Post by Oaky on Feb 16, 2010 8:15:00 GMT
Posted and Recently Updated by Aayrl;
Hello Forum;
I recently caught a relatively new malware rootkit this weekend and was forced to rebuild my entire system. I did manage to locate where the rootkit installs, how it functions, what it targets on your system, and how to fix/prevent it.
Here's the premise; The rootkit can take on a multitude of names, the most common will be shown as [randomtextcharacters]sftav.exe and another using [randomtextcharacters]sysguard.exe. Generally, you catch this malware by browsing ANY website with JAVA or FLASH. The malware is auto-installed through these two system processes automatically and the programs will self-execute (run) themselves. If you are lucky, you can stop the .exe files from running if you notice your antivirus freaking out early enough in the process. I managed to delete half of the rootkit before the other .exe managed to hack into my registry files. Who knows what both of them could do?
Here's essentially what the virus does; It poses as a "New Antivirus Software" under the name, ironically, "Antivirus Soft". This program will have an appearance close to that of the Windows Firewall program or the Norton AntiVirus window. You will notice a couple things immediately;
- Your computer will begin to run slower.
- You will receive random talk bubbles from your taskbar stating you have no antivirus installed and that you should click to change this. DO NOT CLICK DUMBASS.
- You will start receiving fake pop-up error messages that state "Soandso.dll could not be launched because it is infected. Would you like to fix this error now? Y/N".
- IMMEDIATELY AFTER SEEING THIS MESSAGE, ATTEMPT TO SHUT THE COMPUTER OFF, AND PRESS F8 WHEN YOU TURN IT BACK ON. ACCESS THE COMPUTER IN SAFE MODE AND YOU WILL THANK YOURSELF LATER. (See the green below)
- A new window will pop up with Antivirus Soft, the malware virus, that will appear to be running a virus scan. This is all fake, do not click anything on this window.
- Multiple red shields will appear in your tasktray bar suggesting to turn on your antivirus. You can hover your mouse over them if they take over your screen to remove some of them. Again, do not click.
- Random web-pages on Internet Explorer will begin to open on their own, including third party pornography websites and violent military photography. The malware will then direct you away from the website back to the fake antivirus window, suggesting you run a virus scan. Again, more fake crap.
- Your internet explorer program and mozilla firefox will become completely useless, for the malware will redirect everything to its porn sites and antivirus hacks.
- Every process will be unable to run, including CTRL ALT DELETE, Command Prompt, and Notepad.
- Your computer will shut off, then turn itself back on, rinse repeat.
- If you are unsure on how to defeat the virus at this point, turn off your computer, unplug it, and turn off the power supply. Most likely, you have reached the point of no return, and your best bet is to use another computer to connect to your hard drive and remove any important files you wish to salvage before rebuilding your computer.
- ADDITIONAL NOTES (EASY): If you managed to boot up Safe Mode successfully, congratulations, you win. From here, go to the directory where the malware installed (visit the link I posted below for instructions on locating it), and SHIFT + DEL key that bastard! Run virus scans using your antivirus to ensure it has been cleaned from the system.
- ADDITIONAL NOTES (HARD): If you know enough about computers and are daring enough to play with the registry files, I will provide my experience here. If not, please skip down to the URL and closing notes.
I took out my hard-drive from my computer and placed it into a machine I have running downstairs. The machine downstairs has no important components, just enough memory and a motherboard in order to run the windows OS. I also disconnected the machine from my network and prevented any interaction between my clean systems. This way, if the computer catches the virus from your hard drive, you can rebuild it anyway.
From there, I loaded my Hard Drive and was browsing through the HIVE files in order to locate the virus. **MAKE SURE YOU DISPLAY HIDDEN FOLDERS, OR ELSE YOU CANNOT LOCATE THE BASE .EXE IN YOUR APPLICATION DATA FOLDER**.
The Antivirus Soft program will install itself into the registry in multiple locations, but the source program folder you're looking for will be in your HKEY_CURRENT_USER Hive. You will find multiple copies of the virus throughout the HKEY_LOCAL_SYSTEM/Software and HKEY_LOCAL_MACHINE/Security. You will locate the main hub in the folder 'avrsft'. Make sure you unload each hive before opening another one.
After you clean out the virus, go through your entire system using a search for the root word \??\. This malware is a tricky little fucker that likes to rename all of your drivers for your antivirus, video card, java, flash, by placing a \??\C:\....etc in front of the directory. Why is this a problem? The computer BIOS cannot read drivers if they're named \??\. The BIOS only reads drivers using \C:\...etc. Smart Malware, eh?
Also - Your Safe Mode will most likely be fucked. If you experience blue-screens while accessing Safe Mode after cleaning the virus off the hard drive manually, you will most likely need to rebuild. (Not having Safe Mode for future malware makes you retarded vulnerable.)
You can probably place the hard drive back in and run it up in normal mode. If you have no Antivirus Soft pop up after 3 minutes, you're clean, and can start moving files off to prepare to rebuild the system.
For additional information on the virus, and how to prevent it, please click this sentence.
Now that you have an idea of what you're up against, here are a few key pointers I would like to inform every forum user about;
DO NOT VISIT WEBSITES YOU DO NOT TRUST. If you receive a link to a website you've never visited before, ensure ALL antivirus programs are running.
This Antivirus Soft hack is just an example of the dangers malware poses to systems on a daily basis. You should always back up your data, even when you think it becomes unnecessary and repetitive. Purchase a removable hard drive! These are expensive, but life-long investments for protecting your most valuable data (Like Marble Blast =P)
Here is a list of programs I use on a daily basis to fend off malicious content from being installed, and monitoring programs or files that may have infections; (They're all free, too!)
Spybot Search and Destroy (TeaTimer.exe is good to have running as well, even though it's a memory hog)
PrevX (The free version is very efficient at detecting malicious files as they enter your system, and show you the directory they are located. You will have to manually remove them, though.)
Malwarebytes' Anti-Malware (Super effective at removing malware from your system if you're too scared to do it manually)
Ad Blocker Plus Addon for Mozilla Firefox (Extremely helpful at preventing malware injection from flash banners and advertisements on various websites from opening new windows and/or installing malware on your hard drive)
Microsoft Security Essentials (I can't believe I'm saying this, but yes, Microsoft finally built an exceptional anti-malware program. So far, this thing has been as effective, if not better than Malwarebytes, since its database updates daily based on the community with the program, and the fact that all of the new computers with Windows 7 as of June 1st will have this automatically installed.)
Good Luck, Safe Web Browsing, and I hope you don't get fucked like I did
~Aayrl
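A read-only triage script, added here and not part of Aayrl's post, that checks the autorun locations and service image paths for the name patterns the post describes (sftav.exe, sysguard.exe, the avrsft folder) and for autoruns launched out of the user's Application Data tree. It assumes Windows PowerShell on the affected machine booted to Safe Mode; it only reports findings, it deletes nothing.

```powershell
# Added example (not from the original post): report autorun entries and
# services matching the "Antivirus Soft" naming the post describes.
# Assumption: the random-prefix names end in sftav.exe or sysguard.exe and the
# payload lives under Application Data, as the post states.

$suspectNames = @('*sftav.exe', '*sysguard.exe', '*avrsft*')

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$p.Value
        $hit = $false
        foreach ($pat in $suspectNames) { if ($cmd -like $pat) { $hit = $true } }
        # Legitimate autoruns rarely live in a per-user Application Data folder;
        # that is where the post found the dropper, so flag those too.
        if ($cmd -match 'Application Data|AppData') { $hit = $true }
        if ($hit) {
            $findings += New-Object PSObject -Property @{ Location = $key; Name = $p.Name; Command = $cmd }
        }
    }
}

# Service image paths. The post reports a "\??\" prefix on driver paths; that
# prefix is a normal NT object-manager path form and appears on clean systems,
# so a service is reported only when its image also matches a rogue-AV name.
Get-WmiObject Win32_Service | ForEach-Object {
    $path = [string]$_.PathName
    foreach ($pat in $suspectNames) {
        if ($path -like $pat) {
            $findings += New-Object PSObject -Property @{ Location = 'Service:' + $_.Name; Name = $_.DisplayName; Command = $path }
        }
    }
}

if ($findings.Count -eq 0) { 'No rogue-AV autorun indicators found.' }
else { $findings | Format-Table Location, Name, Command -AutoSize }
```

Anything it lists should be checked against a known-good machine before removal, since the Application Data heuristic will also catch legitimate per-user updaters.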