Infection by nasty malware 2

[johncp]

Folks

Over the past few weeks my PC has been repeatedly infected with a very nasty piece of malware, the purpose of which seems to be to redirect web searches to ad. sites, particularly for Groupon. It creates hidden dirs in the root dir. and reg. keys to run exes located in user/../temp dirs. Reinfections occur by crashing my browser (Firefox 3.6.17). If I remove the malware/keys I get reinfected again within a day or two.

I suspect that Silverlight is involved. Here is a dir /s listing of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight
I know very little about Silverlight so would be grateful if someone more knowledgable can comment on whether its contents are 'kosher'

dir /s C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight
gives:-

31/05/2011 23:04 <DIR> is
11/07/2011 21:56 77 mssl.lck
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is
31/05/2011 23:04 <DIR> utb2fraa.jah
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah
31/05/2011 23:04 <DIR> zgznrtuj.qtb
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb
31/05/2011 23:04 <DIR> 1
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
18/06/2011 12:03 <DIR> g
31/05/2011 23:04 <DIR> l
18/06/2011 12:03 <DIR> s
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g
31/05/2011 23:04 <DIR> gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
18/06/2011 12:03 <DIR> zyrvs3qsra0qmqdkjnogznvtdjoizt0kfep5hwwtoqo4itg5elaaaaba
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
31/05/2011 23:04 34 id.dat
31/05/2011 23:04 8 quota.dat
31/05/2011 23:04 8 used.dat
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
\g\zyrvs3qsra0qmqdkjnogznvtdjoizt0kfep5hwwtoqo4itg5elaaaaba
18/06/2011 12:03 18 id.dat
18/06/2011 12:03 8 quota.dat
18/06/2011 12:03 8 used.dat
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\l
File not found
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s
31/05/2011 23:04 <DIR> gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
18/06/2011 12:03 <DIR> pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
\s\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
31/05/2011 23:04 <DIR> f
31/05/2011 23:04 56 group.dat
31/05/2011 23:04 34 id.dat
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
\s\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha\f
31/05/2011 23:05 2,989 __LocalSettings
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
\s\pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca
18/06/2011 12:06 <DIR> f
21/06/2011 15:56 56 group.dat
18/06/2011 12:03 64 id.dat
Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
\s\pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca\f
18/06/2011 15:48 154 __LocalSettings

Regards

John

 

[goombawaho]

Download the following in regular mode and run them in the order indicated with a reboot after each runs IF results are positive.

0. Ccleaner to clean out temp files (no need to reboot)
1. TDSSKiller
2. MalwareByte's Anti-Malware
only if needed - you will need internet access to install recovery console. You could do that ahead of time as well.
3. combofix

 

[johncp]

Hi Goombawho

Thanx for the help. I didn't employ CCleaner as it is listed as being a system optimization, privacy and cleaning tool and this was unneccessary in my case. I did use Kapersky's TDSSKiller and this removed a root kit. Since then I've had no browser redirections. Thanx again.

For the benefit of others searching for info. on malware here are some details I found.

My infection stated with the conima bug, an infection from the internet Conima opens ports, downloads files and spawns new processess if existing exes are killed. Its purpose seems to be to redirect browser searches, particularly to Groupon sites

The malware first infects users/ . . ./roaming with

69,120 conima.exe
4 inlog
88 Input.bat
87 LocalAccountAuthority.bat
69,632 lssas.exe
69,632 manager.exe
364 mlog
89 MouseDriver.bat
89 Plug.bat
4 ylog

After removing the above and corresponding reg keys, new exes appear in user/ . ./temp directories with new keys. Simultaneously or after ?more downloads it creates a hidden directory at the root of the master drive. After further downloads the infection disappears (no longer found by searching for visible/hidden/secret files). It has morphed into the TDSS Rootkit. This can be removed by Kapersky's TDSSKiller.

The bug is not removed by Microsoft updates current at 13/7/2011 and Microsoft Defender scans only identify eyeqehexopakenup.dll (see below) as a threat.

Some of the exes spawned by this malware are:-

68K 5y8f33ul.exe
MD5 : be505df456a353f6759189736d3c9b82
SHA1 : c9e40e52ee4b62a30db350d847c84f8eb9629b13
SHA256: 68ecea0f9e4ba623a1744e2dfcb1bbbda146d53d72c3cd749167a1b912b458ef

14K 7b9hst89f.exe
MD5 : e4240d79585e8fd6b2603458edaff8e0
SHA1 : c7f73ec3624e85a634a263cf4f3f2e7e3a4479e7
SHA256: 566a8926dc3bf0efd50b55f6c47252584f480a35029ab7f8da467eb104c132c0

176K 7pvdz9u.exe
MD5 : c54fddaf3a366798aeaee716565133f3
SHA1 : a759cd8683749d1dd218b808a6c883c98cd12f8a
SHA256: dd570c154d608378f73c81310866bfc2af00d98fdfeb24f61464a8dd25dfc626

3K hHH2F9C.exe
MD5 : 29090b6b4d6605a97ac760d06436ac2d
SHA1 : d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

252K eyeqehexopakenup.dll
MD5 : 6e1be3298502cff46cf81a49afa345a5
SHA1 : c9c5dfe01bbdc01aae8ea2c2d09a343c9f67d2a7
SHA256: 87b16b214c25c84b43f19c35e1e3778ee28923b2af5bab2ad3c0bddc2e6ee269

These are the files TDSSkiller identifies:-
\Device\Harddisk0\DR0 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\lsash.xp - copied to quarantine

John

 

[goombawaho]

You didn't follow my directions. The reason I advised you to use CCleaner is to clean out the temp files (where malware OFTEN hides or runs from) AND to lessen the time it takes to run the programs I mentioned (less stuff to scan).

Please do so at this time. Then, I would run Combofix at this point EVEN if you think things are clean. I'll bet it will find something interesting.

Disconnect your PC from the internet once the recovery console is installed as part of combofix to prevent any downloading of "new friends" while combofix is running.

 

[johncp]

Hi goombawahoo

"Since then I've had no browser redirections".
I spoke too soon.

My system was OK for 24 hours but Saturday 15:12 I got redirected again. Taskman revealed:
184416 ukcya.exe
MD5 : 5c6d1e89b22aaca6b02f78f5f9c2d1ea
SHA1 : d92833255626304b05f8a68302805c6fe6374463
SHA256: 499eea35c6cecd6b527f1ea952ab7cd340cbf5056d74bc05e00922c93fed3a95

This ?reinfection occurred shortly after running Firefox 5.0.1 for the 1st time, having completely removed 3.6.17 in the malware elimination.

I ran CCleaner & AVG (Combifix). AVG found the malware exes/dlls I'd quarantined, except ukcya.exe. It also generated 3 false +ves. It didn't find new malware

Among other stuff the malware may be screwing file attributes, as I've just noticed ukcya.exe is timestamped 27/12/2010. Sadly AVG moved my other quarantined exes/dlls to its own quarantine without asking/warnimg me & restorating them changed their time stamps.

Currently a process is trying to access a site in China every 10 minutes, but identifying which one has to be postponed 'till Monday.

John

 

[goombawaho]

Combofix then reload windows if it doesn't work.

 

[johncp]

Hi goombawaho

"reload windows "
Only in extremis, and I'm not sure I'm there yet . . .

The OS disk with my PC is ominously marked "External Recovery"
I believe it allows a fresh install but this is sure to be pain, f'instance cos. of driver issues.

OK. A quick rap up on this bug

In addition to Kapersky's TDSSKiller, Malwarebytes and AVG I've only had time to run UnHackMe and tdl-detector. Neither found anything.
But I'm still getting search redirections, very occasionally a flash on the desktop of what looks like a command window, and
malawarebytes still detects attempts to reach 60.190.223.75, 'though I've (AFAIK) blocked this IP in Windows Firewall.

Here is a good characterisation of my bug:-

http://www.threatexpert.com/report.aspx?md5=be505df456a353f6759189736d3c9b82

Thanx again

John

 

[kjv1611]

Have you tried using System Restore, and then further scanning from there? Perhaps that'll get you by?

Also, since your disk says "External Recovery", my guess is (and this is quite common) that you have a recovery partition on your hard drive. Sure it takes you back to square one, but is that really so bad? It would take less time to get it "up to date" than it's taken for you to go through all you've been through so far... and you're apparently still not finished.

If you do a recovery, the only thing to be sure of is that you've backed up all your important data. System Restore doesn't touch the data, but a system recovery will. So, if you use Outlook, backup your .pst file (or newer versions of Office use a different extension, I forget what it is), then back up your internet favorites, documents, pictures, videos, music, whatever.

An external hard drive will be worth it's cost, especially right now, if you don't already have a backup.

 

[johncp]

Hi kjv1611

"you have a recovery partition"
Yes, but the CD with my PC allowed a complete reinstall of Vista x64 which I've done. Thankfully the malware no longer wakes my PC from sleep in the early hours or "phones home". I'd liked to have done more investigating but not enought time.

It might be a coincidence but a week or two after my PC became infected I got a cold call from a woman with a asian accent.
"We have received a crash log report from your PC"
"Who are you".
She doesn't answer.
"Are you Microsoft"
"No we are not Microsoft. The report tells us your PC is full of viruses"
I call the woman a rude name and hang up.
I've never had such a call before. Maybe I'm paranoid but my phone number is most of my emails.

kjv1611 - Thanx for the advice.

John

 

[IPGuru]

the phone call may be a coincidence
I have received similar telling my they need to fix my copy of windows.

I tried to get more info from them without answering any questions but they would not even answer basic questions like what they though was wrong or how they got my details.

Amusing really as I do not use windoze @ home

I do not Have A.D.D. im just easily, Hey look a Squirrel!

 

[papadba]

It might be a coincidence but a week or two after my PC became infected I got a cold call from a woman with a asian accent.
"We have received a crash log report from your PC"
"Who are you".
She doesn't answer.
"Are you Microsoft"
"No we are not Microsoft. The report tells us your PC is full of viruses"
I call the woman a rude name and hang up.
I've never had such a call before. Maybe I'm paranoid but my phone number is most of my emails.

My daughter received the same call only it was an Asian fellow. . . The phone number was blocked and they told her that her system had lots of viruses and was sending thousnds of e-mails. They told her they were the "Internet Overseer". They wouldn't answer questions, provide contact names or phone numbers, or be the slightest bit helpful. What they did (daughter and family) was to change their phone to no longer accept calls from blocked phone numbers. The call has not been repeated. . .

Just because you're paranoid does not mean they are not trying to get you Methinks (these days) a bit of paranoia is healthy. . .

 

[goombawaho]

Uh oh - the "internet overseer" is now monitoring us for virus, worms, etc. and then contacting us. I would have asked the guy, "how do you get to be an internet overseer?". It sound like a great job.

I would really have liked to know what they wanted you to do or to pay - you know, what their angle was.

 

[papadba]

From what i could tell, they were trying to get $ for their pc cleanup and virus prevention software. They wouldn't tell her the name of the product. . .

 

[kjv1611]

I think I found the Internet Overseer.

 

[IPGuru]

I assume the 1st star was also for the pic


I do not Have A.D.D. im just easily, Hey look a Squirrel!

 

[ANFPS26]

John Ritter? 1980, Hero at Large.

Jim

 

[G0AOZ]

Goom, these scam artists are pretty active over here in the U.K. They usually say they're from 'Microsoft' and get you to downland something like AMMYY, and then take control of your machine. They reputedly show the user a screen which purports to have found loads errors, viruses, trojans, you name it. You are asked if you'd like to get 'em all cleaned out, and if so, just type in your credit card details at the bottom of the screen!

Two of my clients have lost £100 or so, but, the machine was then freshly infected with nice new viruses etc! Talk about taking the proverbial...

One call last week was a good 'un... Client was rung and told they had today just observed his machine running with loads of viruses and malware installed on it. Could they assist in cleaning it up? Bemused, my client asked what did they want him to do. "Connect to the Internet and log on to blah blah blah website". At this point client laughs and says "Since I have been without an Internet connection for over week, this must be a con. Goodbye!".

ROGER - G0AOZ.

 

[goombawaho]

Well, I guess everyone has to make a living somehow. I hope one of them calls me. I would have some fun with them.

 

[Mako2345]

guys ive had this virus for a while now. IT seems to be a recurring issue. I got it a month ago and didnt pay much attention to it, since MBAM didnt detect anything. It later blocked some of my commonly used Internet Ports. I installed Norton and it deleted many tracking cookies, after which my internet connection worked fine and there were no more redirects.

Now 2 weeks later im getting redirects again and MBAM doesnt detect it. Could please help me with this, im gonna try steps from the first reply though.

 

[kjv1611]

Mako2345,

You really need to start your own thread. However, the fix for this is pretty simple. Being you've dealt with this for a while, I'd suggest no other than a clean install.

[ol][li]Download Ultimate Boot CD from

http://www.ultimatebootcd.com/download.html

- look under the Mirrors list at bottom of page[/li]
[li]Burn the image to disk. I'd use ImgBurn - you can get at download.com if you don't have it or some other means. If you have Windows 7, it's got Image Burning built in now, so you can just use Windows.[/li]
[li]Backup your files you want to keep if possible - thumb drive, external hard drive, CD/DVD, whatever.[/li]
[li]Make sure you've got your Windows CD and Product ID as well as any other registered software you might need/use. If it's freeware, then don't worry about it.[/li]
[li]Reboot the machine, and either get to your BIOS settings or boot settings (look at the black screen, look for any <F12> or <Del> type instructions on the black screen at startup.[/li]
[li]Make sure it boots from CD first, not hard drive... save settings if in BIOS[/li]
[li]Make sure your Ultimate Boot CD is in your CD/DVD drive before booting... if you didn't, go back and repeat..
[li]When it boots to the UBCD menu, use either Darik's Boot 'N' Nuke (DBAN) or Active KillDisk. I've had some times where DBAN wouldn't read the hard drive, so I went with KillDisk. Both work equally as well for removing a virus.[/li]
[li]Go to bed, take a walk, go to lunch, whatever. It'll take a while.[/li]
[li]After it completes, or if you want, after it's run a fair amount through the process, say at least 15 to 20 % for DBAN, and maybe 30% or so for KillDisk, you can just reboot and start installing Windows if you like. Or if you want absolute surety on it, just wait for it to complete. Whichever you choose... next step is to install Windows[/li]
[li]Hopefully you're behind a firewalled router. If not, go buy one. Otherwise, this will likely be labor spent in vian.[/li]
[li]After Windows is installed, get it up to date via Windows Update. If it won't connect to the web, you'll need to find the network adapter driver. If your machine was custom built, you'll need to find the motherboard info or LAN card info, whichever it is in your case. If it's an OEM build, such as Dell or HP, you can go to their site from another PC, download the correct driver package, and put on a thumb drive or whatever... move to your sick PC, and install. Then run Windows Update.
[li]Install your AV software of choice, firewall, etc. If you want an easy way to install most apps you'd probably use, look at

http://ninite.com

and use their installer. It works VERY well, including skipping all the toolbars, etc. If you're using MS Office, you can also install that from there, assuming they have the same version you're using. You can also install Libre Office and/or Open Office from there. AV and Antimalware apps are there as well as multimedia, utilities, etc. Just check the box next to the ones you want, "Get Installer", download that file, and run it. It does the rest - and very quickly too.... especially if you have a fast Internet connection.[/li]
[li]Verify Windows up to date[/li]
[li]Verify the AV software is up to date[/li]
[li]Be sure to set a Windows Restore point, calling it something like "Clean Install" so you know what it is. Then again, I usually don't do this step, but ideally, this would be the best time to do so. Another great idea is to create an image of the install at this point, and keep it somewhere else - on DVD, another computer, external hard drive, whatever... so if you had something happen again, you could just restore from the image quicker than the entire setup process.[/li][/ol]

Well, otherwise, if you have any further questions on it, please do start your own thread... I shouldn't have posted as much here as I did, I'm sure.