
Yet Another Virtumonde Infection. Help!


This topic is locked
4 replies to this topic

#1 tastyratz

  • Members
  • 4 posts

Posted 22 December 2007 - 11:35 PM

So I have tried running through the tutorial on here using vundofix.exe, virtumundobegone.exe... and also fxvmonde.exe from Symantec on my own. I've tried Spyware Doctor, NOD32, and manually with HijackThis. I have used CCleaner and manually attempted attacking these files myself with my bare fingertips. This has shown up as Virtumonde, Ezula, and BHO.G trojan through NOD32. No traces of Ezula seem to be showing up anywhere, however.

I am not a noob; I work in desktop support, so it kills me to actually have to post for help, but I'm swallowing my pride and posting :-)

I have at least 10,000 new files starting with the letters "pos" all over my C drive, eating up space and being generally annoying.

If it wasn't infecting my computer personally I would probably find humor in the terrible English translations that are supposed to look Windows Genuine and convincing to users. Smart enough to write a program this sophisticated, but fill it with broken English?

I have attempted to use combofix.exe on my own based on suggestions in the other similar threads (yes, I know now, hindsight is 20/20). I tried creating a text file to kill C:\WINDOWS\system32\ndqybfrq.dll as well as gebcb.dll. It killed gebcb.dll and threw it in a zip file on the desktop. ComboFix blue-screened my computer and stopped while running; I booted back up fine, however it did not appear to be permanent.

One thing to note, though, is that it basically took out all the security tools I have installed. I had been using: AVG Anti-Spyware, ESET NOD32 Antivirus, PeerGuardian2, and Spyware Doctor. All of these resided in C:\program files\security tools. It deleted the whole security tools folder; however, it appears that there is a full backup in c:\qoobox\quarantine with just *.vir added to the end. This folder for some reason showed up under Spybot S&D as SmitFraud earlier, so perhaps that was the same cause?

It would be a lot of manual labor to rename them, and there are too many dirs to just do a ren *.vir * command. Is there any way to get this stuff back where it belongs, since it shouldn't have been taken out?



Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36, on 2007-12-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ITE\Smart Guardian\ITESMART.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Utilities\UltraMon\UltraMon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\utilities\UltraMon\UltraMonTaskbar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\internet tools\Auction Sentry Deluxe\AuctionSentryDeluxe.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\drivers\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\internet tools\Auction Sentry Deluxe\AuctionSentryDeluxe.exe
C:\Program Files\internet tools\BPFTP Server\bpftpserver-service.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\internet tools\BPFTP Server\bpftpserver.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\system tools\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\system tools\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\system tools\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\drivers\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\drive tools\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\system tools\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Utilities\Core Temp\Core Temp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\file sharing\utorrent\utorrent.exe
g:\steam\steam.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\drive tools\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tastyratz\Desktop\hellofluffyjakkbunnydis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\tastyratz\Desktop\hibunnyjakkdis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ndqybfrq.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\INTERN~2\FlashFXP\IEFlash.dll
O2 - BHO: (no name) - {F0D94268-3FE5-4DBD-B294-DED5D8089487} - C:\WINDOWS\system32\gebcb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\Utilities\StartDelay\Startup Launcher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\security tools\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: UltraMon.lnk = C:\Program Files\Utilities\UltraMon\UltraMon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\business tools\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\BUSINE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\BUSINE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://extranet.wspackaging.com/dana-cache...perSetupSP1.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ndqybfrq - C:\WINDOWS\SYSTEM32\ndqybfrq.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\drivers\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: BPFTPServer - Unknown owner - C:\Program Files\internet tools\BPFTP Server\bpftpserver-service.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: hptsvr - Unknown owner - C:\Program Files\system tools\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\burning tools\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\security tools\Eset\nod32krn.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\system tools\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\drive tools\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\drive tools\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\bench tools\SiSoftware Sandra Lite XI.SP3\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\bench tools\SiSoftware Sandra Lite XI.SP3\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\security tools\Spyware Doctor\svcntaux.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\security tools\Spyware Doctor\swdsvc.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11458 bytes

Edited by tastyratz, 22 December 2007 - 11:39 PM.



#2 SNOWHITE
    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 23 December 2007 - 08:51 AM

Hello tastyratz and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

One thing to note that it did though is basically take out all my security tools I have installed. I currently had utilized: avg antispyware, eset nod32 antivirus, peerguardian2, and spyware doctor. All of these resided in C:\program files\security tools. It deleted the whole security tools folder however it appears that there is a full backup in c:\qoobox\quarantine with just *.vir added to the end.


\program files\security tools <-- This folder is also known to be used by malware; therefore, when you ran ComboFix it picked up that folder too.

The "security tools" folder is not the default installation folder for those programs; for example, Spyware Doctor's default install folder would be C:\Program Files\Spyware Doctor.

I wouldn't suggest moving them back yet, and especially not into a folder named "security tools" or anything similar, but if you are planning to use any of these tools in future I highly advise that you install them in their own default folders.

First I would like to see the contents of the report that ComboFix generated when you ran it. It should be at this location --> C:\ComboFix.txt; copy & paste the report back here, as I need to see what exactly was removed by ComboFix.

Also run this tool:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Post back with the reports I request in the above instructions and we will decide how to proceed next.

Best regards.

Edited by SNOWHITE, 23 December 2007 - 09:01 AM.

SNOWHITE

#3 tastyratz
  • Topic Starter
  • Members
  • 4 posts

Posted 23 December 2007 - 10:53 AM

Thank you very much for the reply :-)

I wanted to update: I tried one last thing last night, and as of this morning I believe I may have cleared the Vundo infection.

Cliff notes: I created a boot disk from http://www.ubcd4win.com which allowed me to access my mass storage device and manually delete the files in question, then run several programs that were added to the disk to scan and find other traces. I believe that it is cleared so far this morning, as I have no more symptoms of the spyware that I had before. I highly suggest this disc as a way to access and delete those pesky files attaching to critical system processes you can't end (like this one attaching to explorer.exe and winlogon.exe).

I do however still need to restore that security tools folder.

\program files\security tools <-- This folder is also known to be used by malware; therefore, when you ran ComboFix it picked up that folder too.

The "security tools" folder is not the default installation folder for those programs; for example, Spyware Doctor's default install folder would be C:\Program Files\Spyware Doctor.

I wouldn't suggest moving them back yet, and especially not into a folder named "security tools" or anything similar, but if you are planning to use any of these tools in future I highly advise that you install them in their own default folders.


As a little background, I install hundreds of programs and utilities for a variety of tasks on my PC (far from your average Joe). I have tried to use a categorized structure in my Program Files directory for as many programs as allow the option. This helps me keep my sanity and find the items I need. I do it for every program I can, into about 10 categories, and still have 81 folders in Program Files just of apps whose path I cannot change.

Everything installed in my security tools folder was legitimately "security tools" - that's a name I chose (like others such as web dev tools, media tools, disc tools, etc.).

First I would like to see the contents of the report that ComboFix generated when you ran it. It should be at this location --> C:\ComboFix.txt; copy & paste the report back here, as I need to see what exactly was removed by ComboFix.


Unfortunately, because ComboFix blue-screened the PC before finishing, I was unable to locate any log files created by the application on C: or in the running directory :-/


Also run this tool:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Post back with the reports I request in the above instructions and we will decide how to proceed next.

Best regards.




Since I have run HJT and several other scans on the system for Vundo, and it appears I have beaten the infection here, is there any need for me to run Deckard's System Scanner?


*EDIT*
I found a utility to mass-rename files and remove the .vir extension added to all of them. I copied the folder, ran the util, and moved the files back, and everything appears to be running fine. Does the utility simply tag .vir on the end and move the files, or does it modify the files in any other way that would render them problematic in the future?

Edited by tastyratz, 23 December 2007 - 11:39 AM.
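The restore that tastyratz asks about in the first post ("too many dirs to just do a ren *.vir * command") and again in the edit above ("does it modify the files in any other way?"), as an added example that is not from the thread, from ComboFix, or from any BleepingComputer tool. It assumes only what the thread states, that quarantined files keep their original name with .vir appended; the destination root is a parameter rather than an assumption about how the quarantine tree maps back to original paths, and the sample tree the demo builds is constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Suffix the thread reports appended to every quarantined file.
QUARANTINE_SUFFIX = ".vir"


def restore_quarantine(quarantine_root, dest_root, dry_run=True):
    """Copy every *.vir file under quarantine_root to dest_root with the suffix
    stripped, preserving the relative directory layout. Returns (src, dst, action)
    tuples so the plan can be reviewed with dry_run=True first. Files are copied,
    never moved, so the quarantine copy survives; an existing destination is
    skipped rather than overwritten (it could be a freshly reinstalled program)."""
    quarantine_root, dest_root = Path(quarantine_root), Path(dest_root)
    plan = []
    for src in sorted(quarantine_root.rglob("*" + QUARANTINE_SUFFIX)):
        if not src.is_file():
            continue
        rel = src.relative_to(quarantine_root)
        dst = dest_root / rel.with_name(rel.name[:-len(QUARANTINE_SUFFIX)])
        if dst.exists():
            plan.append((src, dst, "skip-exists"))
            continue
        plan.append((src, dst, "restore"))
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
    return plan


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restored(plan):
    """True when every restored file is byte-for-byte identical to its quarantine
    copy, i.e. the quarantine step changed only the name, not the contents."""
    return all(sha256_of(s) == sha256_of(d) for s, d, a in plan if a == "restore")


def demo():
    """Build a constructed quarantine tree, restore it, then run again to show
    that a second pass refuses to clobber what was already restored."""
    root = Path(tempfile.mkdtemp())
    q = root / "qoobox" / "Quarantine"
    samples = {  # constructed names and contents, not real binaries
        "C/Program Files/security tools/Eset/nod32krn.exe.vir": b"MZ sample 1",
        "C/Program Files/security tools/Spyware Doctor/swdsvc.exe.vir": b"MZ sample 2",
    }
    for rel, data in samples.items():
        (q / rel).parent.mkdir(parents=True, exist_ok=True)
        (q / rel).write_bytes(data)
    dest = root / "restored"
    first = restore_quarantine(q, dest, dry_run=False)
    second = restore_quarantine(q, dest, dry_run=False)
    return first, verify_restored(first), second
```

Run with dry_run=True first and read the plan; only then copy, and keep the quarantine folder until the restored tools have been confirmed working.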


#4 LonnyRJones

  • Members
  • 245 posts
  • Gender:Male

Posted 23 December 2007 - 04:05 PM

Hi tastyratz,
Having legit tools in program files\security tools was an unfortunate choice.
Have you moved anything back yet?
If not, please delete the c:\combofix folder if present, redownload the tool, run it again, and post its log.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

#5 SNOWHITE
    missy malware magnet

  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 17 January 2008 - 09:39 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE