Tuesday, January 17, 2012

System Check (FakeAV) - 01.17.2012 - Analysis and Removal

This was performed on a live (not Virtual) machine.

It's important to note that this particular computer was not booting properly when I first received it. Most likely this was due to the rootkit present (Virus.Win32.Rloader.a) and not the FakeAV, as has been the case with other PCs with this type of infection.

After booting off a Windows 7 RE disc and running an offline sfc /scannow (sfc /scannow /offbootdir=c:\ /offwindir=c:\windows), I was able to at least boot all the way to the desktop.

Here is what I was presented with upon the successful boot. This type of infection is often called "Fake.Hdd". I did a full report with video back in November 2011 on a similar infection with the FakeAV "System Restore" here




__________________________________________________________________________________
RogueKiller





¤¤¤ Bad processes: 4 ¤¤¤
[WINDOW : System Check] sJqEf1fzZrkuVm.exe -- C:\ProgramData\sJqEf1fzZrkuVm.exe -> KILLED [TermProc]
[SUSP PATH] dplayx.dll -- C:\Users\Ruby\AppData\Local\dplayx.dll -> UNLOADED
[SUSP PATH] Temp:winupd.exe -- C:\Users\Ruby\AppData\Local\Temp:winupd.exe -> KILLED [TermProc]
[SUSP PATH] ipyJfmDvPvAd.exe -- C:\ProgramData\ipyJfmDvPvAd.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 14 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : winupd (C:\Users\Ruby\AppData\Local\Temp:winupd.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Run : ipyJfmDvPvAd.exe (C:\ProgramData\ipyJfmDvPvAd.exe) -> DELETED
[SUSP PATH] winupd.job : C:\Users\Ruby\AppData\Local\Temp:winupd.exe -> DELETED
[SUSP PATH] OneNote 2007 Screen Clipper and Launcher.lnk : C:\Users\Ruby\AppData\Local\Temp\ONENOTEM.EXE -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{CA928F52-3A87-4C95-905C-652CCEEE5D23} : NameServer (10.133.20.11 10.132.20.11) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{CA928F52-3A87-4C95-905C-652CCEEE5D23} : NameServer (10.133.20.11 10.132.20.11) -> NOT REMOVED, USE DNSFIX
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Users\Ruby\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg)
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤
__________________________________________________________________________________
TDSSKiller





C:\windows\system32\drivers\Wdf01000.sys - will be cured on reboot
Wdf01000 ( Virus.Win32.Rloader.a ) - User select action: Cure
__________________________________________________________________________________
SAS





Rogue.E-SET 2011
    C:\Program Files\E-SET 2011\e-set.exe
    C:\Program Files\E-SET 2011\e-set.exe.tmp1
    C:\Program Files\E-SET 2011

Trojan.Agent/Gen-FakeAlert[Local]
    C:\PROGRAMDATA\IPYJFMDVPVAD.EXE
    C:\PROGRAMDATA\SJQEF1FZZRKUVM.EXE
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SYSTEM CHECK.LNK
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEM CHECK\SYSTEM CHECK.LNK
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEM CHECK\UNINSTALL SYSTEM CHECK.LNK
    C:\USERS\RUBY\DESKTOP\SYSTEM CHECK.LNK

Heuristic.Backdoor
    C:\USERS\RUBY\APPDATA\LOCAL\TEMP\EXPLORER.EXE
    C:\USERS\RUBY\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ACCESSORIES\WINDOWS EXPLORER.LNK

Trojan.Agent/Gen-Tracur
    C:\USERS\RUBY\APPDATA\LOCAL\TEMP\NSI14AA.TMP\MJLWXJN.V4N
__________________________________________________________________________________
MBAM






Files Detected: 19
C:\Users\Ruby\AppData\Local\Temp\cmd.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\control.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\osk.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\iexplore.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\magnify.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\msiexec.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\narrator.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\notepad.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\ONENOTEM.EXE (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\eudcedit.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\gdfyghret.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\tue0.03518007376125176.exe (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_28B7E701AB5EA204F8C52F.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_34779EA62C4957E16DBB3E.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_3A20CF231F6F0812B6B942.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_B5F2DCEFB6AA5671D1D39E.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\AppData\Local\Temp\_EC348ADB6AC3A2B2EA675D.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Ruby\Local Settings\Temporary Internet Files\Content.IE5\3K50ABTU\klmcristmas_com[2].htm (Trojan.CryptPro.Gen) -> Quarantined and deleted successfully.
c:\users\ruby\appdata\local\temp:winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
__________________________________________________________________________________
CF





Got this message first:

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~sJqEf1fzZrkuVm
c:\programdata\~sJqEf1fzZrkuVmr
c:\programdata\eoakaaa.tmp
c:\programdata\foakaaa.tmp
c:\programdata\goakaaa.tmp
c:\programdata\gxvubaa.tmp
c:\programdata\hxvubaa.tmp
c:\programdata\ioakaaa.tmp
c:\programdata\ixvubaa.tmp
c:\programdata\jxvubaa.tmp
c:\programdata\kloycaa.tmp
c:\programdata\kxvubaa.tmp
c:\programdata\lloycaa.tmp
c:\programdata\mloycaa.tmp
c:\programdata\nloycaa.tmp
c:\programdata\oloycaa.tmp
c:\programdata\sJqEf1fzZrkuVm
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\Ruby\AppData\Local\dplaysvr.exe
c:\users\Ruby\AppData\Local\dplayx.dll.vir
c:\users\Ruby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\windows\expl.dat
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy8_!windows!winsxs!x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373!explorer.exe

I later replaced winlogon.exe manually, using SystemLook to find a legitimate copy.
__________________________________________________________________________________
MGtools





"C:\Users\Ruby\AppData\Roaming\Microsoft\Windows\Templates\"
566b42~1      Jan 14 2012       12270  "566b42m18naieo4r8gdr3q"
"C:\Users\Ruby\AppData\Local\"
566b42~1      Jan 14 2012       12270  "566b42m18naieo4r8gdr3q"
"C:\ProgramData\"
566b42~1      Jan 14 2012       12270  "566b42m18naieo4r8gdr3q"
aawjaaa.tmp   Jan 17 2012         868  "aawjaaa.tmp"
bawjaaa.tmp   Jan 17 2012         854  "bawjaaa.tmp"
cawjaaa.tmp   Jan 17 2012         826  "cawjaaa.tmp"
dawjaaa.tmp   Jan 17 2012         849  "dawjaaa.tmp"
eawjaaa.tmp   Jan 17 2012         827  "eawjaaa.tmp"
__________________________________________________________________________________
Misc Notes:

I later had to repair shortcut targets like the following:
It seems that the Zbot infection broke certain shortcuts (compare the MBAM log above, where copies of system executables such as cmd.exe, notepad.exe and osk.exe show up in Temp).

No hidden partition. I am not sure whether there was an MBR infection or not, but I restored a Win7 MBR when I was trying to get the system to boot. Restoring the MBR alone did not fix it; the offline sfc scan is what really did the trick in this case.

Other than the system not booting at first, there was no significant OS damage.
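The RogueKiller log above packs several persistence and hijack tricks into a few lines: a Run key and a scheduled-task .job that both point at winupd.exe hidden in an NTFS alternate data stream on the Temp folder (note the colon in Temp:winupd.exe), a random-named .exe in the root of ProgramData, a shortcut redirected into Temp, and NameServer entries the tool refused to touch. The following is an added example, not part of the original post or of RogueKiller, that parses lines in that "[TAG] key : value -> ACTION" format and flags each of those patterns; the sample lines are copied from the log above and the mechanism names are my own labels.

```python
import re

# Constructed sample in RogueKiller's "[TAG] key : value -> ACTION" format,
# copied from the entries in the log above (no new indicators).
SAMPLE_LOG = r"""
[SUSP PATH] HKCU\[...]\Run : winupd (C:\Users\Ruby\AppData\Local\Temp:winupd.exe) -> DELETED
[SUSP PATH] winupd.job : C:\Users\Ruby\AppData\Local\Temp:winupd.exe -> DELETED
[SUSP PATH] OneNote 2007 Screen Clipper and Launcher.lnk : C:\Users\Ruby\AppData\Local\Temp\ONENOTEM.EXE -> DELETED
[SUSP PATH] HKCU\[...]\Run : ipyJfmDvPvAd.exe (C:\ProgramData\ipyJfmDvPvAd.exe) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{CA928F52-3A87-4C95-905C-652CCEEE5D23} : NameServer (10.133.20.11 10.132.20.11) -> NOT REMOVED, USE DNSFIX
"""

LINE_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>.+?) : (?P<value>.+?) -> (?P<action>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^)]*")  # a drive path, stopping at a closing paren

def mechanism(tag: str, key: str) -> str:
    """Name the persistence/hijack mechanism from the registry key or file being checked."""
    k = key.lower()
    if tag == "DNS":
        return "dns-servers"
    if k.endswith("\\run"):
        return "run-key"
    if k.endswith(".job"):
        return "scheduled-task"
    if k.endswith(".lnk"):
        return "shortcut-target"
    return "other"

def path_flags(path: str) -> list:
    """Why the target path is suspicious, mirroring what this infection actually did."""
    low = path.lower()
    flags = []
    if ":" in path[2:]:                        # colon past the drive letter = NTFS alternate data stream
        flags.append("ads")
    if "\\temp\\" in low or "\\temp:" in low:  # payload living in the user's Temp folder
        flags.append("temp-dir")
    if re.match(r"c:\\programdata\\[^\\]+\.exe$", low):  # random-named .exe in ProgramData root
        flags.append("programdata-exe")
    return flags

def analyse(log_text: str) -> list:
    """Turn each log line into a finding: mechanism, target path, why it is suspicious, tool action."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m["value"])
        path = p.group(0) if p else None
        findings.append({"mechanism": mechanism(m["tag"], m["key"]), "path": path,
                         "flags": path_flags(path) if path else [], "action": m["action"]})
    return findings
```

Anything flagged "ads" deserves a second look even after the Run key is gone, since a stream on a directory is invisible to a normal directory listing and survives deleting the files inside it.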
