virtumonde and possible rootkit

7 replies to this topic

#1 Tedfs3

  • Members
  • 6 posts

Posted 13 January 2009 - 10:02 PM

I've had luck getting rid of these things the first time I had them but not this time.

After running every free tool, I'm at a loss.

I can not enable the Automatic Windows updates via the Security Center or via Administrator Tools/Services. Every option I select reverts the Service back to disabled.
I understand we aren't supposed to post ComboFix Logs, however, it did report rootkit activity. If that information is needed, it can be posted later.

Here is the log before removal, just in case the machine needs to reboot while this is posted.
MBAM log :

Malwarebytes' Anti-Malware 1.32
Database version: 1649
Windows 5.1.2600 Service Pack 3

1/13/2009 9:59:58 PM
mbam-log-2009-01-13 (21-59-53).txt

Scan type: Quick Scan
Objects scanned: 52654
Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ntmdfjnu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\geBtUnnl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tyxbin.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e775b62-7bf8-4c1b-8e21-d467a36178d1} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5e775b62-7bf8-4c1b-8e21-d467a36178d1} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f71851be-83a9-406f-9ea3-06eeed978af6} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f71851be-83a9-406f-9ea3-06eeed978af6} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e775b62-7bf8-4c1b-8e21-d467a36178d1} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f71851be-83a9-406f-9ea3-06eeed978af6} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\inszzyox (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\inszzyox (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inszzyox (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\784587f5 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBtUnnl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\geBtUnnl.dllbox (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\c:\windows\system32\gebtunnl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lnnUtBeg.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lnnUtBeg.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tyxbin.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ntmdfjnu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\unjfdmtn.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xvgguemo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\Drivers\liuwmgil.sys (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\Disturbed\Local Settings\Temporary Internet Files\Content.IE5\SHI70PIV\upd105320[1] (Trojan.Vundo.H) -> No action taken.


After 2 + hours of trying to get rid of this, I clicked the update button in MBAM yet again and it updated.
After removing, rebooting and scanning again everything seems to be gone.

I'll leave the log quote here in case it may help someone else.

Edited by Tedfs3, 13 January 2009 - 10:13 PM.
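The MBAM log quoted above is plain text with one "... Infected:" section per category and one detection per line. As an added example (not part of the original post and not Malwarebytes' own tooling), here is a small Python parser for that layout: it counts detections per section and per detection name, flags entries that sit in locations that survive a reboot on their own (a Run value, a Services key, a Browser Helper Object registration, a file under Drivers), and reports whether every entry still reads "No action taken", which is what a log saved before removal looks like and why a reboot and rescan were still needed. The sample text is a constructed excerpt copied from a few of the lines in the post; the persistence rule table and its labels are this example's own assumptions, not MBAM output.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.32 log layout; the entries
# are copied from the log quoted in the thread above (a few lines per section).
SAMPLE_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\ntmdfjnu.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e775b62-7bf8-4c1b-8e21-d467a36178d1} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inszzyox (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\784587f5 (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBtUnnl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\Drivers\liuwmgil.sys (Rootkit.Agent) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Persistence heuristics: (section prefix, substring of the lowercased item, label).
# This rule table is the example's own assumption, not something MBAM reports.
PERSISTENCE_RULES = (
    ("Registry Values", "\\currentversion\\run\\", "autorun entry (Run value)"),
    ("Registry Keys", "\\services\\", "service or driver registration"),
    ("Registry Keys", "\\browser helper objects\\", "Internet Explorer BHO"),
    ("Files", "\\drivers\\", "kernel driver file"),
)


def parse_mbam_log(text):
    """Return {section name: [entry dict, ...]} for the '... Infected:' sections of an MBAM log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:  # lines that do not fit the entry layout are ignored rather than guessed at
            sections[current].append({"section": current, **m.groupdict()})
    return sections


def summarize(sections):
    """Number of detections per section, including sections that reported nothing."""
    return {name: len(entries) for name, entries in sections.items()}


def families(sections):
    """Counter of detection names across all sections (e.g. Trojan.Vundo.H)."""
    return Counter(e["detection"] for entries in sections.values() for e in entries)


def persistence_points(sections):
    """List of (item, mechanism) for detections sitting in reboot-surviving locations."""
    found = []
    for entries in sections.values():
        for e in entries:
            low = e["item"].lower()
            for prefix, needle, label in PERSISTENCE_RULES:
                if e["section"].startswith(prefix) and needle in low:
                    found.append((e["item"], label))
                    break
    return found


def removal_pending(sections):
    """True when every entry still reads 'No action taken', i.e. the log predates removal."""
    actions = [e["action"] for entries in sections.values() for e in entries]
    return bool(actions) and all(a == "No action taken" for a in actions)


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(summarize(parsed))
    print(families(parsed))
    for item, how in persistence_points(parsed):
        print(f"{how:32} {item}")
    print("removal still pending:", removal_pending(parsed))
```

Run against the full log from the post, the persistence list is what to check again after the reboot: a Services key plus a .sys under Drivers is the loader for the "Rootkit.Agent" detection, and the Run value and BHO registrations are how the Vundo DLLs get back into winlogon and Internet Explorer at the next start.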


#2 buddy215

  • BC Advisor
  • 12,874 posts
  • Gender:Male
  • Location:West Tennessee

Posted 13 January 2009 - 10:15 PM

You will need to reboot to finish the removal of malware.
Then run another scan with MBAM.

Best to use more than one program. Use Super Antispyware. After downloading, installing, and UPDATING SAS in regular mode, exit SAS and boot to safe mode to run the scan.
Directions for SAS setup are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” (Lawrence M. Krauss)

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 Tedfs3
  • Topic Starter

  • Members
  • 6 posts

Posted 13 January 2009 - 10:24 PM

I edited the original post instead of adding another reply.

After 2 + hours of trying to get rid of this, I clicked the update button in MBAM yet again and it updated.
After removing, rebooting and scanning again everything seems to be gone.

I'll leave the log quote here in case it may help someone else.

#4 Tedfs3
  • Topic Starter

  • Members
  • 6 posts

Posted 14 January 2009 - 02:38 AM

I'm still getting DEP errors for winlogon.exe even though scans are clean and pop ups have stopped.

Looks like this isn't quite solved yet. What's my next step?

#5 buddy215

  • BC Advisor
  • 12,874 posts
  • Gender:Male
  • Location:West Tennessee

Posted 14 January 2009 - 06:33 AM

Did you run Super Antispyware? If not, suggest you do that.

The malware you have is constantly changing to hide from the security programs. MBAM and SAS update daily or more often to include the latest items to identify the malware. Update both and run them again.



#6 Tedfs3
  • Topic Starter

  • Members
  • 6 posts

Posted 14 January 2009 - 07:39 AM

I did end up running Super Antispyware and it did remove 1 file the others missed. The winlogon.exe DEP error has happened 4 out of the last 5 times the machine has been rebooted for Windows Updates. The last time the machine was rebooted the error did not appear.

While I'm not 100% sure everything is really fixed, no pop ups or errors have appeared since last reboot. I've settled on building an install image with nLite as I'm about due for a fresh install anyway.

Thank you for your help.

#7 buddy215

  • BC Advisor
  • 12,874 posts
  • Gender:Male
  • Location:West Tennessee

Posted 14 January 2009 - 08:45 AM

If you use nLite and have the time, would you post a brief summary and link to it in Bleeping Computer's "Freeware Replacements for Common Commercial........"
http://www.bleepingcomputer.com/forums/ind...l=free+programs

I did look for it there and did not find it. I read up on it and if you find it does the job, please add it to the list. Only members who have used the program can add to the list.



#8 Tedfs3
  • Topic Starter

  • Members
  • 6 posts

Posted 14 January 2009 - 03:31 PM

I'll post info on nLite for XP and vLite for Vista. They both do really good jobs and are free; can't beat that.
