
Infected with TDSS, Vundo, Virtumunde


  • This topic is locked
12 replies to this topic

#1 sparky310

  • Members
  • 16 posts

Posted 11 February 2009 - 06:05 PM

Last night I was browsing the net and had an error come up for Adobe Acrobat. It closed out, and I didn't think much of it. I have Spybot S&D running, and shortly thereafter it began giving me alerts about all sorts of registry changes. At this point I figured I had gotten infected somehow, so I closed everything out and updated AVG, Spybot, and Malware Bytes. I pulled the net connection, rebooted in safe mode and ran AVG, which came up with a clean scan. I then let Malware Bytes run over night. By morning it had completed scanning, and found some 16 or so infections (relating to trojan.tdss and trojan.vundo.H). I selected all entries and had Malware address them - some were deleted successfully, some said they required a reboot to finish removing. I allowed the system to reboot into regular mode. I then rebooted again in safe mode, and ran Spybot, which came up with an additional infection (virtumunde). I selected to have Spybot remove it, then rebooted again in safe mode. I ran both Malware Bytes and Spybot, both of which came up clean. I then rebooted in normal mode, uninstalled AVG, and downloaded and installed Avast!. I thought perhaps having gotten clean scans on both MB and Spybot that the infections had been taken care of, but in the process of downloading Avast! I was still getting browser redirects. At this point I updated Spybot (full version update available, apparently) and MB (no further updates) again and came here for help. I read the "Preparation Guide .." and followed the steps therein, leading me here to this forum and this thread.

If it is relevant, approximately 4-5 months ago I was infected by the Windows XP 2009 Antispyware malware (not sure that's the full, correct name, but hoping it's close enough to be recognizable). I was instructed on how to use MB and Combofix in order to remove the infection, and to the best of my knowledge was successful in cleaning the computer.

I'm fairly certain the answer to this will be "It cannot be determined with any accuracy, and better safe than sorry", but I'm wondering if from the following logs it might be determined round about when I was infected. I saw absolutely no abnormal behavior prior to last evening.

Thank you for any help you may be able to provide me.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Chris at 17:05:34.37 on Wed 02/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2840 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090211-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Program Files\Spybot - Search & Destroy\Updates\sbsd162upd.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\is-JTGG6.tmp\sbsd162upd.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner\rivatuner v2.02\RivaTuner.exe" /S
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187467556562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: karna.dat krokza.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\3kxhvw4v.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-11 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-11 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-11 352920]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-8-17 235648]
S0 xjvpl;xjvpl;c:\windows\system32\drivers\tcfuznzn.sys --> c:\windows\system32\drivers\tcfuznzn.sys [?]
S3 YWJ;YWJ;c:\docume~1\chris\locals~1\temp\ywj.exe --> c:\docume~1\chris\locals~1\temp\YWJ.exe [?]

=============== Created Last 30 ================

2009-02-10 22:33 129,024 a------- c:\windows\system32\krokza.dll
2009-02-10 22:33 129,024 a------- c:\windows\system32\pnkctgvn.dll

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2007-12-26 19:02 22,328 a------- c:\docume~1\chris\applic~1\PnkBstrK.sys
2006-06-23 01:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2008-10-28 08:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 17:06:05.56 ===============

Attached Files
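The DDS log above carries the three indicators the helper later acts on (a boot-start driver whose file is missing from disk, a temp-folder service, and DLLs injected through AppInit_DLLs) and, in the "Created Last 30" section, the timestamps from which an infection date can be estimated. The following triage script is an added example written for this page; it is not code from the thread, from DDS or from ComboFix. It parses a constructed excerpt of the log (the entries are copied from the post above), flags each indicator, and reports the earliest timestamp among the flagged files as the likely infection time. Section banners, field layout and the `[?]` marker are taken from the log format shown above; the `start_type` interpretation (digit after R/S = service start type, 0 = boot start) is an assumption about DDS output.

```python
import re
from datetime import datetime

# Constructed excerpt of a DDS log, trimmed to the three sections the triage reads.
# The entries mirror the ones posted in this thread.
SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
AppInit_DLLs: karna.dat krokza.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-11 114768]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2007-8-17 235648]
S0 xjvpl;xjvpl;c:\windows\system32\drivers\tcfuznzn.sys --> c:\windows\system32\drivers\tcfuznzn.sys [?]
S3 YWJ;YWJ;c:\docume~1\chris\locals~1\temp\ywj.exe --> c:\docume~1\chris\locals~1\temp\YWJ.exe [?]

=============== Created Last 30 ================

2009-02-10 22:33 129,024 a------- c:\windows\system32\krokza.dll
2009-02-10 22:33 129,024 a------- c:\windows\system32\pnkctgvn.dll
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<R|S><start type> name;display name;path [date size]"  or  "... [?]" when DDS cannot find the file
SERVICE_RE = re.compile(
    r"^(?P<run>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")


def split_sections(log_text):
    """Group the log's non-empty lines under their '==== NAME ====' banners (names upper-cased)."""
    sections = {}
    current = "HEADER"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        sections.setdefault(current, []).append(line)
    return sections


def flag_services(lines):
    """Return services/drivers whose binary DDS could not find on disk (the '[?]' marker)."""
    flagged = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and m.group("meta").strip() == "?":
            flagged.append({
                "name": m.group("name"),
                "start_type": int(m.group("start")),  # assumption: 0 = boot start, 3 = manual
                "path": m.group("path").split(" --> ")[-1],  # resolved path after the arrow, if any
            })
    return flagged


def appinit_dlls(lines):
    """Return the DLL names on the AppInit_DLLs line; this value is normally empty on a clean XP box."""
    for line in lines:
        if line.lower().startswith("appinit_dlls:"):
            return line.split(":", 1)[1].split()
    return []


def flag_created(lines, suspect_names):
    """Return 'Created Last 30' entries that match a suspect file name, plus any entry
    with the same size and creation minute (files dropped together by one installer)."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            entries.append({
                "when": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
                "size": int(m.group("size").replace(",", "")),
                "path": m.group("path"),
            })
    lowered = {n.lower() for n in suspect_names}
    direct = [e for e in entries if e["path"].rsplit("\\", 1)[-1].lower() in lowered]
    siblings = {(e["when"], e["size"]) for e in direct}
    return [e for e in entries if (e["when"], e["size"]) in siblings]


def triage(log_text):
    """Run the three checks and estimate the earliest timestamp among the flagged files."""
    sections = split_sections(log_text)
    dlls = appinit_dlls(sections.get("PSEUDO HJT REPORT", []))
    services = flag_services(sections.get("SERVICES / DRIVERS", []))
    created = flag_created(sections.get("CREATED LAST 30", []), dlls)
    earliest = min((e["when"] for e in created), default=None)
    return {"appinit_dlls": dlls, "missing_binary_services": services,
            "created": created, "earliest_indicator": earliest}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS_LOG)
    for svc in result["missing_binary_services"]:
        print(f"service {svc['name']} (start type {svc['start_type']}) -> file not found: {svc['path']}")
    print("AppInit_DLLs:", result["appinit_dlls"])
    for e in result["created"]:
        print(f"{e['when']:%Y-%m-%d %H:%M} {e['size']:>8} {e['path']}")
    print("earliest indicator:", result["earliest_indicator"])
```

On the sample the script flags the `xjvpl` and `YWJ` services, both AppInit DLLs, and the two 129,024-byte DLLs created at 2009-02-10 22:33, which is the same date the helper later gives as the probable infection time. The sibling rule (same size, same minute) is what ties `pnkctgvn.dll` to `krokza.dll` even though only the latter is named in AppInit_DLLs; the caveat the helper also raises applies here, since an earlier rootkit can pre-date every file the 30-day window shows.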





#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 February 2009 - 01:46 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 sparky310
  • Topic Starter

  • Members
  • 16 posts

Posted 12 February 2009 - 10:58 AM

Disabled everything (under the TeaTimer steps for Spybot there was no checkbox under the startup icon, though). Downloaded Combofix off the first link. Should I be running Combofix in safe mode, or just out of Windows regularly? If I do run it normally, should I leave the computer connected to the 'net?

Is there a particular place you'd suggest I go to get HijackThis?

I have to leave the house until later this afternoon, so I'm going to pull the 'net connection so that the computer isn't connected while I'm gone.

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 February 2009 - 12:28 PM

Just run ComboFix normally.. in Normal Mode, with internet connection..

Don't forget to disable all antivirus/antispyware/firewall that you have before running ComboFix :thumbup2:



#5 sparky310
  • Topic Starter

  • Members
  • 16 posts

Posted 12 February 2009 - 05:38 PM

Here are the ComboFix and HijackThis log files.

Attached Files



#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 13 February 2009 - 01:47 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
xjvpl
YWJ

Rootkit::
c:\windows\system32\drivers\tcfuznzn.sys
C:\Documents and Settings\Chris\Local Settings\temp\YWJ.exe

File::
c:\windows\system32\drivers\tcfuznzn.sys
C:\Documents and Settings\Chris\Local Settings\temp\YWJ.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the ComboFix log in your next reply..



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.


Post these logs in your next reply..

1. ComboFix
2. GMER



#7 sparky310
  • Topic Starter

  • Members
  • 16 posts

Posted 13 February 2009 - 01:26 PM

Wasn't 100% sure Gmer was done running, but I left it to sit for 30ish minutes and nothing else happened, so.

I don't suppose there's some indication as to when (as in, what day/date) the computer was infected?

Attached Files



#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 13 February 2009 - 01:54 PM

I don't suppose there's some indication as to when (as in, what day/date) the computer was infected?


From your logs, it could be from 10 Feb.. But since the computer had a rootkit before, I couldn't tell for sure..


Logs look good; however, let's do an online scan to make sure we got them all :thumbup2:


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan and wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



#9 sparky310
  • Topic Starter

  • Members
  • 16 posts

Posted 13 February 2009 - 08:21 PM

So if I'm understanding what you said correctly, there was a bunch of new stuff that the computer was recently infected with, but it's had a rootkit for awhile now?

I suppose given there was a rootkit, the standard idea that the system is always suspicious now applies?

EDIT: There's also a few new files I've noticed pop up directly on c:\ .. namely, boot.bak, cmldr, and IPH.PH ... are those files from the various scanners we've run, or?

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3852 (20090213)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=54f907f7e87948479bc38dba3acffe78
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-14 01:07:00
# local_time=2009-02-13 08:07:00 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=434132
# found=3
# scan_time=2729
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSedwv.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSghvw.dll.vir Win32/Agent.OIO trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSgnax.dll.vir Win32/Agent.ODG trojan (unable to clean - deleted) 00000000000000000000000000000000

Edited by sparky310, 13 February 2009 - 08:22 PM.


#10 fenzodahl512

  • Members
  • 6,738 posts

Posted 14 February 2009 - 02:37 AM

So if I'm understanding what you said correctly, there was a bunch of new stuff that the computer was recently infected with, but it's had a rootkit for awhile now?


Correct..


I suppose given there was a rootkit, the standard idea that the system is always suspicious now applies?


We successfully got rid of the rootkit, so don't worry about it too much :thumbup2:


EDIT: There's also a few new files I've noticed pop up directly on c:\ .. namely, boot.bak, cmldr, and IPH.PH ... are those files from the various scanners we've run, or?


Erm.. You mean new files right?.. Can you give me more details about it?.. About those file?.. Are they hidden files? Their names and so on..

As for those three files, they are the Recovery Console files that were installed by ComboFix earlier..



Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#11 sparky310
  • Topic Starter

  • Members
  • 16 posts

Posted 14 February 2009 - 03:52 AM

The files I was referencing are the three I specifically mentioned (boot.bak, cmldr, and IPH.PH). They are new from after we started running the scanners, yes. IPH.PH is a 2KB hidden file, cmldr is a 255KB file that is not hidden, and Boot.bak is a 1KB file that is also not hidden. They're not in any sub-directory or anything, just right on c:. You're saying those are just some of the backup files created by the scanners, though, nothing to worry about?

Seems to be functioning just fine. The redirects and pop-ups while surfing with firefox/IE seem to be gone.

So the three files that the online scanner found and deleted were files that had already been caught and quarantined? Or so I assume from the file path that the log gave.

I turned the real time Avast! scanners back on, reenabled the Windows firewall, and will be updating Spybot, MBAM, Avast!, and Windows tomorrow. Once I finish with that I figure I'll run a defrag (haven't run it in eons, and with all the downloading, installing, deleting, etc. seems like a good time, no?). Is there anything else you'd suggest I do to safeguard the computer? Or different scanners you'd use besides Avast!, Spybot, and MBAM? I believe I've seen one by the name of Spyware Blaster or something to that effect highly recommended here?

#12 fenzodahl512

  • Members
  • 6,738 posts

Posted 14 February 2009 - 06:52 AM

Personally, I feel what you have in your computer is good enough.. In addition, I want to suggest you use a third-party firewall, which is a lot better than the Windows internal firewall.. There are a lot of excellent third-party firewalls out there, but for the sake of simplicity, I only recommend these two free and excellent firewalls.. Just install ONLY ONE of them..

About those three files, if you have any doubt, just upload them (one at a time) at VirusTotal and post the result here..


Do you have any more questions? :thumbup2:



#13 fenzodahl512

  • Members
  • 6,738 posts

Posted 25 February 2009 - 07:47 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
