Ping.exe virus

toddthirtyone
Newbie Poster, 17 posts since Dec 2011

Definitely! I'll post updates as I go along.

As for the symptoms, I don't seem to be getting any of the mentioned ones.

1. Browser redirection is still the most noticeable symptom

2. All scan results, including dedicated MBR and rootkit scanners come back negative or inconclusive

3. Infects the Windows XP operating system on upward

4. If a user has ESET Smart Security onboard, its resident protection monitor will alert with: "Win32/Olmarik.TDL4 trojan in operating memory unable to clean"

5. Multiple Internet Explorer processes (that were not invoked by the user), persistently run in the background and respawn if they are terminated

6. Executing Bootrec /fixmbr from the Windows Recovery Environment will no longer be effective in removing the rootkit because this new TDL4 variant does not modify the original Windows MBR code

7. Executing Bootrec /fixboot from the Windows Recovery Environment is likely to result in a non-booting system because /fixboot will attempt to repair the TDL4 partition while leaving the malicious entry in the partition table intact.

I haven't been redirected while browsing (using either Internet Explorer or Firefox). There aren't multiple instances of IEXPLORE.EXE (not iexplorer.exe). And ESET has found some viruses but it hasn't finished. I can't understand symptoms 6 or 7, however.

toddthirtyone

ESET
C:\Documents and Settings\All Users\Application Data\PopCap\PopCapLoader\popcap\installers\insaniquariumsetup.exe probably a variant of Win32/Agent.NAPAILZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\My Music\Incomplete\CORRUPT-0-Metric - The Police And The Private.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\HP_Administrator\My Documents\My Music\Incomplete\T-3429759-when im gone remix - best track ever.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acslang.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\acssetup.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0490270.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0491270.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0491286.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1470\A0491306.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0492306.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0493306.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0494309.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0494438.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1471\A0495445.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1477\A0496809.exe probably a variant of Win32/Agent.NAPAILZ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1477\A0496886.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1477\A0496887.exe probably a variant of Win32/StartPage.HSZAKFT trojan deleted - quarantined
C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean

toddthirtyone

I will use GParted to check the partitions etc. And will be backing up my files in the meantime.

PhilliePhan
Central Scrutinizer, Team Colleague, 1,667 posts since Dec 2006

As for the symptoms, I don't seem to be getting any of the mentioned ones.

Yeah - I don't think you have this variant.
This is more a case on my part of "better safe than sorry." With this malware and with rootkits in general, there are a lot of things I do not know. And, there are a lot of things you cannot be "certain" of with this kind of malware.
They are ever evolving....

I would think a restoration would remove any malware created partition, but I don't know for certain. For all I know, it could protect itself.

It ain't going to hurt anything to check with GParted and see if the signs are there. If there's no sign of the malware partition, then you can proceed to do the restore with confidence.

I can't understand symptoms 6 or 7, however.

Those pertain to the fixes for previous versions which infected the MBR. Obviously, if the malware has created its own partition, then those remedies will have no effect or actually create more problems...


** I have attached a new CFScript that should dequarantine those legit files combofix removed. Just run it as you did the previous one and post me the resulting log.

PP:)

Attachments CFScript.txt (0.09KB)
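
The partition-table check PhilliePhan suggests doing visually in GParted can also be done from the raw MBR. The following is an added example, not part of the thread and not a tool either poster used: it parses the four 16-byte partition entries at offset 446 of sector 0 and flags things a practitioner would want to see, such as the active (0x80) flag sitting on an entry other than the one the Windows system partition is expected to occupy, overlapping entries, or unallocated space left after the last partition. The two sample MBRs, the 200,000-sector disk size, and the choice of "entry 0 is the expected Windows partition" are constructed assumptions for the demonstration; the heuristics are the editor's, not a signature of any specific malware family, so a hit is a reason to look closer (some OEM layouts legitimately have more than one small partition), not a verdict.

```python
"""Parse a 512-byte MBR and audit its partition table for signs worth a second look.

Added example for this thread; sample MBRs below are constructed, not captured from
an infected machine. To audit a real disk, read its first 512 bytes with read_mbr()
(e.g. /dev/sda on Linux, \\\\.\\PhysicalDrive0 on Windows, both needing admin rights).
"""
import struct
from dataclasses import dataclass

SECTOR = 512
ENTRY_FMT = "<B3BB3BII"  # boot flag, CHS start, type, CHS end, LBA start, sector count
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x05: "Extended", 0x0F: "Extended LBA", 0x27: "Windows RE"}


@dataclass
class PartEntry:
    index: int
    boot_flag: int
    type_id: int
    lba_start: int
    sectors: int

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.type_id, f"type 0x{self.type_id:02x}")
        flag = "active" if self.boot_flag == 0x80 else "      "
        return (f"entry {self.index}: {flag} {name:<12} "
                f"LBA {self.lba_start}..{self.lba_start + self.sectors - 1}")


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a block device (requires administrator/root privileges)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def parse_mbr(mbr: bytes) -> list[PartEntry]:
    """Return the non-empty primary partition entries of an MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, _, _, ptype, _, _, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append(PartEntry(i, boot, ptype, lba, count))
    return entries


def audit_partition_table(entries: list[PartEntry], disk_sectors: int,
                          expected_boot_index: int = 0) -> list[str]:
    """Heuristic checks (editor's assumptions): exactly one active entry, on the
    expected slot; no invalid flags, overlaps, or partitions running off the disk;
    report any unallocated tail, since that is where an extra partition could hide."""
    findings = []
    active = [e for e in entries if e.boot_flag == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} entries carry the active flag (expected exactly 1)")
    for e in active:
        if e.index != expected_boot_index:
            findings.append(f"entry {e.index} is active instead of the expected entry {expected_boot_index}")
    for e in entries:
        if e.boot_flag not in (0x00, 0x80):
            findings.append(f"entry {e.index} has invalid boot flag 0x{e.boot_flag:02x}")
        if e.lba_start + e.sectors > disk_sectors:
            findings.append(f"entry {e.index} extends past the end of the disk")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            findings.append(f"entries {a.index} and {b.index} overlap")
    if ordered:
        tail = disk_sectors - (ordered[-1].lba_start + ordered[-1].sectors)
        if tail > 0:
            findings.append(f"{tail} unallocated sectors after the last partition")
    return findings


def build_mbr(parts) -> bytes:
    """Construct a test MBR from (boot_flag, type_id, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, b, 0, 0, 0, t, 0, 0, 0, lba, n) for b, t, lba, n in parts)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed samples: a 200,000-sector disk with one NTFS partition starting at LBA 63.
DISK_SECTORS = 200_000
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, 199_937)])
# Same disk, but the Windows entry lost its active flag and a small second entry
# at the end of the disk now carries it.
TAMPERED_MBR = build_mbr([(0x00, 0x07, 63, 199_000), (0x80, 0x07, 199_063, 937)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        entries = parse_mbr(mbr)
        print(f"[{label}]")
        for e in entries:
            print("  " + e.describe())
        for f in audit_partition_table(entries, DISK_SECTORS):
            print("  ! " + f)
```

The clean sample audits to no findings; the tampered one reports that entry 1, not entry 0, is active. On a real machine compare the output with what GParted shows and with the layout the OEM shipped; if the active flag is on a partition you did not create, that is the "sign" worth acting on before relying on Bootrec /fixboot.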
PhilliePhan

C:\WINDOWS\system32\drivers\netbt.sys Win32/Sirefef.DA trojan unable to clean

This is problematic - fixing this will bork the internet connection. We ought to be able to fix that, but some cases are considerably more difficult than others.

'Course, if you do a Recovery, then no worries :)

-- Be careful backing up the files. I doubt you'll back up any malware because this baddie seems to limit itself to certain drivers, but again I'm not certain....

PhilliePhan

As for the symptoms, I don't seem to be getting any of the mentioned ones.

Sorry I'm not as up to date on these baddies as I used to be. Just don't have as much free time to indulge my malware-fighting hobby as I used to....

OK - I took a quick look at some writeups and you should be OK on this front.
The Sirefef family doesn't employ a bootkit function like the Olmarik/Olmasco TDL type rootkit family does.

Still a pain in the ###, though....

PP:)

toddthirtyone

It's totally OK, you've helped me so much!

I did the complete system destructive recovery and downloaded Kaspersky Internet Security 2012.
HOWEVER, I totally forgot I wasn't supposed to do that until I ran ComboFix. I've gotten just 1 error so far, although I can't remember exactly what it said.

It only came up with that message after I installed Kaspersky. I am running Kaspersky right now and will post the results afterwards. I don't know why, but it seems to have found a couple threats (already).

I'm also updating Windows to Service Pack 3. What steps would you like me to take next?
Also, thank you very much for your help so far. It's been a couple weeks!

PhilliePhan

It's totally OK, you've helped me so much!
I did the complete system destructive recovery and downloaded Kaspersky Internet Security 2012.
HOWEVER, I totally forgot I wasn't supposed to do that until I ran ComboFix. I've gotten just 1 error so far, although I can't remember exactly what it said.

Happy to try to help :)

OK - Well I guess if the recovery has gone well enough that you are installing SP3, then those files removed by combofix must not have been too vital.... No need now to DL or run combofix - so don't do that.

-- The AV detections may be heuristic detections based on known malware patterns - probably false positives. No worries at this point.

Let me know when you get everything back to normal. Do Not run any other tools other than Kaspersky.

I would suggest getting hold of some recovery disks from the OEM of your compy. Or, order them from M$. I never understood why OEMs stopped including OS disk with compy (well... greed, I guess), but these days they are more needed than ever...

PP:)
