
Solved Infected - Any ideas?

Discussion in 'Malware and Virus Removal Archive' started by omrsafetyo, 2011/10/03.

  1. 2011/10/03
    omrsafetyo

    omrsafetyo Inactive Thread Starter

    Joined:
    2011/10/03
    Messages:
    23
    Likes Received:
    0
    [Resolved] Infected - Any ideas?

    I have a particularly nasty issue.
    OS: XP SP3

    First off, I have read this: http://www.windowsbbs.com/malware-virus-removal/announcements.html

    Unfortunately, the nasty little bug I have seems to prevent this from getting any useful information.

    I installed MBAM before coming across this forum, restarted in safe mode and ran a scan (if I tried to run it without first going into safe mode, the virus kills the process, and then modifies the executable and prevents me from using it - I needed to re-install after getting into safe mode).

    The virus behaves in a similar manner for any tool that seems to stumble across its handle information.
    Examples:
    process explorer (sysinternals)
    HiJackThis

    As soon as the program initializes, the virus catches it, kills the process and then somehow modifies the exe to prevent execution. I checked the files for e.g. read-only attributes, or modified ACLs that would prevent execution, but cannot find out why the execution is prevented. I can't even delete the files through Windows Explorer at that point - I need a 3rd party tool such as Unlocker, or alternatively I found I can use the del command from cmd.exe.

    It produces the following error message: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. The usual rename methodology does not work.

    Other behavior I have noticed for this virus:
    • System Restore has been disabled. I ran this once to try to restore to before I noticed any symptoms, but now I cannot start the System Restore service (Error 5: Access is Denied). I checked all registry settings etc. in regard to System Restore and I see no reason for it to be disabled, but have a feeling it is the same exact issue that plagues procexp.exe etc. after trying to run it.
    • All desktop icons hidden: hidden attribute set, easily fixed.
    • Most everything else also hidden: C:\Program Files, C:\Windows, etc. The Programs menu under the Start menu is set to hidden for all users, and "All Users". It seems to me the actual links under "All Users" are actually removed.
    • Website redirection: I can search Google, but trying to navigate to the page brings me elsewhere. (I noticed that there is no proxy configured, so it is doing this through some other means.)
    • Card reader software trying to read card: although I have no card inserted, it is trying to activate the software to read the card, I'm guessing so it can steal my card PIN and other info.


    As I said, I tried the process from the "Read First", but unfortunately, I'm guessing this is not meant to be run from safe mode. Results:

    MBAM: It did remove several viruses/trojans, including:
    Backdoor.Bot
    Exploit.Drop.2
    Trojan.Downloader
    Rogue.OpenCloudSecurity
    Malware.Trace
    Trojan.ZbotR.Gen

    These were all removed.
    I restarted, expecting my woes were over (again, this was prior to coming across this site). Some of the problems persisted. It seems the very obvious Open Cloud Security symptoms have disappeared; however, the Exploit.Drop.2 keeps coming back (if I go back to safe mode and re-scan with MBAM).

    I have also run ESET NOD32 (found nothing really) - and unfortunately the virus killed McAfee on me, which I don't have the install CD for (not sure when this got installed, honestly; either my company pushed it out, or it came as a software add-on somewhere, which seems unlikely but possible).

    Downloaded SuperAnti-Spyware and that only found cookies, nothing related to my issues.

    The persisting issue seems to be related to a process called 962772537:3326188998 (I can find no info on this online). I searched the registry for this file and found two entries: one under HKLM\SYSTEM\ControlSet002\Services\39be6239 and one at the corresponding location under ControlSet004. There was a key under this that pointed at the binary systemroot\962772537:3326188998.exe

    I tried to submit this to MBAM, but in doing so found that the binary file had a size of 0 bytes, so none of the analyzers will pick it up - however, even after deleting both reg keys and the exe, they all seem to keep coming back, consistently in the same spot.

    I am unable to install STOPzilla at all on the machine, in safe mode or not, the installation is blocked.

    Next I stumbled across this site.
    Re-ran MBAM, which removed more Exploit.Drop.2 files.

    GMER doesn't find much from safe mode (will attach the logs from the infected PC in another post, currently running from my Linux PC).
    aswMBR also doesn't find much in safe mode (will attach logs)
    dds never completed (safe mode)

    Logged on not in safe mode, and ran GMER - the execution was prevented and the exe disabled.
    Ran aswMBR - this made it a ways in, and I could clearly see that some items were detected that were not detected when run in safe mode - but as soon as these items were picked up, the execution was halted, and the exe rendered unusable.
    dds had the same results.

    I re-downloaded aswMBR in safe mode and ran FixMBR (because, why not? - after all, I have Linux live CDs laying around; if worst comes to worst, I'm going to save what files I need and nuke the HDD anyway).
    Re-ran Quick Scan (no reboot). Log file will be attached in the next post (found many more infections).

    Installing Avast AV now to see if it is more successful.
     
  2. 2011/10/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please, complete all steps listed HERE
    Complete as many steps as you can.
    If safe mode has to be used, do so.

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     

  4. 2011/10/03
    omrsafetyo Inactive Thread Starter
    Hi Broni, thank you.

    Here are my logs:
    Original MBAM:
     
  5. 2011/10/03
    broni Moderator Malware Analyst
    Please do nothing but only what I tell you.
    We have a very severe infection there.
    Hold on....
     
  6. 2011/10/03
    broni Moderator Malware Analyst
    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. 2011/10/03
    omrsafetyo Inactive Thread Starter
    Thank you broni! I think we are getting somewhere!

    I did vary from your guidance ever-so-slightly. While waiting, I manually deleted 3 registry keys:
    HKLM\SYSTEM\ControlSet001\Services\39be6239
    HKLM\SYSTEM\ControlSet002\Services\39be6239
    HKLM\SYSTEM\ControlSet004\Services\39be6239

    I then deleted the offending file %systemroot%\962772537:3326188998.exe. I then re-created the file, and set it as read-only. I then rebooted.

    When Windows started back up, I verified that the persistent process did not come back. I then verified that I could run MBAM and process explorer without having them get killed by the virus. I then followed your instructions and received the following:

    Thank you for your help, I think the process itself has been removed. Please guide me on how to verify the computer is now clean - I can now run AV software from Windows without trouble.
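    The service key and binary named in the opening post and in this reply (HKLM\SYSTEM\ControlSet00x\Services\39be6239 pointing at systemroot\962772537:3326188998.exe) fit a pattern that is worth auditing for on a suspect XP machine: a file name with a second colon is an NTFS alternate data stream, and Explorer reports only the host file's size, which is why the "exe" appeared to be 0 bytes. The block below is an added example, not code from this thread or from any tool named in it; it walks every ControlSet's Services key read-only and reports entries with a stream-style ImagePath or an eight-hex-digit service name. The function names and that eight-hex-digit heuristic are this example's own assumptions.

```powershell
# Added example (not from the thread): read-only audit of HKLM\SYSTEM\ControlSet*\Services
# for the two traits the persistent service showed here: an ImagePath whose file name is an
# NTFS alternate data stream (host:stream.exe) and a service name of eight hex digits.
# It reports findings and deletes nothing. Function names are this example's own.

$systemRoot = $env:SystemRoot

# Turn the raw ImagePath registry value into a plain file path.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath) -replace '"', ''
    $p = $p -replace '^\\\?\?\\', ''                           # \??\C:\x        -> C:\x
    $p = $p -replace '^\\SystemRoot', $systemRoot              # \SystemRoot\x   -> C:\WINDOWS\x
    $p = $p -replace '^system32\\', "$systemRoot\system32\"    # system32\drivers\x.sys
    # Drop trailing service arguments such as "-k netsvcs".
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    return $p
}

# A normal path carries exactly one colon (the drive letter); a second one names a stream.
function Test-StreamStyleName {
    param([string]$Path)
    return ($Path.Split(':').Count -gt 2)
}

function Get-SuspiciousServices {
    Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' } |
      ForEach-Object {
        $set = $_.PSChildName
        Get-ChildItem "HKLM:\SYSTEM\$set\Services" -ErrorAction SilentlyContinue |
          ForEach-Object {
            $raw  = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            $path = Resolve-ImagePath $raw
            if (-not $path) { return }                 # service without an ImagePath: skip
            $reasons = @()
            if (Test-StreamStyleName $path)            { $reasons += 'stream-style file name' }
            if ($_.PSChildName -match '^[0-9a-f]{8}$') { $reasons += 'eight-hex-digit service name' }
            if ($reasons.Count -gt 0) {
                New-Object PSObject -Property @{
                    ControlSet = $set
                    Service    = $_.PSChildName
                    ImagePath  = $raw
                    Reasons    = ($reasons -join '; ')
                }
            }
          }
      }
}

Get-SuspiciousServices | Format-Table ControlSet, Service, Reasons, ImagePath -AutoSize
```

Run it from an elevated PowerShell prompt; an empty table means no service in any control set matched either trait.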
     
  8. 2011/10/03
    broni Moderator Malware Analyst
    Please don't make any moves by yourself.

    Post new aswMBR log.
     
  9. 2011/10/03
    omrsafetyo Inactive Thread Starter
    Thank you, I hadn't run any other scans on my own, just verified that they would open without issue.

     
  10. 2011/10/03
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. 2011/10/04
    omrsafetyo Inactive Thread Starter
    ComboFix appears to have only locked the system up. Nearly 7 hours later it is still running.
    It did install the Recovery Console.

    After this completed, I did not click on the window it runs in, but it appears to have locked the system up - the clock still indicates the time at which I started the program.

    Re-ran with rkill, same behavior.
    Re-ran in Safe mode, same behavior.
    Re-ran in Safe mode with rkill, same behavior.

    Rkill log:
    For reference, when ComboFix freezes I am unable to do anything - can't open taskkiller, etc. My only option for abort is hard reboot.
     
    Last edited: 2011/10/04
  12. 2011/10/04
    broni Moderator Malware Analyst
    Re-run TDSSKiller one more time.
     
  13. 2011/10/04
    omrsafetyo Inactive Thread Starter
    No threats found.
     
  14. 2011/10/04
    broni Moderator Malware Analyst
    OK, post new aswMBR log.

    How is computer doing anyway?
     
  15. 2011/10/04
    omrsafetyo Inactive Thread Starter
    After running a google search, clicking on links brings me to the wrong location (www.google.com/go) - no other behavior indicates there is still an infection.

    Running aswMBR now, will post log when finished.
     
  16. 2011/10/04
    omrsafetyo Inactive Thread Starter
    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-04 20:40:13
    -----------------------------
    20:40:13.656 OS Version: Windows 5.1.2600 Service Pack 3
    20:40:13.656 Number of processors: 2 586 0xF0D
    20:40:13.656 ComputerName: NKULAS UserName:
    20:40:16.531 Initialize success
    20:40:26.109 AVAST engine defs: 11100401
    20:40:28.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    20:40:28.718 Disk 0 Vendor: TOSHIBA_MK6037GSX DL340D Size: 57231MB BusType: 3
    20:40:30.781 Disk 0 MBR read successfully
    20:40:30.781 Disk 0 MBR scan
    20:40:30.812 Disk 0 Windows XP default MBR code
    20:40:30.812 Disk 0 scanning sectors +117210240
    20:40:30.875 Disk 0 scanning C:\WINDOWS\system32\drivers
    20:40:43.625 Service scanning
    20:40:46.609 Modules scanning
    20:40:55.031 Disk 0 trace - called modules:
    20:40:55.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    20:40:55.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a878ab8]
    20:40:55.062 3 CLASSPNP.SYS[ba138fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a982940]
    20:40:55.453 AVAST engine scan C:\WINDOWS
    20:40:58.953 AVAST engine scan C:\WINDOWS\system32
    20:42:53.375 AVAST engine scan C:\WINDOWS\system32\drivers
    20:43:08.015 AVAST engine scan C:\Documents and Settings\nathan.kulas
    20:46:08.015 AVAST engine scan C:\Documents and Settings\All Users
    20:46:08.015 Scan finished successfully
    20:47:25.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\nathan.kulas\Desktop\MBR.dat "
    20:47:25.718 The log file has been saved successfully to "C:\Documents and Settings\nathan.kulas\Desktop\aswMBR.txt "
     
  17. 2011/10/04
    broni Moderator Malware Analyst
    Looks good.

    Delete your Combofix file, download fresh one.
    Try to run it again.
    If still no go...
    MAKE SURE COMBOFIX FILE IS ON YOUR DESKTOP.

    Then...
    Go Start>Run and type or paste this:
    "%userprofile%\desktop\ComboFix.exe" /KillAll

    If still a problem, try this command:
    "%userprofile%\desktop\ComboFix.exe" /nombr
     
  18. 2011/10/04
    omrsafetyo Inactive Thread Starter
    I am experiencing some difficulties, example: Windows cannot find 'nircmd'

    It appears to be that (possibly) one of my AV programs was still running in processes in the background (there were none in the system tray) and was deleting these files when ComboFix tried to access them.

    I uninstalled all AV software. I tried uninstalling combofix with combofix /uninstall, but this didn't work, same error messages.

    I extracted combofix with uniextract and found the missing binaries, and copied them into C:\WINDOWS. Rebooting.

    Note: That worked, I am no longer receiving error messages. Letting ComboFix run.
     
    Last edited: 2011/10/04
  19. 2011/10/04
    broni Moderator Malware Analyst
    Don't uninstall Combofix as it clears restore points.
    As I said, just delete the file and download a new one.
     
  20. 2011/10/04
    omrsafetyo Inactive Thread Starter
    Thank you, I re-downloaded the binary and after removing all other AV from the PC it is now running.
     
  21. 2011/10/04
    broni Moderator Malware Analyst
    Cool :)
     
