Trojan.ZbotR.Gen and PUP.BitCoinMiner -- Cleaned or Not?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mitchle, Feb 7, 2013.

  1. Mitchle

    Mitchle Private E-2

    Sunday morning around 10:00 AM I was infected by the ZbotR.Gen trojan (identified by a Malwarebytes scan).

    NOTE: I am running Vista SP2 32-bit on a Dell Inspiron desktop. Antivirus is Microsoft Security Essentials, backed up by Ad-Aware. Both are kept turned off (including the Windows Services, which are stopped and either set to "Manual" or "Disabled" mode) and only activated for periodic (every few months) scanning. I always keep real-time protection turned off and have relied successfully upon best practices (which failed me this time due to inattention). Vista is updated regularly via Windows Update and is currently up-to-date. I use Windows Firewall.


    WHAT HAPPENED AND HOW:

    I was attempting to download a document from Usenet using the Usenet provider Newshosting's search and downloading application. Once I select a file I want, an .nzb file is created and downloaded to Newshosting's folder. Clicking on the .nzb file starts the download of the actual file via an associated application named GrabIt.

    I have more than enough sense not to click on .exe files. I was multitasking, opened the folder while focused on something else and clicked on what I thought was an .nzb -- just a split second later I saw it was an .exe.

    [This file, according to the Usenet search, was uploaded about two years ago, so its age may have something to do with what variant it is.]

    Unlike the last (and first) time I was infected with a rootkit this did not immediately disappear out of the folder and off the system. The desktop/Explorer hung up a bit while I frantically tried to find indication of the file in Task Manager and a few other places to force quit its execution. Once everything got back to normal I refreshed the folder and the .exe was gone.

    I immediately ran a Malwarebytes scan which returned the following (immediately quarantined):

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{4DDD7937-8521-5CD8-616B-B5551FE38BFE} (PUP.BitCoinMiner) -> C:\Users\lmitchell108\AppData\Roaming\Ivzeq\ezbup.exe ->
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl|1 (Malware.Trace) -> Welcome Center ->
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{4DDD7937-8521-5CD8-616B-B5551FE38BFE} (Trojan.ZbotR.Gen) -> C:\Users\lmitchell108\AppData\Roaming\Ivzeq\ezbup.exe ->


    HKCR\batfile\shell\open\command| (Broken.OpenCommand) -> () ("%1" %*) ->
    HKCR\comfile\shell\open\command| (Broken.OpenCommand) -> () ("%1" %*) ->
    HKCR\piffile\shell\open\command| (Broken.OpenCommand) -> () ("%1" %*) ->



    FURTHER STEPS TAKEN


    I also ran HijackThis, TDSS Killer and Trojan Remover. In the midst of this and approximately 90 minutes later, the display blacked out (flashed) a couple of times. I then decided to do the remaining diagnostics in Safe Mode. In the interval I remained logged in after the infection I didn't notice any severe slowing down of the internet connection. I also got no pop-ups, redirects or other typical signs of infection.

    All scans after MWB did not return any negatives except a few of the typical false positives I get that I mark to "ignore".

    In Safe Mode I ran all the above programs again, as well as (in no particular order) RogueKiller, RKill, GMER, Trojan Remover, Microsoft Security Essentials, Spybot Search & Destroy, and SUPERAntiSpyware. I also cleaned with CCleaner and somewhere in all this ran sfc /scannow. Nothing was blocked from running and again there were no negative results beyond false positives for items I've had residing in folders or installed for a while.

    The above was done instinctively before reading the instructions at this forum. I've seen that many of the scans I did are required here for assistance.

    I finally rebooted back into standard Vista and redid most of the scans, mainly trying to reassure things might be clean. I also did a quick scan and full scan with Ad-Aware. That brings me to today.

    The only other thing I discovered was, in manually scanning the root directory and System32, the following: System32\Ryxa\kixuz.tmp (12:08 PM). I think this was about the time the display flashed. I deleted it manually. Otherwise, I have found nothing else untoward by visual scan of folders and no unidentified new Services. Also, no rogue programs or processes were added to startup at any point since Sunday.


    PREPARATION FOR ASSISTANCE

    • For the last few days have gone online minimally for websurfing only. Have not signed in to any financial accounts, Facebook, etc. Have been in my Yahoo mail briefly. Had already had a keystroke encryption program installed and used RoboForm (also already in use) autofill for the couple of logons I've had to do.

    • I installed a few small programs because they had been on the desktop for days and I wanted to get them out of the way.

    • Have activated Microsoft Security Essentials and its real-time protection to keep alert to status changes in the short term.

    • Trojan Remover has been installed to scan after each start up, does so, and has not reported any threats.

    • Downloaded RogueKiller, MalwareBytes, TDSSKiller, and Hitman Pro to my desktop, and downloaded and extracted MGtools to the root directory.

    • UAC has been disabled on my system since Day One.

    • Likewise, System Restore is disabled. I'm short on drive space and it has never worked for me anyway.

    • Cleaned temp files with CCleaner.

    • Have run RogueKiller, MalwareBytes, TDSSKiller, Hitman Pro and MGtools. Kept logs for all, only repaired what was requested.

    • Uninstalled Avira anti-virus (belatedly).


    What I need is assistance and assurance that this thing or any variants are gone. For all I know it may be lying dormant and timed to flare up again. It seemed too easy to remove. Although I have scanned the logs and don't see anything unusual I'm not experienced enough to know what to look for. The computer is not exhibiting any networking problems, slowdowns or other unusual behavior but want to make sure.

    I am up all night (Eastern Standard Time). I'm online mostly all day except sleep time ~ 9 AM - 2 PM and will respond promptly to instructions when messaged if I am not away.

    Thank you in advance for any assistance that will be provided.
     

    Attached Files:
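The Malwarebytes hits above are two classic persistence points: a GUID-named value in HKCU\...\Run pointing at a randomly named executable under AppData\Roaming, and the HKCR batfile/comfile/piffile open commands. The following PowerShell script is an added example, not something from the thread or from Malwarebytes; it re-checks those exact locations after cleanup. It assumes a PowerShell 2.0+ prompt (the version available on Vista) and that the stock open command for those classes is `"%1" %*`, which is the value the log shows being restored.

```powershell
# Added example: re-check the Run keys and the HKCR open commands that
# Malwarebytes flagged. Run in an elevated PowerShell prompt.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics taken from the indicators in the post: a GUID-style value
# name and an .exe in a random single folder under AppData\Roaming.
$guidName   = '^\{[0-9A-Fa-f-]{36}\}$'
$roamingExe = '\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe'

function Test-RunKeys {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            $flags = @()
            if ($name -match $guidName)    { $flags += 'guid-name' }
            if ($value -match $roamingExe) { $flags += 'roaming-exe' }
            # Strip quotes and arguments so the existence test is meaningful;
            # an entry whose target is gone is a leftover of a removed sample.
            $exe = ($value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += 'target-missing' }
            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $value; Flags = ($flags -join ',')
            }
        }
    }
}

# Assumption: the stock open command for these classes is "%1" %* ;
# anything else means something has hooked execution of those file types.
function Test-OpenCommands {
    foreach ($cls in 'batfile', 'comfile', 'piffile', 'exefile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
        $cmd = if (Test-Path -LiteralPath $key) { [string](Get-Item -LiteralPath $key).GetValue('') } else { '<missing>' }
        New-Object PSObject -Property @{ Class = $cls; Command = $cmd; Ok = ($cmd -eq '"%1" %*') }
    }
}

Test-RunKeys     | Format-Table Key, Name, Flags, Command -AutoSize
Test-OpenCommands | Format-Table Class, Ok, Command -AutoSize
```

Anything with a `Flags` value, or an `Ok` of `False`, deserves a closer look; the quarantined Run value from the post would have shown `guid-name,roaming-exe` before removal and should now be absent entirely.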

  2. Mitchle

    Mitchle Private E-2

    MGlogs is split due to size.

    The prefs.js included (in MGlogs1) is not my main Firefox profile and rarely used. Don't know how it was selected out of the three.

    The MGlogs2 file is large (2.04M) because of its ~10M hosts file. The host file is managed with HostsMan and compiled from various sources. There are no duplicates entries if its built-in duplicate finder works properly. I've scanned the file visually and see no redirects -- everything is 127.0.0.1.

    I have split the text file components of MGlogs into two zips (MGlogs3 and MGlogs4).



    P.S. I could not upload MGlogs2 (hosts file). It is a smidgen too large. I await advice on how I can do so, if it turns out to be needed.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First, rerun Hitman and have it fix all that it finds. Then go into the C:\MGLogs.zip / NewFiles and edit out the host file. Then you should be able to upload the C:\MGLogs.zip. Also attach the new Hitman log.
     
  4. Mitchle

    Mitchle Private E-2

    Hello, TimW.

    Thank you for your assistance. I will get this all done shortly.

    However, there is a caveat with all those HitmanPro hits for Malware. I study internet marketing and e-commerce and all those .exes tend to be two types of files: most are "ebooks" from when the rage (2001 - 2006) was to format ebooks as .exes, and earlier (same era) "viral marketing" applications such as programs that would pop up a window when a person was leaving a website to prompt them to sign up to a newsletter. I obtained those files currently on my hard drive from known sources in the past.

    All the files are together in my various "E-Comm *" folders. I get enough false hits on them during different scans that I've always excluded the folders, but was not able to do so with Hitman Pro. Is it possible to keep them as exclusions, or would it be enough to manually move them to an external drive?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, they were all flagged as viruses. So I don't know if they actually contain malware or not. I would tend to want to move them off the computer to either an external or a flash drive.
     
  6. Mitchle

    Mitchle Private E-2

    Tim, I have just unzipped MGlogs.zip. The newfiles.txt file (if that's what you were referring to) is only 130 kb and does not include any HOSTS file information. There is no Newfiles folder within the MGlogs folder.

    The Hosts file I was referring to is located here within MGlogs: "C:\Users\MYUSERNAME\Desktop\MGlogs\Windows\system32\drivers\etc\hosts". This Windows folder shows as 10.0MB in the Properties box. The file size itself shows as 10,301 kb in Explorer.
     
  7. Mitchle

    Mitchle Private E-2

    I will go ahead and move those files to a flash drive now (not sure how long it will take), then run Hitman again. In the meantime will await word on what to do with the Host file within MGlogs.
     
  8. Mitchle

    Mitchle Private E-2

    This is the latest Hitman Pro log.

    The previously alerted malware we discussed was moved on to a Flash drive.

    When Hitman finished, the window displayed a message of "No Threats Found", with Trojan Remover indicated as "Suspicious" and Softonic listed but with no options except to Ignore or Delete. I quarantined Trojan Remover and left Softonic (RegEdit shows it for Ad-Aware -- I have Ad-Aware Free installed) alone.

    Since I had said in my first post that I uninstalled Avast Anti-Virus after the first scans, I will just run MGlogs again while waiting for word about what to do with the HOSTS file.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just remove it from the logs and attach the C:\MGLogs.zip.

    Also, tell me how things are running and what issues you may still have.
     
  10. Mitchle

    Mitchle Private E-2

    Hello, TimW.

    Things seem to be running fine and always have been, but in researching yesterday while waiting for a response I found some interesting information:



    SPECIFICS ABOUT THIS TROJAN

    This article, linked to from a post at the KernelMode.info forum:


    The writer, C. Guarnieri, wrote his article inspired by a notorious Reddit thread from last year where a self-described "malware coder and botnet operator" described his techniques and motivations, as well as opinions on current user-grade internet security and user awareness. Basically he is making money off similar malware and can work as a fully anonymized sole operator with relatively little effort. He does BitCoin mining and also sells off online credentials (username / password combos for banking and other lucrative sites and credit card info). I will not post the link here (it's in the article) but would encourage anyone to read it for some insight as he tries to give some advice to users to mitigate risk, but acknowledges that many are so unknowing or clueless (i.e., great numbers of users still attached to extremely vulnerable IE6) that breaches can't be avoided.

    This is exactly what I seem to have, something like this "Skynet: a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities", or a variation.

    These are the elements of the Skynet described in the article:
    "The malware comes along with 4 additional embedded resources:

    A ZeuS bot.
    The Tor client for Windows.
    The CGMiner bitcoin mining tool.
    A copy of OpenCL.dll, used by CGMiner for CPU and GPU hash cracking."



    Just before I got yesterday's reply from you I was scanning my User/AppData/Roaming folders. Something I read in a troubleshooting thread (another site) convinced me to check my Tor folder, which was already installed (used sometimes, but infrequently). Inside it is, per the article, a hidden-service folder. The date stamps of the folder and some of the files told me something had been altered when I released the Trojan, (02/03/2013 10:29 AM). Finding the above article provided confirmation on exactly what it meant and what happened.



    TOR DETAILS

    I'm not really informed about Tor inner workings but want to provide some info.

    • I found reference to a Tor onion pseudo-domain in the file "C:\Users\MYUSERNAME\AppData\Roaming\Tor\hidden_service\hostname" (I guess they are randomized, found no info on this specific domain in a web search): qjyofczybtmlzkda.onion. The domain supposedly changes up each time the bot calls the compromised computer.

    • In the "C:\Users\lmitchell108\AppData\Roaming\Tor\state" file I see that some of the EntryGuards listed were, I think, deactivated, like this:

      EntryGuard Tonga 4A0CCD2DDC7995083D73F5D667100C8A5831F16D
      EntryGuardDownSince 2013-02-03 15:40:49 2013-02-03 15:40:49
      EntryGuardUnlistedSince 2013-02-03 15:40:52

      An entry in the Tor FAQ (https://www.torproject.org/docs/faq#EntryGuards) is a bit too convoluted for me but EntryGuards are basically "sentries" at random relay points that prevent various forms of attack and intrusion. A post on the Tor blog acknowledges that this can be exploited.

    • The article's Skynet botnet referred to intrusion through Port 55080 ("...the malware also creates a Tor Hidden Service on every compromised computer on port 55080. Nothing is listening on such port by default, but when the operator issue a particular command on the IRC C&C, the malware will open a SOCKS proxy on port 55080 which will then be reachable through a newly created .onion domain."). It may very well be different for me but I decided to block the port anyway.

      I created a new Inbound Rule in Windows Firewall with Advanced Security named "Block Port 55080" yesterday but can't find it in the list of rules. I've done it again just now and it still doesn't show. Maybe I should be looking elsewhere besides the Firewall's Inbound Rules list for custom entries, just for confirmation?

    • Then, I found this file ("C:\Users\MyUserName\AppData\Roaming\Vidalia\torrc") last night in the directory of the Vidalia, which is how I installed Tor. It bundles Tor and a few other online privacy tools. The datestamp of the file is unchanged from when the bundle was installed last September, but the contents might provide further info about the hidden service:
    SocksPort 9050
    ControlPort 9051
    clientonly 1
    MaxCircuitDirtiness 450
    CircuitBuildTimeout 45

    ############### This section is just for location-hidden services ###

    ## Once you have configured a hidden service, you can look at the
    ## contents of the file ".../hidden_service/hostname" for the address
    ## to tell people.
    ##
    ## HiddenServicePort x y:z says to redirect requests on port x to the
    ## address y:z.

    HiddenServiceDir C:\Documents and Settings\MyUserName\Application Data\Tor\hidden_service
    HiddenServicePort 11009 127.0.0.1:11009

    #HiddenServiceDir C:\Documents and Settings\MyUserName\Application Data\Tor\other_hidden_service/
    #HiddenServicePort 80 127.0.0.1:80
    #HiddenServicePort 22 127.0.0.1:22



    MY SITUATION NOW, MORE DETAILED

    So I have all the (visible) elements of intrusion as described in the article and by the malware coder / botnet operator from the Reddit interview the article refers to.

    • No apparent malware activity. The coder says keyboard and mouse movement are monitored to indicate idle time and operations are conducted under a certain threshold so as not to increase CPU use or induce video lagging that would arouse user suspicion.
    • Infected via a Usenet file (the .exe file that should have been an .nzb that I clicked on by mistake)
    • Malware copied into a randomized directory when first installed (that was this -- C:\Users\lmitchell108\AppData\Roaming\Ivzeq\ezbup.exe -- eradicated by Malwarebytes)
    • Creation of a traditional entry in the Run registry key (this -- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{4DDD7937-8521-5CD8-616B-B5551FE38BFE})
    • Hidden Service added to my Tor profile (if I had not had Tor installed already it would have been installed then rather than just adding and updating files)
    • A Bitcoin mining tool (BitCoinMiner instead of CGMiner)



    CURRENT STATUS

    The randomized directory is gone. I have manually scanned the AppData folders and see no additional suspicious folders at the top level. I have also looked at the Run registry key and it only contains the entries that I know are supposed to be there.

    The "Welcome Center" is back in my control panel. I had it suppressed a long time ago using TweakVI. I didn't make the connection to this Malwarebytes line item (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl|1 (Malware.Trace) -> Welcome Center ->) until yesterday either. Welcome Center has not been visible in my Control Panel for years.

    The Tor directory remains altered with addition of the hidden service

    The files and registry entries referenced in the first post are still in Malwarebytes quarantine

    I added a new inbound rule (twice) in Windows Firewall with Advanced Security, for Port 55080



    WHAT NEXT?

    I am concerned now having found out all this other info, thinking I was okay because the computer isn't lagging.

    Basically I have been avoiding signing into anything when this happened except for one mail account, so should be okay, but I still intend to change passwords across all sensitive accounts when this is all cleared up.

    I disable the network access when walking away from the computer for even a few minutes, and log off at the end of a session instead of allowing hibernation.

    But even though Malwarebytes got rid of the front-end elements, was that enough? I found the Tor thing and the AppData\Roaming entries may have just been temporary.

    The article states that the malware, after creating the randomized directory with .exe (mine:\Ivzeq\ezbup.exe), starts a routine that then disguises its core as Internet Explorer or svchost.exe. It could be different files in my case, but I'm wondering if that would have been caught when I did sfc /scannow?

    Is there an OpenCL.dll (or similar) file still in my system, or would that have been removed during sfc /scannow? I checked "C:\Windows\System32" and found nothing, but am not sure if that's where it should be.

    Can I confirm that the port I blocked is actually blocked? Is there any way to tell where this bot may have intruded or has already intruded (considering its potentially intermittent activity) so I can block its port?



    I don't mean to bombard you, TimW; some of this is for the benefit of people researching their own problems in the future. It is (slightly) more reassuring to have some knowledge and more details of what has actually happened and how much one has been compromised.

    I am starting the MGtools run again as soon as I send this message and will attach it as you've directed when it completes. I got totally distracted following up on the new source of information.
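The post asks three checkable questions: does the "Block Port 55080" rule actually exist, is anything listening on the ports mentioned, and what hidden services does the torrc declare. The script below is an added example for answering them on Vista with PowerShell 2.0 (it is not from the thread, the Skynet write-up, or the Tor project). It queries the firewall through `netsh advfirewall` because Vista has no NetSecurity cmdlets, and it uses the rule name, ports and paths given in the post. One caveat a practitioner would raise: an inbound rule on 55080 does not close the path the write-up describes, because a hidden service is reached over Tor's own outbound circuit and the proxy binds to the loopback address, so the listener and torrc checks matter more than the rule check.

```powershell
# Added example: confirm the firewall rule, list local listeners on the
# ports of interest, and dump the HiddenService directives from torrc.

$ruleName = 'Block Port 55080'
$ports    = 55080, 11009   # 55080 from the Skynet write-up, 11009 from the torrc in the post

# Vista has no NetSecurity module, so the firewall is queried through netsh.
# Returns the rule text, or $null when no rule of that name exists.
function Get-FirewallRule([string]$name) {
    $text = (netsh advfirewall firewall show rule name="$name" 2>&1) | Out-String
    if ($text -match 'No rules match') { return $null }
    return $text
}

# TCP listeners on the watched ports, resolved to the owning process image.
function Get-Listeners([int[]]$watch) {
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[1]; $procId = [int]$Matches[2]
            if ($watch -contains $port) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                New-Object PSObject -Property @{ Port = $port; ProcessId = $procId; Image = $proc.Path }
            }
        }
    }
}

# HiddenServiceDir / HiddenServicePort lines that are not commented out.
function Get-HiddenServices([string]$torrc) {
    if (-not (Test-Path -LiteralPath $torrc)) { return }
    Get-Content -LiteralPath $torrc | ForEach-Object {
        if ($_ -match '^\s*(HiddenServiceDir|HiddenServicePort)\s+(.+?)\s*$') {
            New-Object PSObject -Property @{ Directive = $Matches[1]; Value = $Matches[2] }
        }
    }
}

$rule = Get-FirewallRule $ruleName
if ($rule) { $rule } else { Write-Warning "No firewall rule named '$ruleName' exists" }

Get-Listeners $ports | Format-Table Port, ProcessId, Image -AutoSize

# Vidalia bundle path from the post; adjust if Tor was installed differently.
$torrc = Join-Path $env:APPDATA 'Vidalia\torrc'
Get-HiddenServices $torrc | Format-Table Directive, Value -AutoSize

# The hidden service key material itself; the timestamps here are the
# evidence the post relied on to date the change.
$hsDir = Join-Path $env:APPDATA 'Tor\hidden_service'
if (Test-Path -LiteralPath $hsDir) {
    Get-ChildItem -LiteralPath $hsDir | Format-Table Name, Length, LastWriteTime -AutoSize
}
```

If `Get-FirewallRule` prints a rule but the Windows Firewall console still does not show it, check whether the console is filtered to a different profile; if it returns nothing, the rule was never saved. A listener on 11009 or 55080 owned by anything other than a process you recognise is the finding that matters; if nothing is listening and the torrc lines are the bundle's own, the hidden service entry is inert until something binds those ports.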
     
  11. Mitchle

    Mitchle Private E-2

    Here is the MGtools logs archive, minus the HOSTS file.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What are these:
    C:\Users\lmitchell108\AppData\Local\join.me ??

    C:\Users\lmitchell108\AppData\Roaming\join.me ??

    You have three AV programs:
    Microsoft Security Essentials
    Ad-Aware Antivirus
    AVG 2012

    Uninstall all but one.

    I am suspicious about this file:
    C:\Windows\System32\drivers\gfibto.sys

    Click on the following link and scan that file: Virustotal

    Let me know what it finds.
     
  13. Mitchle

    Mitchle Private E-2

    I apologize for the delay in responding. The latest mail notification from MajorGeeks somehow ended up in my spam folder.

    Those are related to an online-based screen-sharing / desktop sharing program (see https://join.me/). I have plans to experiment with it with a friend.

    Okay. I will keep MSSE for now. Sort of confused about differences between A-Vs and simple scanners so was awaiting your word on this. But maybe whatever AVG folder you saw is just a leftover somewhere? I only have AVG PC Tuneup. I thought AVG Free Anti-virus was gone (since last year). I even still have an "AVG remover" (for 2011) type file in my Program Files folder. Revo Uninstaller and Windows' Add/Remove programs only show AVG PC Tuneup installed right now.


    Here is the VirusTotal info:

    SHA256: fedac3616709f081a0fa48e2bf521cbcc35e11e523ebaddeaca7308ad14338b3
    SHA1: 7aa04e18310a6559959aaba7928a1e1b7ea74551
    MD5: 483924f92e55a5f9423201ec635e2ced
    File size: 13.2 KB ( 13560 bytes )
    File name: gfibto.sys
    File type: Win32 EXE
    Detection ratio: 0 / 44
    Analysis date: 2013-02-10 22:41:16 UTC ( 0 minutes ago )

    From the file's "Digital Signatures" tab:
    GFI Software Development Ltd., signed Thursday, September 01, 2011 08:59:16 PM, [countersignature] VeriSign Time Stamping Services Signer - G2

    From the file's "Details" tab: Type - System File, Size - 13.2 KB, Date modified - 02/05/2013 05:21 PM


    To be honest I'm not sure what this could be related to. I installed AVG Anti-Virus Free that day when still trying to throw every possible detection device at this (and if it counts as an anti-virus let me know to uninstall. It doesn't include real-time protection or monitoring.).

    Wikipedia lists various subsidiary companies of "GFI Software" but none trigger a recollection of what I may have used or done.
     
  14. Mitchle

    Mitchle Private E-2

    Since this file is small I opened it in Resource Tuner. It shows --

    CompanyName: GFI Software
    FileDescription: GFI Boot Time Operations Driver
    FileVersion: 5.0.5003
    InternalName: gfibto.sys
    LegalCopyright: Copyright (c) 2002-2011 GFI Software. All rights reserved.
    OriginalFilename: gfibto.sys
    ProductName: VIPRE Antivirus
    ProductVersion: 5.0.5003
    Product Build Date: 08/01/2011 10:10:00 AM

    I'm very sure I have not installed a VIPRE product ever, but I can't rule out it being related to anything else.

    (NOTE: For some reason the above info shows on the file's "Details" tab when I right click the file from the dialogue box that opens in-browser to select the file for Virus Total, but when I check the same tab directly from Windows Explorer it just shows Type, Size and Date Modified. The Product Version is different when the tab is looked at from within the dialogue box -- 4.0.0.0 instead of 5.0.5003).

    I have a TrojanScanner application that I set to run at boot this week, but it is part of Trojan Remover by Simply Super Software and I already had installed it sometime last year.
     

    Attached Files:
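Posts 12 to 14 work through the standard triage of an unfamiliar driver: hash it for a VirusTotal lookup, read its Authenticode signature, read its version resource, and try to tie it to an installed product. The script below is an added example (not from the thread, VirusTotal or Resource Tuner) that does all of that locally in one pass and additionally looks up which kernel service registration points at the file, which is the piece the thread never settled. It assumes PowerShell 2.0 on Vista, which is why hashes are computed through .NET rather than Get-FileHash, and uses the path from post 12.

```powershell
# Added example: local report on a driver file: hashes, signature,
# version resource, and the Win32_SystemDriver entry that loads it.

$Path = 'C:\Windows\System32\drivers\gfibto.sys'

# MD5/SHA1/SHA256 in the lowercase hex form VirusTotal displays.
function Get-Hashes([string]$file) {
    $bytes  = [System.IO.File]::ReadAllBytes($file)
    $result = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h = [System.Security.Cryptography.HashAlgorithm]::Create($alg)
        $result[$alg] = ([System.BitConverter]::ToString($h.ComputeHash($bytes)) -replace '-', '').ToLower()
    }
    return $result
}

function Get-DriverReport([string]$file) {
    if (-not (Test-Path -LiteralPath $file)) { throw "not found: $file" }
    $fi     = Get-Item -LiteralPath $file
    $sig    = Get-AuthenticodeSignature -FilePath $file
    $vi     = $fi.VersionInfo
    $hashes = Get-Hashes $file

    # Which kernel service references this image. PathName is stored as
    # either a plain path or a \??\ device path, so normalise before comparing.
    $svc = Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.PathName -and (($_.PathName -replace '^\\\?\?\\', '') -ieq $file) }

    New-Object PSObject -Property @{
        File        = $file
        Size        = $fi.Length
        Modified    = $fi.LastWriteTime
        SHA256      = $hashes.SHA256
        SHA1        = $hashes.SHA1
        MD5         = $hashes.MD5
        SigStatus   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Company     = $vi.CompanyName
        Product     = $vi.ProductName
        Description = $vi.FileDescription
        Version     = $vi.ProductVersion
        Service     = if ($svc) { "$($svc.Name) (state=$($svc.State), start=$($svc.StartMode))" } else { '<not registered as a driver service>' }
    }
}

Get-DriverReport $Path | Format-List File, Size, Modified, SigStatus, Signer, Company, Product, Description, Version, Service, SHA256, SHA1, MD5
```

Read the result in this order: a `SigStatus` of `HashMismatch` means the file has been altered since signing and is a finding regardless of what the version resource claims; `Valid` with a recognisable signer plus a matching `Service` entry points to a legitimately installed product, and the service name and its start mode tell you what to uninstall or disable. A valid signature on its own is not a clean bill of health, only evidence that the bytes match what that publisher shipped.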

  15. Mitchle

    Mitchle Private E-2

    Please excuse me, re: Message #13. It should have read -

    "I installed Ad-Aware Free that day when..."

    NOT AVG Anti-Virus Free. I got mixed up. I need no further direction and will remove it as you asked, but still wondering about the AVG PC Tuneup (which is the 2011, not 2012, version).
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, they were the only things I saw that were in question. Other than that, which seems to be ok, I am not finding any malware in your logs. Any other issues you may have should be addressed in the software forum.

    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work thru the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
