Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware infestation (Possibly Virtumonde)


  • Please log in to reply
2 replies to this topic

#1 AllenG

AllenG

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 13 March 2009 - 07:38 AM

Hi.

I have a virus and/or spyware infestation, and would like some advice and help please.

I have Windows XP Home (up to date), networked with a Linksys WAG54P2P ADSL Router with the Router Firewall enabled. (Wireless is disabled).
I have AVGfree, Spybot S&D with resident Teatimer up to date, and windows firewall enabled (or so I thought). I have a ghost 8 backup from a month ago. made with an out of date miniPE by Digiwiz boot CD.

While searching for information on fixes for some viruses that a friend has on his laptop I downloaded & installed Malwarebytes and downloaded an updated ISO of MiniPE-XT V2K5.09.03 from megaupload.com\minipe-iso-updated-to-05012009. This iso was in several Rar files. around the time I was downloading this I got a popup asking if I wanted to save or run another file that I didn't request. I clicked cancel or the "x", can't remember which. Can't remember the filename either, maybe started with "SI" ?

First Question:

MiniPE: I know it contains "dodgy" utilities, and some of the "tools" register as infections, but three files that worry me are:
1: M:\I386\system32\wzcsvc.dll is detected as Virtumonde by spybot. The same file on my C drive registers as Virtumonde as well.
2: M:\.....wordpad.exe is detected as Win32:Trojan-Gen {other} by Avast
3: X:\programs\winrar\winrar.exe is detected as win32:backdoor.ceckno
I havn't used wordpad or winrar, not sure about wzcsvc (wireless zero confuration service).

Is it likely that this iso is boobytrapped? What recovery CD do you recommend, and from which site?

Symptoms:

1. For some time (possibly 2 years), MSpaint stopped working. My attempts to remove and reinstall it havn't helped .
2. about 50% of the time half of the icons on the system tray do not show. These include Winzip quick launch, my internet usage monitor, DYNDNS updater etc. Taskmanager shows that the processes seem to have started.
I had two fraudulent transactions on my Creditcard in January a few days after using my creditcard online.

On first reboot after the unexpected file download popup

Spybot warned me of two attempted changes: Security Centre notification disabled, and Malwarebytes removed from startup. I denied both.
Windows Security centre shield on the systemtray warned that my firewall was disabled.
AVGfree warned that it was unable to connect to the update server.
system restore shows no restorepoints.

My attempts to restart windows firewall failed.

I have done the following to try and recover my system:

Powered off.
Booted with MiniPE.
Checked the integrity of the Ghost files.
Formatted C drive.
Restored from Ghost.
Refreshed the MBR on C
Scanned with Avast which found worms in my inbox. They were in spam emails that I'm sure I would not have opened the links.
The worms were Win32:netsky-c@UPX and win32:ZAFI-M. I removed them
The same worms were found in two locations in C:\Recycler\....
Adaware found 1 reg key & 2 reg values with win32:backdoor.ceckno, on the boot CD.

Win32.Backdoor.Ceckno Object Recognized!
Type : Regkey
Data : X:\Programs\WinRAR\WinRAR.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe

Win32.Backdoor.Ceckno Object Recognized!
Type : RegValue
Data : X:\Programs\WinRAR\WinRAR.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe
Value : Path

Win32.Backdoor.Ceckno Object Recognized!
Type : File
Data : winrar.exe
TAC Rating : 10
Category : Malware
Comment :
Object : x:\programs\winrar\

Spybot reports Virtumonde in c:\windows\system32\wzcsvc.exe. I repaired this.

Avira reports a JS/Dldr.Iframe.DK Javascript Virus in .....\temporary internet files\content.ie5\CIZZDM4R\Flashwrite_1_2[1].htm
I have deleted this.

Powered off/on
Security centre still pops up a notification that the firewall is disable. Again attempts to restart result in "windows cannot start windows firewall/internet security"
I ran "sfc/scannow".
Still can't start windows firewall.

2nd question:
I am currently on the internet using Firefox PE from the minipe boot CD, and don't want to start windows on the network without an active firewall. How can I get the firewall going again?

3rd question:
I was not getting any firewall warnings a month ago when I created the ghost, whats up here? more evidence that my minipe CD is infected and reinfecting the HDD?

4th question

How should I proceed?

I have the install files for Malwarebytes, Superantispyware, Avira Antivir, Threatfire, & sandboxie, but have not got the DDS tool, or an up to date hijackthis.

I look forward to some expert help please.

Regards, Allen.

Edited by AllenG, 13 March 2009 - 07:58 AM.


BC AdBot (Login to Remove)

 


#2 AllenG

AllenG
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 16 March 2009 - 05:17 AM

Hi. Just an update.
I have unplugged from the network and restarted Windows.
I have installed and run Malwarebytes, and it found nothing.
I have installed and run Superantispyware, and it found nothing.
I also tried both in safe mode, and found nothing. However Superantispyware screen behaves strangely during scanning of some files especially EXE files. The digits for the number of modules, registry items, and files scanned and threats found flicker on screen as if they are being overwritten, but don't actually change? This doesn't happen for every file.

Since installing Malwarebytes, when I reboot spybot reports that something is trying to remove malwarebytes from startup.

I have now downloaded DDS while running from the boot CD. I installed and ran it from windows started normally but unplugged from the network. Should I plug back in a run it again? I'm reluctant to connect while running windows as I am still unable to start the windows firewall.

Should I post the DDS logs here, or repost all of this in the Hijackthis logs and Virus/Trojan/spyware/malware area?

Also, last time I started windows I connected it to the net for a short period and did a netstat. I got the following suspicious connection:
TCP 1082 xxxx.xxxxx.llnw.net (xxxx details omitted) Port 1082 is listed on virus sites as Winhole aka Backgate/Wingate.
The llnw.net is a domain of Limelight Networks Inc, Arizona, United States. Is this a legit ISP?
I have had creditcard info stolen (card now cancelled) & used at Swiss online stores, I would quite like to provide the creditcard company whatever info I can to prosecute. Can someone guide me on how to gather info without alerting the connected PC that I'm doing it? Or should I pass what I know to the creditcard company and let the professionals do the detective work?

Regards, Allen.

Edited by AllenG, 16 March 2009 - 01:39 PM.


#3 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:02:09 AM

Posted 25 March 2009 - 12:25 PM

I am very sorry for the long wait. We're very busy and a man down at the moment, In AII.
Because of the severity (hacked bank accounts) and what you have already done, I would proceed to posting a HJT log
Please keep in mind that the HJT forum is extremely busy for now

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users