Просмотр полной версии : Maybe, Trojan Downloader.

28.02.2008, 03:03
This is a virtualized malware infection!! This must be at the top of the list of difficult to clean.
Maybe, Trojan Downloader. Attaches to partitions and attached drives. May have stealth or defense. Cripples KAV 7.0. Affects web connections to anti spy and like sites.
Does not like Returnil with vista, crashes my computer, only possible to reinstall OS.

Sorry I can't be more specific, I have wiped the original install that the infector came from. Too scared to plug in usb flash, unless I plan to wipe.

I have plugged it in to reinfect myself. :crazy: I know.

and pinfect.zip.

Upon load it takes a snapshot of everywhere. **[{update--It is doing this to virtualize the computer for self preservation}]**So I guess it is determining a course of action by gathering information. A report is probably sent to someone, then Pinfect.zip appears later. It's not a virus, some type of RAT. The root never seems to leave, which means it probably is on a device, or peripheral device. That explains why crashes occur with Returnil, because they are inside already. With virtualization they can't update their root with more tools. Eventually they will get to a point where they will install a frag router if I compensate for the infection. I currently cannot access online security scanners, Trend, Panda...this occurring from the root portion. Which means they are using java in some way to manage my computer. My ability to help myself is injured.

I feel there is a part A and Part B. A. being a rootkit that is independent of the infection. B. is the Trojan downloader.
The rootkit is interfering with the function of the security tools, like AVZ, Gmer, RKR, RKHookanalyzer, Raide, Vice, HJT, and online scans, Trend, Panda and the like. That explains why crashes occur with Returnil, because they are inside already. With virtualization they can't update their root with more tools.

The reason I know what the Trojan does, I have plugged the flash drive in while running Process monitor. To determine what occurs. It checks everywhere, systematically.

This is where HJT is storing the Hijackthis Log-
C:\Users\N00dleIT\AppData\Local\VirtualStore\Progr am Files\Hijackdis\hijackthis.log
Too long to be the HJT folder.

These scans-----v will not show anything in a virtualized malware infection!!!

01.03.2008, 11:17
Execute in AVZ:

SearchRootkit(true, true);
QuarantineFile('C:\Users\N00dleIT\AppData\Local\Te mp\ECAAMBP.exe','');
QuarantineFile('C:\Users\N00dleIT\AppData\Local\Te mp\UUBREX.exe','');

Send the quarantine according to the rules - http://virusinfo.info/upload_virus_eng.php?tid=18811

01.03.2008, 13:12
Strange thing occured. I ran the script, it rebooted.
After the reboot this message appeared:

Toshiba flash card could not be started.
Close the program and check for a solution online
Close the program <----I chose this.****

Problem signature:
Problem Event Name: BEX
Application Name: TCrdMain.exe
Application Version:
Application Timestamp: 46529c16
Fault Module Name: mscorwks.dll
Fault Module Version: 2.0.50727.312
Fault Module Timestamp: 45372457
Exception Offset: 00226cd3
Exception Code: c0000409
Exception Data: 00000000
OS Version: 6.0.6000.
Locale ID: 1033
Additional Information 1: d637
Additional Information 2: f0c24c321e1d972d395dee47d493e07e
Additional Information 3: 4421
Additional Information 4: 8848fe80b1d05c672b12c7817a4b4986

Read our privacy statement:

I went to AVZ Quarentine folder view, empty. Checked the physical location, because there is a virtual part to this infection. There is a modify date of 3/1 but no files. I checked some of the virtual locations to see if it were there, no luck.

01.03.2008, 16:59

Can you pack them manually and send? Don't forget to protect quarantine by password "virus"

02.03.2008, 12:49
Those Two files do not exist at that location. Either through AVZ or windows search.
I did some research and found these files on my computer:


Apparently, it may be a Virtuamonde infection as referenced here:

This file is not found on google: uzm2ndi3.sys
It exists on my computer at this location: C:\Windows\System32\drivers\uzm2ndi3.sys
Zero information is a bad thing?

The original threat probably had been crafted in Javascript as part of a web page.
Are there limits to the type of threat developed in Javascript?

This is not good:
The presentation will first present how to generically (i.e. not relaying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally singed code to be loaded into kernel. The presented attack does not requite system reboot.

Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth.
Subverting Vista Kernel For Fun And Profit
Joanna Rutkowska, Senior Security Researcher, COSEINC

Добавлено через 11 часов 22 минуты

I scanned with MWAV/Escan and there were some hits.
Here are the highlights:
Object "kazaa Spyware/Adware" found in file system
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in file system
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in file system
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\vsavb 7rt.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\syste m.enterpriseservices.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\mscor rc.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\mscor dbi.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\mscor sec.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\syste m.configuration.install.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\micro soft.vsa.vb.codedomprocessor.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\wmine t_utils.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\micro soft.jscript.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\diasy mreader.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\iehos t.dll"
Entry "HKLM\Software\Microsoft\Windows\current version\SharedDlls" refers to invalid object "C:\Windows\Microsoft.NET\Framework\V1.0.3705\syste m.data.dll"
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ins taller\Folders" refers to invalid object "C:\Programdata\Kaspersky Lab\AVP7\Data"
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Ins taller\Folders" refers to invalid object "C:\Programdata\Kaspersky Lab\AVP7\Dskm"
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".22"
" " ".C7483456-A289-439d-8115-601632D005A0"
" " ".rar"
File "C:\Program Files\Toshiba\Configfree\CFSSERV.EXE" infected by "NULL.Corrupted" Virus!

I can't attach the Log. The .txt is 10.8MB and the .zip is 755kb. The available space is 355kb

02.03.2008, 21:45
This file is not found on google: uzm2ndi3.sys
That is AVZ driver.


Pack the sysinfo.txt and attach it

02.03.2008, 22:19
Here you go.

02.03.2008, 23:35
Mmm... nothing strange.
So, what are the reasons that make you sure in infection?

03.03.2008, 10:38
1. Hijackthis saves log reports not in C:\Program Files\Trendmicro\Hijackthis, but in C:\Users\N00dleIT\AppData\Local\VirtualStore\Progr am Files\Hijackdis\hijackthis.log. I did not set it this way it did this by it self. As far as I know, it is not supposed to do that.
Does that mean some type of virtualization?
Previously on this computer it saved logs where it was supposed to.

2. All Vista compatible Rootkit scanners do not work properly. including AVZGuard.

Gmer shows some issues but does not highlight in red problems. It shows export tables and ntdll.dll hook.
Rootkit Revealer runs in a different window, I get, Interactive Services Dialog Detection, the screen blanks out and the scan is performed in a different environment, finding 285,000+ discrepencies.
VICE opens but will not run.
RAIDE opens but does not run.
RK Hook Analyzer is directly affected by the virtualization and does not run.
RKU in combination with Webroot Registry guard, if I allow the random file it does not run. If I don't allow the the random file it will produce results.
Rogue Remover, the scan takes only 2 seconds to complete, literally and finds nothing.
Combofix originally would not run, so I waited a week and downloaded again, it worked this time but am not sure if it cleaned the trojan infection. It definately had no effect on the Rootkit.
HijackThis is affected by the virtualization, saving the file in a place called virtual store instead of the root folder where the program is installed; C:\Users\N00dleIT\AppData\Local\VirtualStore\Progr am Files\Hijackdis.
AVZ Runs but the AVZGuard driver is not allowed to load. Also detects export tables and an API CODE HIJACK ntdll.dll.
F-Secure Blacklight runs but shows nothing.
Panda, before the not working Combofix, I could get to the website but not click the scan button. After the working version of Combofix it would open a window that would stay blank. I believe Java is involved.
Trend Micro Housecall 6.6, I can get to the Java kernal page but after that it does not function as it should. And this window pops up:

Java Plug-in 1.6.0_04
Using JRE version 1.6.0_04 Java HotSpot™ Client VM
User home directory = C:\Users\N00dleIT

c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>

2008-02-28 19:35:19.726 SEVERE [java:hc.util.MachineInfo] Cannot get hostid for using commandline utility (Return code:0 ) stdout:[] stderr:[]
2008-02-28 19:35:19.729 SEVERE [java:hc.util.MachineInfo] Cannot run program "C:\Users\N00dleIT\.housecall6.6\getMac.exe": CreateProcess error=5, Access is denied
2008-02-28 19:35:23.33 SEVERE [java:hc.impl.lib.activeupdate.UpdateImpl#Native] Update error=19, ActiveUpdate was unable to execute the patch update module. It may be missing or non-executable.

Process Monitor, and it shows "service" opening every reg key, open, enum,close, on occasion create. It also did it with every file. This when I intentionally installed the infected usb flash drive so that Process Monitor could see what was occurring.
These are the files that the trojan infection places on the computer:
logo1_.exe - a folder 11:57pm
rundl132.dll - a folder 11:57pm
rundll16.exe - a folder 11:57pm
zts2.exe - a folder 11:57pm
Lic.xxx - a 1k file 11:57pm containing:
iifgfgf.dll - a folder 11:57pm
sol374 - a folder 11:57pm
systems - a folder 11:57pm
vcmgcd32.dll - a folder 11:57pm
si - a folder 11:43pm
tmp - a folder 11:34pm
pinfect.zip .98megabytes 11:54pm

3. My HD cranks during periods of inactivity. It used to crank all the time, but after saying something on the forums that changed.

It has something to do with virtualization on my system. I have not set up any virtualization. No Returnil, No BufferZone, No Deep Freeze, No Virtual PC, NO Virtual Machine, and yet files are duplicated and security tools do not work.

It is Virtualization Malware.

Of course, all of this is just my uneducated opinion.

I purchased my first computer in 2002, a lap top in 2003, both were 0wn3d before I heard about a virus scanner or a firewall. I have been behind the entire time and it sucks.

I was at another forum and somebody crafted something specifically for my box. He is a developer of OS. He was attacking me, and I fought back. For my ideas and my position and openly targeted him. This guy pretty much Runs the Forum, he is many of the posters. After the altercation, He, inpersona, or a friend, in a post that I was asking for help, suggested that I go to an off forum web page, for information that he could have posted on the site. That is when I got this thing, the virtual malware.

Not only have I wiped the computer twice since then, I have change the HD and memory. The anti rootkits not working behavior continues acrossed this.
For the uneducated part I did reconnect to the internet with not much security. So if the issue is in a peripheral device like a Modem or router, when I download anything I would become infected.

If anything else occurs inside my squirrel exerciser, I will post it here. I just hope I am not a lab mouse helping the scientists to improve the maze.

I am happy that you are looking into this. Thank you for your help.

Добавлено через 2 минуты


03.03.2008, 18:17
1. Where HiJackthis.exe is saved itself?
2. Do you run these antirootkits as "Run as administrator"?

04.03.2008, 00:27
1. Where HiJackthis.exe is saved itself?
2. Do you run these antirootkits as "Run as administrator"?

1. C:\Users\N00dleIT\AppData\Local\VirtualStore\Progr am Files\Hijackdis\hijackthis.log

Executing, Scan and save a log- the scan occurs, the notepad log opens but is blank. When I looked in the programs folder there was no log file. I had to search for something else, all .txt and found the hijackthis log by accident.

2. I have done both just run and "Run as administrator" the results are the same.
What bug in Vista would cause Rootkit Revealer to run in an altered environment?
Does Vista use Virtualization as security that gets hijacked by malware?

Is it possible that two installs are running, Vista and WinPE? Not a virtualization but two environments alternating depending on what is running. When security tools are executed in one environment they are run in the other.
One of the tools reports that a usb drive is installed when none is. This would be where the alternate OS is installed from.

Found this:
Implementing malware with virtual machines

We evaluate a new type of malicious software that gains
qualitatively more control over a system. This
new type of malware, which we call a virtual-machine
based rootkit (VMBR), installs a virtual-machine monitor
underneath an existing operating system and hoists
the original operating system into a virtual machine.

The garbage collector (GC) [13] is an important part of the JVM and is responsible for automatic reclamation of heap-allocated storage after its last use by a Java application. Various aspects of the GC and heap subsystems can be congured at JVM runtime. This allows control over the amount of memory in the embedded device that is available to the JVM,the object allocation strategy, how often a GC cycle is triggered, and the type of GC invoked. We exploit the interaction of these tunable parameters along with a banked-memory organization to effectively reduce the memory energy (leakage and dynamic) consumption in an embedded Java environment.

I believe that Java is involved (posted earlier). I believe that embedding is involved (also posted earlier), but now think it is in a different manner than I originally thought, not a custom crafted rootkit, but using proven techniques I had no knowledge of. The techniques utilize newer methods not well known among the general masses (Me, for one), including the implementation of embedded java and a Virtual Machine Monitor or Virtual Machine Emulation at a Lower Layer. It is extremly likely a rootkit of this type.
The individual who crafted this isn't worried about its discovery, which explains why it is buggy with respect to security tools; Or, he wasn't very thorough due to a laziness that all of us succumb to from time to time, showcasing its less than seamless integration.
My money is on the latter of course, because these type of programmers live in a self deluded world of invincibilities predominantly fostered by there ill-stroked egoes. :P

So where on this laptop would it be? Since java was used, it is probably on a java embedded device. Would that device be bluetooth?

Your input rubin is greatly appreciated.

04.03.2008, 13:33
1. C:\Users\N00dleIT\AppData\Local\VirtualStore\Progr am Files\Hijackdis\hijackthis.log
It is saved in the same directory, as HiJackthis itself, am I right?

I can't speak about Vista surely cause I have no experience... but it restricts user and running soft greatly - it can be the reason of the bad antirootkits' work

04.03.2008, 21:37
Hijackthis program is here---v
C:\Program Files\Trendmicro\Hijackthis

Log files get saved here----v
C:\Users\N00dleIT\AppData\Local\VirtualStore\Progr am Files\Hijackdis\hijackthis.log

The scan occurs, the notepad log opens but is blank. When I looked in the programs folder, where hijackthis is, there was no log file. I found the log file accidentally searching for something else.

I have found these in services, in the administrative tools of control panel. I have disabled them in the properties menu.

Would you like a services log from Hijackthis?

Sorry about my novel, I will work on reducing that type of input. Maybe write in notepad before posting.

Update from RKR folks:
RKR uses an interactive service. Services in Vista run in session 0, and session 0 isolation in Vista means that interactive services can't display a UI in the user's session. So ui0detect.exe detects that the RKR service is trying to interact with the user, and presents the "Interactive Services Dialog Detection" message you see.

concern-Its malware, causing this. ahh

reply-Not likely causing this specific behavior.

concern-I have two unknowns in services, have disabled them via properties. ECAAMBP and UUBREX

reply-Sounds like leftover RKR services.

My noobness is shining through.

06.03.2008, 10:58
rubin, and all. Thank You for your kind assistance. I have found a helper on another forum. I know rubin your were poking around when you had duties on russian area, thank you for taking a look. I promise to let the helper come to a completion and final diagnosis.
You guys are great and I like the site. A little thin though. I'll be back with some more Hi-tech posts. I will report back the final outcome. Jenkooya

06.03.2008, 17:48
I will report back the final outcome.
We are looking forward to hearing from you soon...

16.03.2008, 05:33
Thank you for taking the time out of your other area to help. I appreciate it.
I was asked to report back that I am clean.
I asked him if he could put a name to it and he said it's unknown driver infection.
For my usb drive he suggested Flash Disinfector. I've used it but not tried the usb flash yet.
Also, I have made some n00b errors, surprise surprise. The AVZGuard error was caused by not running with >right click on AVZ4>Run as Administrator. This allowed AVZGuard to run.
Also, Vista uses virtualization to protect the writing to registry HKLM/...Run and Program Files. Programs that create a log in Program Files will not find the log in the progs folder, but in the virtualized location.

Thank you again,