
MBAM vulnerable to foldername bug


j osh


Hi

I recently caught a full dose of "System Tool 2011" on my WinXP PC. While my system is still infected, this thread is not about the infection, but about one detail:

After removing several items manually and through the use of HijackThis and the free MBAM software, the trojan seems to have switched to a fallback solution to keep itself installed. While it was using the Hijack.UserInit method earlier to start C:\WINDOWS\system32\appconf32.exe, it now used the same method with a new folder:

C:\Programme\pUljGAfA
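A defender-side check for the Hijack.UserInit persistence mentioned above, added here as an example and not part of the original thread or of MBAM: it parses the Winlogon Userinit value (the comma-separated list that HijackThis reports as "Hijack.UserInit") and flags every entry that is not the stock userinit.exe, regardless of what the extra folder is called. The default path assumes an XP install on C:, and the sample values in the test are constructed.

```python
import ntpath

# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# on a default Windows XP install (assumption: system drive is C:, as on the page).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the comma-separated Userinit value into normalized, lower-cased paths.

    The value normally ends with a trailing comma, which yields an empty entry
    that is dropped here. Quotes and %SystemRoot% are resolved so that the
    comparison is not fooled by cosmetic variations of the same path.
    """
    entries = []
    for raw in value.split(","):
        path = raw.strip().strip('"')
        if not path:
            continue
        # Expand the one environment variable the stock value may carry.
        if path.lower().startswith("%systemroot%"):
            path = r"c:\windows" + path[len("%systemroot%"):]
        entries.append(ntpath.normpath(path).lower())
    return entries


def suspicious_userinit_entries(value, expected=DEFAULT_USERINIT):
    """Return every Userinit entry that is not the expected userinit.exe.

    Anything extra (an appconf32.exe in system32, a binary in a randomly
    named folder under C:\\Programme, ...) is a persistence candidate, so the
    check is on the whole list rather than on a specific folder name.
    """
    return [entry for entry in parse_userinit(value) if entry != expected]


def read_live_userinit():
    """Read the live value on Windows; return None elsewhere (stdlib winreg only)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    if live is not None:
        print("suspicious Userinit entries:", suspicious_userinit_entries(live))
```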

  • Staff

Hi Josh and welcome to Malwarebytes.

Let's see if we can figure out what's going on here. What MBAM database version are you currently using?

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply.

Can you write down the contents of the BSoD exactly as it's shown on your screen for me?


Hi screen317

The db version I am using is: Database version: 5296

I am sorry, but I can't get the contents of the BSoD because it would only stay on screen for a split second and then reboot.

Also I can't reproduce the bluescreen right now because I think I might have completely removed the infection by now. It kept annoying me and I actually didn't think I'd get another answer here, so I deleted several additional autostart items manually and uninstalled Internet Explorer and replaced it with Firefox. Since my last post, the file rxsyrdub.exe has once reappeared in a normally named subfolder of the autostart part of the start menu. After I removed it there, it did not reappear. Sorry for cleaning up a bit early.

However, two of the services look suspicious in the DDS log:

I could also just release some files from quarantine and reinfect my system to see if the folder will reappear.

DDS (Ver_10-12-12.02) - FAT32x86  
Run by j osh at 23:24:07,85 on 12.12.2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3582.3081 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
SVCHOST.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Programme\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Programs\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\j osh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [nwiz] c:\programme\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\josh~1\anwend~1\mozilla\firefox\profiles\4ozuoyvy.default\
FF - plugin: c:\dokumente und einstellungen\j osh\lokale einstellungen\anwendungsdaten\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\programme\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\programs\canon\zoombrowser ex\program\NPCIG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\programs\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-11 1684736]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S3 wip0204;Wippien Network Adapter 2.4;c:\windows\system32\drivers\wip0204.sys [2010-10-6 23480]

=============== Created Last 30 ================

2010-12-12 16:44:30 -------- d--h--w- c:\windows\$hf_mig$
2010-12-12 16:27:30 -------- d-----w- c:\dokume~1\josh~1\lokale~1\anwend~1\Mozilla
2010-12-09 19:07:56 -------- d-----w- c:\dokume~1\josh~1\anwend~1\Malwarebytes
2010-12-09 19:07:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-09 19:07:35 -------- d-----w- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-12-09 19:07:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-09 15:29:12 -------- d-----w- c:\windows\system32
2010-12-08 20:49:20 29996 ---h--w- c:\dokume~1\josh~1\anwend~1\ntuser.dat
2010-12-04 23:03:31 -------- d-----w- c:\windows\system32\cock
2010-11-27 03:44:13 -------- d-----w- c:\dokume~1\josh~1\anwend~1\Unity
2010-11-27 03:02:58 -------- d-----w- c:\dokume~1\josh~1\lokale~1\anwend~1\Unity
2010-11-16 19:20:30 -------- d-----w- c:\dokume~1\josh~1\anwend~1\.minecraft

==================== Find3M ====================

2010-12-09 00:59:26 9728 ---h--w- c:\dokume~1\josh~1\anwend~1\desktop.ini
2010-12-08 21:14:12 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-12-08 21:12:40 271200 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-11-25 18:23:04 22328 ----a-w- c:\dokume~1\josh~1\anwend~1\PnkBstrK.sys
2010-10-12 00:41:10 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-10-03 21:47:28 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-09-18 11:22:58 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 07:52:56 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 07:52:56 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 07:52:56 953856 ----a-w- c:\windows\system32\mfc40u.dll

============= FINISH: 23:24:17,10 ===============


  • Staff

Hi Josh,

Have you ever run TDSSKiller? If not, please do the following:

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please run DDS again, except this time post attach.txt for me.

What loader are you using for your dual-booted setup for Linux?

-screen317


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
