Blog: malware

I was attempting to remove malware from an infected PC and was unable to install Malwarebytes. I have found that some infections will prevent Malwarebytes from being installed. A quick search based on the malware I suspected was installed turned up a new feature in Malwarebytes called Chameleon. For this to work, you will need a second PC which is not infected and a USB flash drive, a blank CD and CD burner, or some other means to transfer files from one computer to the other. Here are the instructions for using the Chameleon feature:

  1. From your clean computer, download and install Malwarebytes Anti-Malware
  2. Once installed, open the folder where the program was installed (usually C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware)
  3. Once there, right-click on the Chameleon folder and choose Copy
  4. Close the Malwarebytes' Anti-Malware folder
  5. Right-click on your USB flash drive or blank CD and choose Paste. Burn the CD if using a blank CD, or remove your flash drive if using a flash drive.
  6. Now insert your USB flash drive or CD, which should now contain the Chameleon folder, into the infected PC.
  7. Open the USB flash drive or CD and copy/paste the Chameleon folder from the drive to the desktop of your infected PC. Make certain that your infected PC is connected to the internet, then open the Chameleon folder which now resides on the desktop of your infected computer and double-click on the Chameleon help file chameleon.chm. If the Chameleon help file itself will not open, double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window. (Note: do not attempt to open mbam-killer, as that is not a Chameleon executable and serves a different purpose.)
  8. Follow the on-screen instructions to press a key to continue, and Chameleon will proceed to download and install Malwarebytes Anti-Malware for you.
  9. Once it has done this, it will attempt to update Malwarebytes Anti-Malware; click OK when it says that the database was updated successfully.
  10. Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan.
  11. Upon completion of the scan, if anything has been detected, click on Show Result.
  12. Have Malwarebytes Anti-Malware remove any threats that are detected and click 'Yes' if prompted to reboot your computer to allow the removal process to complete.
  13. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats.


Recently a customer opened a phishing e-mail that had been making the rounds since around the first of September. This e-mail has been reported as an IRS-themed version of the Zeus bot (some additional info: http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html).

After the virus definitions caught up with this, it was quarantined and seemed to affect only the user profile on the terminal server where it was opened. However, users also started reporting that Internet Explorer was crashing randomly.

Looking through the event logs, I could see that IE was crashing with a faulting module named RASADHLP.dll. This file is a remote access dial-up helper and shouldn't even have been in use. Comparing the files in the Windows\system32 directory with those on another terminal server at the location, the files appeared identical. However, the problematic server had a second copy of RASADHLP.dll under C:\Program Files\Internet Explorer.

Further investigation of this file showed its creation date as the same day the user received and opened the phishing e-mail. It also showed the user as the owner of the file. It is likely that IE was loading the copy in its own program directory before the one in system32, since an application's own directory is searched before the system directory when a DLL is loaded by name.

After renaming the file, IE worked without any problems, and the file was then removed from the system. Running users as non-admins likely helped to isolate the malware, but it had still managed to write a bogus file to IE's program directory.
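The check that would have surfaced this file, as an added example and not part of the original post: the PowerShell below lists DLLs in an application directory that share a name with a System32 DLL but differ from it by hash, together with the owner, creation time and signature status that pointed to the rogue copy above. The default paths for $AppDir and $SystemDir are assumptions; point them at whatever application is misbehaving.

```powershell
# Added example: find DLLs in an application directory that shadow a same-named
# DLL in System32 but differ from it, the pattern described in the post above.
# $AppDir and $SystemDir are assumed defaults; adjust for the application in question.
param(
    [string]$AppDir    = "$env:ProgramFiles\Internet Explorer",
    [string]$SystemDir = "$env:SystemRoot\System32"
)

Get-ChildItem -LiteralPath $AppDir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $systemCopy = Join-Path $SystemDir $_.Name
        # Only a DLL that also exists in System32 can shadow the system copy.
        if (-not (Test-Path -LiteralPath $systemCopy)) { return }

        $appHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $sysHash = (Get-FileHash -LiteralPath $systemCopy -Algorithm SHA256).Hash
        if ($appHash -eq $sysHash) { return }   # identical copy, not interesting by itself

        # Owner, creation time and signature status are the same clues the post used
        # (file owned by the user, created the day the phishing e-mail was opened).
        [pscustomobject]@{
            Name      = $_.Name
            AppCopy   = $_.FullName
            Created   = $_.CreationTime
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256    = $appHash
        }
    } | Sort-Object Created
```

A hash mismatch alone is a triage lead rather than proof, since some applications legitimately ship their own build of a system DLL; an unsigned copy owned by an ordinary user with a recent creation time is what makes a hit worth pulling for analysis.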