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      QuarantineFile('C:\WINDOWS.0\system32\uacalog.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\uacfruosurp.dll','');
      QuarantineFile('C:\WINDOWS.0\system32\famzwon.sys','');
      QuarantineFile('C:\WINDOWS.0\system32\uacqrdkberq.sys','');
      QuarantineFile('C:\WINDOWS.0\System32\drivers\UACd.sys','');
      QuarantineFile('C:\WINDOWS.0\System32\UACpwqwmqpp.dat','');
      DeleteFile('C:\WINDOWS.0\system32\uacalog.dll');
      DeleteFile('C:\WINDOWS.0\system32\famzwon.sys');
      DeleteFile('C:\WINDOWS.0\system32\uacqrdkberq.sys');
      DeleteFileMask('%tmp%','*.*',true);
      BC_ImportDeletedList;
      ExecuteSysClean;
      BC_Activate;
      ExecuteRepair(6);
      ExecuteRepair(8);
      ExecuteRepair(9);
      RebootWindows(true);
    end.
    Upload the quarantine.
    Please download the latest avptool http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/, install it in safe mode and scan your drives. Cure what it finds. Uninstall it (just click on the "complete protection" button, click yes, and restart).
    Also, please scan all your drives in safe mode with CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/setup.exe) and cure what it finds.
    After that make a new set of logs.

    Very important:

    I have been consulting with the author of avz about your case; the reason avz doesn't see the malware is simple: your antivirus McAfee is blocking avz from working properly.
    Please go to Add/Remove Programs and completely uninstall McAfee, then restart. Only after this step, please execute my script in the previous post and make a new set of logs.
    Last edited by drongo; 19.02.2009 at 21:15. Reason: Added

  16. #16
    Junior Member
    Registered: 16.02.2009
    Posts: 9
    Reputation weight: 29
    I have removed McAfee and ran the Kaspersky tool and CureIt and then your script. There is only one file in quarantine; I guess CureIt deleted the others. Exterminate It and CSI don't seem to report any more UAC files, but they do report this file as still being around despite running your script: C:\WINDOWS.0\system32\famzwon.sys.

    I am attaching the logs and the quarantine file.
    Attachments

  17. #17
    Senior Member drongo
    Registered: 17.09.2004
    Location: Israel
    Posts: 7,165
    Reputation weight: 967
    At least a couple of rootkits we did defeat.
    In the last log I still see a lot of hooks from your ZoneAlarm firewall; perhaps it is cloaking something too.

    Uninstall it.
    Disable TeaTimer, Exterminate It and CSI from running.
    Execute this script.
    Code:
    begin
      clearquarantine;
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      QuarantineFile('C:\WINDOWS.0\system32\famzwon.sys','');
      DeleteFile('C:\WINDOWS.0\System32\UACpwqwmqpp.dat');
      DeleteFile('C:\WINDOWS.0\System32\famzwon.sys');
      BC_DeleteSvc('famzwon.sys');
      BC_ImportDeletedList;
      ExecuteSysClean;
      BC_Activate;
      ExecuteRepair(2);
      ExecuteRepair(6);
      ExecuteRepair(8);
      ExecuteRepair(9);
      SetAVZPMStatus(true);
      RebootWindows(true);
    end.
    Upload the new quarantine.
    Make a new virusinfo_syscure.zip.
