
Vundo - Rootkit?


9 replies to this topic

#1 Tekn0cat (Members, 23 posts)

Posted 31 July 2008 - 04:27 PM

For two days I've been trying to get rid of this thing. Steps taken so far:

Day 1 - User had downloaded PCCleaner malware, loads of popups. Ran Mbam in normal mode - found and deleted a bunch of stuff. Rebooted into Safe Mode, ran ATF Cleaner and then SAS. Ran VundoFix, it found nothing. Rebooted to normal mode, ran Mbam, nothing found. Ran HJT and found no unfamiliar entries. Updated him to IE7, latest Java, checked his browser settings.

Day 2 - User reported Symantec virus alerts but no more malware popups. Virus found by Symantec was Trojan.Vundo. Symantec couldn't quarantine or delete it. I ran VundoFix in safe mode again, it found nothing. Tried SAS again - it found nothing. Tried VirtumundoBegone - it found nothing. Rebooted to normal mode, updated and ran Mbam again. Here's the log:

Malwarebytes' Anti-Malware 1.24
Database version: 1013
Windows 5.1.2600 Service Pack 2

5:08:33 PM 7/31/2008
mbam-log-7-31-2008 (17-08-19).txt

Scan type: Quick Scan
Objects scanned: 43600
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM6f771c1d.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM6f771c1d.txt (Trojan.Vundo) -> No action taken.

I deleted the infected objects using Mbam then ran another HJT, but I won't post the HJT until asked. It looks clean to me, but I'm no expert. Ran Mbam a second time and here's the log now:

Malwarebytes' Anti-Malware 1.24
Database version: 1013
Windows 5.1.2600 Service Pack 2

5:25:34 PM 7/31/2008
mbam-log-7-31-2008 (17-25-34).txt

Scan type: Quick Scan
Objects scanned: 43586
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Since it looked like that at the end of Day 1 and the bug came back today, I don't trust it.

Or should I just go to the HJT forum?

Thanks!
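As an added example (not part of this thread and not Malwarebytes' own tooling), here is a PowerShell function that parses the Malwarebytes' Anti-Malware 1.x log format posted above, returns the detections still marked "No action taken", and cross-checks the summary counts against the detail sections so a truncated or edited log is caught. The sample log is constructed to match the format of the first log in this post; the function name ConvertFrom-MbamLog is my own.

```powershell
# Added example: parse an MBAM 1.x quick-scan log and report unremediated detections.
function ConvertFrom-MbamLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    $summary  = @{}      # "Registry Keys Infected" -> 2
    $findings = @()      # one object per detail entry
    $section  = $null    # detail section currently being read

    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '') { continue }

        # Summary block line, e.g. "Registry Keys Infected: 2"
        if ($trimmed -match '^(?<name>[A-Za-z ]+ Infected):\s*(?<count>\d+)$') {
            $summary[$Matches.name] = [int]$Matches.count
            continue
        }
        # Detail section header, e.g. "Registry Keys Infected:"
        if ($trimmed -match '^(?<name>[A-Za-z ]+ Infected):$') {
            $section = $Matches.name
            continue
        }
        # Detail entry: "<item> (<threat>) -> <status>."
        if ($section -and $trimmed -match '^(?<item>.+?) \((?<threat>[^()]+)\) -> (?<status>.+?)\.?$') {
            $findings += [pscustomobject]@{
                Section = $section
                Item    = $Matches.item
                Threat  = $Matches.threat
                Status  = $Matches.status
            }
        }
    }

    [pscustomobject]@{
        Summary      = $summary
        Findings     = $findings
        Unremediated = @($findings | Where-Object { $_.Status -like 'No action taken*' })
    }
}

# Constructed sample in the format of the log posted above (not a real scan result).
$sampleLog = @'
Malwarebytes' Anti-Malware 1.24
Database version: 1013

Registry Keys Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
'@ -split "`r?`n"

$report = ConvertFrom-MbamLog -Lines $sampleLog

# Anything still "No action taken" is still on the box; this is what to act on first.
$report.Unremediated | Format-Table Section, Item, Threat

# Consistency check: summary counts must match the entries actually listed.
foreach ($name in $report.Summary.Keys) {
    $expected = $report.Summary[$name]
    $actual   = @($report.Findings | Where-Object Section -eq $name).Count
    if ($expected -ne $actual) {
        Write-Warning "${name}: summary says $expected, log lists $actual"
    }
}
```

On the constructed sample the function returns two unremediated entries (the contim key and pskt.ini) and no warnings. Run against the first log in this post it would return all five entries, which is the practical reading of that log: the scanner identified the Vundo artifacts but, at the time the log was saved, had not yet removed any of them.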


#2 Richard Fu (Members, 135 posts)

Posted 31 July 2008 - 06:38 PM

Run SAS in normal mode then post the log.

#3 quietman7, Bleepin' Janitor (Global Moderator, 51,266 posts, Virginia, USA)

Posted 01 August 2008 - 07:43 AM

Quoting Tekn0cat: "User reported Symantec virus alerts but no more malware popups"

Did Symantec provide a specific file name associated with this malware threat and, if so, where on the system is it located (full file path)?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Tekn0cat, Topic Starter (Members, 23 posts)

Posted 01 August 2008 - 08:14 AM

Quoting quietman7: "Did Symantec provide a specific file name associated with this malware threat and, if so, where on the system is it located (full file path)?"


Filenames in Symantec log (filepath):

vclheerr.dll (C:\windows\system32)
A0000032.dll (C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP2\)
A0000031.dll (C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP2\)
gllrqc.dll (C:\windows\system32)
nomnbjux.dll [this one appears many times] (C:\windows\system32)

I also ran a program called Webroot Spy Sweeper last night; it was the free version, so it couldn't remove anything. It found the following (no logfile available):

virtumonde
pcprivacycleaner
antimalwareguard
2o7.net cookie

I'm arranging to get a paid copy of spysweeper so I can try to remove these.

I also did the SAS scan in normal mode. It found nothing but three tracking cookies, same result as when I did it in safe mode. And I couldn't find a way to generate a log file in the free version of SAS.

(Update) I tried another Mbam update and scan this morning (normal mode) and it didn't find anything. Logfile was clean:

Malwarebytes' Anti-Malware 1.24
Database version: 1014
Windows 5.1.2600 Service Pack 2

9:32:36 AM 8/1/2008
mbam-log-8-1-2008 (09-32-36).txt

Scan type: Quick Scan
Objects scanned: 43890
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Tekn0cat, 01 August 2008 - 08:34 AM.


#5 quietman7, Bleepin' Janitor (Global Moderator, 51,266 posts, Virginia, USA)

Posted 01 August 2008 - 08:37 AM

Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

[kill explorer]
C:\windows\system32\vclheerr.dll
C:\windows\system32\gllrqc.dll
C:\windows\system32\nomnbjux.dll
EmptyTemp
[start explorer]

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using it incorrectly could lead to disastrous problems with your operating system.


Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
-- Post the log in your next reply and let me know how your computer is running.
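Added example, not from the thread and not part of OldTimer's OTMoveIt: before moving files named in an AV alert, a responder usually wants a record of what is actually on disk for each path (existence, size, SHA-256, Authenticode status, last write time) and whether any running process has the DLL loaded, since a loaded module is the usual reason a scanner reports a file it cannot delete and the reason the OTMoveIt script above stops explorer first. The three paths are the ones Symantec reported earlier in this thread; the function Get-SuspectFileReport and its output fields are my own. Assumes Windows PowerShell 4 or later (for Get-FileHash), run elevated so module lists of other users' processes are readable.

```powershell
# Added example: record the on-disk and in-memory state of files an AV product named,
# before anything is moved or deleted.
function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string[]]$Path)

    # Build a map of loaded module path -> processes holding it, once.
    $loadedBy = @{}
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try {
            foreach ($mod in $proc.Modules) {
                $key = $mod.FileName.ToLowerInvariant()
                if (-not $loadedBy.ContainsKey($key)) { $loadedBy[$key] = @() }
                $loadedBy[$key] += "$($proc.ProcessName):$($proc.Id)"
            }
        } catch {
            # Access denied on protected/system processes is expected; skip them.
        }
    }

    foreach ($p in $Path) {
        $full = [System.Environment]::ExpandEnvironmentVariables($p)
        # -Force so hidden/system attributes (common on dropped DLLs) do not hide the file.
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            # Matches the "not found" outcome seen later in this thread.
            [pscustomobject]@{
                Path = $full; Exists = $false; Size = $null; Sha256 = $null
                Signed = $null; LoadedBy = $null; Written = $null
            }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $full
        [pscustomobject]@{
            Path     = $full
            Exists   = $true
            Size     = $item.Length
            Sha256   = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
            Signed   = $sig.Status            # Valid / NotSigned / HashMismatch ...
            LoadedBy = ($loadedBy[$full.ToLowerInvariant()] -join ', ')
            Written  = $item.LastWriteTime
        }
    }
}

# The file names Symantec reported in post #4; the directory is resolved from the
# running system rather than hard-coded.
$reported = @(
    "$env:SystemRoot\system32\vclheerr.dll",
    "$env:SystemRoot\system32\gllrqc.dll",
    "$env:SystemRoot\system32\nomnbjux.dll"
)
Get-SuspectFileReport -Path $reported | Format-List
```

Keep the output with the case notes: the hash lets you check the sample against a reputation service later, the LastWriteTime shows whether the DLL was dropped at the time of the infection, and an empty LoadedBy on an existing file means an ordinary move will succeed without restarting explorer.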

#6 Tekn0cat, Topic Starter (Members, 23 posts)

Posted 01 August 2008 - 09:00 AM

Explorer killed successfully
File/Folder C:\windows\system32\vclheerr.dll not found.
File/Folder C:\windows\system32\gllrqc.dll not found.
File/Folder C:\windows\system32\nomnbjux.dll not found.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_094518

Dr. Web CureIt in safe mode found nothing but VNC.

#7 quietman7, Bleepin' Janitor (Global Moderator, 51,266 posts, Virginia, USA)

Posted 01 August 2008 - 09:19 AM

Is Symantec still finding any files?

#8 Tekn0cat, Topic Starter (Members, 23 posts)

Posted 01 August 2008 - 09:23 AM

So far Symantec has not found anything today. However, it didn't find anything for a couple of hours yesterday, then it started popping up warning messages.

I'm also concerned because the Webroot Spysweeper scan I ran last night found the items I mentioned earlier, and I didn't/couldn't remove any of them.

I will keep you posted - I've asked the user to let me know right away if he gets any more warnings or unexpected behaviour.

#9 quietman7, Bleepin' Janitor (Global Moderator, 51,266 posts, Virginia, USA)

Posted 01 August 2008 - 09:29 AM

OK.

BTW, the infected RP***\A00*****.dll file(s) identified by Symantec are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

#10 Tekn0cat, Topic Starter (Members, 23 posts)

Posted 01 August 2008 - 09:47 AM

Quoting quietman7: "To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point."


One thing I forgot to mention earlier: at the end of the first day, after I got the clean HJT etc., I turned off System Restore (to clear all prior restore points), then re-enabled it and created a restore point.

Still, it looks like I'll have to do this again.
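Added example, not from the thread: the restore-point cleanup quietman7 describes in post #9 and the disable/re-enable/checkpoint sequence Tekn0cat describes above, done with the System Restore cmdlets of Windows PowerShell 5.1 instead of the XP-era System Restore and Disk Cleanup dialogs. It assumes an elevated Windows PowerShell session (these cmdlets are not in PowerShell 7) and System Restore enabled on C:. Disabling System Restore on a drive deletes every restore point on it, including the RP*\A00*.dll copies the scanner cannot reach, so the order matters: scanners clean first, old points discarded second, new baseline last.

```powershell
# Added example: discard restore points that may carry infected A00*.dll copies and
# create a clean baseline afterwards. Run as Administrator in Windows PowerShell 5.1.
$drive = 'C:\'

# 1. Inventory what System Restore currently holds. CreationTime is a WMI datetime
#    string, hence the ConvertToDateTime call.
Write-Host 'Restore points before cleanup:'
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }

# 2. Turning System Restore off for the drive removes all of its restore points
#    (the "all prior restore points" step above). Re-enable it straight away.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# 3. Only after the scanners report clean: take a fresh checkpoint so the new
#    baseline does not itself preserve infected files.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

Write-Host 'Restore points after cleanup:'
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
```

Two caveats from a defender's side: on Windows 8 and later, Checkpoint-Computer silently skips creating a point if one was created in the previous 24 hours unless the SystemRestorePointCreationFrequency registry value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so check the second listing rather than assuming the baseline exists; and, as the thread itself shows, a clean set of restore points is not proof the machine is clean, since the poster had already done this once and the alerts returned the next day.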



