
At wits end with VRT*.TMP/DD*.TMP


  • This topic is locked
5 replies to this topic

#1 Nicholas Basso


  • Members
  • 90 posts

Posted 19 February 2009 - 02:24 AM

Have been a, well, self-styled security-conscious user for some time.
Anything I do not explicitly trust is usually run in a VMWare process or not run at all.

However, the other night, I somehow opened something (missed an icon and hit another) and, well, depressingly saw no window open up and no visible behavior on the system. Recognizing the error of my ways, I immediately brought out good ol' UBCD4W and proceeded to perform a pre-emptive surgical attack on the system.
Some time later, having found a few bits of minor annoyance that were removed, I rebooted into the system.
Now the Avast AV shield, on startup, warns me of VRT1.tmp regularly.
This file is located in %Windir%/Temp.
Also sometimes it may be VRT*.tmp, where * may be one or two numbers.
Also, DD*.tmp, and various others have found their way into the party.

I have found some misbehaviors in Firewall and other programs, and sadly some programs are unable to load their assorted runtimes any longer. Wherefore art thou, runtimes? ;)

Removal of the threat through UBCD4W or SM/Networking has been fruitless, and I am unable to find ANYTHING using Autoruns or assorted utilities.

EDIT: As I posted this I noticed an entry titled "xccef090131.exe". Upon bringing it up in Explorer, Avast took it upon itself to advise annihilation of the intruder. Sadly, I hit upon my instinctual Alt+D key combination and deleted the beast, but I have no doubt its ugly head shall once again be reared.
Also, attached, attach.txt.

So without further ado, DDS.TXT and attached Attach.txt:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Gedrean at 2:09:26.01 on Thu 02/19/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1474 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090218-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

D:\WINDOWS.0\system32\Ati2evxx.exe
D:\WINDOWS.0\system32\svchost -k DcomLaunch
D:\WINDOWS.0\system32\svchost -k rpcss
D:\WINDOWS.0\System32\svchost.exe -k netsvcs
D:\WINDOWS.0\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS.0\system32\Ati2evxx.exe
D:\WINDOWS.0\system32\svchost.exe -k NetworkService
D:\WINDOWS.0\Explorer.EXE
D:\WINDOWS.0\system32\svchost.exe -k LocalService
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS.0\system32\taskswitch.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\PeerGuardian2\pg2.exe
D:\Program Files\Semagic\LiveJournalU.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS.0\system32\svchost.exe -k imgsvc
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\WINDOWS.0\System32\alg.exe
D:\WINDOWS.0\System32\svchost.exe -k HTTPFilter
D:\Program Files\Trillian\trillian.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Documents and Settings\Gedrean.FOX-DEMONS\Desktop\dds.scr
D:\WINDOWS.0\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] d:\windows.0\system32\ctfmon.exe
uRun: [uTorrent] "d:\program files\utorrent\uTorrent.exe"
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "d:\program files\common files\nero\lib\NMIndexStoreSvr.exe"

ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [PeerGuardian] d:\program files\peerguardian2\pg2.exe
uRun: [Semagic] d:\program files\semagic\LiveJournalU.exe
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [UnlockerAssistant] "d:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [NVMixerTray] "d:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] d:\program files\common files\nero\lib\NeroCheck.exe
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CoolSwitch] d:\windows.0\system32\taskswitch.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoActiveDesktop = 00000000
uPolicies-explorer: NoActiveDesktopChanges = 00000000
uPolicies-explorer: NoSMMyPictures = 01000000
IE: Copy to Semagic - d:\documents and settings\gedrean.fox-demons\my documents\LJ Entriescopy.htm
IE: Semagic - d:\documents and settings\gedrean.fox-demons\my documents\LJ Entrieslink.htm
IE: Send to &Bluetooth Device... - d:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows.0\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\gedrea~1.fox\applic~1\mozilla\firefox\profiles\ug16h7hb.default\

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;d:\windows.0\system32\drivers\nvcchflt.sys [2008-8-26 16640]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;d:\windows.0\system32\drivers\SI3112r.sys [2008-8-26 110128]
R1 aswSP;avast! Self Protection;d:\windows.0\system32\drivers\aswSP.sys [2008-10-27 114768]
R2 aswFsBlk;aswFsBlk;d:\windows.0\system32\drivers\aswFsBlk.sys [2008-10-27 20560]
R2 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast4\ashServ.exe [2008-10-27 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast4\ashWebSv.exe [2008-10-27 352920]
S0 3112Rx47;3112Rx47;d:\windows.0\system32\drivers\3112Rx47.sys [2008-6-19 110128]
S3 QCEmerald;Logitech QuickCam Web;d:\windows.0\system32\drivers\OVCE.sys [2009-1-8 31872]

=============== Created Last 30 ================

2009-02-19 02:05 <DIR> --d----- d:\program files\Trend Micro
2009-02-19 01:53 <DIR> --d----- d:\program files\DVDFab 5
2009-02-18 23:14 71 a------- d:\windows.0\DiskPie95.ini
2009-02-17 15:42 717,296 a------- d:\windows.0\system32\drivers\sptd.sys
2009-02-17 15:36 <DIR> --d----- d:\program files\DAEMON Tools Lite
2009-02-16 13:29 155,216 a------- d:\windows.0\system\xccef090131.exe
2009-02-16 13:29 361 a------- d:\windows.0\xccwinsys.ini
2009-02-16 13:29 <DIR> --d----- d:\windows.0\system32\inf
2009-02-12 19:37 <DIR> --d--r-- d:\program files\Skype
2009-02-02 12:58 <DIR> --d----- d:\docume~1\alluse~1.0\applic~1\2DBoy
2009-02-02 12:57 <DIR> --d----- d:\program files\WorldOfGoo
2009-01-31 15:22 <DIR> --d----- d:\program files\Universal Extractor
2009-01-31 12:54 <DIR> --d----- d:\program files\BeRoTrackerClassic
2009-01-31 10:57 <DIR> --d----- d:\documents and settings\gedrean.fox-demons\.psycle
2009-01-31 10:56 4,445 a------- d:\windows.0\PsycleKeys.INI
2009-01-31 10:55 <DIR> --d----- d:\program files\Psycle
2009-01-31 10:30 <DIR> --d----- d:\program files\Audacity
2009-01-30 17:00 <DIR> --d----- d:\docume~1\alluse~1.0\applic~1\Nokia
2009-01-30 16:53 18,816 a------- d:\windows.0\system32\drivers\pccsmcfd.sys
2009-01-30 16:53 <DIR> --d----- d:\program files\PC Connectivity Solution
2009-01-30 16:52 90,624 a------- d:\windows.0\system32\nmwcdcls.dll
2009-01-30 16:09 60,032 a------- d:\windows.0\system32\drivers\USBAUDIO.sys
2009-01-30 15:51 <DIR> --d----- d:\docume~1\gedrea~1.fox\applic~1\REALbasic
2009-01-30 15:50 <DIR> --d----- d:\program files\REAL Software
2009-01-29 11:02 <DIR> --d-h--- d:\windows.0\PIF
2009-01-29 09:58 <DIR> --d----- d:\windows.0\Modio
2009-01-29 08:12 22,016 a------- d:\windows.0\system32\rrspy.sys
2009-01-29 08:12 18,944 a------- d:\windows.0\system32\rrspy64.sys
2009-01-29 08:12 <DIR> --d----- d:\program files\Registrar Registry Manager
2009-01-26 15:47 <DIR> --d----- d:\program files\Mozilla XULRunner
2009-01-25 16:40 <DIR> --d----- d:\docume~1\gedrea~1.fox\applic~1\MozillaControl
2009-01-25 15:33 <DIR> --d----- d:\program files\Semagic
2009-01-22 09:32 4,608 a--sh--- d:\windows.0\system32\Thumbs.db

==================== Find3M ====================

2009-01-16 11:24 3,596,288 -------- d:\windows.0\system32\dllcache\mshtml.dll
2009-01-08 16:43 270,336 -------- d:\windows.0\Setup1.exe
2009-01-08 16:43 90,112 a------- d:\windows.0\ST6UNST.EXE
2008-12-21 19:37 107,888 a------- d:\windows.0\system32\CmdLineExt.dll
2008-12-20 18:56 827,904 a------- d:\windows.0\system32\wininet.dll
2008-12-20 18:56 827,904 -------- d:\windows.0\system32\dllcache\wininet.dll
2008-12-19 04:41 13,824 -------- d:\windows.0\system32\dllcache\ieudinit.exe
2008-12-19 04:41 70,656 -------- d:\windows.0\system32\dllcache\ie4uinit.exe
2008-12-19 00:25 634,024 -------- d:\windows.0\system32\dllcache\iexplore.exe
2008-12-19 00:24 161,792 -------- d:\windows.0\system32\dllcache\ieakui.dll
2008-12-18 17:52 35,827 a------- d:\windows.0\DIIUnin.dat
2008-12-18 17:48 114,688 a------- d:\windows.0\DIIUnin.exe
2008-12-18 17:48 2,829 a------- d:\windows.0\DIIUnin.pif
2008-12-14 12:48 410,984 a------- d:\windows.0\system32\deploytk.dll
2008-12-11 05:57 333,952 -------- d:\windows.0\system32\dllcache\srv.sys
2008-10-25 23:56 16,384 a--sh--- d:\windows.0\system32\config\systemprofile\cookies\index.dat
2008-10-25 23:56 32,768 a--sh--- d:\windows.0\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-10-25 23:56 32,768 a--sh--- d:\windows.0\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102620081027\index.dat
2008-10-25 23:56 32,768 a--sh--- d:\windows.0\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 2:09:38.18 ===============



#2 Nicholas Basso

  • Topic Starter

  • Members
  • 90 posts

Posted 20 February 2009 - 04:12 PM

Alright, I'm not bumping, but I am posting new information. Besides, other entries (that were made after mine) have already been served, so I am left to wonder if my post was passed up. But aside from that:

Avast updated itself today. Now /everything/ short of Firefox (which I post now with) is claiming to be infected with Win32/Vitro.
Doesn't seem to be false positives either - it caught a notepad.exe but if I run notepad.exe it still runs without so I think it's a double program.
Looking it up, it's made by the folks who made Win32/Virut -- VRT sounds like it's attached to the Virut virus so I believe myself to be possibly infected with Virut/Vitro to explain the files I have been finding.

It seems to be in programs like wmplayer and notepad.exe - very odd.
I will repost a new DDS Log and attach.txt if desired.

The Xccef etc. files are not currently part of the issue - in fact I think they may have been neutralized by Avast finding about a dozen hits right before this VRT issue cropped up - Avast may have killed whatever referenced them.

Just to be safe I renamed the questionable files using UBCD4W - system booted up fine and they remain but as .*.vir files now instead of their original extensions.

Still cannot find the culprits here but Avast has gone nuts over the last few... minutes.
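Added example, not part of the thread or of any poster's words: one low-cost check for the behaviour reported above, a program that the scanner flags as infected yet still runs. An infector that appends itself to an executable (the mechanism post #3 describes for Virut) leaves bytes beyond the end of the last section recorded in the PE section table. The Python below computes that "overlay" size from the headers alone; the minimal PE it builds for its own demonstration is constructed here and is not a real binary. A non-zero overlay is not a verdict: installers, self-extracting archives and Authenticode-signed files carry legitimate overlays, and an infector that writes into an existing section's slack space is invisible to this check. Use it to decide which files to compare against a known-clean copy, not to declare files clean.

```python
"""Heuristic for an appending file infector: bytes past the last PE section.

Added example, not from the thread. Only the raw-data bounds in the section
table are consulted; code written inside an existing section is not seen.
"""
import struct


def pe_section_end(data: bytes) -> int:
    """Return the file offset just past the last section's raw data, or -1 if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    # COFF file header follows the signature: NumberOfSections at +6 and
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = table + i * 40
        if hdr + 40 > len(data):
            return -1                       # truncated section table: not parseable
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes after the last section; -1 when the file is not a parseable PE."""
    end = pe_section_end(data)
    if end < 0:
        return -1
    return max(0, len(data) - end)


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one 0x200-byte section (fixture only, not a real binary)."""
    e_lfanew = 0x40
    opt_size = 0xE0                                      # PE32 optional header size
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, no timestamp/symbols, optional header size, EXECUTABLE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)  # Magic=PE32, rest zeroed
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then zeros.
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    headers = dos + coff + opt + sect
    headers += bytes(0x200 - len(headers))
    return headers + bytes([0xC3]) * 0x200 + overlay     # 0x200 bytes of RET, then any overlay


def scan(paths):
    """Yield (path, overlay_size) for every file that is unparseable or has an overlay."""
    for p in paths:
        with open(p, "rb") as f:
            size = overlay_size(f.read())
        if size != 0:
            yield p, size


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_pe()), ("appended", build_sample_pe(b"\x90" * 300))):
        print(label, "overlay bytes:", overlay_size(blob))
```

Run scan() over a list of .exe/.scr paths from a rescue environment; files it reports are candidates for a hash comparison against the vendor's original, not confirmed infections.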

#3 extremeboy


  • Malware Response Team
  • 12,975 posts

Posted 23 February 2009 - 09:00 PM

Hello.

You have a nasty infection called "Virut".

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean Reinstall or Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Tell me what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

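Added example, not from the thread: a script that applies the backup rule in the post above mechanically, so nothing infectable rides along onto the backup medium. It copies a tree while refusing .exe, .scr, .htm and .html files outright, opens .zip archives and refuses any that contain such members, and refuses .cab/.rar (which the standard library cannot inspect) rather than trusting them. The sample tree built by demo() is constructed for illustration. Extension filtering is only as good as the extensions: a renamed executable or an archive nested inside a .zip passes, so the lists of refused files in the report are worth reading before the copy is trusted.

```python
"""Copy user data off an infected volume while refusing everything Virut
can infect. Added example; the sample tree in demo() is constructed."""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

INFECTABLE = {".exe", ".scr", ".htm", ".html"}   # never copied, per the advice in the post
ARCHIVES_INSPECTED = {".zip"}                     # opened and checked member by member
ARCHIVES_SKIPPED = {".cab", ".rar"}               # cannot be inspected with the stdlib: refused


def classify(path: Path) -> str:
    """Return 'copy', 'skip-infectable', 'skip-archive' or 'skip-unreadable'."""
    ext = path.suffix.lower()
    if ext in INFECTABLE:
        return "skip-infectable"
    if ext in ARCHIVES_SKIPPED:
        return "skip-archive"
    if ext in ARCHIVES_INSPECTED:
        try:
            with zipfile.ZipFile(path) as zf:
                # A single infectable member condemns the whole archive.
                if any(Path(n).suffix.lower() in INFECTABLE for n in zf.namelist()):
                    return "skip-archive"
        except zipfile.BadZipFile:
            return "skip-unreadable"         # corrupt or not really a zip: do not guess
    return "copy"


def backup(src: Path, dst: Path) -> dict:
    """Walk src, copy eligible files to dst preserving relative paths, return every decision."""
    report = {"copy": [], "skip-infectable": [], "skip-archive": [], "skip-unreadable": []}
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src)
            verdict = classify(p)
            report[verdict].append(rel.as_posix())
            if verdict == "copy":
                target = dst / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(p, target)
    return report


def demo() -> dict:
    """Constructed sample tree: documents, executables, a web page, good/bad/broken archives."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "src", base / "dst"
    sample = {
        "docs/report.txt": b"quarterly numbers",
        "docs/photo.jpg": b"\xff\xd8\xff",
        "tools/setup.exe": b"MZ",
        "tools/saver.scr": b"MZ",
        "web/page.html": b"<html></html>",
        "old.rar": b"Rar!",
        "broken.zip": b"PK\x03\x04" + b"no central directory here " * 2,
    }
    for rel, content in sample.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    with zipfile.ZipFile(src / "bundle.zip", "w") as zf:
        zf.writestr("readme.txt", "notes")
        zf.writestr("bin/tool.exe", "MZ")        # executable hidden in an archive: refused
    with zipfile.ZipFile(src / "clean.zip", "w") as zf:
        zf.writestr("notes.txt", "only text")
    result = backup(src, dst)
    copied = sorted(q.relative_to(dst).as_posix() for q in dst.rglob("*") if q.is_file())
    assert copied == sorted(result["copy"])       # what landed on disk matches the report
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict}: {files}")
```

For a real run, call backup(Path("D:/Documents and Settings"), Path("E:/backup")) from the rescue environment and keep the returned report with the backup so the refused files are known before the reinstall.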

#4 Nicholas Basso

  • Topic Starter

  • Members
  • 90 posts

Posted 24 February 2009 - 12:25 AM

Yeah that was the result of my research as well. I have begun performing a backup from UBCD4W, and a standalone DVD Burner program that was put in only running UBCD4W.
Luckily the first step I did was "corrupt" out all options in the boot.ini to prevent the core OS from loading until I am prepared to reload it.

How fun.

Been scanning for about an hour now and already 400+ infections on one of two HDDs.

I'm in for a long job.

#5 extremeboy


  • Malware Response Team
  • 12,975 posts

Posted 24 February 2009 - 03:50 PM

Hello.

Yes, a format/reinstall would be a good option. Be careful when you are backing up right now. You don't want to get it again, do you?

Below are just some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks and Trojans use methods (plugged by the updates) that have not been stopped because people do not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck!

With Regards,
Extremeboy

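Added example, not from the thread: a read-only parser for AUTORUN.INF that reports what the file would launch, for triage of a suspect drive without ever double-clicking it. The quoted explanation above separates Autorun, Autoplay and the double-click on the drive icon; in the file those correspond to the open= and shellexecute= keys and to shell\<verb>\command entries, with shell= naming the default verb that a double-click runs. Both INF samples below are constructed for the example; the key names are the standard autorun.inf keys. The post's note that a disabled Autorun may still fire on double-click is the reason to read the file from a command prompt or a rescue environment rather than from My Computer.

```python
"""Read-only triage of an AUTORUN.INF: what would Autorun, Autoplay or a
double-click on the drive icon execute? Added example; samples are constructed."""
import re

LAUNCH_KEYS = ("open", "shellexecute")                   # run by Autorun / Autoplay
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")    # run from the drive's context menu / double-click

# Constructed sample of the layout USB worms use: every vector points at one hidden executable.
SAMPLE = r"""[AutoRun]
; constructed sample, not a real worm
open=recycler\setup.exe
shellexecute=recycler\setup.exe
shell\open\command=recycler\setup.exe
shell\explore\command=recycler\setup.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=My Stick
"""

# Constructed sample of a harmless INF: only cosmetics, nothing to run.
BENIGN = r"""[autorun]
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section; keys are case-insensitive, lines without '=' are counted, not fatal."""
    info = {"launches": [], "shell_verbs": {}, "default_verb": None,
            "icon": None, "label": None, "junk_lines": 0}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun":
            continue                      # only the [autorun] section carries launch keys
        if "=" not in line:
            info["junk_lines"] += 1       # padding or garbage is tolerated so a cluttered file still parses
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in LAUNCH_KEYS:
            info["launches"].append((key, value))
        elif key == "shell":
            info["default_verb"] = value.lower()   # verb a double-click on the drive runs
        elif key == "icon":
            info["icon"] = value
        elif key == "label":
            info["label"] = value
        else:
            m = SHELL_CMD.match(key)
            if m:
                info["shell_verbs"][m.group(1).lower()] = value
    return info


def launch_targets(info: dict) -> list:
    """Every distinct command the INF could cause to run, sorted."""
    targets = {v for _, v in info["launches"]} | set(info["shell_verbs"].values())
    return sorted(targets)


def report(info: dict) -> list:
    """Human-readable lines for a triage note."""
    lines = [f"label={info['label']!r} icon={info['icon']!r}"]
    for key, value in info["launches"]:
        lines.append(f"{key}= would run: {value}")
    for verb, cmd in info["shell_verbs"].items():
        flag = " (default verb: runs on double-click)" if verb == info["default_verb"] else ""
        lines.append(f"shell\\{verb}\\command would run: {cmd}{flag}")
    lines.append(f"unparsed lines: {info['junk_lines']}")
    return lines


if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, "->", launch_targets(parse_autorun(text)))
        print("\n".join(report(parse_autorun(text))))
```

A non-empty launch_targets() list is not itself a verdict (a driver CD legitimately uses open=); what matters is where the target lives and whether it belongs there. Read the file with open(r"E:\autorun.inf", encoding="latin-1").read() from a prompt, never by browsing the drive.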

#6 extremeboy


  • Malware Response Team
  • 12,975 posts

Posted 24 February 2009 - 03:51 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy




