LebGeeks

A community for technology geeks in Lebanon.


#1 May 15 2007, mir (Member)

malware :S - help

Hi guys,

It has been a long time since I last had any malware on my computer.

Yesterday I was with some people, we were in a hurry, and I wanted to take some files I needed from them.
Usually I would scan the USB stick, but it was a big USB stick with lots of files,
so I said, whatever, let me just copy the files.

And it blew up in my face.
Now I have a stubborn piece of malware on my laptop.
I am trying not to use the internet on it as much as possible, only for updates.

So far the symptoms of the malware are a disabled Task Manager and a disabled regedit.
From what I read on the internet, some people are also having problems with msconfig (I am not having that problem).

I have TuneUp Utilities, so I can check the running processes.
In msconfig, the weird thing is that notepad has been added to the startup.

I have Kaspersky Internet Security.
Everything is running, even the proactive defense;
the antivirus and everything else is set to the high security level,
and it has been updated.
I scanned the startup and critical areas;
nothing was detected.
And the funny thing is that proactive defense is working fine,
meaning if I try, for example, to do a search or change something in the settings, I get a proactive defense message asking me to block or allow.

But I am not receiving alerts all day long (as if there were no virus activity).

Has anyone faced this same problem,
and what did you use as a removal tool, and how?

I tried SDFix; it didn't work.
Kaspersky scan; didn't work.
I also disabled System Restore (read this somewhere on some forum).

Is there anything you want me to post? A HijackThis log, the running tasks (from TuneUp Utilities)?
Your help, guys, is really appreciated.

I am going to kill those people.

#2 May 15 2007, Padre (Member)

If you can get me a copy of the malware I would be able to help you out.
I'm sure you removed notepad from the startup, right?
Because if you're on NTFS you can hide programs inside another program's entry without two files showing (not sure I explained it well though).
Good luck!

#3 May 15 2007, mir (Member)

Well, I removed the startup entries for notepad and for a system.com that I also have,
but after restarting they are back in the startup.

Using TuneUp Utilities' registry editor, I searched for system.com and removed its entry.

Restarted...
still the same problem.

How do you want me to infect you?

I ran CCleaner, because some malware hides in temporary files or something like that so it doesn't get detected by the antivirus.

I am now downloading the AVG family of anti-malware tools.


If I could use VMware, I would have just done a restore now and been done with it.
I also had the idea of using DeepFreeze.
I think my important data is safe because it is TrueCrypt-encrypted.

This is the last thing I need now, because I already have work piled up over my head and can't afford a delay.

I will post the HJT log
at:
http://www.battikh.com/mir/hijackthis.log

And really, thanks for offering to help, Padre.

Last edited by mir (May 15 2007)

#4 May 15 2007, battikh (Member)

Could it be RapidBlaster? Try getting a RapidBlaster remover; it might be it, it shows up as notepad.exe.
I also wanted to tell you to download AVG Anti-Spyware, but you're a clever one :)

#5 May 15 2007, mir (Member)

"It downloads advertising from the Internet and displays it periodically."

That isn't happening.

Only Task Manager and regedit are disabled, and notepad.exe runs at startup, and I can't change that from msconfig.

I checked for rootkits using AVG Anti-Rootkit.
Now downloading AVG.
But when I was searching on the net, people with AVG were also reported as having the same problem.
Hope it doesn't turn out to be true :S

How can I get the name of that malware, so I can search for a removal utility for it?

#6 May 15 2007, battikh (Member)

Can you get a list of the services on your machine?

#7 May 15 2007, mir (Member)

Is this what you meant?
http://www.battikh.com/mir/Services2.JPG
http://www.battikh.com/mir/Services1.JPG

I am removing this data as soon as you have checked it,

so I hope it is going to be as fast as possible.

Thanks.

#8 May 15 2007, karim soubra (Member)

Try Ad-Aware from Lavasoft.

#9 May 15 2007, Padre (Member)

GET ME A COPY OF THIS MALWARE!!!
Get the guy you took the USB stick from, plug it in, and copy the hidden system files for me.
I want a copy to analyse it, not to get infected!
Sincerely yours,
Padre

Last edited by Padre (May 15 2007)

#10 May 15 2007, Padre (Member)

OK, now WTF is this:

C:\WINDOWS\system32\taskmger.com
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\TPSBattM.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Systry] C:\WINDOWS\system32\notepad.exe
O4 - HKLM\..\Run: [userd] C:\WINDOWS\RECYCLER\systems.com

How come you still have those entries???

#11 May 15 2007, mir (Member)

Padre wrote:
GET ME A COPY OF THIS MALWARE!!!
Get the guy you took the USB stick from, plug it in, and copy the hidden system files for me.
I want a copy to analyse it, not to get infected!
Sincerely yours,
Padre

Gladly, I will send you the files that I think are infected.
Check your Gmail in 5 minutes.
And by the way, not a guy: girls.
When I see them again, I won't ask nicely for a USB stick... I want to knock them all the way to Mars.
About 10 kinds of malware in 5 minutes.
Just let their project finish, and then I'll get hold of them.

Best regards,
mir

Padre wrote:
OK, now WTF is this:
Code:
C:\WINDOWS\system32\taskmger.com
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\TPSBattM.exe
Code:
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Systry] C:\WINDOWS\system32\notepad.exe
O4 - HKLM\..\Run: [userd] C:\WINDOWS\RECYCLER\systems.com

I narrowed the problem down to the same files:
taskmger and notepad and O4 - HKLM\..\Run: [userd] C:\WINDOWS\RECYCLER\systems.com
I googled C:\WINDOWS\RECYCLER\systems.com; nothing found.
And the location windows\recycler doesn't exist.
Screenshot of c:\windows in safe mode at:
http://www.battikh.com/mir/NoRecycler.jpg

The others are safe, but I am double-checking them anyway:
C:\WINDOWS\RTHDCPL is the Realtek HD Audio control panel.
TPSBattM.exe: Toshiba battery manager.
DLA: Drive Letter Access component from Sonic Solutions.


I booted into safe mode and tried to delete taskmger.exe; it didn't work.
I even scanned it with updated Kaspersky and AVG; nothing detected.
I searched the registry using TuneUp because regedit doesn't work.
I located entries and deleted some, or edited them to blank or good values,
but on startup the old values are back,
especially this value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon    "Shell"="Explorer.exe taskmger.com"

Some of the other values I changed are blank, but this particular one I can't change.


I am trying to find something that removes them automatically,
because manually I may not know about some entry.

Last edited by mir (May 15 2007)

#12 May 15 2007, Padre (Member)

OK, check your email :)

#13 May 15 2007, Padre (Member)

Thanks Mir, no need for the rest, it's just a copy of the same program.
I just took a quick glance at what it does; it should be enough for you to remove it manually.

It checks for the following file:
C:\WINDOWS\TEaM_DEViANCE.txt

It COPIES taskmger.com to:
C:\WINDOWS\system32\taskmger.com
C:\RECYCLER\systems.com
F:\MyPictures.exe
F:\system.com

It CREATES:
C:\autorun.inf
F:\autorun.inf

As for the registry keys:

It reads the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared Key: CUAS
HKEY_CURRENT_USER\Keyboard Layout\Toggle Key: Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle Key: Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle Key: Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF Key: EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM Key: Ime File
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF Key: Disable Thread Input Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared Key: CUAS
HKEY_CURRENT_USER\Control Panel\desktop\ResourceLocale

And, most importantly, it writes the following into the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Key: Shell data: Explorer.exe taskmger.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Key: DisableTaskmgr data: [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Key: DisableRegistryTools data: [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Key: DisableCMD data: [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Key: NoFolderOptions data: [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key: Systry data: C:\WINDOWS\system32\notepad.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Key: userd data: C:\WINDOWS\RECYCLER\systems.com

As you can see, and you're right, there is nothing called c:\windows\recycler\, which is why it never runs from there.
I still need to work out what the payload is, but maybe later; I'm not that interested, even though that Team_Deviance seems nifty.
It doesn't only disable Taskmgr and Regedit, it also removes Folder Options.
Fix them all, get Process Explorer and kill the process tree.
But you need to kill the program first, because it keeps rewriting the files/registry.

Last edited by Padre (May 15 2007)
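
Padre's list above gives a responder the two artifacts worth checking on a suspect machine or USB stick: the autorun.inf the dropper writes to each drive, and the Winlogon Shell value it hijacks. The Python below is an added example, not code from this thread or from the trojan's author. It parses an autorun.inf into the commands Explorer would run and flags the patterns seen here (a target under RECYCLER, a .com executable, rundll32 ShellExec_RunDLL indirection), and it splits a Shell value into whatever is started besides explorer.exe. The sample autorun.inf is constructed from the entries described in this thread (including the cached verbs mir reports later); no copy of the real file appears on this page. Python is used so the check runs offline against a copied file and an exported value rather than on the infected machine.

```python
r"""Triage for the autorun.inf and Winlogon "Shell" persistence described above.
Added example, not code from this thread or from the trojan's author.
The sample autorun.inf is constructed from the entries reported in this
thread; no copy of the real file appears on this page."""
import re
from typing import Dict, List, Tuple

# Constructed sample. open=, shell\start and the rundll32 line mirror the
# commands mir found cached under MountPoints2; the slogan text is paraphrased.
SAMPLE_AUTORUN_INF = r"""; constructed sample, not a captured file
[autorun]
open=RECYCLER\systems.com
shellexecute=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\systems.com
shell\start=If freedom is outlawed...
shell\start\command=RECYCLER\systems.com
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    r"""Return the [autorun] section as lower-cased key -> value.
    Keys keep the file's backslash separators (shell\start\command)."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    r"""Entries Explorer may execute: open=, shellexecute= and the
    shell\<verb>\command entries behind the right-click menu verbs."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def suspicious_autorun(entries: Dict[str, str]) -> List[str]:
    """One line per launch command showing the indicators seen in this thread."""
    findings = []
    for key, cmd in launch_commands(entries):
        reasons = []
        if re.search(r"recycler\\", cmd, re.I):
            reasons.append("runs from a RECYCLER folder (Recycle Bin, hidden by default)")
        if "shellexec_rundll" in cmd.lower():
            reasons.append("launched indirectly through rundll32 ShellExec_RunDLL")
        if re.search(r"\.com(\s|$)", cmd, re.I):
            reasons.append("target is a .com executable")
        if reasons:
            findings.append(f"{key}={cmd}: " + "; ".join(reasons))
    return findings


def shell_extras(shell_value: str) -> List[str]:
    """Split a Winlogon Shell value into its programs and return everything
    that is not explorer.exe. A clean XP machine has exactly "Explorer.exe"."""
    programs = [p for chunk in shell_value.split(",") for p in chunk.split()]
    return [p for p in programs if p.lower() not in ("explorer.exe", "explorer")]


def triage(autorun_text: str, shell_value: str) -> Dict[str, object]:
    """Combine both checks; "clean" is True only when nothing was flagged."""
    entries = parse_autorun_inf(autorun_text)
    autorun_findings = suspicious_autorun(entries)
    extras = shell_extras(shell_value)
    return {"autorun": autorun_findings, "shell_extras": extras,
            "clean": not autorun_findings and not extras}


if __name__ == "__main__":
    # Shell value exactly as mir reported it from the infected laptop.
    report = triage(SAMPLE_AUTORUN_INF, "Explorer.exe taskmger.com")
    for line in report["autorun"]:
        print("autorun.inf:", line)
    for prog in report["shell_extras"]:
        print("Winlogon Shell starts extra program:", prog)
    print("clean" if report["clean"] else "infected")
```

To use it on a real stick, copy autorun.inf off the drive with the hidden and system attributes cleared (attrib -s -h -r X:\autorun.inf) and pass its contents to triage() together with the Shell value read from the machine's SOFTWARE hive.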


#14 May 16 2007, mir (Member)

Really, thanks Padre for the details.
I appreciate it a lot.

I have my laptop with me at work.
I just cleaned it.
Hope I didn't miss something.


This is my HJT log after reboot:
http://www.battikh.com/mir/hijackthis.log

I would be thankful if you could cast an eye over it to make sure things are okay.
I gave it a quick read... anyway, back to work.

Last edited by mir (May 16 2007)

#15 June 4 2007, red phoenix (Banned)

Hello everybody. Since this little trojan hasn't been added YET to any major antivirus database, I had to write this little nifty cleaner to make my life easier.
Although I made it for private use, I think it's proper to share it; I hope it will be useful.

Here's the RapidShare link (updated):
http://rapidshare.com/files/35904200/Ou … r.exe.html

Note: you might want to turn off heuristics in your antivirus software though, since ironically it might protest that this cleaner has a hidden process!!

Anyhow, I think this little trojan is locally made (Beirut?) because no one has bothered yet to send a sample for study (I wonder why! hehe) and because the way this trojan works is shabby at best!! (no process injection, for starters!), so I took the liberty of calling it the 'OUTLAWS' trojan, seeing how stupid that moral message is that pops up when you right-click on your drives.

That's it. Take care not to REINFECT yourselves, since this is just a cleaner, and to whoever wrote this STUPID trojan: "GET A LIFE MAN, YOU ARE FREAKING LAME!"

Last edited by red phoenix (June 8 2007)

#16 June 6 2007, mir (Member)

By the way, as an update on this topic:
this malware is really spreading a lot in Lebanon,
in an abnormal way.
I know a couple of friends at work, on their personal computers, at universities, who have this.

That is really weird.
Some friends are not able to remove it because it has been on their system for too long.

I gave them the link for the file above, but a friend reported that it did nothing,
so I didn't give it to the others, because I maybe don't want to send them another malware
(sorry if that offends you, red phoenix, but I don't trust easily... it is a maybe; maybe you're only doing good).

So, wondering... anyone else infected?

#17 June 6 2007, Padre (Member)

With the info I posted, it's easy to remove the malware.

#18 June 6 2007, red phoenix (Banned)

Hi mir, hi everybody. No offense taken there, man, you are just being rational.
The cleaner probably didn't work for your friend for one of 3 reasons:

first, he/she has a different trojan, or OUTLAWS with a mix of other trojans;
second, he might have reinfected himself again with an uncleaned USB stick;
third, he has proactive defence on (Kaspersky) or something similar (heuristics).

I think the third possibility is the most plausible.

At any rate, before I release the source batch code for this cleaner so that everybody can know what it does, can you tell me, mir, if this cleaner helped your other friends? I know it did for me and the PCs I fixed lately. Awaiting your info ;)

Last edited by red phoenix (June 6 2007)

#19 June 6 2007, red phoenix (Banned)

By the way, I forgot to add: I didn't release the batch code earlier because I thought that the average user would be scared when he sees the console popping up quickly with commands executing (not because someone would change the code to put his name/email in it instead, hehe).
Tomorrow I'll bring the script file with me to post it as is...

Later then.

#20 June 6 2007, Padre (Member)

That's the most messy and fucked up cleaner I ever saw, with respect to your work.
Man, WTF :S batch files and VBS??? Just use the API. And why the hell do you need all those processes????
Anyway, I'm going to go through all the actions of the cleaner later. Doesn't seem to be malware at first glance.

#21 June 6 2007, red phoenix (Banned)

Cool, I just thought of a way of extracting the script code from the executable right away, so no need to wait for tomorrow. Here it is:

Cleaner.bat

@echo off
rem OUTLAWS-trojan cleaner. Run it from an administrator account. taskkill and
rem reg ship with Windows XP Professional but not with XP Home.

echo call wscript.echo("OUTLAWS-trojan Cleaner 2007, by Red_phoenix2k@hotmail.com, NO WARRANTY on usage") > "%windir%\temp\msg.vbs"
wscript //nologo "%windir%\temp\msg.vbs"
del /f "%windir%\temp\msg.vbs"

echo call wscript.echo("Plz CLOSE all background applications, press OK and then WAIT for the finished message") > "%windir%\temp\msg.vbs"
wscript //nologo "%windir%\temp\msg.vbs"
del /f "%windir%\temp\msg.vbs"

rem Kill the running copies first: while the trojan is alive it rewrites its
rem files and registry entries as fast as they are removed.
taskkill /f /im notepad.exe /t
taskkill /f /im taskmger.com /t
taskkill /f /im systems.com /t
taskkill /f /im mypictures.exe /t

rem Remove the dropped files from every drive letter, so a plugged-in USB stick
rem is cleaned as well. The files carry the system/hidden/read-only attributes,
rem which must be cleared before del works; 2>nul hides "file not found".
for %%x in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
    attrib -s -r -h %%x:\autorun.inf 2>nul
    del /f %%x:\autorun.inf 2>nul
    attrib -s -r -h %%x:\recycler\systems.com 2>nul
    del /f %%x:\recycler\systems.com 2>nul
    attrib -s -r -h %%x:\systems.com 2>nul
    del /f %%x:\systems.com 2>nul
    attrib -s -r -h %%x:\mypictures.exe 2>nul
    del /f %%x:\mypictures.exe 2>nul
)

rem Replace the notepad.exe the trojan launches from system32 with the clean
rem copy in %windir%, and delete the fake task manager.
attrib -s -r -h "%windir%\system32\notepad.exe"
del /f "%windir%\system32\notepad.exe"
attrib -s -r -h "%windir%\system32\taskmger.com"
del /f "%windir%\system32\taskmger.com"
copy /y "%windir%\notepad.exe" "%windir%\system32\notepad.exe"

rem Restore the Winlogon shell and undo the policies that disabled Task Manager,
rem regedit and Folder Options.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "Explorer.exe" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v NoFolderOptions /t REG_DWORD /d 0 /f

rem Remove the two autostart entries.
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Systry /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v userd /f

rem Drop the cached per-volume autorun verbs (the right-click slogan entries);
rem Explorer rebuilds this key from clean autorun.inf files as needed.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

echo call wscript.echo("Finished cleaning up, Plz RESTART ur computer now ;)") > "%windir%\temp\msg.vbs"
wscript //nologo "%windir%\temp\msg.vbs"
del /f "%windir%\temp\msg.vbs"

If this looks like malware code to you guys, just tell me and I'll remove the link from RapidShare hehe.

#22 June 6 2007, red phoenix (Banned)

Padre, no need to get nasty. If you don't like it, don't use it. :)
If you think it can be done with a better style, be my guest and make it so.
If you think it hurts the valuable data on the PC, just please tell me how.
Just don't insult people like that, please; this is not the place for it.

As for using APIs, this gets the job done way more easily, it's more practical; I'm not using APIs and frameworks to program games here. (It took me 30 minutes to write it, and if it works why should I change it?)
If the trojan used process injection then I would probably have needed to use the Windows API to kill its child process, but clearly it doesn't; it's a lame trojan.

At any rate, that's it. If you're not going to throw a fit again then I'd advise you to read it again. I thought it would be OK to share this little PRIVATE toy and that's all there is to it hehe, nothing evil or stupid, I assure you.

Peace then.

Last edited by red phoenix (June 6 2007)

#23 June 6 2007, mir (Member)

Well, red phoenix,
I hope you didn't feel offended. I think that you were trying to help, but it was your first post, with no background on you personally, so I think you may understand (call me stupid, but I don't run everything people tell me to).
By the way, red phoenix, welcome.

Anyway, there are other registry values that should also be cleaned so the "Just a Game" and the freedom slogans can be removed:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{series of numbers and letters}\Shell
Under Shell you will find Read, Start, AutoRun.

If you click on Start, the REG_SZ data contains the "if freedom is outlawed... blablabla".
In the subkey, that means:
shell\start\command
there is the command that is run, which is recycler\systems.com
or f:\systems.com.

Deleting those will stop you from seeing those slogans when right-clicking on a volume.

In AutoRun you will also find:
C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\systems.com

Padre, I think I can get you a copy of the malware so you can run it inside VMware.
If you're interested, tell me.

And guys, I know a couple of companies and people who are having a terrible time with this malware,
so if anyone is interested in doing maintenance for them or selling them the script, let me know so I can put you in contact (I am busy at my work and don't have time to go to other companies).
And any info on who wrote this malware?
Is it detected by any anti-malware (AVG, Kaspersky, ...)?

Last edited by mir (June 6 2007)
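
The MountPoints2 keys mir describes are Explorer's cached copy of each volume's autorun.inf verbs, which is why they outlive the deleted file until the cache is rebuilt. The Python below is an added example, not code from this thread or from the cleaner above. It parses a .reg export (as written by "reg export HKCU hkcu.reg" and the same for HKLM) and reports the persistence items listed in this thread: MountPoints2 shell verbs and their commands, Run entries that point at RECYCLER, the dropped .com files or notepad.exe, and the Policies\System DWORDs that disable Task Manager, regedit and Folder Options. It then produces the reg.exe commands that undo them. The export is a constructed sample mirroring the keys quoted by Padre and mir; the volume GUID is invented, and the Winlogon Shell value is left to the autorun.inf example earlier in the thread.

```python
r"""Triage of a .reg export for the persistence entries quoted in this thread.
Added example, not code from the thread. Export the hives on the suspect
machine with "reg export HKCU hkcu.reg" / "reg export HKLM hklm.reg" and
feed the text to parse_reg_export(). The export below is constructed to
mirror the keys Padre and mir listed; the volume GUID is invented."""
import re
from typing import Dict, List, Tuple

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\Start]
@="If freedom is outlawed... (constructed slogan text)"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\Start\command]
@="RECYCLER\\systems.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\\systems.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"Systry"="C:\\WINDOWS\\system32\\notepad.exe"
"userd"="C:\\WINDOWS\\RECYCLER\\systems.com"
"""

Finding = Tuple[str, str, str, object]  # (kind, key, value name, data)
SUSPICIOUS = re.compile(r"recycler|shellexec_rundll|systems\.com|mypictures\.exe|taskmger\.com", re.I)
POLICY_VALUES = ("DisableTaskmgr", "DisableRegistryTools", "NoFolderOptions", "DisableCMD")


def load_reg_file(path: str) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", "replace")


def _decode(data: str) -> object:
    """Decode the value syntax used by .reg files: "string" and dword:hex."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex: and multi-line binary data are left as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key] to its values; the default value is stored as "(Default)"."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            name, _, data = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = _decode(data)
    return keys


def triage_registry(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        low = [p.lower() for p in key.split("\\")]
        default = values.get("(Default)", "")
        if "mountpoints2" in low and "shell" in low:
            # Cached autorun.inf verbs for one volume: Shell\<verb> holds the
            # menu label, Shell\<verb>\command the program it launches.
            tail = low[low.index("shell") + 1:]
            if len(tail) == 1 and isinstance(default, str) and default:
                findings.append(("mountpoint-verb", key, "(Default)", default))
            elif len(tail) == 2 and tail[1] == "command" and isinstance(default, str) and SUSPICIOUS.search(default):
                findings.append(("mountpoint-autorun", key, "(Default)", default))
        elif low[-1] in ("run", "runonce") and "currentversion" in low:
            for name, data in values.items():
                # Notepad has no business starting at logon; the rest match the dropped names.
                if isinstance(data, str) and (SUSPICIOUS.search(data) or data.lower().endswith("\\notepad.exe")):
                    findings.append(("run-key", key, name, data))
        elif low[-2:] == ["policies", "system"]:
            for name in POLICY_VALUES:
                if values.get(name) == 1:
                    findings.append(("policy", key, name, 1))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """reg.exe commands that undo the findings; run them after killing the process."""
    cmds: List[str] = []
    for kind, key, name, _ in findings:
        if kind.startswith("mountpoint"):
            parts = key.split("\\")
            shell_key = "\\".join(parts[:[p.lower() for p in parts].index("shell") + 1])
            cmd = 'reg delete "%s" /f' % shell_key  # Explorer rebuilds the cache
        elif kind == "run-key":
            cmd = 'reg delete "%s" /v "%s" /f' % (key, name)
        else:
            cmd = 'reg add "%s" /v %s /t REG_DWORD /d 0 /f' % (key, name)
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    found = triage_registry(parse_reg_export(SAMPLE_REG_EXPORT))
    for kind, key, name, data in found:
        print(f"[{kind}] {key} :: {name} = {data}")
    print("\nremediation:")
    print("\n".join(remediation_commands(found)))
```

The generated commands are meant to be reviewed, then run from an administrator prompt once the trojan's processes are dead; as Padre notes above, anything restored while it is still running is rewritten immediately.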


#24 June 6 2007, red phoenix (Banned)

Mir, thanks for your clarification. I personally know you are correct in being rational.
But like you said, I was just trying to be helpful. Plus I thought sending a raw script would be just too user-unfriendly for most people.

As for the remaining registry entries (the ones dealing with the right-click messages),
I thought those actually went away after the cleaner deleted the autorun.inf and AFTER the system rebooted; on the PCs I cleaned this is what happened.
I think those keys might be dynamic or something.

At any rate, I'm done with the script now; feel free to improve it, guys :)

There's a forum here on game development that currently has my attention, so I am busy reading it.

Later!

#25 June 6 2007, rolf (Member)

Download Spyware Terminator. It's free and works great.
