
Unknown Malware Infection Possible


6 replies to this topic

#1 BlakeTyner


Posted 29 September 2008 - 07:31 PM

Hello, this is my first post here. Thank you in advance for any help. I've read the topic on what to do, with one caveat - I am on a dial-up connection and that limits me a little bit.

BACKGROUND:

A few days ago, my computer went crazy with some sort of malware or trojan. I believe it was Virtumonde, as the bug would reset my screensaver to a fake blue screen, and change my desktop background to a fake spyware warning. After repeated attempts, I could not get rid of the malware and opted to do a hard drive wipe and reinstall of XP Pro.

One problem with the reinstall of the OS is that my install disc is old -- pre SP1 -- and I have not as yet installed a service pack. Because of my dial-up connection, it takes forever to download updates, and in some cases (such as the BITS update) they fail to install anyway. So I have ordered SP3 from Microsoft on a disc, which should be here within a week or two.

After the wipe, I immediately did the following:

Downloaded and installed Firefox 3
Downloaded and Installed Spybot and Adaware
Downloaded the software from NetZero to connect to the internet
Downloaded ZoneAlarm free firewall, and installed
Downloaded SpyWare Guard, installed, and set to autorun on boot
Set TeaTimer to run on boot

All of the above have current virus databases

In addition, I have now downloaded and installed HiJackThis and Combofix.

As soon as I could, I created a limited account on the computer and only log in to the Admin account when I absolutely have to (such as to see what my Windows\temp folder contains, or to delete certain items in \system32).

As you can probably tell, my need to get into System32 to delete files indicates that something came back. I'm unsure how, since I immediately upgraded to the latest version of Java from Sun (a tip I read here on the forums--that older Java platforms had vulnerabilities) and have not been to any disreputable websites that I know of. Mostly just google searches for help on this problem.

I have been alerted that "runner.exe" was on my system and present at startup, so I booted to Safe Mode and deleted the .exe from the command line. I also got rid of a process present both at startup and in the registry for an .exe program with a nonsense name (something like lidbbeyakenddn.exe).

After that, the Adaware and Spybot scans came back clean.

However...

Now I'm getting strange programs trying to access the internet. ZoneAlarm will alert me every so often about a process VST#.tmp that is trying to access the trusted zone, which I then deny. The # part of the filename varies; sometimes it's 9, sometimes 19, etc. So far I've denied all of those alerts.

That's about as detailed as I can think of as far as the problem and what I've done to date.

Here is a new Hijackthis log (which, sadly, contains that random letter .exe in the HKLM run tree, so I apparently didn't get it.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:31 PM, on 9/29/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&...mp;UT=companion
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyGuard] C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [lphcn7jj0el7r] C:\WINDOWS\System32\lphcn7jj0el7r.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222532444654
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C280620-5D80-44E5-A540-DB15FABF03A9}: NameServer = 64.136.52.73 64.136.44.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C280620-5D80-44E5-A540-DB15FABF03A9}: NameServer = 64.136.52.73 64.136.44.73
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4832 bytes



Thanks again,
Blake
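As an added defender-side example (not code from the original post, HijackThis or any other tool named here), the following Python parses HijackThis O4 autorun lines like the ones in the log above and flags executables with random-looking names such as the System32 entry the poster could not get rid of. The sample log lines and the name heuristic are constructed for this illustration.

```python
import re

# Constructed sample in HijackThis O4 format; the System32 entry with the nonsense name is the one from the log above
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKLM\\..\\Run: [lphcn7jj0el7r] C:\\WINDOWS\\System32\\lphcn7jj0el7r.exe
O4 - HKCU\\..\\Run: [NetZero_uoltray] C:\\Program Files\\NetZero\\exec.exe regrun
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\\Program Files\\NetZero\\Toolbar.dll
"""

# "O4 - <hive>\..\<key>: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First executable on the command line: a quoted path, or everything up to the first ".exe"
EXE_RE = re.compile(r'"(?P<q>[^"]+)"|(?P<u>.+?\.exe)', re.IGNORECASE)

def parse_o4(log_text):
    """Return one dict per O4 autorun line; other HJT sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m['cmd'])
        path = (exe['q'] or exe['u']) if exe else m['cmd']
        entries.append({'hive': m['hive'], 'key': m['key'], 'name': m['name'], 'path': path})
    return entries

def looks_random(stem):
    """Heuristic for generated names like lphcn7jj0el7r: long and mixing letters with digits, or long with almost no vowels."""
    letters = sum(c.isalpha() for c in stem)
    if not letters:
        return False
    if len(stem) >= 10 and any(c.isdigit() for c in stem):
        return True
    vowels = sum(c in 'aeiou' for c in stem.lower())
    return len(stem) >= 8 and vowels / letters < 0.15

def suspicious_autoruns(log_text):
    """Flag autoruns whose executable has a random-looking name; note a System32 location as extra context."""
    flagged = []
    for e in parse_o4(log_text):
        basename = e['path'].rsplit('\\', 1)[-1]
        if looks_random(basename.rsplit('.', 1)[0]):
            reasons = ['random-looking filename']
            if '\\system32\\' in e['path'].lower():
                reasons.append('lives in System32')
            flagged.append({**e, 'basename': basename, 'reasons': reasons})
    return flagged
```

Short vendor names such as hkcmd or exec pass the heuristic; a hit is a prompt to look the file up, not proof of infection.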


#2 Billy O'Neal
    Visual C++ STL Maintainer

  • Malware Response Team

Posted 09 October 2008 - 03:46 PM

:thumbsup: to BleepingComputer.com

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 BlakeTyner

Posted 10 October 2008 - 11:06 PM

Okay, the requested files are attached to this post.

Thanks,
Blake

Attached Files



#4 Billy O'Neal

Posted 11 October 2008 - 12:05 AM

Hello, BlakeTyner

You need to pull power on this machine immediately and read the rest of this post from a clean machine!

Your system is infected with the VIRUT file infecting virus.
More info on that here:
http://www.f-secure.com/v-descs/virus_w32_...t.shtml#details

What this means is that all executable files on this system which Virut can get access to are now compromised and turned into copies of itself, and disinfection of these is difficult if not impossible. I'm going to do some research to see if there's anything we can do about this particular variant, but generally the only way to fix Virut infections is a complete format and reinstallation of the Operating System.

EDIT: From AVG's writeup:

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

Due to the damage caused to files by Virut, it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.


In addition, Virut is a backdoor!
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We may be forced to reinstall anyway, but I'm not certain yet.

THE MOST IMPORTANT THING IS THAT THIS MACHINE IS SHUT DOWN UNTIL WE ARE ABLE TO ATTEMPT FIXES. THE LONGER THIS SYSTEM IS RUNNING, THE MORE FILES VIRUT WILL DESTROY!!!

I'll get back to you when I have some more concrete information about this specific variant.

Sorry for the bad news,
Billy3

Edited by Billy O'Neal, 11 October 2008 - 12:11 AM.


#5 Billy O'Neal


Posted 11 October 2008 - 04:50 PM

Alright... after further research, it is possible to recover some of these infected files. Some are destroyed by the virus and are toast; nothing we can do about them.

I'd really recommend reformatting, but I'll attempt to get things okay if you want. Keep in mind most of your applications will have to be reinstalled either way.

Let me know if you decide to format or not.

Billy3

#6 Billy O'Neal


Posted 13 October 2008 - 03:54 PM

Hello, BlakeTyner.
Have you decided what to do?

Billy3

#7 Billy O'Neal


Posted 16 October 2008 - 05:47 AM

Hello, BlakeTyner.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3