Pragma Trojan Deleted MBAM!

[doogieschnauzer]

XP Pro SP3

I did a search for Arial Outline Font and hit a Web site that made a real mess for me. I already had Task Manager open, but a dialog came up that said it was disabled by the admin when I tried to switch to it - too scared to push the OK button. I went for MBAM and the executable had been deleted or moved. I also had some rootkit tools readily available and tried to run rkill - not sure if that succeeded or not.

Got the network connection yanked. Was able to start regedit (or it was already running). Ran gmer and was informed I was rootkitted. Ran group policy to get task man turned back on, but it didn't really seem to be disabled. Finally had courage enough to OK the message about task man being disabled. Used task manager to start killing some suspect looking processes. Fake AV and copyright boxes started popping up and two iexplere processes kept restarting themselves. May have used gmer to kill some other processes. Got HiJackThis fired up. Got the fake AV noise tamped down and used HiJackThis to clean up obvious problems. HiJackThis could not remove some items or they kept coming back.

Rebooted off the Ultimate Boot CD for windows CD and went on a search and destroy for items I had seen in gmer and HiJackThis. Deleted the Prefetch folder contents, temp files and temp internet files. Creamed some obvious malware files in the Windows and System32 folders. Fired up UBCD remote registry tools and went on another search and destroy. Found several Pragmavstiwuycye registry keys that I can't delete AND can't change permissions on. But was able to get rid of the LEGACY_PRAGMA keys in the HKLM\System\xxControlSetxx.

Noted that the GUID trail on some of these keys led back to a key 00020424-0000-0000-C000-000000000046 which has a subkey InprocServer with a default value of ole2disp.dll and a subkey InprocServer32 with a InprocServer32 value with some strange characters as the data. Comparing this value to the one for a very similar machine, it looked like the infected entry was a whole lot longer than maybe it should be. Copied in the data from the UBCD registry for the same key/value.

At some point, rebooted and got MBAM reinstalled, updated, and did a quick scan - said it found and fixed some problems, but gmer still said I was rootkitted. Downloaded the SuperAntiSpyware portable scanner and ran it - said it found and fixed some problems.

Opened Group Policy editor and looked at Computer Configuration/Windows Settings/Security Settings. Clicking that node gave an warning that said something about the file was messed up or the parameter was wrong but it was going to show me anyway. I didn't really know what I was looking at after it opened, but I was left with the impression the file had seen some tampering. Looked at Windows\Security\Database folder and noted there was a secedit.sdb file and one named Service pack 3.sdb (unlike the similar machine which just has the former). It seems odd the modified date on the infected machine is two years ago as opposed to the similar machine which was modified today.

Somewhere or another I ended up getting a message that said 'Changes to the view of a console file are saved in your profile. The files in your profile that store these console changes are using the following amount of disk space on this computer: 5.78Kb.' There was a button to delete the file(s) - as if that and unused desktop icons are the big problems with this POS operating (aggravating?) system. I deleted the file(s) because I had noted that the device manager didn't list the hard drive item - maybe that's just because I'm in safe mode?

Oh, and by the way, for a LONG time this computer has had a problem about being excruciatingly slow to switch focus between sessions of IE or to create a new tab. If a page was set to self-refresh, you would almost think the computer locked up for 5-10 seconds regardless of what other application you may have been in at the time. This is how I happened to have the rootkit tool handy. Prior to getting infected (or it becoming obvious) I had run some of these including RKUnhook and Ice Sword. The former showed I had some process hooking, but I don't know if that's normal or not. I ran it after infection and it said it was, itself infected, and offered to fix the problem before opening itself. I don't know whether to trust that one or not. I couldn't make much sense of Ice Sword, but the splash graphic is really cool.

That's about where I'm at. The 'similar' machine has a really clean gmer report and the infected one shows Pragmavstiwuycye as a hidden service so I'm still worried. HiJackThis doesn't show anything I'd be suspicious of... well, maybe entries for WUWebControl Class and MUWebControl Class which look to be related to Windows Update. Windows Update has proved to be the most damaging piece of software on this computer having cost me unsaved work when it downloaded, updated and rebooted with extreme prejudice and without permission when I looked away too long. Also cost me a complete rebuild when XP SP3 failed to install properly, wouldn't reboot, and couldn't system restore - can I give a Thanks, Ass Bites shoutout to the Microdinks? Maybe that will cause somebody who could help me to ignore me instead? Maybe it will encourage one of the many to assuage their guilt by helping when they ordinarily wouldn't? Could go either way, I guess.

Anyway, here is the gmer log. I hope somebody out there likes a challenge. You guys must be doing something right or this pest wouldn't have deleted your application first thing. I'm in the process of evaluating courses of action for our virus problems in the office so help me build a case for MBAM.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-01 15:14:45

Windows 5.1.2600 Service Pack 3

Running: remg.exe; Driver: C:\DOCUME~1\MAIN\LOCALS~1\Temp\pxtdapog.sys

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pcmcia.sys entry point in ".rsrc" section [0xF74F4614]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[1084] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A

.text C:\WINDOWS\Explorer.EXE[1084] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 3 Bytes JMP 0091000A

.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6D4 1 Byte [84]

.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0092000A

.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0090000C

.text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0185000A

.text C:\WINDOWS\system32\svchost.exe[1972] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AA000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A425EE4

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAvstiwuycye <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c67ed041

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstiwuycye

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c67ed041 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstiwuycye (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@chinaontv[2].txt 0 bytes

File C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt 0 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Z9G7MZCM\094019_24Car_Drifting_modification_1[1].flv 1106457 bytes

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Z9G7MZCM\AdDisplayTrackerServlet[1].htm 0 bytes

File C:\WINDOWS\system32\drivers\pcmcia.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[marktreg]

Hello, and welcome to malwarebytes.org

From seeing suspicious modifications in atapi.sys and another driver, it looks like you may have a relatively new rootkit known as TDL4 (unofficial).

malwarebytes.org has a team of experts who will give you free help to fix any malware related problems on your system. But it is the policy of this forum that we can only work on malware related problems in the Malware Removal - HijackThis Logs forum, not in the other general forums.

If you would like a malware removal expert to give you personal assistance, please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic in the Malware Removal - HijackThis Logs forum here. If you cannot complete any of the steps, just post a NEW topic here and describe the problems you are having.

One of the expert helpers there will give you one-on-one assistance when one becomes available. Please do not worry if you are not 'technically minded', the expert helpers will give you clear, concise instructions which are easy to follow.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

If you follow the expert helper's instructions you should be up and running again pretty soon.

[doogieschnauzer]

Really sorry. I don't know how I ended up posting to the wrong forum. I'll

try to follow the instructions and post in the correct place. Thanks much.

Hello, and welcome to malwarebytes.org

From seeing suspicious modifications in atapi.sys and another driver, it looks like you may have a relatively new rootkit known as TDL4 (unofficial).

malwarebytes.org has a team of experts who will give you free help to fix any malware related problems on your system. But it is the policy of this forum that we can only work on malware related problems in the Malware Removal - HijackThis Logs forum, not in the other general forums.

If you would like a malware removal expert to give you personal assistance, please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic in the Malware Removal - HijackThis Logs forum here. If you cannot complete any of the steps, just post a NEW topic here and describe the problems you are having.

One of the expert helpers there will give you one-on-one assistance when one becomes available. Please do not worry if you are not 'technically minded', the expert helpers will give you clear, concise instructions which are easy to follow.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

If you follow the expert helper's instructions you should be up and running again pretty soon.

[marktreg]

No worries, doogieschnauzer. You already have a GMER log which shows very useful information. One of the expert helpers will get you cleaned up as soon as possible.