Tech Support Guy Forums > Software & Hardware > Multimedia
Need help....programs cannot see DVD burner

jethro53 (Junior Member, 8 posts; Join Date: Jun 2009; Experience: Intermediate)
16-Jul-2009, 05:57 PM #16
Hi all,

I have decided to spend some time and create self-help articles for known malware that blocks MBAM from doing what it does best.

The problem is occurring because, as we get better and more effective at cleaning infected computers, the bad guys single the effective tools out for special treatment so their creations can survive.

So first off, the most prolific culprit currently as seen in our help forums!

CLB Rootkit infection aka WinNT-Alureon

Unremovable files with the following prefixes denote its presence upon an infected computer.
TDSS
Seneka
GAOPDX
UAC
ovsft
kungsf
Skynet
MSIVX
hjgrui
wzszx
ESQUL
geyekr

Some of the symptoms of the infection that may be seen to be occurring:
1) MBAM will not install or run if already installed.
2) Other security tools also will not install or run if already installed.
3) Some installed security software that is still able to run is no longer able to update.
4) Some well-known security/vendor sites are inaccessible as they are being blocked.
5) MBAM or other tools keep detecting file(s) or registry keys but fail to permanently remove them.
6) Hijacked search results.

In order to get the MBAM to operate to its full potential the rootkit driver at the heart of the infection has to be located and nuked.

No small feat when it is intentionally being hidden by design and not viewable by traditional methods/tools, but it can be done.

Here is my quick fix guide to locating, identifying and killing the CLB driver (.sys) file that is underpinning the infection and blocking the cleanup tools from running.

Download the following tool and only use as directed!
Download here

Install RootRepeal and select *Files* then scan only.

[screenshot]

When the scan has completed there will be a list of files generated. Some will be OK (legitimate files) but some will be related to the Rootkit and its hidden payload of files.

[screenshot]

You will need to identify which is the CLB driver only and here's how.

This is not as difficult as it appears because it will be one of the files listed with a .sys extension.

It will also carry one of the following prefixes in its filename: prefix + random letters + .sys extension.

TDSS
Seneka
GAOPDX
UAC
ovfst
kungsf
SKYNET
MSIVX
hjgrui
wzszx
ESQUL
geyekr

* Letters can appear in either upper case or lower case.

** The number of random letters varies, so it could be only a couple or up to 32, which has been seen so far.

*** In my screenshot it is the file UACewsflctd.sys that is the Rootkit driver.

UAC prefix + random characters (in this case ewsflctd) + .sys extension.

Since there is a level of randomization in the file naming protocol there are many computations of how the file will be named and the list will be exhaustive.

But here are some examples so hopefully you can see the pattern forming.

TDSSspax.sys
TDSSServ.sys
GAOPDXserv.sys
gaopdxohocrlokojvgccmieiquramguxlachqk.sys
UACmxegjtve.sys
UACd.sys
Senekarstpqyy.sys
ovfsthxkwpjtxfk.sys
kungsfxwrtceey.sys
SKYNEToyfjtpeo.sys
MSIVXwfjwbpbivasavbfjmtkibegxvnftiqxt.sys
hjgruisaroylnf.sys
wzszxthydgteuirn.sys
ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
geyekrhfgdvswdstsak.sys

Once you have identified the CLB driver, use your mouse to highlight it in the RootRepeal window after the *Files* scan.
Next, right-click on it and select the *wipe file* option only, then immediately reboot the computer!

You will only need to attack the CLB driver, as the rest, once no longer being protected, are easy pickings for MBAM.

Next install and update MBAM and run a quick scan!

Allow it to delete what it detects and reboot immediately.

If you are not 100% confident in identifying the CLB driver then feel free to use RootRepeal to generate an output log** and post it to a new topic in our HJT help forums.
http://www.malwarebytes.org/forums/i...hp?showforum=7

**To do this, go to the Report tab then select scan.
Configure as below and when the report (.txt file) is generated, copy and paste the contents of the text file into a new topic and title it CLB driver infection.

[screenshot]

We hope our application has helped you eradicate this malicious malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.


--------------------
Ade Gill
Malwarebytes Researcher
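
An added example, not part of the post or of any Malwarebytes or RootRepeal code: a small Python triage helper that applies the naming rule described above (known prefix + random letters + .sys, case-insensitive) to a list of file paths copied out of a Files scan, so the CLB driver can be picked out of the hidden-file list. The sample paths are constructed; only UACewsflctd.sys and the long gaopdx name come from the post.

```python
import re

# Prefixes the post lists for the CLB/TDSS rootkit driver (both spellings
# ovsft/ovfst appear in the post). Matching is case-insensitive.
CLB_PREFIXES = ("TDSS", "Seneka", "GAOPDX", "UAC", "ovsft", "ovfst", "kungsf",
                "SKYNET", "MSIVX", "hjgrui", "wzszx", "ESQUL", "geyekr")

# Naming rule from the post: prefix + random letters + ".sys". The random part
# runs from a couple of letters up to 32; UACd.sys shows one letter is possible.
_DRIVER_RE = re.compile(
    r"^(?P<prefix>" + "|".join(re.escape(p) for p in CLB_PREFIXES) + r")"
    r"(?P<random>[A-Za-z]{1,32})\.sys$",
    re.IGNORECASE,
)


def classify_driver_name(path):
    """Return (prefix, random_part) if the basename fits the CLB driver naming
    rule, otherwise None. Accepts a bare filename or a full Windows path."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = _DRIVER_RE.match(base)
    if m is None:
        return None
    return m.group("prefix"), m.group("random")


def find_clb_candidates(paths):
    """Triage a list of paths (e.g. a RootRepeal Files scan copied out by hand)
    and return [(path, prefix, random_part)] for the .sys entries that match.
    Same-prefix .dll/.dat payload files are left out on purpose: the post says
    to wipe only the driver and let MBAM clean up the rest."""
    hits = []
    for p in paths:
        result = classify_driver_name(p)
        if result is not None:
            hits.append((p, result[0], result[1]))
    return hits


# Constructed sample, not real RootRepeal output. UACewsflctd.sys and the long
# gaopdx name come from the post; the other entries are made up for the demo.
SAMPLE_HIDDEN_FILES = [
    r"C:\WINDOWS\system32\drivers\UACewsflctd.sys",
    r"C:\WINDOWS\system32\UACqlbopdaw.dll",        # payload file, not the driver
    r"C:\WINDOWS\system32\drivers\gaopdxohocrlokojvgccmieiquramguxlachqk.sys",
    r"C:\WINDOWS\system32\drivers\TDSSserv.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",       # legitimate Windows driver
    r"C:\WINDOWS\system32\drivers\seneka.sys",     # prefix alone, no random part
]
```

A match is a candidate to check by hand, not proof, and a file that fails the pattern can still belong to the infection; the post's advice to post a RootRepeal log if unsure still applies.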

jethro53 (Junior Member, 8 posts; Join Date: Jun 2009; Experience: Intermediate)
16-Jul-2009, 05:58 PM #17
There ya go... Jethro... you're welcome.