Malicious Software Removal Notes

  • digitalMedia
  • a.k.a. dM
  • Genius
  • User avatar
  • Posts: 5149
  • Loc: SC-USA

Post 3+ Months Ago

BACK STORY
I recently contracted some malicious software on my computer. It was the first one I've had in just over 7 years. I'm posting my resolution info here in the hopes that it might help someone who encounters the same problem.

The bummer of all this is that I believe the initial payload was delivered while I was researching church websites (proprietary embedded video player or supposed codec). I'm 95% sure of this.

The only other candidates are...
- Software for a Microsoft mouse - highly highly unlikely, or impossible
- GoDaddy (registering a domain) and my own web server which is RedHat running Apache (setting up a hosting account) - possible, but unlikely
- A website analysis I did for my bro-in-law - possible, but unlikely
- A time-bomb that I downloaded some time ago and only now became active - I'm giving this the other 5%



FILES
The central file in all this seemed to be "wshost32.exe". It appeared persistently in system32 and had several recurring registry entries that were associated with that location.

In the applications tab of the task manager it appeared as multiple instances of "browseit". In the processes tab it showed itself as wshost32.exe and by randomly named executables following the format of 3 numeric digits dot exe (e.g. 529.exe, 071.exe, and so on). It also spawned several junk files, most notably text files.

Another suspect file was "sbootn.exe". This appeared in Temp, WINDOWS and system32 folders, inconsistently.

The creature may have also tried to leverage ftp.exe in system32.

Internet reporting on these files seems to be limited to the last couple of weeks, so I assume it's new, or a new variant.


BEHAVIOURS
The processes remained dormant as long as there was no internet connection. Whenever a connection was achieved, it went into action and opened several visible and invisible browser sessions which directed themselves to ads. Most notably an ad for an online game called Evony. The ad was composed of a buxom blonde elfish looking woman.

While I didn't monitor processes very thoroughly, it seemed to seek out all kinds of communication ports, especially FTP.

Basic manual removal of files and registry entries was only effective during the current Windows session. Rebooting caused everything to be re-deployed.


REMOVAL PROCEDURES
***The first thing you should ALWAYS do when you suspect that your computer has become infected is disconnect all network connections (Internet and local networks). There are two reasons for this: first, to stop the software from downloading more malicious stuff; second, to prevent infections from spreading to other computers. This can be achieved by booting into safe-mode, but for good measure (...and to make it st00pid-proof) disconnect the cable and/or remove wireless adapters. Find a clean machine with a CD burner and get all the resources you need for the dirty machine that way.

So, as any good low-level computer operator would, I followed the standard procedures for this type of situation. http://www.elephantboycomputers.com/pag ... ng_Malware (this set was suggested by my CTO)

I did this 3 times and each time the malicious software got more aggressive. So, of course, I got more aggressive. The following steps (some of which may have been overkill) were successful at cleaning the machine.

- First I disabled System Restore

- Again, I followed the instructions above to a T

- Then, I manually scoured Temp, Windows and System32 folders as there were a number of files that the automated programs didn’t remove

- Lastly, I reinstalled Windows upon itself in the hopes that I could overwrite system files that may have been corrupted and were preserving the program (e.g. "svchost.exe", "*.dll", etc.)

The only downside was when I got back to being operational, Internet Explorer couldn't decide which version it was and prevented me from getting Windows Updates. So, I manually rolled back the browser to a pure IE6 - From a command line: "%windir%\ie8\spuninst\spuninst.exe" and "%windir%\ie7\spuninst\spuninst.exe" (Thank you Brian!)

Then I hit the Windows Update site and was back in the saddle without the loss of any data - save for temporary internet files, cookies, saved passwords, etc.

That was it! The bad bad thing appears to be gone.


GOOD LUCK - BROWSE SAFE!
I hope that helps someone.

  • blindedfox
  • Born
  • Posts: 1

Post 3+ Months Ago

I have been infected with the same malware since last week and I managed to remove it last night. Hope this works for others, too.

It's quick really.

1. Install Malwarebytes Anti-Malware.

2. Go to C:\Recycler. You will see 1 or more folders there with icons like that of the Recycle Bin. Delete all of them. When you do this, Windows will say that it cannot delete one of those folders because a file is in use. THAT IS YOUR CULPRIT. Take note of the folder name.

3. Use Malwarebytes' FileASSASSIN on the folder you took note of in the previous step. It's in the other tools if I'm not mistaken.

4. Navigate to C:\Recycler. You will notice that the icon is no longer like that of the Recycle Bin, but a simple folder icon. Inside it is the culprit. Use FileASSASSIN on it. It may require you to restart for FileASSASSIN to be able to delete it.

5. After restart, run a quick scan on Malwarebytes to remove files and registry entries the malware may have left.

At first, I thought the root cause was wshost32.exe and msdrive32.exe. I removed registry entries pertaining to both of them but they persist. The root of it all in my case was csvcs.exe in the C:\Recycler folder. It triggers all of the other executables including the two I mentioned and the ###.exe's.

That's it. That worked for me. Hope it does for you too.

Cheers!
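As an added triage helper (not the posters' own tooling), here is a scan for the file-name indicators the two posts describe: the fixed names (wshost32.exe, sbootn.exe, msdrive32.exe, csvcs.exe), the three-digit .exe pattern, and an executable sitting under C:\Recycler. It runs against a constructed sample tree; the S-1-5-21-CONSTRUCTED folder name is a placeholder, and a name match only flags a file for closer inspection, not a verdict.

```python
import os
import re
import tempfile
from pathlib import Path
# Name-based indicators taken from the two posts above. A name match is only a
# reason to look closer (hash, publisher signature, timestamps), not proof.
KNOWN_NAMES = {"wshost32.exe", "sbootn.exe", "msdrive32.exe", "csvcs.exe"}
THREE_DIGIT_EXE = re.compile(r"^\d{3}\.exe$", re.IGNORECASE)

def classify(path):
    """Return the indicator a path matches, or None if it matches nothing."""
    name = path.name.lower()
    parts = [p.lower() for p in path.parts]
    if "recycler" in parts and name.endswith(".exe"):
        return "exe-in-recycler"  # blindedfox's root cause lived under C:\Recycler
    if name in KNOWN_NAMES:
        return "known-name"
    if THREE_DIGIT_EXE.match(name):
        return "three-digit-exe"  # digitalMedia's 529.exe / 071.exe style names
    return None

def find_suspicious(root):
    """Walk a tree and return sorted (indicator, relative posix path) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            tag = classify(p)
            if tag:
                hits.append((tag, p.relative_to(root).as_posix()))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample layout mimicking the thread; not a real infected disk."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    layout = [
        "WINDOWS/system32/wshost32.exe",
        "WINDOWS/system32/529.exe",
        "WINDOWS/system32/ftp.exe",  # legitimate Windows tool: must not flag
        "WINDOWS/Temp/sbootn.exe",
        "Recycler/S-1-5-21-CONSTRUCTED/csvcs.exe",
        "Recycler/S-1-5-21-CONSTRUCTED/desktop.ini",  # non-exe: must not flag
        "Program Files/app/1234.exe",  # four digits: outside the pattern
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder, not a real binary\n")
    return root
```

Point `find_suspicious` at a mounted image of the dirty disk (from the clean machine, as digitalMedia advises) and review each hit before deleting anything, since ftp.exe and similar legitimate files share the folders involved.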
