Rootkit - ZoneAlarm being tweaked by rogue process


This topic is locked
6 replies to this topic

#1 Maj. Matt Mason (Members, 10 posts, California)

Posted 22 February 2009 - 03:33 PM

After visiting an infected website, over 1000 .EXE files had been altered (but their dates were not changed). Multiple viruses, rootkits and the like were showing up.

I pulled the HD and booted an older one to diagnose it. I deleted all files created at the time I went to the website. I then ran the antivirus, but was unable to clean the files and so I had to replace them almost one at a time! For the files I did not have, I just had to reinstall the apps and hope for the best. I was also able to load the infected registry into Regedit and pull out some of the more obvious changes. After doing what I could, I pulled out the backup drive and booted the system. I then spent the next couple of days going over everything I could think of, deleting suspicious-looking files and scanning and rescanning for viruses, spyware, and rootkits.

Just when I thought I might have gotten it all, I noticed something very strange. ZoneAlarm would have entries in its program list for EVERY app I launched, even the command window and Notepad! But it never reported accesses to the internet. After several hours of searching, I found Jestertb.dll in the Windows directory and removed it. I also tried uninstalling ZoneAlarm and then manually going through both the registry and HD, deleting all of the leftover pieces. I then reinstalled it, and for at least a few hours, it appeared to fix the problem, but it soon returned, adding programs like Notepad and task manager to the program list. One thing to note, if I deleted an item like cmd.exe from the list, it just would not return the next time I launched it. It would wait until I ran something like Tracert and then add Tracert AND cmd.exe to the list. With Notepad, it only added it to the list when I printed a document from it (I have an IP printer). ZoneAlarm never placed a pop up warning me that items like Notepad were trying to access the network, it only added it to the program list.

I ran Sophos Anti-Rootkit and it found two hidden registry entries:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext
HKEY_USERS\S-1-5-18\Software\Microsoft\WindowsNT\CurrentVersion\Windows\load


When I opened Regedit and looked at the entry for the second item, the load value was "missing". I created a new load value (empty) and ran the scan again and found that entry was fixed. I then added the Ext key and ran the scan again and found this hidden entry:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings

I kept adding the entries and rescanning, progressively finding more until it finally came up with this:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4EDCB26C-D24C-4e72-AF07-B576699AC0DE}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7584c670-2274-4efb-b00b-d6aaba6d3850}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}]
"Flags"=dword:00000001
"Version"="*"


If I deleted the Ext key, the scan would again show it as hidden. If I delete any of the subkeys, they show back up as hidden.

In poking around the registry, I discovered that HKLM\SYSTEM\CurrentControlSet\Services\VxD appears to be "missing". Scans with Sophos Anti-Rootkit and RootkitRevealer don't show anything, but I would think that the entry should be there and populated with something.

Occasionally, I find the W32/Virut.n.gen virus when scanning with McAfee and clean the infected files.

I also found ERDNT.EXE, which did not show as a virus, but deleted anyway as an internet search indicated it was probably a trojan.

Skydie has been very helpful in assisting with this and had me run Malwarebytes and SuperAntiSpyware, which themselves never found anything, but did trip McAfee a few times on some files with W32/Virut.n.gen.

P.S. I just ran an F-Secure online scan and found a VNC-based remote admin program (the online scan would not be more specific, not even what file was cleaned).

P.P.S. I have gotten a couple of reports that I sent email out with the W32/Netsky B@MM!zip virus. I may or may not also still be a victim of a botnet as well.

Below is the DDS log file:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jeff at 11:59:56.51 on Sun 02/22/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1148 [GMT -8:00]

FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
D:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
D:\WINDOWS\system32\vmnat.exe
D:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
D:\Program Files\VMware\VMware Server\vmware-authd.exe
D:\WINDOWS\system32\vmnetdhcp.exe
D:\Program Files\VMware\VMware Server\vmware-hostd.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\regedit.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Jeff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ShStatEXE] "d:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Ad-Watch] d:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - d:\program files\iogear\bluetooth software\BTTray.exe
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - d:\program files\iogear\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\program files\iogear\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: d:\program files\vmware\vmware server\vsocklib.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228881448890
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228881407828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
TCP: {8A2E8CD6-B42F-46FF-82CD-D2A252CE193F} = 192.168.0.1
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PCANotify - PCANotify.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\deltanet\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\jeff\applic~1\mozilla\firefox\profiles\qsdzgvob.default\
FF - plugin: d:\windows\system32\npmirage.dll
FF - plugin: d:\windows\system32\NPSWF32.dll
FF - plugin: d:\windows\system32\npwmsdrm.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-2-5 64160]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;d:\windows\system32\drivers\Si3124r5.sys [2008-11-14 207152]
R0 SiWinAcc;SiWinAcc;d:\windows\system32\drivers\SiWinAcc.sys [2008-11-14 17328]
R1 AW_HOST;AW_HOST;d:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]
R1 awlegacy;awlegacy;d:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R1 NaiAvTdi1;NaiAvTdi1;d:\windows\system32\drivers\mvstdi5x.sys [2008-11-15 59904]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 vsdatant;vsdatant;d:\windows\system32\vsdatant.sys [2009-2-21 353680]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 McAfeeFramework;McAfee Framework Service;d:\program files\network associates\common framework\FrameworkService.exe [2009-2-15 102463]
R2 McShield;Network Associates McShield;d:\program files\network associates\virusscan\Mcshield.exe [2007-11-26 221191]
R2 McTaskManager;Network Associates Task Manager;d:\program files\network associates\virusscan\VsTskMgr.exe [2007-11-26 29184]
R2 vmci;VMware vmci;d:\windows\system32\drivers\vmci.sys [2008-10-12 54960]
R2 VMwareHostd;VMware Host Agent;d:\program files\vmware\vmware server\vmware-hostd.exe [2008-10-12 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;d:\program files\vmware\vmware server\tomcat\bin\tomcat6.exe [2008-10-12 57344]
R2 vsmon;TrueVector Internet Monitor;d:\windows\system32\zonelabs\vsmon.exe -service --> d:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 NaiAvFilter1;NaiAvFilter1;d:\windows\system32\drivers\naiavf5x.sys [2008-11-15 117024]
S2 SATARaid5 Config Service;SATARaid5 Configuration Service;"d:\program files\silicon image\3124-w-i32-r sataraid5\sataraid5configservice.exe" --> d:\program files\silicon image\3124-w-i32-r sataraid5\SATARaid5ConfigService.exe [?]
S3 awhost32;Symantec pcAnywhere Host Service;d:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]
S3 MEMSWEEP2;MEMSWEEP2;\??\d:\windows\system32\3.tmp --> d:\windows\system32\3.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;d:\windows\system32\drivers\motccgp.sys [2008-11-16 18688]
S3 motccgpfl;MotCcgpFlService;d:\windows\system32\drivers\motccgpfl.sys [2008-11-16 8320]
S3 MotDev;Motorola Inc. USB Device;d:\windows\system32\drivers\motodrv.sys [2008-11-16 42112]
S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 vmwriter;VMware VSS Writer;d:\program files\vmware\vmware server\vmVssWriter.exe [2008-10-12 29744]

=============== Created Last 30 ================

2009-02-22 11:59 <DIR> --d----- d:\temp\RarSFX0
2009-02-22 11:30 <DIR> --d----- d:\temp\plugtmp
2009-02-22 11:05 16,384 a------t d:\temp\Perflib_Perfdata_d58.dat
2009-02-22 10:01 16,384 a------t d:\temp\Perflib_Perfdata_9e4.dat
2009-02-22 10:01 16,384 a------t d:\temp\Perflib_Perfdata_938.dat
2009-02-22 03:37 16,384 a------t d:\temp\Perflib_Perfdata_920.dat
2009-02-21 20:54 <DIR> --d----- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-21 20:53 <DIR> --d----- d:\program files\SUPERAntiSpyware
2009-02-21 20:53 <DIR> --d----- d:\docume~1\jeff\applic~1\SUPERAntiSpyware.com
2009-02-21 19:49 16,384 a------t d:\temp\Perflib_Perfdata_9e0.dat
2009-02-21 19:48 16,384 a------t d:\temp\Perflib_Perfdata_918.dat
2009-02-21 12:17 1,221,008 a------- d:\windows\system32\zpeng25.dll
2009-02-21 12:17 <DIR> --d----- d:\windows\system32\ZoneLabs
2009-02-21 12:17 <DIR> --d----- d:\program files\Zone Labs
2009-02-21 12:17 348,371 a------- d:\windows\system32\vsconfig.xml
2009-02-21 11:02 <DIR> --d-h--- d:\windows\system32\GroupPolicy
2009-02-20 07:44 <DIR> --d----- d:\program files\Sophos
2009-02-19 20:57 <DIR> --d----- d:\docume~1\jeff\applic~1\Malwarebytes
2009-02-19 20:57 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-02-19 20:57 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 20:57 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-19 20:57 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-02-18 17:56 116,224 ac------ d:\windows\system32\dllcache\xrxwiadr.dll
2009-02-18 17:56 23,040 ac------ d:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-18 17:56 18,944 ac------ d:\windows\system32\dllcache\xrxscnui.dll
2009-02-18 17:56 16,970 ac------ d:\windows\system32\dllcache\xem336n5.sys
2009-02-18 17:56 19,455 ac------ d:\windows\system32\dllcache\wvchntxx.sys
2009-02-18 17:56 12,063 ac------ d:\windows\system32\dllcache\wsiintxx.sys
2009-02-18 17:56 8,192 ac------ d:\windows\system32\dllcache\wshirda.dll
2009-02-18 17:54 11,871 ac------ d:\windows\system32\dllcache\wadv09nt.sys
2009-02-18 17:53 7,556 ac------ d:\windows\system32\dllcache\usroslba.sys
2009-02-18 17:52 211,968 ac------ d:\windows\system32\dllcache\um54scan.dll
2009-02-18 17:51 230,912 ac------ d:\windows\system32\dllcache\tosdvd03.sys
2009-02-18 17:50 16,256 ac------ d:\windows\system32\dllcache\symc810.sys
2009-02-18 17:49 24,660 ac------ d:\windows\system32\dllcache\spxupchk.dll
2009-02-18 17:48 24,576 ac------ d:\windows\system32\dllcache\smc8000n.sys
2009-02-18 17:47 68,608 ac------ d:\windows\system32\dllcache\sis6306p.sys
2009-02-18 17:46 23,936 ac------ d:\windows\system32\dllcache\sccmn50m.sys
2009-02-18 17:45 19,017 ac------ d:\windows\system32\dllcache\rtl8029.sys
2009-02-18 17:44 40,448 ac------ d:\windows\system32\dllcache\ql1240.sys
2009-02-18 17:43 92,416 ac------ d:\windows\system32\dllcache\phildec.sys
2009-02-18 17:42 20,480 ac------ d:\windows\system32\dllcache\ovcomc.dll
2009-02-18 17:41 9,344 ac------ d:\windows\system32\dllcache\ntapm.sys
2009-02-18 17:40 75,520 ac------ d:\windows\system32\dllcache\mxport.sys
2009-02-18 17:39 17,280 ac------ d:\windows\system32\dllcache\mraid35x.sys
2009-02-18 17:39 16,128 ac------ d:\windows\system32\dllcache\modemcsa.sys
2009-02-18 17:39 6,528 ac------ d:\windows\system32\dllcache\miniqic.sys
2009-02-18 17:39 320,384 ac------ d:\windows\system32\dllcache\mgaum.sys
2009-02-18 17:39 235,648 ac------ d:\windows\system32\dllcache\mgaud.dll
2009-02-18 17:39 26,112 ac------ d:\windows\system32\dllcache\memstpci.sys
2009-02-18 17:39 47,616 ac------ d:\windows\system32\dllcache\memgrp.dll
2009-02-18 17:39 8,320 ac------ d:\windows\system32\dllcache\memcard.sys
2009-02-18 17:39 164,586 ac------ d:\windows\system32\dllcache\mdgndis5.sys
2009-02-18 17:39 7,424 ac------ d:\windows\system32\dllcache\mammoth.sys
2009-02-18 17:39 48,768 ac------ d:\windows\system32\dllcache\maestro.sys
2009-02-18 17:39 58,880 ac------ d:\windows\system32\dllcache\m3092dc.dll
2009-02-18 17:39 58,368 ac------ d:\windows\system32\dllcache\m3091dc.dll
2009-02-18 17:37 8,192 ac------ d:\windows\system32\dllcache\kbdkor.dll
2009-02-18 17:36 372,824 ac------ d:\windows\system32\dllcache\iconf32.dll
2009-02-18 17:35 58,592 ac------ d:\windows\system32\dllcache\i740nt5.sys
2009-02-18 17:34 5,760 ac------ d:\windows\system32\dllcache\hpt4qic.sys
2009-02-18 17:33 322,432 ac------ d:\windows\system32\dllcache\g400m.sys
2009-02-18 17:32 45,568 ac------ d:\windows\system32\dllcache\esunib.dll
2009-02-18 17:31 26,141 ac------ d:\windows\system32\dllcache\el589nd5.sys
2009-02-18 17:30 103,044 ac------ d:\windows\system32\dllcache\digidxb.sys
2009-02-18 17:29 10,240 ac------ d:\windows\system32\dllcache\compbatt.sys
2009-02-18 17:28 13,824 ac------ d:\windows\system32\dllcache\bulltlp3.sys
2009-02-18 17:27 28,672 ac------ d:\windows\system32\dllcache\atinsnxx.sys
2009-02-18 17:26 12,288 ac------ d:\windows\system32\dllcache\4mmdat.sys
2009-02-18 17:26 689,216 ac------ d:\windows\system32\dllcache\3dfxvs.dll
2009-02-18 17:26 148,352 ac------ d:\windows\system32\dllcache\3dfxvsm.sys
2009-02-18 17:26 762,780 ac------ d:\windows\system32\dllcache\3cwmcru.sys
2009-02-18 17:26 11,264 ac------ d:\windows\system32\dllcache\1394vdbg.sys
2009-02-18 17:26 66,048 ac------ d:\windows\system32\dllcache\s3legacy.dll
2009-02-18 16:43 161,792 a------- d:\windows\SWREG.exe
2009-02-18 16:43 98,816 a------- d:\windows\sed.exe
2009-02-18 16:03 <DIR> --d----- d:\temp\hsperfdata_SYSTEM
2009-02-18 15:54 <DIR> --d----- D:\TEMP
2009-02-18 12:25 <DIR> --d----- d:\program files\Trend Micro
2009-02-17 23:56 <DIR> --d----- d:\program files\MediaInfo
2009-02-17 23:24 <DIR> --d----- d:\docume~1\alluse~1\applic~1\eFax Messenger 4.4 Output
2009-02-17 23:21 326,192 a------- d:\windows\system32\vmnetdhcp.exe
2009-02-17 23:21 399,920 a------- d:\windows\system32\vmnat.exe
2009-02-17 23:21 26,288 a------- d:\windows\system32\drivers\vmnetuserif.sys
2009-02-17 23:20 723,504 a------- d:\windows\system32\vnetlib.dll
2009-02-17 22:24 <DIR> --d----- d:\program files\RivaTuner v2.23
2009-02-17 16:55 <DIR> --d----- d:\docume~1\jeff\applic~1\McAfee
2009-02-16 23:18 <DIR> --d----- d:\windows\system32\XPSViewer
2009-02-16 23:17 1,676,288 -c------ d:\windows\system32\dllcache\xpssvcs.dll
2009-02-16 23:17 597,504 -c------ d:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-16 23:17 575,488 -c------ d:\windows\system32\dllcache\xpsshhdr.dll
2009-02-16 23:17 89,088 -c------ d:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-16 23:17 1,676,288 -------- d:\windows\system32\xpssvcs.dll
2009-02-16 23:17 575,488 -------- d:\windows\system32\xpsshhdr.dll
2009-02-16 23:17 117,760 -------- d:\windows\system32\prntvpt.dll
2009-02-16 23:17 <DIR> --d----- D:\8ea40eb0aca37a8849134682c277ee
2009-02-16 23:17 <DIR> --d----- d:\windows\SxsCaPendDel
2009-02-16 22:32 168,448 a------- d:\windows\system32\unrar.dll
2009-02-16 22:32 839,680 a------- d:\windows\system32\lameACM.acm
2009-02-16 22:32 118,784 a------- d:\windows\system32\ac3acm.acm
2009-02-16 22:32 414 a------- d:\windows\system32\lame_acm.xml
2009-02-16 22:32 217,088 a------- d:\windows\system32\yv12vfw.dll
2009-02-16 22:32 3,596,288 a------- d:\windows\system32\qt-dx331.dll
2009-02-16 22:32 795,648 a------- d:\windows\system32\xvidcore.dll
2009-02-16 22:32 130,048 a------- d:\windows\system32\xvidvfw.dll
2009-02-16 22:32 684,032 a------- d:\windows\system32\divx.dll
2009-02-16 22:32 86,016 a------- d:\windows\system32\dpl100.dll
2009-02-16 22:32 67,584 a------- d:\windows\system32\ff_vfw.dll
2009-02-16 22:32 547 a------- d:\windows\system32\ff_vfw.dll.manifest
2009-02-16 22:05 <DIR> --d----- d:\program files\Bonjour
2009-02-16 21:17 4,212 a---h--- d:\windows\system32\zllictbl.dat
2009-02-16 21:16 <DIR> --d----- d:\windows\Internet Logs
2009-02-16 15:15 <DIR> --dsh--- D:\found.000
2009-02-16 00:54 358,912 ac------ d:\windows\system32\dllcache\wmic.exe
2009-02-16 00:54 218,112 ac------ d:\windows\system32\dllcache\wmiprvse.exe
2009-02-16 00:54 196,608 ac------ d:\windows\system32\dllcache\wmiadap.exe
2009-02-16 00:54 126,464 ac------ d:\windows\system32\dllcache\wmiapsrv.exe
2009-02-16 00:54 116,224 ac------ d:\windows\system32\dllcache\wbemtest.exe
2009-02-16 00:54 36,352 ac------ d:\windows\system32\dllcache\scrcons.exe
2009-02-16 00:54 16,896 ac------ d:\windows\system32\dllcache\unsecapp.exe
2009-02-16 00:54 16,384 ac------ d:\windows\system32\dllcache\mofcomp.exe
2009-02-16 00:54 13,312 ac------ d:\windows\system32\dllcache\winmgmt.exe
2009-02-16 00:52 245,248 ac------ d:\windows\system32\dllcache\migwiz.exe
2009-02-16 00:52 241,152 ac------ d:\windows\system32\dllcache\migwiza.exe
2009-02-16 00:52 103,936 ac------ d:\windows\system32\dllcache\migload.exe
2009-02-16 00:46 51,200 ac------ d:\windows\system32\dllcache\oobebaln.exe
2009-02-16 00:46 29,184 ac------ d:\windows\system32\dllcache\msoobe.exe
2009-02-16 00:42 16,384 ac------ d:\windows\system32\dllcache\quser.exe
2009-02-16 00:40 9,728 ac------ d:\windows\system32\dllcache\comrepl.exe
2009-02-16 00:39 107,520 ac------ d:\windows\system32\dllcache\rsnotify.exe
2009-02-16 00:36 35,328 ac------ d:\windows\system32\dllcache\notiflag.exe
2009-02-16 00:36 169,984 ac------ d:\windows\system32\dllcache\msconfig.exe
2009-02-16 00:36 18,432 ac------ d:\windows\system32\dllcache\hscupd.exe
2009-02-16 00:36 769,024 ac------ d:\windows\system32\dllcache\helpctr.exe
2009-02-16 00:36 744,448 ac------ d:\windows\system32\dllcache\helpsvc.exe
2009-02-16 00:36 99,840 ac------ d:\windows\system32\dllcache\helphost.exe
2009-02-15 23:41 73,728 ac------ d:\windows\system32\dllcache\wmplayer.exe
2009-02-15 23:41 4,639 ac------ d:\windows\system32\dllcache\mplayer2.exe
2009-02-15 23:24 60,416 ac-s---- d:\windows\system32\dllcache\msimn.exe
2009-02-15 23:24 46,080 ac------ d:\windows\system32\dllcache\wab.exe
2009-02-15 23:16 42,577 ac------ d:\windows\system32\dllcache\bckgzm.exe
2009-02-15 23:16 42,575 ac------ d:\windows\system32\dllcache\chkrzm.exe
2009-02-15 23:16 42,574 ac------ d:\windows\system32\dllcache\rvsezm.exe
2009-02-15 23:16 42,573 ac------ d:\windows\system32\dllcache\shvlzm.exe
2009-02-15 23:16 42,573 ac------ d:\windows\system32\dllcache\hrtzzm.exe
2009-02-15 23:00 214,528 ac------ d:\windows\system32\dllcache\icwconn1.exe
2009-02-15 22:40 39,936 ac------ d:\windows\system32\dllcache\msinfo32.exe
2009-02-15 21:37 303,104 a------- d:\program files\DupFinder.exe
2009-02-15 17:26 332,800 a------- D:\wget.exe
2009-02-15 14:24 2,206 a------- d:\windows\system32\wpa.dbl
2009-02-14 08:45 <DIR> --d----- d:\program files\Seagate
2009-02-14 08:44 <DIR> --d----- d:\program files\common files\Wise Installation Wizard
2009-02-07 22:18 <DIR> --d----- d:\program files\Trivial Pursuit Choice
2009-02-07 22:18 <DIR> --d----- d:\docume~1\jeff\applic~1\Hasbro
2009-02-07 16:55 <DIR> --d----- d:\program files\VTFEdit
2009-02-06 23:17 <DIR> --d----- d:\docume~1\alluse~1\applic~1\ALM
2009-02-06 22:52 2,463,976 a------- d:\windows\system32\NPSWF32.dll
2009-02-06 22:52 190,696 a------- d:\windows\system32\NPSWF32_FlashUtil.exe
2009-02-06 22:37 <DIR> --d----- d:\program files\common files\Macrovision Shared
2009-02-06 08:07 15,688 a------- d:\windows\system32\lsdelete.exe
2009-02-05 18:26 64,160 a------- d:\windows\system32\drivers\Lbd.sys
2009-02-05 18:24 <DIR> -cd-h--- d:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-05 18:24 <DIR> --d----- d:\program files\Lavasoft

==================== Find3M ====================

2009-01-26 17:11 138,512 a------- d:\windows\system32\drivers\PnkBstrK.sys
2009-01-26 17:11 201,440 a------- d:\windows\system32\PnkBstrB.exe
2008-12-01 12:52 425,984 a------- d:\windows\system32\ATIDEMGX.dll
2008-12-01 12:51 318,464 a------- d:\windows\system32\ati2dvag.dll
2008-12-01 12:46 11,304,960 a------- d:\windows\system32\atioglxx.dll
2008-12-01 12:41 188,416 a------- d:\windows\system32\atipdlxx.dll
2008-12-01 12:40 147,456 a------- d:\windows\system32\Oemdspif.dll
2008-12-01 12:40 43,520 a------- d:\windows\system32\ati2edxx.dll
2008-12-01 12:40 143,360 a------- d:\windows\system32\ati2evxx.dll
2008-12-01 12:37 53,248 a------- d:\windows\system32\ATIDDC.DLL
2008-12-01 12:27 4,120,384 a------- d:\windows\system32\ati3duag.dll
2008-12-01 12:19 307,200 a------- d:\windows\system32\atiiiexx.dll
2008-12-01 12:11 2,495,360 a------- d:\windows\system32\ativvaxx.dll
2008-12-01 12:11 3,107,788 a------- d:\windows\system32\ativvaxx.dat
2008-12-01 12:11 3,107,788 a------- d:\windows\system32\ativva5x.dat
2008-12-01 12:11 887,724 a------- d:\windows\system32\ativva6x.dat
2008-12-01 11:57 48,640 a------- d:\windows\system32\amdpcom32.dll
2008-12-01 11:53 401,408 a------- d:\windows\system32\atikvmag.dll
2008-12-01 11:53 45,056 a------- d:\windows\system32\amdcalrt.dll
2008-12-01 11:53 45,056 a------- d:\windows\system32\amdcalcl.dll
2008-12-01 11:52 86,016 a------- d:\windows\system32\atiadlxx.dll
2008-12-01 11:52 17,408 a------- d:\windows\system32\atitvo32.dll
2008-12-01 11:50 286,720 a------- d:\windows\system32\atiok3x2.dll
2008-12-01 11:50 3,252,224 a------- d:\windows\system32\Amdcaldd.dll
2008-12-01 11:45 577,536 a------- d:\windows\system32\ati2cqag.dll
2008-11-24 14:33 66,872 a------- d:\windows\system32\PnkBstrA.exe
2006-11-01 13:07 334,720 a------- d:\program files\RootkitRevealer.exe
2005-12-07 14:19 102,160 a------- d:\program files\RootkitRevealer.chm

============= FINISH: 12:00:34.64 ===============

Edited by Maj. Matt Mason, 23 February 2009 - 12:08 PM.
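The DDS log above is the raw material the responders work from, and two of its sections lend themselves to automated triage: SERVICES / DRIVERS (a driver registered from a .tmp file, or an entry DDS could not stat, marked "[?]") and Created Last 30 (executable-type files that appeared in the window around the infection, ignoring dllcache, which Windows File Protection repopulates in bulk). The following script is an added example written for this page, not a tool from the post or from the DDS author; it parses a constructed excerpt of the log above (a few lines copied from it, embedded so the script runs offline) and lists the entries a responder would look at first. A hit is a lead, not a verdict: a driver loading from a .tmp file is also how some anti-rootkit scanners register their own kernel component, and a "[?]" on a service that is started with an argument (vsmon.exe -service) only means DDS could not resolve the path.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log in the post above,
# embedded here so the script runs offline. A real run would read the whole log file.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-2-5 64160]
R2 vsmon;TrueVector Internet Monitor;d:\windows\system32\zonelabs\vsmon.exe -service --> d:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\d:\windows\system32\3.tmp --> d:\windows\system32\3.tmp [?]
S3 awhost32;Symantec pcAnywhere Host Service;d:\program files\symantec\pcanywhere\awhost32.exe [2007-5-11 132728]

=============== Created Last 30 ================

2009-02-22 11:59 <DIR> --d----- d:\temp\RarSFX0
2009-02-21 12:17 1,221,008 a------- d:\windows\system32\zpeng25.dll
2009-02-18 17:56 116,224 ac------ d:\windows\system32\dllcache\xrxwiadr.dll
2009-02-18 16:43 161,792 a------- d:\windows\SWREG.exe
2009-02-15 17:26 332,800 a------- D:\wget.exe

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+\s*$")
# "R0 name;display;image [date size]"  or  "... image --> resolved image [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# "2009-02-21 12:17 1,221,008 a------- path"  or  "... <DIR> --d----- path"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".tmp")


def split_sections(log_text):
    """Map each '==== NAME ====' header (upper-cased) to the non-blank lines under it."""
    sections, current = {}, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_services(lines):
    """Parse SERVICES / DRIVERS lines; keep both the raw image string and the resolved path."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, raw_image, stamp = m.groups()
        image = raw_image.split("-->", 1)[1].strip() if "-->" in raw_image else raw_image.strip()
        out.append({"state": state, "name": name, "display": display,
                    "raw_image": raw_image.strip(), "image": image, "stamp": stamp.strip()})
    return out


def flag_services(services):
    """Return (name, reasons) for entries that deserve a manual look."""
    findings = []
    for svc in services:
        image = svc["image"].lower()
        reasons = []
        if svc["stamp"] == "?":
            reasons.append("DDS could not stat the image file ([?])")
        if re.search(r"\.tmp(\s|$)", image):
            reasons.append("image is a .tmp file")
        if "\\temp\\" in image or svc["raw_image"].startswith("\\??\\"):
            reasons.append("image under a temp directory or given as an NT object path")
        if reasons:
            findings.append((svc["name"], reasons))
    return findings


def parse_created(lines):
    """Parse Created Last 30 lines into timestamp, directory flag, size, attributes, path."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, size, attrs, path = m.groups()
        out.append({"when": when, "is_dir": size == "<DIR>",
                    "size": None if size == "<DIR>" else int(size.replace(",", "")),
                    "attrs": attrs, "path": path.strip()})
    return out


def recent_executables(created, start, end):
    """Executable-type files created between start and end (inclusive, 'YYYY-MM-DD' strings),
    excluding dllcache, which Windows File Protection repopulates in bulk."""
    hits = []
    for f in created:
        day = f["when"][:10]
        if f["is_dir"] or not (start <= day <= end):
            continue
        p = f["path"].lower()
        if p.endswith(EXEC_EXT) and "\\dllcache\\" not in p:
            hits.append(f["path"])
    return hits


def triage(log_text, start, end):
    sections = split_sections(log_text)
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    created = parse_created(sections.get("CREATED LAST 30", []))
    return {"services": flag_services(services),
            "new_executables": recent_executables(created, start, end)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "2009-02-15", "2009-02-22")
    for name, reasons in result["services"]:
        print(f"service {name}: " + "; ".join(reasons))
    for path in result["new_executables"]:
        print(f"new executable: {path}")
```

On the excerpt this flags MEMSWEEP2 (three reasons) and vsmon (only the "[?]"), and lists zpeng25.dll, SWREG.exe and wget.exe as executables created in the window; each of those then needs a hash lookup or a signature check, which the log alone cannot provide.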


#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 23 February 2009 - 08:48 PM

Virut File Infector Warning

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean Reinstall or Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Tell me what you decide to do.

With Regards,
Extremeboy
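The backup rule in the reply above (copy documents, never .exe/.scr/.htm/.html, and do not trust archives that may hold such files) is easy to state and easy to get wrong by hand on a drive with a "mountain of data". The script below is an added example written for this page, not a tool from the post or from any of the vendors named in it. It walks a directory tree and sorts every file into copy, skip or review: infectable extensions are skipped outright, .zip archives are opened with the standard library and skipped if any member has an infectable extension, and archive types this script cannot open (.cab, .rar are the ones the reply mentions) are held for manual review rather than silently copied. The extension sets and the sample tree are assumptions made for the example; the fixture files are constructed and contain no real executables.

```python
import os
import tempfile
import zipfile

# Extensions the reply above says Virut rewrites: never copy these off the infected disk.
SKIP_EXT = {".exe", ".scr", ".htm", ".html"}
INSPECT_EXT = {".zip"}           # archives the standard library can open and inspect
OPAQUE_EXT = {".cab", ".rar"}    # archives not inspected here: hold them for manual review


def classify_file(path):
    """Return (decision, reason) with decision in {'copy', 'skip', 'review'}."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIP_EXT:
        return "skip", "infectable extension"
    if ext in INSPECT_EXT:
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if os.path.splitext(n)[1].lower() in SKIP_EXT]
        except zipfile.BadZipFile:
            return "review", "unreadable zip archive"
        if bad:
            return "skip", "archive contains " + ", ".join(bad)
        return "copy", "archive holds only data files"
    if ext in OPAQUE_EXT:
        return "review", "archive type not inspected by this script"
    return "copy", "data file"


def plan_backup(root):
    """Classify every file under root; keys are paths relative to root with '/' separators."""
    plan = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            plan[rel] = classify_file(full)
    return plan


def build_sample_tree(root):
    """Constructed fixture (not files from the post): one example of each case."""
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "notes.txt"), "w") as f:
        f.write("quarterly notes\n")
    with open(os.path.join(root, "docs", "index.html"), "w") as f:
        f.write("<html><body>hello</body></html>\n")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)          # placeholder header bytes, not a real binary
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("img1.jpg", b"\xff\xd8\xff")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "tools")
        zf.writestr("bin/tool.exe", b"MZ")
    with open(os.path.join(root, "old.rar"), "wb") as f:
        f.write(b"Rar!\x1a\x07\x00")


def run_demo():
    """Build the fixture in a temporary directory, plan the backup, and return the plan."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return plan_backup(root)


if __name__ == "__main__":
    for rel, (decision, reason) in sorted(run_demo().items()):
        print(f"{decision:6s} {rel}  ({reason})")
```

The point of the "review" bucket is that a backup filter should fail closed: anything it cannot look inside is neither copied nor discarded, but left for a person to open on a clean machine with an up-to-date scanner.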

#3 Maj. Matt Mason (Topic Starter, Members, 10 posts, California)

Posted 23 February 2009 - 11:22 PM

Are you sure there is no way to clean out the infection? I have the ability to boot with a different drive or even another computer and attach the drive to that to clean it out. I would like to avoid having to backup/restore the mountain of data if I could, but if that truly is the only way, please be kind enough to beat it into my head one last time!

Also, can you point me to where I can see how it affects .HTM and .HTML files? I have a number of web pages I created and would rather not have to recreate them from scratch if I can look them over and see if they are OK.

I've blocked some IP address ranges as described at McAfee's website on my router, but I'm sure those guys have moved on to greener servers.

Is it the polymorphic properties of the virus that is keeping all the antivirus scans from finding it, or is it just because it's in memory and is able to protect itself? I think I may have gotten the actual Virut virus out of the system (Per McAfee's website, it should easily find and either remove or designate the file uncleanable and multiple full scans have revealed nothing). I think I have something else actually running in the system, and at the very least, altering the way ZoneAlarm works to keep the backdoor open.

Lastly, I have never seen an infection like this run so fast through a system simply by visiting a web page. Is there a system setting or program you can recommend that would prevent this from happening again?

I'm sure you hear this a lot, but I really do appreciate your help (even if I have to reinstall).

Edited by Maj. Matt Mason, 23 February 2009 - 11:57 PM.


#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 24 February 2009 - 04:34 PM

Hello again.

Are you sure there is no way to clean out the infection? I have the ability to boot with a different drive or even another computer and attach the drive to that to clean it out. I would like to avoid having to backup/restore the mountain of data if I could, but if that truly is the only way, please be kind enough to beat it into my head one last time! :)

It's not that we can't clean this infection out. Sometimes we can clean out these file infectors and sometimes not, depending on how severe it is. Once you get infected by this your system is already unstable and fixing it can cause more damage. Your computer is also compromised, and even after fixing it, would you still trust it? My suggestion would be to reinstall/format. So to answer your question: Yes.

Also, can you point me to where I can see how it affects .HTM and .HTML files? I have a number of web pages I created and would rather not have to recreate them from scratch if I can look them over and see if they are OK.

Yes, you can try it, but they are probably infected. Some may not be, but a few may be, and I'm not sure how you will be able to tell whether they are infected or not with your own eyes. You may wish to scan a few of those files and see if they are indeed infected or not.

Is it the polymorphic properties of the virus that is keeping all the antivirus scans from finding it, or is it just because it's in memory and is able to protect itself?

No. Most anti-virus programs can usually detect it after it has injected its code into executables. Once it's successfully installed, it connects to an IRC server to execute things on your machine. Take a read of my previous post for more information.

Lastly, I have never seen an infection like this run so fast through a system simply by visiting a web page. Is there a system setting or program you can recommend that would prevent this from happening again?

3 things I would avoid, if you want to avoid this infection.

1) Do not use P2P sharing programs.
2) Be careful with removable drives. Best if you can disable the autoplay/autorun feature in Windows.
3) Do not visit any sites that are known to carry malware infections. These include: cracks, keygens, pornographic sites or poker related sites that may be malicious.

Good luck on the format/reinstall. Below are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.
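The quoted article above explains that a USB worm's AUTORUN.INF is just an INI file whose directives tell Windows what to launch on insert or on double-click. The following is an added example (not from the thread or from any of the linked articles) of a small triage script a responder can run over a copied AUTORUN.INF to list exactly which directives would cause a program to run. The sample file contents are constructed for the demonstration; the directive names (open, shellexecute, shell, shell\verb\command) are the standard AUTORUN.INF keys.

```python
"""Triage an AUTORUN.INF and report the directives that would launch a program.

Added example for this thread; the sample INF text below is constructed, not
taken from any real infection.
"""
import re

# Keys that directly name a program to run on Autorun/AutoPlay.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program> adds a context-menu verb that runs a program;
# shell=<verb> makes that verb the default action for a double-click.
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names.

    Deliberately tolerant: blank lines, ';' or '#' comments, mixed case and
    junk lines without '=' are all skipped rather than treated as errors.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_exec_directives(text):
    """Return a list of (section, key, value) entries that would run a program.

    Only [autorun] and its architecture-specific variants ([autorun.amd64]
    etc.) are honoured by Windows, so other sections are ignored.
    """
    findings = []
    for section, entries in parse_autorun_inf(text).items():
        if not section.startswith("autorun"):
            continue
        for key, value in entries.items():
            if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
                findings.append((section, key, value))
            elif key == "shell" and value:
                # Redirects the default double-click verb to a custom one.
                findings.append((section, key, value))
    return findings


# Constructed samples: a harmless label/icon file and one that launches a program.
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=Product CD
"""

SAMPLE_SUSPICIOUS = r"""; constructed sample for demonstration only
[AutoRun]
Open = bin\update.exe
shell\open\Command=bin\update.exe
shell=open
Action=Open folder to view files
"""


def report(text):
    """Human-readable summary of the findings for one INF file."""
    hits = find_exec_directives(text)
    if not hits:
        return "no execution directives found"
    return "\n".join(f"{section}: {key} -> {value}" for section, key, value in hits)


if __name__ == "__main__":
    print("benign sample:\n" + report(SAMPLE_BENIGN))
    print("\nsuspicious sample:\n" + report(SAMPLE_SUSPICIOUS))
```

Run it against a copy of the file taken from the drive root (do not double-click the drive to get there, for the reason given in the note above). A file whose only directives are icon and label is what a legitimate product CD looks like; anything listed by the script is a directive that launches code and deserves a closer look.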

Visit the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :thumbup2:

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#5 Maj. Matt Mason
  • Topic Starter
  • Members
  • 10 posts

Posted 24 February 2009 - 09:07 PM

Thank you so much for taking the time to answer the question in as much detail as you have. I'm sure it will save a little time for those who come across it instead of, as in my case, trying for over a week until the wee hours of the morning to kill this thing.

You made some very valid points (including the "trust" one, which would be in the back of my mind). It was not what I wanted to hear, but I just needed to hear it again, especially considering the number of hours I've put in trying to clean it up. Thanks for your patience on that point!

Thanks as well for the "safety" suggestions. I already follow those items. Autorun is disabled on the system and the like, I normally don't troll around P2P sites, etc. I was more looking for a suggestion to safeguard the system against this kind of attack. While it was a Torrent search site I was going to, I was actually looking for something legal for me to obtain. But it could have very well been a mistyped URL or even a legitimate site that had been hacked that brought me to my woes. I was using a fully patched system and a current version of Firefox when it happened. Could there have been anything I could do (different antivirus, setting in Firefox, additional protection software) that would have prevented this from happening in the first place?

When USB drives first came out, some of them had a write protect switch. I haven't seen any like that any more. That would save a lot of problems!

One last question: is this virus, or any other, able to infect a file without altering its byte count?

Again, thanks so much.

#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 24 February 2009 - 09:13 PM

Hello.

Could there have been anything I could do (different antivirus, setting in Firefox, additional protection software) that would have prevented this from happening in the first place?

Well, my general rule for security programs is:

1) One AV/FW program with real-time protection enabled
2) A few AS programs
3) Good surfing habits <-Very Important

When USB drives first came out, some of them had a write protect switch. I haven't seen any like that any more. That would save a lot of problems!

Well, have fun moving only read-only format files then...

One last question: is this virus, or any other, able to infect a file without altering its byte count?

Not sure what you mean exactly there. As long as you don't backup any executables then everything is fine. All other files should be safe.

With Regards,
Extremeboy
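The last exchange above is about whether an infector can alter a file without changing its byte count, and the first post in the thread notes that over a thousand .EXE files were altered with their dates untouched. Neither size nor timestamp is trustworthy evidence, so the check a defender actually wants is a content hash compared against a baseline taken before the incident. The following is an added example (not from the thread) of such a baseline-and-compare tool; it builds a throwaway directory, records SHA-256 hashes of the file types the thread mentions as targets, then patches one file in place and restores its timestamp to show that the hash still catches it. The directory contents and the "MZ" placeholder bytes are constructed for the demonstration.

```python
"""SHA-256 baseline of executables and web pages, and a comparison that flags
changes even when size and modification time are unchanged.

Added example for this thread; the demo directory and file contents are
constructed, not taken from an infected system.
"""
import hashlib
import os
import tempfile

# File types the thread names as targets of the infector (.EXE and .HTM/.HTML),
# plus other Windows executable types; adjust to taste.
TRACKED_EXT = {".exe", ".dll", ".scr", ".htm", ".html"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record hash, size and mtime (ns) of every tracked file."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TRACKED_EXT:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare(baseline, root):
    """Compare root against a saved baseline.

    'modified' lists files whose content hash changed; 'stealthy' is the subset
    whose size and mtime are identical to the baseline, i.e. files that a
    size- or date-based check would have passed.
    """
    current = build_baseline(root)
    report = {"modified": [], "stealthy": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        cur = current.get(rel)
        if cur is None:
            report["missing"].append(rel)
            continue
        if cur["sha256"] != old["sha256"]:
            report["modified"].append(rel)
            if cur["size"] == old["size"] and cur["mtime_ns"] == old["mtime_ns"]:
                report["stealthy"].append(rel)
    report["new"] = sorted(rel for rel in current if rel not in baseline)
    return report


def demo():
    """Constructed demonstration: patch a file in place, keep size and mtime."""
    root = tempfile.mkdtemp()
    exe = os.path.join(root, "app.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ" + b"\x00" * 1022)  # placeholder bytes, not a real PE
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("untracked file type")
    baseline = build_baseline(root)

    st = os.stat(exe)
    with open(exe, "r+b") as f:
        f.seek(512)
        f.write(b"\x90" * 16)  # overwrite in place: byte count is unchanged
    os.utime(exe, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamps look untouched
    return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is written to a file (json.dump of the dict) on media the suspect machine cannot write to, and compare is run from a clean boot against the mounted suspect drive, the same offline arrangement the topic starter describes. The "stealthy" list is the interesting one: it is exactly the set of files that a visual inspection of Explorer's size and date columns would have passed.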

#7 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 26 February 2009 - 04:40 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy
