UBCD4Win Forums: Grateful - Viewing Profile


Grateful's Profile

Reputation: 0 Neutral
Group: Members
Active Posts: 3 (0.01 per day)
Most Active In: General Questions (2 posts)
Joined: 09-September 08
Profile Views: 80
Last Active: Dec 26 2009 07:55 AM

Topics I've Started

  1. Greatly Needed Tool For The Cd: Freefilesync

    Posted 26 Dec 2009

    A while back, I came across a situation where UBCD4Win saved my cookies again. This time, my system drive was on the fritz. My computer was developing ever more errors in chkdsk, and finally was taking 25+ min to boot up. I booted onto my CD, and used HDTune to find out that my system drive had significant S.M.A.R.T. errors; and searching online using Firefox, I found out that I could expect things to get worse relatively quickly.

    My situation then was this: I had made a backup of my personal documents months ago, and not many had significant changes since then. That being said, I wanted to keep the changes I did have. Before replacing my system disk, I wanted to copy the files I had to a folder on a good disk. Every time I tried to do it, the buggy disk would intermittently generate an error. A further attempt to copy would at first zip through the files that were still in memory cache, but copying a folder with many subfolders and large files soon broke that scheme too. I needed something that would either retry a copy, or copy the files that were not yet copied to a good drive, and ignore the others. I found FreeFileSync at SourceForge. It does those things, and can also refresh only newer files. I was able to get it to keep trying, until I'd gotten all my necessary files backed up.

    I figure this is a not entirely uncommon situation: a HD is failing S.M.A.R.T. tests, and somebody is having trouble getting files off of it before it is totally kaput. FreeFileSync does this admirably. Also: 1) It is small. The necessary files, when uncompressed, are only 1.54 MB. 2) It is free. It has a GPL license. These things made me think it would be an excellent addition to the UBCD4Win. So there you go. I am not too inclined to follow this up much, as my problem is solved, and others can find it and download it like I did. Still, a fairly common reason for using the UBCD4Win is that a drive is failing; and in such a case, the files might need something better than Windows, which gives up upon the first problem it encounters in copying a folder. Do with this idea what you will, and debate it among yourselves, but my contribution here is observing that I think this would be a really great candidate for inclusion.

    Cheers,
    JohnC
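The copy behaviour the post above needed, written out as an added example in Python (it is not FreeFileSync's code and not part of the original post): walk a source tree, copy each file in chunks, restart a file that throws an I/O error a bounded number of times, never let one unreadable file abort the whole run, and on a later pass skip anything whose destination copy already matches in size and mtime. The `read_chunk` hook is an assumption of this example, present only so the retry path can be driven with a constructed failure; the default simply reads the open file.

```python
import os
import shutil
import time

CHUNK = 64 * 1024


def _default_read_chunk(fh, size):
    """Default reader: a plain chunked read from the open source file."""
    return fh.read(size)


def copy_with_retry(src, dst, retries=3, delay=0.0, read_chunk=_default_read_chunk):
    """Copy src -> dst in chunks, writing to dst + '.part' first.

    On OSError (the intermittent read error a dying disk produces) the whole
    file is restarted, up to `retries` attempts. An existing dst is replaced
    only once a complete copy exists, so a failed retry never destroys an
    earlier good copy. Returns the attempt number that succeeded and re-raises
    the last OSError if every attempt failed.
    """
    part = dst + ".part"
    last_err = None
    for attempt in range(1, retries + 1):
        try:
            with open(src, "rb") as fin, open(part, "wb") as fout:
                while True:
                    buf = read_chunk(fin, CHUNK)
                    if not buf:
                        break
                    fout.write(buf)
            os.replace(part, dst)
            shutil.copystat(src, dst)   # keep mtime so the next pass can skip this file
            return attempt
        except OSError as exc:
            last_err = exc
            if delay:
                time.sleep(delay)
    try:
        os.remove(part)                 # leave no half-written file behind
    except OSError:
        pass
    if last_err is None:
        raise ValueError("retries must be >= 1")
    raise last_err


def needs_copy(src, dst):
    """False when dst exists with the same size and an mtime at least as new as src."""
    if not os.path.exists(dst):
        return True
    s, d = os.stat(src), os.stat(dst)
    return s.st_size != d.st_size or int(s.st_mtime) > int(d.st_mtime)


def salvage_tree(src_root, dst_root, retries=3, read_chunk=_default_read_chunk):
    """Copy everything under src_root that still needs copying; never stop on a bad file.

    os.walk ignores directories it cannot list, so an unreadable folder is
    skipped rather than aborting the run. Returns
    {"copied": [rel paths], "skipped": [rel paths], "failed": {rel path: error}}.
    """
    report = {"copied": [], "skipped": [], "failed": {}}
    for dirpath, _dirs, files in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        out_dir = dst_root if rel_dir == "." else os.path.join(dst_root, rel_dir)
        os.makedirs(out_dir, exist_ok=True)
        for name in files:
            src = os.path.join(dirpath, name)
            dst = os.path.join(out_dir, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if not needs_copy(src, dst):
                report["skipped"].append(rel)
                continue
            try:
                copy_with_retry(src, dst, retries=retries, read_chunk=read_chunk)
                report["copied"].append(rel)
            except OSError as exc:
                report["failed"][rel] = str(exc)
    return report


if __name__ == "__main__":
    import sys
    r = salvage_tree(sys.argv[1], sys.argv[2])
    print("copied %d, skipped %d, failed %d" % (len(r["copied"]), len(r["skipped"]), len(r["failed"])))
    for path, err in r["failed"].items():
        print("FAILED", path, err)
```

Run it repeatedly: each pass only touches files that are new, grown, or still missing on the good drive, and the `failed` list tells you exactly which files the disk would not give up, so you can decide whether they are worth a dedicated imaging tool.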
  2. Could there be a virus forum? and new unknown virus

    Posted 27 Nov 2008

    Hi,

    Since one really big reason to use UBCD4Win is to go after virii for which there are no definitions yet in the commercial products, it would be really great if you guys had a forum for virii, or at least for unknown virii.

    Since there is no such animal, and this is not a false positive, I am posting some info on a new virii I believe I recently defeated. Trendmicro didn't recognize the file, I found out later, and using Google and Yahoo, I only found a few hits to it. Since I know search engines pick these forums up, and I had to use the UBCD4Windows to defeat it, I'll post the details here. (I know this might add a lot of disk storage to the website as a general policy. Alternately, perhaps there could be a link to general alternate board for unknown virii discussion involving UBCD4Win.)

    OK, here it is. I'm not sure what I was doing, but I think it had to do with installing a version of RK Dock. For some reason, every 5-15 seconds at random, I kept getting a link to http ://www.allowsearch.com that would then try to redirect me to some other website, undoubtedly to direct me to more spam and malware sites. Googling on allowsearch and spyware brought up a link to another one of these malware fake antivirus products that probably just installs more malware, perhaps after telling the initial malware to lie low for a while. Rebooting into Safe Mode with Networking kept IE from popping up at random with AllowSearch.com pages, but when I opened IE, it still kept happening.

    I looked at the Run entry in HKCU, and noticed a foolish sounding entry there which I hadn't seen before. I Googled on it, "loyayono.dll", and found them in some HijackThis! logs people with some bad infections had posted. I think I nipped this one early enough in the bud so that I haven't had a recurrence yet, and hope not to.

    The registry entry referred to a file that didn't show up in the Explorer: C:\WINDOWS\system32\loyayono.dll. Having battled a RootKit in the past which also prevented me from seeing virus files that were really there, and it having been a great drain on my time of a number of days, I feared I was in for another real battle. I already had my UBCD4Win, so I booted up and set to work. I noticed two other entries in my Run registry key that looked pseudorandom, and went to the C:\Windows\System32 folder, and found them there when they had been missing before. I looked for files with similar time stamps and sizes, and found other files that showed up on the net as being virii associated, although in some cases only Prevx knew about them, and in some, nobody did except in HijackThis! logs. There were two different groups of time stamps - one of the day I caught the virus, and some a few months earlier. I searched the registry on the ones that weren't in Run, and moved them all to a zip file which couldn't be run directly. I rebooted my computer, and I have been clean now (to the best of my knowledge) since yesterday evening. TrendMicro didn't know anything about them, and also, scans from all the major antivirus suppliers wouldn't have found them, so I could have been doing virus scans for days, and still gotten nowhere. I do believe I will finally install the McAfee that I get free with my Scottrade account - not that I want it to EVER do a virus scan, but instead, to protect me against malware-like behavior. It seems that there could be a free utility that does that, and yet didn't have to bother with virus definitions. In any event, here are the offending malware entries:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kuvozoyeti"="Rundll32.exe \"C:\\WINDOWS\\system32\\loyayono.dll\",s"
    "48890628"="rundll32.exe \"C:\\WINDOWS\\system32\\rugobiho.dll\",b"
    "CPM4bba35b4"="Rundll32.exe \"c:\\windows\\system32\\beludafa.dll\",a"

    [HKEY_CLASSES_ROOT\CLSID\{d3306995-cdf3-4c32-b832-decefd2b1579}\InprocServer32]
    @="C:\\WINDOWS\\system32\\fabireze.dll"
    "ThreadingModel"="Both"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
    "Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,43,00,\
      3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,\
      00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,6f,00,74,00,6f,00,64,00,6f,00,\
      76,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

    - I had a totodova.dll entry that was not supposed to be there, along with one that presumably was.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\system32\\totodova.dll c:\\windows\\system32\\beludafa.dll"

    While I wasted a lot of time the last time around battling the RootKit, if this infection doesn't break out again, I think this time around, I got this crap off my machine nearly as fast as was possible with the UBCD4Win. I looked for some of the notorious offenders that I had the last time around in my RootKit battle, and none were present; which is good, considering how they download and install TONS of bad spyware that IS known to some of the major antivirus products. Some of these things identified themselves as FireFox extensions, which explains how the ads quit popping up in IE and started popping up in FireFox tabs when it was opened. I found I could surf in Safe Mode with Networking in Opera without the ads coming up.

    I hope they find the people in charge of AllowSearch.com via their credit card records, and bring them to trial. I also hope that some courageous Netizen also is able a point of our displeasure with such people as them and those who sell fake Anti-Spyware products to suckers and newbies - preferably with a hollow point. Then, let us quit being so harsh to each other, have sensible population and pollution policies (and the carbon tax is NOT it), and make war no more.

    Please reply with any products, preferably free, which prevent known spyware infection routes, but don't bother with virus definitions; since they are usually out of date, anyway.

    Sincerely,
    Grateful
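The registry dump in the post above is a regedit export, and the three load points it shows (a DLL started through rundll32 from a Run value, an extra LSA "Notification Packages" entry, and AppInit_DLLs) are places to check on any machine, not just this one. The following is an added example in Python, not code from the post or from UBCD4Win: a small parser for the .reg format, including the UTF-16LE REG_MULTI_SZ `hex(7)` form, and a check that flags DLLs in those three locations. The sample export is constructed for the example: its rundll32 Run values, Lsa value and AppInit_DLLs value are the ones the post lists, and a ctfmon.exe Run value is added as a benign control. Decoded, the hex(7) data reads `scecli` followed by `C:\WINDOWS\system32\totodova.dll`, which is what the post describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample export (see the lead-in for which lines come from the post).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kuvozoyeti"="Rundll32.exe \"C:\\WINDOWS\\system32\\loyayono.dll\",s"
"48890628"="rundll32.exe \"C:\\WINDOWS\\system32\\rugobiho.dll\",b"
"CPM4bba35b4"="Rundll32.exe \"c:\\windows\\system32\\beludafa.dll\",a"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,43,00,\
  3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,\
  00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,6f,00,74,00,6f,00,64,00,6f,00,\
  76,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\totodova.dll c:\\windows\\system32\\beludafa.dll"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.IGNORECASE)


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_data(data: str):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                      # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                          # REG_DWORD
    m = _HEX_RE.match(data)
    if m:
        kind = int(m.group(1) or 3)                       # bare "hex:" is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 7:                                     # REG_MULTI_SZ: UTF-16LE, NUL separated
            return [s for s in raw.decode("utf-16-le").split("\0") if s]
        if kind in (1, 2):                                # REG_SZ / REG_EXPAND_SZ in hex form
            return raw.decode("utf-16-le").rstrip("\0")
        return raw
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit export into {key path: {value name: data}}; '@' is the default value."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if logical and logical[-1].endswith("\\"):        # hex data continues on the next line
            logical[-1] = logical[-1][:-1] + line
        else:
            logical.append(line)
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in logical:
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _parse_data(m.group(2))
    return keys


def find_autostart_dlls(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Flag DLLs in the three load points the post's infection used: (key, value name, dll)."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.upper()
        if k.endswith(("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")):
            # a DLL launched through rundll32 at logon
            for name, data in values.items():
                m = RUNDLL_RE.search(data) if isinstance(data, str) else None
                if m:
                    hits.append((key, name, m.group(1)))
        elif k.endswith("\\CONTROL\\LSA"):
            # password-filter DLLs loaded into lsass.exe; scecli is the stock entry
            pkgs = values.get("Notification Packages", [])
            for pkg in (pkgs if isinstance(pkgs, list) else []):
                if pkg.lower() != "scecli":
                    hits.append((key, "Notification Packages", pkg))
        elif k.endswith("\\WINDOWS NT\\CURRENTVERSION\\WINDOWS"):
            # AppInit_DLLs is loaded into every process that loads user32.dll; the value is
            # space- or comma-separated, so a path containing spaces cannot be split reliably
            dlls = values.get("AppInit_DLLs", "")
            if isinstance(dlls, str):
                for dll in re.split(r"[ ,]+", dlls.strip()):
                    if dll:
                        hits.append((key, "AppInit_DLLs", dll))
    return hits


if __name__ == "__main__":
    import sys
    # regedit writes exports as UTF-16 with a BOM; "utf-16" handles the BOM
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, dll in find_autostart_dlls(parse_reg(text)):
        print("%s | %s | %s" % (key, name, dll))
```

On the sample the check reports six DLL load points: the three rundll32 Run values, totodova.dll under Notification Packages, and totodova.dll and beludafa.dll from AppInit_DLLs, while the ctfmon.exe control is not reported. Against a real export from an offline hive (Remote Regedit on the rescue CD can export it) the same check gives you the short list of DLLs to look up before you start deleting anything.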
  3. Steps to kill a RootKit Spy/Spamware

    Posted 9 Sep 2008

    Hi EBCD guys,

    I've had a really tough time fighting a really new rootkit virus, and I thought it would be helpful if I gave back what worked for me. First, I'll describe what I recommend to make things work, and then what I personally went through.

    THE SYMPTOMS: Computer had one of those G$#$ D%()(& messages: "Your computer is infected with spyware. Use xxx spyware remover to get rid of it." At first, it seemed that SuperAntiSpyware had gotten rid of it, but it came back. Three to four weeks later, the messages hadn't returned, but I rebooted, and the computer began running VERY SLOW. It turned out that I had Win32.Bagle.uy as the Rootkit Spyware. All spyware scans, whether TrendMicro, SuperAntiSpyware, Avast!, or Microsoft's Malicious Software Removal Tool had no effect. (I don't know if there IS a more malicious Spyware that doesn't delete your information.) To make matters worse, every time I started to go into Safe Mode, the computer would reboot after I selected Safe Mode, and the list of drivers was printed to the screen.

    THINGS NEEDED:

    UBCD4WIN: I downloaded and installed (but why, for a single use proggie?) it on another PC, got some warnings with McAfee, put in my Windows disk, and made the UBCD4Win, a flawless victory in hindsight.

    Process Explorer: Available free from Microsoft, this was useful, but maybe not essential.

    Yer favorite antivirus software: sysclean is available free from TrendMicro, and it cleans up a lot of stuff. Others come with UBCD4Win, but I don't know which are better than others.

    I put these last two on a keychain RAM stick I have.

    WHAT I RECOMMEND:

    Run some antivirus cleaner to remove most of the virii after booting from the UBCD4Win. This nasty Trojan (not really a fitting name, since the Trojans of history were not the ones who engaged in the deception with the Trojan Horse, but the Greeks) had downloaded some 50+ virii in a C:\Windows\downld folder, I believe it was.

    The essential component was RootKitty. All it does is allow you to do a directory of everything on a drive (I just did my 'C' drive) when you start up from the UBCD, and then another when you boot normally, with the spyware running. Getting both listings and then doing a compare yielded some 450+ differences. Apparently M$ thinks even Administrators don't need to see all the files, even when you tell it not to hide anything. This at first seemed daunting, but then there was only one .exe and one .dll file that was different. Now, how to figure out what I had ...

    I went to http://www.threatexpert.com/. It was the only way to move forward. I submitted the suspicious file, C:\WINDOWS\system32\drivers\mdelk.exe, to their site, and apparently their servers automatically figure out what something does, and what it is, or perhaps there is a minimum of intervention. It identified it as Win32.Bagle.uy. Upon Googling on the identification it gave me, only two spyware removal vendors that I found knew of it: CounterSpy, and Kaspersky AV. Norton, McAfee and even TrendMicro didn't know it, at least by that name. Kaspersky can scan your computer for free, and so can TrendMicro's sysclean, but Kaspersky's scan does not clean anything for free, and it runs in Java. It crashed while scanning my computer at about 87%, and TrendMicro didn't know of the virus. The only way I was able to remove it for free was to use the Remote Regedit menu option from the UBCD4Win, and use the list of files and registry entries that the spyware makes, which I got from threatexpert.com. I moved the files to my own quarantine directory, and deleted all the registry entries. This succeeded in removing the RootKit. After this, I still had a few issues. Double-clicking on Internet Explorer only created a shortcut, and didn't open it at all, and the computer still rebooted when starting Safe Mode. I feared I still had the virus, but this time, starting Task Manager revealed that taskman.exe and explorer.exe were no longer chewing up gobs of CPU time. Booting from my Windows Setup CD, choosing to install, and then doing a Repair fixed the last of my problems. I am running now with no symptoms.

    At the end of this post, I'll put a list of affected files and registry entries. This was the short version of what I did, and this should work for you too, for similar rootkits. I'll give an outline of what I really went through below. These Vundo/Bagle variants are a major criminal enterprise, and need to be fought vigorously the world around. One thing I don't understand, though. Why Bagle? Is that a misspelling of Bagel? Some AV manufacturers spell the names of those virii "Bagel". I also noticed that the .exe files had an icon on them - a crimson, italic, lowercase letter "A", with horizontal lines in the background. Is this a corporate logo? If you can identify it, please report it to the authorities of whatever country it is in. I'd love to see these guys busted, and hard.

    OUTLINE OF WHAT I REALLY DID:

    - I got the spyware, and ran SuperAntiVirus, which seemed to have removed it for some weeks.
    - I rebooted one day, and the computer was running very slow, and I could no longer get into Safe Mode. The computer was so slow, that a scan in a normal boot was simply impractical.
    - I did a Windows Repair, using my setup CD, so I could even get into safe mode. I did this several times, and in retrospect, a boot disk of some kind would have been much better.
    - I ran a full scan with SuperANTISpyware.
    - I rebooted normally. No improvement.
    - I did a Windows Repair, using my setup CD, so I could even get into safe mode.
    - I ran a full scan with TrendMicro's sysclean.
    - I rebooted normally. No improvement.
    - I did a Windows Repair, using my setup CD, so I could even get into safe mode.
    - I ran a full scan with Avast!.
    - I rebooted normally. No improvement.
    - I did a Windows Repair, using my setup CD, so I could even get into safe mode.
    - I ran a full scan with Microsoft's Malicious Software Cleanup Tool.
    - I rebooted normally. No improvement.
    - I discovered the UBCD disk, downed it, made an image, and burned it to disk.
    - I ran RootKitty from the UBCD4Win disk, and did the other list after booting normally, with the computer still running at a crawl (as it were).
    - I searched on the filename, got an idea that it might have yet another name, searched the 'Net by that name, and found only CounterSpy and Kaspersky had heard of it. Searching on the full path of the file got me possibly slightly closer yet.
    - I came across http://www.threatexpert.com/, and submitted my file. It finally gave me the name of the bug I had, and even listed many of the files and registry entries involved.
    - At one point, I found out that I could no longer reboot, or do a Windows Restore. It turned out that I had shut down with SuperAntiSpy's Reboot utility, choosing to go into safe mode without Active components, but had also done a repair after that. Using SuperAntiSpy's Reboot, and then shutting down and doing a Windows Repair instead of rebooting produces an unbootable computer. The fix? To use the UBCD4Win, and edit C:\Boot.ini, and remove the safe mode switch from the second entry. I could then boot normally.
    - I rebooted, to at long last, gratifyingly, see that taskman.exe and explorer.exe were no longer chewing up most of my CPU time.
    - I moved those files and deleted those registry entries, recording what I did (for you, reading this - feel free to say thanks).
    - Double-clicking on the explorer shortcut on my desktop only succeeded in creating a shortcut, and right-clicking it produced a context menu with no "open" command.
    - I tried a command, ie_fix.reg utility someone had written, and it made things worse. Now, IE6 started normally, but when I tried to load a website, it would open up another window, so there were two open. When I tried to close one, another opened. The only way to close both was to open the Task Manager, and use <Alt-E> to end each as fast as I could, and close both before one could open another. Also, I still could not start Safe Mode without it rebooting.
    - I still saw no other spyware signs, so put this odd behavior down to the ie_fix.reg utility, even though it is supposed to be for XP SP2 with IE6. I'm glad I'm back to IE6, because even though it has tabs, IE7 has a tendency to start running slow for no reason, in situations where IE7 didn't. I put that down to M$'s new Silverlight, which they were rolling out, to try to "bury" Adobe Flash. I've since heard Bill Gates advocate radical population reduction, so if you value the lives of yourselves and your countrymen, sweet mammals, I urge you to begin moving away from M$. Not that I am for unrestrained population growth either, but 500,000 people on the planet is an idiotically low number, unless you are a greedy elite. I did one more Repair with my XP setup disk, and everything was right as rain.

    Total removal time: About a week of nearly constant effort.

    HERE ARE THE MALWARE FILES AND REGISTRY ENTRIES CREATED:

    Known parts of the infection:
    C:\WINDOWS\system32\drivers\mdelk.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\system32\drivers\hldrrr.exe

    Files not reported by ThreatExpert.com:
    C:\WINDOWS\SwSys1.bmp - was not a valid bitmap, but occurred in other infections
    C:\WINDOWS\SwSys2.bmp - was not a valid bitmap, but occurred in other infections
    C:\WINDOWS\WINPROD.DLL - a free utility for modifying the registry programmatically

    Registry keys reported by ThreatExpert.com:
    HKEY_CURRENT_USER\Software\FirstRRRun
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\hldrrr
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\hldrrr\Settings
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\mdelk
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\mdelk\Settings
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\[filename of the sample #1 without extension]
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\[filename of the sample #1 without extension]\Settings
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\VMwareTray
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\VMwareTray\Settings

    Registry values reported by ThreatExpert.com are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    + EnableLUA = 0x00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc]
    + EnableLUA = 0x00000016
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000]
    + Service = "srosa"
    + Legacy = 0x00000001
    + ConfigFlags = 0x00000000
    + Class = "LegacyDriver"
    + ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    + DeviceDesc = "Megadrv3"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA]
    + NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security]
    + Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa]
    + Type = 0x00000001
    + Start = 0x00000001
    + ErrorControl = 0x00000000
    + ImagePath = "%System%\drivers\srosa.sys"
    + DisplayName = "Megadrv3"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + drvsyskit = "%System%\drivers\hldrrr.exe"

    so that hldrrr.exe runs every time Windows starts
    [HKEY_CURRENT_USER\Software\FirstRRRun]
    + First12Ru123n = 0x00000001

    Missing registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security

    Moved registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA\0000
    - these were in ControlSet002 instead of ControlSet001

    Registry keys not reported by ThreatExpert.com:
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe
    + "a"="C:\\WINDOWS\\system32\\drivers\\mdelk.exe"
    + "MRUList"="ba"
    + "b"="C:\\WINDOWS\\swreg.exe"
    (I deleted one of these which I didn't record, also.)

    Could not be deleted:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    + C:\WINDOWS\system32\drivers\hldrrr.exe
    - someone on a forum said it is like a MRU list, and gets cleared when not in use

    I also found mdelk and other references in the system restore area, and deleted the registry
    snapshots.

    This file and key also seems to be part of the infection, or a closely related one:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    + "Run"="\"C:\\Documents and Settings\\Administrator\\Application Data\\Adobe\\Manager.exe\" "

    If you are reading this, I am probably saving you a lot of time. A lot of the time, tech-oriented guys do not take the time to explain things well, but only give you the name of something to run, and they assume you know how to use it, or accomplish some task, or find some command. While I am not hand-holding you, I think I have done far better than many guides I've seen. If I have saved you a lot of time, I encourage you to use some of it to fight spyware producers, or to alternately, find out about 9/11 Truth. There is a movement called the 9/11 Truth Movement, which most people I meet in my home town STILL have not heard of. They have large rallies, discussion panels, demonstrations, and distribute information all over the 'Web. The mere fact that the news media blacks out news stories of those demonstrations should be enough to inform you that there is some kind of cover-up going on, since most people I meet still haven't heard of it. It is growing in size with time, not diminishing. The Dept. of Homeland Security has hit the million name mark on the terrorism watch list, and some call it part of the Shadow Government. If they were really just interested in real terrorists, how could there be a million suspects in the U.S.? It is for something else. They are now applying parts of the Patriot Act (which nullifies parts of the U.S. Constitution virtually identical to the parts of the Weimar Constitution the Nazi Enabling act nullified, and with much the same counter-measures) to 9/11 Truthers, and use legislation which they claim was against terrorists, against peaceful demonstrators. They have been caught provocateuring violence at peaceful demonstrations using police troops disguised as violent demonstrators, and have been caught, e.g. lying, and said Alex Jones advocated killing Michelle Malkin (who is quite a piece of work herself). Both the Democrats and Republicans, many believe, are run through with Satanists and socialists advocating racial cleansing every chance they get. If you are not already spreading the word, you must either be an elite banker who advocates radical population reduction, or must be sadly mistaken. Please wake up, see what they intend for you, and help others to wake up to the scam.

    By the way, I am most sincerely grateful for the great rescue disk you guys have come up with. Keep up the good work. One small recommendation: How about having the file listings in RootKitty include file sizes down to the byte, and modification and creation dates? So, thanks hugely, guys.

    Sincerely,
    Grateful
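The RootKitty method in the post above is a cross-view diff: list the volume from the rescue CD, where nothing on the infected system is running, list it again from the live boot, and compare. A file that exists in the offline view but is missing from the live view is being hidden from the running OS, which is exactly what a rootkit does; the post's 450 differences then shrink to the handful of executables worth looking at. The second post on this page used a related heuristic, looking for other files with time stamps close to a known-bad one. Both are written out below as an added example in Python; it is not RootKitty's code and not from either post. The listing format (a dict of normalized path to size, mtime and ctime, which also covers the byte-exact sizes and dates the post asks for), the noise list and the JSON save/load helpers are assumptions of this example, and the listings in the test are constructed, with paths modeled on the post's own file list.

```python
import json
import os
from typing import Dict, Iterable, List, NamedTuple


class Entry(NamedTuple):
    size: int      # bytes, exact
    mtime: float   # last modification, seconds since the epoch
    ctime: float   # creation time on NTFS under Windows; inode change time on POSIX


Listing = Dict[str, Entry]   # normalized path (lower case, backslashes, no leading slash) -> Entry

# Paths that legitimately differ between an offline view and a live boot:
# restore points, the recycle bin, and the paging/hibernation files.
NOISE = ("system volume information", "recycler", "$recycle.bin", "pagefile.sys", "hiberfil.sys")
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip("\\").lower()


def _noisy(path: str) -> bool:
    return any(path == n or path.startswith(n + "\\") for n in NOISE)


def walk_listing(root: str) -> Listing:
    """Record every file under root. Run once from the rescue CD and once from the
    booted system. Unreadable files are skipped, not fatal; symlinks are not followed."""
    out: Listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            out[_norm(os.path.relpath(full, root))] = Entry(st.st_size, st.st_mtime, st.st_ctime)
    return out


def save_listing(root: str, path: str) -> None:
    data = walk_listing(root)
    with open(path, "w") as f:
        json.dump(data, f)


def load_listing(path: str) -> Listing:
    with open(path) as f:
        return {p: Entry(*v) for p, v in json.load(f).items()}


def cross_view_diff(offline: Listing, online: Listing) -> Dict[str, List[str]]:
    """Compare two views of the same volume.
    hidden:  on disk offline but absent from the live view (filtered out of listings
             by something running on the live system)
    phantom: present live but not offline (created after the offline scan)
    changed: same path, different size or mtime
    Noise paths are dropped from hidden/phantom."""
    hidden = [p for p in offline if p not in online and not _noisy(p)]
    phantom = [p for p in online if p not in offline and not _noisy(p)]
    changed = [p for p in offline.keys() & online.keys()
               if offline[p].size != online[p].size or int(offline[p].mtime) != int(online[p].mtime)]
    return {"hidden": sorted(hidden), "phantom": sorted(phantom), "changed": sorted(changed)}


def executables(paths: Iterable[str]) -> List[str]:
    """Narrow a diff to files Windows will load as code: the first thing to look at."""
    return sorted(p for p in paths if p.endswith(EXEC_SUFFIXES))


def siblings_by_time(listing: Listing, anchor: str, window: float = 120.0) -> List[str]:
    """Files whose mtime lies within `window` seconds of the anchor's. A dropper writes
    its payload in one burst, so once one file is known bad, its neighbours in time
    are the next candidates. Noise paths are excluded."""
    a = _norm(anchor)
    t0 = listing[a].mtime
    return sorted(p for p, e in listing.items()
                  if p != a and not _noisy(p) and abs(e.mtime - t0) <= window)


if __name__ == "__main__":
    # python cross_view.py save <root> <listing.json>      (once per boot)
    # python cross_view.py diff <offline.json> <online.json>
    import sys
    if sys.argv[1] == "save":
        save_listing(sys.argv[2], sys.argv[3])
    else:
        d = cross_view_diff(load_listing(sys.argv[2]), load_listing(sys.argv[3]))
        for kind in ("hidden", "phantom", "changed"):
            for p in d[kind]:
                print(kind, p)
        print("executables hidden:", executables(d["hidden"]))
```

The offline listing must be taken with the suspect system not running, which is the whole point of booting the rescue CD; a listing taken from Safe Mode of the same install is not an independent view, since the rootkit's driver may still load. Keep both JSON files off the suspect volume.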
