
Isolation And Destruction Of A Virtumonde Infection



#1 Love My Name

Posted 04 July 2008 - 01:46 PM

####################################
// [ System ] +++
####################################

Model: HP Compaq-Presario A900 Notebook PC
Processor: Intel Dual T2370
Memory(RAM): 3.00 GB
System type: 32-Bit OS
OS: Windows Vista™ Home Premium (SP1)
Browsers: Internet Explorer 7.0.6001.1800, Firefox 3, Opera 9.51
Security: McAfee Total Protection

####################################
// [ Problem discovery ] +++
####################################

The problem was noticed after I installed the VeohTV player. IE7 was opened, and I noticed a standard random popup. About a minute later, I got a false-positive popup about a potential infection stating: "NOTICE: If your computer is infected, you could suffer data loss, erratic PC behavior, PC freezes and crashes. Detect and remove viruses before they activate themselves on your PC to prevent all these problems. Do you want to install AntiSpywareMaster to scan your PC for malware now? (Recommended)", with only an "OK" and "Cancel" option. McAfee SiteAdvisor went red alert.

Note: Maybe the problem came about after I unknowingly downloaded an altered Trojan/infected version of the Veoh player, or simply the problem had existed already but, due to me using Firefox for most of my browsing, it was not active until Internet Explorer was opened.

####################################
// [ Speedy Actions ] +++
####################################

With this new, unknown infection discovery on my mind, my motto/priority became: NO RESTART UNTIL PROBLEM [INTRUDER] IS ISOLATED + BOMBARDED WITH FIRST LINE OF DEFENSE, AND IF I NEED TO RESTART, RESTART IMMEDIATELY INTO SAFE MODE TO CARRY OUT FURTHER ASSAULT ON THE INVADER.

####################################
// [ Primary Assault Before Restart into Safe mode ] +++
####################################

-------------------------------------------
| Spybot - Search & Destroy (Most Current Version, with most up-to-date Rules)
`-+ URL: http://www.safer-networking.org/en/spybotsd/
|
| Sysinternals Suite (as of June 26, 2008)
`-+ Download (~8 MB): http://download.sysinternals.com/Files/SysinternalsSuite.zip
`-+ URL Documentation: http://technet.microsoft.com/en-us/sysinte...7c5a693683.aspx
|
| Opera
`-+ http://www.opera.com/download/
-------------------------------------------


----------------------
[1.] Download and install Opera (not necessary, but it seems most unaffected by the infection, and operates more swiftly than a fox on fire at the time of intrusion).
----------------------
|
`+ You can use this browser for most of your browsing needs during the repair process (i.e. for going to help forums like this one etc...)

----------------------
[2.] Download and unzip the Sysinternals Suite into its own folder; a folder on your desktop is fine.
----------------------
|
`+ Make the following two utilities in this folder your two best friends:
|
`---+ procexp.exe - Monitoring and controlling active processes
`---+ End most irrelevant/unimportant programs running in the background (END: iexplore.exe, ieuser.exe ... , DO NOT END: TeaTimer.exe, antivirus, drivers, firewall ...). Use View > Select Columns > Image Path to see where items are located on the PC.
|
`---+ autoruns.exe - Monitoring and controlling Startup processes
`---+ Look for oddities, particularly under Logon, Explorer, Internet Explorer, Scheduled Tasks, Services. Intrusion can be indicated by the Publisher column: usually no publisher is listed (BE CAREFUL, NOT ALL WITHOUT A PUBLISHER ARE). Under LOGON note the image paths. If uncertain about an intruder you can right click the suspect and select "Search Online". You can deactivate by unchecking or deleting.

--[Example 1, under LOGON]--

> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
> C:\Users\YOURNAME\AppData\Local\Temp\cbXrOeff.dll, with no publisher and no info upon online search.
I browsed to C:\Users\YOURNAME\AppData\Local\Temp\ and deleted all files that were deletable. What remained were:
- TMP000000016BFBE9D96D079086
- ptvhihqq.dll
- cbXrOeff.dll
Note: This result tells us that the files are in use, and in order to attack the intrusion fully we need to hit it with our secondary assault, "SAFEMODE", but not yet. Also, when the entry in Autoruns was deleted or deactivated, the entry returned after refresh, another indication that the secondary assault is needed.

--[Example 2, under EXPLORER]--

> c:\windows\system32\FILE.DLL, I forgot the name; it had no company name or file description, and I found nothing online.
I browsed to c:\windows\system32\, deleted this file, and deleted the entry in Autoruns.

----------------------
[3.] Download and install Spybot - Search & Destroy with SpybotSD TeaTimer active. After Spybot starts, go through the wizard:
----------------------
|
`+ get all the up-to-date rules/definitions
|
`+ IMMUNIZE
|
`+ TeaTimer should be active in the system tray, with resident protection active - it tells you when something tries to modify the registry (i.e. add/remove/change a value/key etc.). Right click and select Resident IE > display dialog when blocking. If you try deleting the entry noted above at this point, TeaTimer will notify you that the file in the image path noted above is constantly being added back to the registry right after deletion, i.e. "C:\Users\YOURNAME\AppData\Local\Temp\cbXrOeff.dll".
|
`+ "Check for problems"
|
`---+ [spybot found VIRTUMONDE KEY and FIXED]
### Virtumonde: [SBI $42352499] User settings (Registry key, fixed), location in Registry @ HKEY_USERS\S-1-5-21-15.....\Software\Microsoft\rdfa

----------------------
[4.] Proceed to secondary Assault on the Intrusion
----------------------
|
`+ Restart and press F8 before the Windows startup screen to get into SAFEMODE.
|
`+ ### Do NOT let Windows start up normally. The intrusion may get wilder/more uncontrollable. ###
|
`+ HOLD DOWN the power button for ~5+ seconds if you miss the safe mode prompt; the computer will shut off. Turn it on and try getting safe mode again using F8.

####################################
// [ Secondary Assault IN SAFEMODE ] +++
####################################

----------------------
[1.] Start: autoruns.exe
----------------------
- Delete the SUSPECTED ENTRIES; this time, after refresh, they should not return.

----------------------
[2.] Browse to suspected compromised directories:
----------------------

[ C:\Users\YOURNAME\AppData\Local\Temp\ ]
'=> ### DELETE ALL FILES ###

[ C:\windows\system32\ ]
'=> ### CAUTION HERE, DELETE ONLY DEFINITE SUSPECTS- see below ###
'- VIEW > DETAILS
'- Press ALT to get the menu bar, select VIEW > Choose Details... > check Company, Program description and other columns of importance for recognizing and verifying files.
'- VIEW > Sort By > Company

[[[ NOTE ]]]==> Not all files without a company name are suspect; your judgment also depends on the name of the file, file size.... GENERAL RULE OF "SYSTEM32": IF YOU ARE UNSURE, LEAVE IT.

Example of a file I deleted without problem:
- "awtqrPFV.dll", 25 KB, no company, Application Extension, created and modified at the same date and time, letters 'look' random in nature with no comprehensible meaning...


#################################
##THE METHOD ABOVE SOLVED MY PROBLEM ###
#################################
NO MORE RANDOM POPUPS, AND FASTER
RESPONDING SYSTEM - Hopefully helps you.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


==(( NOTE ))========================
AFTER solving the problem I found a utility called VundoFix.
URL: http://vundofix.atribune.org/ (~117 KB)
I executed the utility after the whole process,
in normally started Windows, and it found nothing (CLEAN?).
However, I think you are better off running it during both the
primary and secondary assault on the intrusion.
================================

P.S. TRY ALSO: deactivation/deletion of suspected browser add-ons / Browser Helper Objects (BHOs).


FIN... Another effort to save ourselves from ourselves. Good Luck.
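The Autoruns triage described in the post (Run-key entries whose image sits under a Temp folder, has no publisher, or carries a random-looking letters-only name) can be scripted as a first pass. This is an added PowerShell example, not the poster's procedure or code; it assumes PowerShell 2.0 or later on the machine being checked, and its flags are hints for manual review, not verdicts.

```powershell
# Added example (not from the original post): enumerate Run-key autoruns and flag the
# same indicators the post relies on. Review each flagged entry by hand before acting.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath {
    param([string]$Command)
    # Strip quotes and arguments; for rundll32 entries the DLL is the first argument
    $c = $Command.Trim()
    if ($c -match '^"([^"]+)"\s*(.*)$') { $exe = $Matches[1]; $rest = $Matches[2] }
    else { $parts = $c -split '\s+', 2; $exe = $parts[0]; $rest = if ($parts.Count -gt 1) { $parts[1] } else { '' } }
    if ($exe -match 'rundll32(\.exe)?$' -and $rest) { return ($rest -split ',')[0].Trim('"', ' ') }
    return $exe
}

function Test-RandomLookingName {
    param([string]$Path)
    # Heuristic only: letters-only base name with a run of four or more consonants,
    # as in the post's cbXrOeff.dll / awtqrPFV.dll. Some legitimate files will match too.
    $leaf = [IO.Path]::GetFileNameWithoutExtension($Path)
    return ($leaf -match '^[A-Za-z]{6,12}$') -and ($leaf -imatch '[bcdfghjklmnpqrstvwxz]{4}')
}

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }   # skip the provider's own properties
            $image = Get-ImagePath ([string]$p.Value)
            $why = @()
            if ($image -imatch '\\(AppData\\Local\\Temp|Windows\\Temp)\\') { $why += 'runs from Temp' }
            if (Test-RandomLookingName $image) { $why += 'random-looking name' }
            if (Test-Path -LiteralPath $image) {
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $why += "signature $($sig.Status)" }
            } else { $why += 'image not found on disk' }
            if ($why.Count -gt 0) {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Image = $image; Why = ($why -join '; ') }
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table Key, Name, Image, Why -AutoSize
```

Catalog-signed Windows binaries can report NotSigned under older PowerShell versions, so a signature flag alone is a prompt to check the file's properties and search online, as the post does, not proof of infection.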
