malware :S - help

mir

hi guys ,

it is been long time since i didn't have anymalware on my computer

yesterday , i was with ppl , we were in a hurry, i wanted to take necessary files from them
usually i would scan usb.. but it was a big usb with lots of files
so i said. wtf . let me just copy the files

w wil3it
i have a malware on my laptop ma byifham
i am trying not to use internet on it as much as possible .. only updates

hala2 the symptoms of the malware are a disabled taskmanager so far and for regedit
from the internet some ppl are having problems with msconfig also (i am not having that problem )

i have tune up utilities .. i can check the process running
on msconfig , the weird thing is that notepad is added to the startup

i have kaspersky internet security
everything is running , even the proactive defence
antivirus and everything is set on high security level
and it has been updated
i did scan for startup and critical area
nothing is detected
and the funny thing is that proactive defense is working fine
ye3neh if i try for example to do a search or change something in the setting i would get a proactive message tellin me to block or to allow

but i am not receiving alerts all day long (ka2ano no virus activity )

has anyone faced this same problem
and what did u use as removal tool and how

i tried SDFix .. didn't work
kaspersky scan .. didn't work
i also disabled system restore (read this somewhere on some forum)

anything u want me to post .. a hijackthis log .. the tasks running (from tuneup utilities )
ur help guys is really appreaciated :D

i am gonna kill those ppl

Padre

if u can get me a copy of the malware i would be able to help you out :P
im sure u removed the notepad from the startup right ?
cause if ur on NTFS u can hide programs into another program entry without 2 files showing (dunno if i explained it well tho :P)
gl !

mir

well i removed the startup of notepad and of a system.com i have also
but when restarting.. they will be at startup

using tuneup utitilities, they have a registry editor.. i searched for system.com and removed its entry

restarted..
still same problem

how do u want me to infect you :P

i did a CCleaner .. cuz some malware hide in temporary files or something like that so they don't get detected by anti virus

i am downloading now the AVG Family of anti - malware

if i can use vmware , kint halla2 3milt restore :P w khallasna
i also had the idea of using deepfreeze
i think my important data is safe cuz it is truecrypted ..

this is the last thing i need now .. cuz already have work la fo2 raseh .. and can't afford delay..

i will post the HJT log :
on :
http://www.battikh.com/mir/hijackthis.log

w really thanks for offerin help ya Padre

battikh

could it be rapidblaster? try getting a rapidblaster remover, it might be it, it shows up as notepad.exe
and i also wanted to tell u to download avg antispyware, bass shattoura :)

mir

It downloads advertising from the Internet and displays it periodically.

that isn't happening

only taskmanager and regedit are disabled and notepad.exe is running at startup and i can't change that from msconfig

i checked for rootkit using avg anti rootkit
now downloading the avg
but when i was searchin on the net .. ppl with avg also were reported having the same problem
hope it doesn't turn to be true :S

how can i get the name of that malware .. so i can search for removal utiltiy for it ?

battikh

can u get a list of services on ur machine?

mir

is that what u meant ?
http://www.battikh.com/mir/Services2.JPG
http://www.battikh.com/mir/Services1.JPG

i am removing this data as soon as you check them

so, hope it is gonna be as fast as possible :D

thanks

karim-soubra

try ad-aware from lavasoft

Padre

GET ME A COPY OF THIS MALWARE !!! :P
get the guy from whom u took the USB, plug it, and copy me the hidden system files.
i want a copy to analyse it, not get infected ! :P
sincerely yours,
Padre :P

Padre

ok now WTF is this:

C:\WINDOWS\system32\taskmger.com
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\TPSBattM.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Systry] C:\WINDOWS\system32\notepad.exe
O4 - HKLM\..\Run: [userd] C:\WINDOWS\RECYCLER\systems.com

how come u still have those entries ???

mir

GET ME A COPY OF THIS MALWARE !!!
get the guy from whom u took the USB, plug it, and copy me the hidden system files.
i want a copy to analyse it, not get infected !
sincerely yours,
Padre

tikram 3aynak i will send u files that i think are infected
check ur gmail in 5 mins
w ba3dena not guy , girls
when i see them again, i won't ask nicely for a usb .. badeh shuton shi shawta hiton 3al marikh
shi 10 anwe3 malware b 5 min
bas ta khalis their project w 2o2bad minon..

Best Regards,
mir

ok now WTF is this:
Code:
C:\WINDOWS\system32\taskmger.com
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\TPSBattM.exe
Code:
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [Systry] C:\WINDOWS\system32\notepad.exe
O4 - HKLM..\Run: [userd] C:\WINDOWS\RECYCLER\systems.com

I narrowed the problem to the same files:
taskmgre and notepad and O4 - HKLM..\Run: [userd] C:\WINDOWS\RECYCLER\systems.com
i googled C:\WINDOWS\RECYCLER\systems.com .. nothing found
and the location windowns\recycler doesn't exist
print screen for c:\windows in safe mode on
http://www.battikh.com/mir/NoRecycler.jpg

the other are safe but i am double checking them anyway
C:\WINDOWS\RTHDCPL is realtek hd audio control panel company
TPSBattM.exe : toshiba battery manager
DLA : Drive letter acces componenet from sonic solutions

I booted into safe mode and tried to delete the taskmger.exe .. didn't work
i even scanned it with update kapersky and avg .. nothing detected :P
i searched the registry using the tune up cuz regedit doesn't work
i located entries, i deleted some . or edited them to blank or good values
but on start up old values are the same
specially those values :
hkey_local_machine\software\microsoft\windows nt \ current version \ winlogon "Shell"="Explorer.exe taskmger.com"

some other values that i changed are blank .. but this particular one can't change it

i am trying to find something that automatically removes them
cuz manually i may not know about some entry

Padre

kk, check ur email :)

Padre

Thank Mir, no need for the rest, its just a copy of the same program.
just took a quick glance on what it does, it should be enought for u to remove it manurally.

its checks for the following File:
C:\WINDOWS\TEaM_DEViANCE.txt

COPY taskmger.com TO
C:\WINDOWS\system32\taskmger.com
C:\RECYCLER\systems.com
F:\MyPictures.exe
F:\system.com

CREATE:
C:\autorun.inf
F:\autorun.inf

As for the keys in reg:

reads the followin:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ Key:CUAS
HKEY_CURRENT_USER\Keyboard Layout\Toggle Key:Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle Key:Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle Key:Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ Key:EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM Key: Ime File
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF Key:Disable Thread Input Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared Key: CUAS
HKEY_CURRENT_USER\Control Panel\desktop\ResourceLocale

And most importantly wrtie the following into the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey_or_value=Shell data:Explorer.exe taskmger.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system Key:DisableTaskmgr data:[REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system Key:DisableRegistryTools data:[REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system KEy:DisableCMD data:[REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system Key:NoFolderOptions data=[REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key:Systry data:C:\WINDOWS\system32\notepad.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key:userd data:C:\WINDOWS\RECYCLER\systems.com

as you can see, and ur right, ma fi chi ismo c:\windows\recycler\ that's why it never runs from there.
now i still need to work on what's the payload, but maybe later, im not that interested. eventho that Team_deviance seems nifty :P
it dosen't only stop Taskmgr and Regedit, it also removes the folder options :P
fix them all, get procxp and kill the process tree.
but u need to kill the prog first, cause it keeps on re-writing the files/reg

mir

really thanks padre for the details
appreciate it a lot :D

I got my laptop with me at work
i just cleaned it
hope didn't miss something

this is my HJT after reboot :
http://www.battikh.com/mir/hijackthis.log

will be thanksful if you drop few eyes on it to make sure things are okay
i quick read it .. yalla me back to work

red-phoenix

Hello everybody, since this little trojan hasn't been added YET to any major antiviral database i had to write this litte nifty cleaner to make my life easier.
although i made it for private use, i think it's proper to share it, i hope it will be usefull.

here's the rapidshare link: (updated)
http://rapidshare.com/files/35904200/Outlaws_-_Trojan_Remover.exe.html

note: u might want to turn off heuristics in ur antivirus software though, since ironically it might protest that this cleaner has a hidden process !!

anyhows, i think this little trojan is locally made(beirut?) bcuz no one bothered yet to send a sample for study (i wonder why ! hehe) and bcuz the way this trojan works is shabby at best !! (no process injection for starters!), so i took the liberty to call it the 'OUTLAWS' trojan seing how stupid that moral msg that pops up when u right click on ur drives.

that's it, take care to not REINFECT urselves since this is just a cleaner, and to whoever wrote this STUPID trojan "GET A LIFE MAN, U ARE FREAKIN LAME!"

mir

by the way , as an update on this topic
haida l malware is really spreading a lot in lebanon
bi shakel mush tabi3a
i know couple of friends at works , at their personal computers , at unis who have this

that is really weird
some frnds are not able to remove it cuz it has been on their system for too long

i gave them the link for the file above.. but a frnd reported that it did nothing
so i didn't give it to the others cuz i maybe don't want to send them another malware :P
(sorry if offended red phoenix, but i don't easily trust ... it is a maybe ,maybe ur only doing good)

so wondering .. anyone infected ?

Padre

with the info i posted, it's easy to remove the malware :P

red-phoenix

hi mir, hi everybody, no offense taken there man, u are just being rational.
the cleaner probably didn't work for ur friend probably for one of 3 reasons

first, he/she has a different trojan or OUTLAWS with a mix of other trojans
second, he might have reinfected himself again with an uncleaned usb stick
third, he has proactive defence on (KASpersKY) or something similar (heuristics)

i think the third possibility is the one most plausible

at any rate, before i release the source batch code for this cleaner so that everbody can know what it does, can u tell me Mir if this cleaner helped ur other friends ? i know it did for me and the pcs i fixed lately, awaiting ur info ;)

red-phoenix

btw, i forgot to add, i didn't release the batch code earlier because i thought that the average user will be be scared when he sees the console poping up quickly with commands executing( not because someone would change the code to put his name/email instead in it hehe)
tomorrow i'll bring the script file with me to post it as is ...

laterz then

Padre

that's the most messy and fucked up cleaner i ever saw. with respects to ur work.
man wtf :S batchfiles and vbs ??? just use API. and why the hell do u need all those processes ????
anyway, i'm gonna go throught all the actions of the cleaner later. dosen't seem to be a malware at first glance.