Unrecognized malware in explorer.exe module, how to proceed?

Last week my laptop got infected through a Java vulnerability and got a couple of Java downloader viruses. I was able to disinfect the laptop using Avast and SDFix but there is one nasty bugger that lies somewhere in explorer.exe modules and none of the scanners I’ve tried (Avast, F-Secure, BitDefender, MalwareBytes) is able to recognise it.

Only symptom is http network connections to hosts noname.inferno.name and random servers in servernap.net. Procmon shows that the connecting process is explorer.exe, and the list of explorer modules is attached. It is not started if I change the login shell from explorer.exe to cmd.exe. I can’t find anything like this using Google and I’m pretty sure this is either a malicious bot or, most likely, some adware gone bad (the visible part of the program has been cleaned but the back-office is still running).

I installed good ole ZoneAlarm to block communication, but is there any way to clean it properly?

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTS log. Post the OTS log as an attachment (Additional Options > Attach > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your log and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the log.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.

Let me know if you have any questions. Thank you.

Edit: Essexboy has been notified and will await OP’s log.

Thanks. Here’s the OTS log without “No Company Info”-section and “Created/Modified” section. File too big otherwise and nothing interesting there.

I don’t read these logs, but for the one that does… :wink:

It seems as though the log is saved as unicode, which jumbles up the text. It needs to be saved in ANSI
Image here: http://forum.avast.com/index.php?topic=65104.msg554427#msg554427

You are absolutely right, but it is the OTS that writes the log in Unicode. Here’s the same in 8-bit for you Unicode-challenged…

Yes, just tried a scan with it, the save as window produces Unicode, whereas a normal notepad window gives ASCII…I guess that is a question for essexboy :wink:

The log is readable now.
He should be able to look at the log when he is online.

With the logs there is no need to select save as, as the log is automatically saved to the desktop ;D

First a question - could you confirm that you placed the proxy settings within your system ? 172.21.255.254:3128

I see you have also run Combofix - could I have a look at the log please

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3107237242-2222905568-1701479351-1006\] > -> 
YN -> HKEY_USERS\S-1-5-21-3107237242-2222905568-1701479351-1006\: SearchURL\\"provider" -> gogl
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

It actually required a reboot. The log is attached as well as the ComboFix log. Nothing there.

Are you still getting the network connections ?

Yup, nothing’s changed. ZoneAlarm firewall is blocking them and I’m not too worried since I believe the resident part is not harmful as long as it can’t access network to download any new programs or be part of bot network.

I have a Wireshark log of the connections and the destinations include hosts in servernap.net, hostnoc.net, advancedhosters.com and level3.net. Now I’m pretty sure my machine would be part of a bot network without the firewall. This is a very subtle Trojan, apart from the network traffic it does not give any signs of its presence and it is not detected by any of the scanners I’ve tried. I’m not even sure if this was the result of last week’s infection, it may have been there already undetected.

Here’s example of the communication: My laptop sends http GET with URI /td?aid=A91452&said=442-direc10&q=french%20food and Referer field http://www.findconfused.org/search.php?q=french+food&aid=442&sid=direc10 and Accept-Encoding: gzip, deflate. Return data is garbage, probably gzipped.

Edit: Here’s a list of IP addresses it tries to connect to initially: 69.65.49.114, 69.65.49.122, 69.65.63.122, 95.211.22.217, 209.212.157.208. If it manages to connect to those hosts then more connections are made to a number of hosts.
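The posts above give a usable set of indicators: the destination hosts and IP addresses, the `/td?aid=...&said=...` request shape, the findconfused.org referer, and the fact that the requesting process is explorer.exe rather than a browser. The script below is an added example (not from this thread or from any of the tools mentioned in it) that turns those indicators into a small detection pass over a constructed, one-request-per-line export of captured HTTP traffic; the export format and the sample lines are assumptions made for the example, the indicator values are the ones reported in the thread.

```python
"""Flag outbound HTTP requests matching the indicators reported in the thread.

Added example, not code from the forum thread. The line format parsed here is
a constructed, simplified "<pid> <process> <dst_ip> <method> <url> <referer>"
export; the hosts, IPs and URI pattern come from the thread.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Domains reported in the thread; matched exactly or as a parent of the request host.
SUSPECT_DOMAINS = {"noname.inferno.name", "servernap.net", "hostnoc.net",
                   "advancedhosters.com", "findconfused.org"}
# Initial-contact IP addresses listed by the OP.
SUSPECT_IPS = {ipaddress.ip_address(a) for a in (
    "69.65.49.114", "69.65.49.122", "69.65.63.122",
    "95.211.22.217", "209.212.157.208")}

# Constructed sample export (not a real capture); "-" means no Referer header.
SAMPLE_LOG = """\
1588 explorer.exe 69.65.49.114 GET http://69.65.49.114/td?aid=A91452&said=442-direc10&q=french%20food http://www.findconfused.org/search.php?q=french+food&aid=442&sid=direc10
2044 firefox.exe 93.184.216.34 GET http://example.com/index.html -
1588 explorer.exe 95.211.22.217 GET http://noname.inferno.name/td?aid=A91452&said=442-direc10&q=recipes -
3120 svchost.exe 10.0.0.5 GET http://wpad.local/wpad.dat -
"""


def parse_line(line):
    """Split one export line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    pid, proc, dst, method, url, referer = parts
    return {"pid": int(pid), "process": proc, "dst": dst,
            "method": method, "url": url, "referer": referer}


def host_is_suspect(host):
    """True if host is a listed IP, or equals / is a subdomain of a listed domain."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in SUSPECT_IPS
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def reasons_for(rec):
    """Return the list of indicator names that one request record matches."""
    reasons = []
    try:
        if ipaddress.ip_address(rec["dst"]) in SUSPECT_IPS:
            reasons.append("dst_ip")
    except ValueError:
        pass
    url = urlsplit(rec["url"])
    if host_is_suspect(url.hostname):
        reasons.append("url_host")
    query = parse_qs(url.query)
    # The beacon shape seen in the thread: GET /td?aid=...&said=...
    if url.path == "/td" and "aid" in query and "said" in query:
        reasons.append("td_aid_pattern")
    if rec["referer"] != "-" and host_is_suspect(urlsplit(rec["referer"]).hostname):
        reasons.append("referer_host")
    # The Windows shell does not normally issue HTTP requests on its own;
    # that alone is worth a look, which is how the OP noticed the problem.
    if rec["process"].lower() == "explorer.exe":
        reasons.append("shell_process_http")
    return reasons


def scan(log_text):
    """Return (pid, process, dst, reasons) for every line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            hits.append((rec["pid"], rec["process"], rec["dst"], reasons))
    return hits


if __name__ == "__main__":
    for pid, proc, dst, reasons in scan(SAMPLE_LOG):
        print(f"pid {pid} {proc} -> {dst}: {', '.join(reasons)}")
```

Domain matching is done on suffix with a dot boundary, so `mail.servernap.net` matches but `servernap.net.example.com` does not; the explorer.exe heuristic fires on its own because, as the thread shows, the process name was the only visible anomaly before any of the scanners caught up.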

OK let's use a different analysis tool, you get an extra AV scan on this one - but I feel the answer may be in the analysis log

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder then upload to Mediafire and post the sharing link.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg

Some progress, Kaspersky detected MEM:Rootkit.Win32.Sst.a in memory. Link to log: http://www.mediafire.com/?6p0l903q1v5gkuw

BTW I’m aware, that SpyNoMore is rogue. I deleted the files manually since uninstall was suspicious and registry entry was left behind.

Could you re-run AVP and kill this Untreated: MEM:Rootkit.Win32.Sst.a

Also is putty running with your agreement (Telnet client)

File Scanner
There are some files I need you to upload for checking

[*]Make sure to use Internet Explorer for this
[*]Please go to VirSCAN.org FREE on-line scan service
[*]Copy and paste the following file path into the “Suspicious files to scan” box on the top of the page:

[*]C:\WINDOWS\gmchReg.sys

[*]Click on the Upload button
[*]If a pop-up appears saying the file has been scanned already, please select the ReScan button.
[*]Once the Scan is completed, click on the “Copy to Clipboard” button. This will copy the link of the report into the Clipboard.
[*]Paste the contents of the Clipboard in your next reply.

Putty was running on purpose, no worries. AVP was not able to disinfect this virus. It’s probably just a generic message: the program has detected a memory SST not matching the initial SST from ntoskrnl.exe. However it doesn’t know who modified it and how to fix it. Found this interesting article http://www.articlesbase.com/security-articles/simple-antirootkit-2003035.html about SST rootkits, unfortunately the sources and executable of this AntiRootkit tool were missing.

Nothing in this file either:

VirSCAN.org Scanned Report :
Scanned time : 2011/04/14 21:18:56 (EEST)
Scanner results: Scanners did not find malware!
File Name : gmchReg.sys
File Size : 16896 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 45ca6300263c8677edbf642bdf37a598
SHA1 : a6d74481902c3e748c04553f083abfe8bffedcb7
Online report : http://virscan.org/report/3d06611a993d0ddc31942d7adf7a615e.html

Scanner      Engine Ver        Sig Ver             Sig Date    Time   Scan result
a-squared    5.1.0.2           20110415013156      2011-04-15  7.03   -
AhnLab V3    2011.04.14.00     2011.04.14          2011-04-14  10.20  -
AntiVir      8.2.4.208         7.11.6.129          2011-04-14  0.34   -
Antiy        2.0.18            20110205.7694535    2011-02-05  0.02   -
Arcavir      2011              201103241627        2011-03-24  0.02   -
Authentium   5.1.1             201104141051        2011-04-14  1.50   -
AVAST!       4.7.4             110414-1            2011-04-14  0.01   -
AVG          8.5.850           271.1.1/3572        2011-04-14  0.28   -
BitDefender  7.90123.7115271   7.37082             2011-04-15  6.89   -
ClamAV       0.96.5            12981               2011-04-14  0.01   -
Comodo       4.0               8340                2011-04-14  1.38   -
CP Secure    1.3.0.5           2011.04.15          2011-04-15  0.04   -
Dr.Web       5.0.2.3300        2011.04.15          2011-04-15  11.59  -
F-Prot       4.4.4.56          20110413            2011-04-13  1.46   -
F-Secure     7.02.73807        2011.04.14.07       2011-04-14  0.25   -
Fortinet     4.2.257           13.111              2011-04-14  0.25   -
GData        22.75/22.37       20110414            2011-04-14  14.20  -
ViRobot      20110414          2011.04.14          2011-04-14  1.16   -
Ikarus       T3.1.32.20.0      2011.04.14.78172    2011-04-14  6.13   -
JiangMin     13.0.900          2011.03.30          2011-03-30  2.67   -
Kaspersky    5.5.10            2011.04.14          2011-04-14  0.17   -
KingSoft     2009.2.5.15       2011.4.14.18        2011-04-14  3.46   -
McAfee       5400.1158         6316                2011-04-14  8.62   -
Microsoft    1.6702            2011.04.14          2011-04-14  4.94   -
NOD32        3.0.21            6040                2011-04-14  0.02   -
Norman       6.07.08           6.07.00             2011-04-13  16.03  -
Panda        9.05.01           2011.04.14          2011-04-14  2.98   -
Trend Micro  9.200-1012        7.974.10            2011-04-14  0.03   -
Quick Heal   11.00             2011.04.14          2011-04-14  2.89   -
Rising       20.0              23.53.03.06         2011-04-14  2.86   -
Sophos       3.18.0            4.64                2011-04-15  3.49   -
Sunbelt      3.9.2488.2        9013                2011-04-14  0.82   -
Symantec     1.3.0.24          20110414.002        2011-04-14  0.35   -
nProtect     20110414.01       3356712             2011-04-14  6.29   -
The Hacker   6.7.0.1           v00173              2011-04-12  0.45   -
VBA32        3.12.16.0         20110413.1306       2011-04-13  3.97   -
VirusBuster  5.2.0.28          13.6.305.0/4965723  2011-04-14  0.00   -

OK let's see if we can find the SST hook

Download GMER from Here. Note the file’s name and save it to your root folder, such as C:.

[*]Disconnect from the Internet and close all running programs.
[*]Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
[*]Click on this link to see a list of programs that should be disabled.
[*]Double-click on the downloaded file to start the program. (If running Vista, right click on it and select “Run as an Administrator”)
[*]Allow the driver to load if asked.
[*]You may be prompted to scan immediately if it detects rootkit activity.
[*]If you are prompted to scan your system click “No”, save the log and post back the results.
[*]If not prompted, click the “Rootkit/Malware” tab.
[*]On the right-side, all items to be scanned should be checked by default except for “Show All”. Leave that box unchecked.
[*]Select all drives that are connected to your system to be scanned.
[*]Click the Scan button to begin. (Please be patient as it can take some time to complete)
[*]When the scan is finished, click Save to save the scan results to your Desktop.
[*]Save the file as Results.log and copy/paste the contents in your next reply.
[*]Exit the program and re-enable all active protection when done.

Too late, I think it’s gone now. Unfortunately the infected file was lost in the process. Running the AVP scan again after it logged failure of removing the reported SST.A, it found this:

14.4.2011 22:09:34 Detected: Virus.Win32.TDSS.e C:\WINDOWS\system32\drivers\volsnap.sys
14.4.2011 22:10:35 Will be deleted on system restart: Virus.Win32.TDSS.e C:\WINDOWS\system32\drivers\volsnap.sys

It recommended deleting this file. I answered “Yes” and as expected the boot halted with a blue screen. I booted from a live Linux CD and copied a clean copy of volsnap.sys, and after reboot the computer seems to be clean. AVP check is clear and no extra Internet connections are detected.

Thank you so much for the effort. I’m sorry that the file was lost but I was so sure it was just a false positive that I didn’t save a copy.

It was infected - the TDL3 rootkit

But as it is clear now - although I am surprised that Avast did not report it

Run OTS and hit the cleanup button to remove it - then just delete AVP from your desktop

Avast was not running when the computer was infected. And after infection it had zero chance of finding it any more.

Any further problems or are you happy ?

:slight_smile: