Trojan Infection BHO with Rootkit Very Persistent


This topic is locked
3 replies to this topic

#1 gunbeard

gunbeard

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 30 April 2009 - 08:34 PM

Overview of the Problem
My AVG and MalwareBytes detected several infections, some of which were cleaned up. The persistent ones remain and continue to install and reinstall the same named .DLLs despite my efforts to delete them. AVG reports ndis.sys is infected with Rootkit-Agent.DI and also throws me Vundo.GH alerts with unfamiliar and uncommon .DLL names.

Things I have tried
I have tried using HJT to detect and remove the suspect files (carefully, as I am not a complete moron) as well as disabling System Restore and using Safe Mode wherever necessary. I have used Delete-on-Boot programs for any stubborn system files installed by whatever maladies are present.

I am experienced enough to track down and kill most simple trojans but I need your help to eradicate this more complex virus(es).. I am not getting any error messages or BSODs that I can connect with this infection(s) but that does not mean my system is not compromised. I would appreciate any advice and will carry out instructions swiftly before reporting back here.

The suspect files I have noticed include (in sys32): gedesumi.dll (DDS reports an AppInit_DLL so most likely rootkit installed it)
toyipivo.dll
gorawuwi.dll
nikoloki.dll
..these files keep reinstalling along with other similarly named .dll.tmp files, making it very persistent and difficult to remove completely.

I am also getting iexplore and rundll32 processes in task else so please forgive any mistakes or lack of forum etiquette.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 21:08:43.12 on Thu 04/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.902 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Hithere\scanola.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
BHO: {cdf8cac0-4a99-43b1-a506-bf53a7310ae3} - c:\windows\system32\toyipivo.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nForce Tray Options] sstray.exe /r
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [f03acd61] rundll32.exe "c:\windows\system32\nikoloki.dll",b
mRun: [pusurusuwe] Rundll32.exe "c:\windows\system32\gorawuwi.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
LSP: c:\windows\system32\idmmbc.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241111269406
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241111961125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\gedesumi.dll
LSA: Notification Packages = scecli c:\windows\system32\gedesumi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\a3h0bs6x.default\
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 viaide1;viaide1;c:\windows\system32\drivers\viaidexp.sys [2003-1-2 6144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-21 27656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-21 298264]
S1 33393384;33393384;c:\windows\system32\drivers\33393384.sys --> c:\windows\system32\drivers\33393384.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S4 JKAZTV;JKAZTV;c:\docume~1\admini~1.you\locals~1\temp\jkaztv.exe --> c:\docume~1\admini~1.you\locals~1\temp\JKAZTV.exe [?]

=============== Created Last 30 ================

2009-04-30 21:07 360,021 a------- C:\dds.scr
2009-04-30 21:04 <DIR> --d----- C:\How To Use Sdfix_files
2009-04-30 21:04 48,027 a------- C:\How To Use Sdfix.htm
2009-04-30 20:43 1,407,024 ---sh--- c:\windows\system32\ikolokin.ini
2009-04-30 20:42 2,126 a------- c:\windows\system32\wpa.dbl
2009-04-30 20:35 <DIR> --d----- C:\Hithere
2009-04-30 20:28 1,744 a---h--- c:\windows\system32\terujaja
2009-04-30 20:10 331,805,736 a------- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2009-04-30 19:27 <DIR> --d----- C:\winupdates
2009-04-30 18:28 6,216,032 a------- C:\windowsupdateagent30-x86.exe
2009-04-30 18:27 235 a------- C:\register.bat
2009-04-30 16:39 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-30 16:33 2,148 a------- c:\windows\system32\tmp.reg
2009-04-30 16:22 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-30 16:21 79 a------- C:\Cutwail Removal Tool. Remove Cutwail Now.URL
2009-04-30 16:21 3,785,812 a------- C:\ExterminateItSetup.exe
2009-04-30 16:17 78 a------- C:\Cutwail Trojan Removal Guide - Computer Repair Info.URL
2009-04-30 16:16 1,883,317 a------- C:\SmitfraudFix.exe
2009-04-30 13:32 111 a------- C:\iexplore.exe virus internet disabled - Google Search.URL
2009-04-30 13:32 99 a------- C:\BleepingComputer.com iexplore.exe virus.URL
2009-04-30 13:32 72 a------- C:\Remove Iexplore.exe Errors (Removal Instructions) 411 on Spyware.URL
2009-04-30 13:32 70 a------- c:\windows\wininit.ini
2009-04-30 13:31 59 a------- C:\Prevx 3.0 for Home and Family.URL
2009-04-30 13:31 787,000 a------- C:\0F63B4753E78429B8CF6.EXE
2009-04-30 13:21 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-04-30 13:20 <DIR> --d-h--- c:\windows\$hf_mig$
2009-04-30 13:15 176,640 a------- C:\Malware Removal Starter Kit.doc
2009-04-30 13:14 9,924,040 a------- C:\windows-kb890830-v2.9.exe
2009-04-30 13:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-04-30 10:10 <DIR> --d----- C:\Rustbfix
2009-04-30 09:45 <DIR> --d----- c:\windows\ERUNT
2009-04-30 09:44 <DIR> --d----- C:\SDFix
2009-04-30 09:43 122 a------- C:\IEXPLORE.EXE trojan () - can somebody help.URL
2009-04-30 09:43 55 a------- C:\GMER - Rootkit Detector and Remover - Files.URL
2009-04-30 00:19 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-30 00:09 401,108 a------- C:\rustbfix.exe
2009-04-30 00:07 286,208 a------- C:\7lx0mft6.exe
2009-04-30 00:04 1,529,241 a------- C:\SDFix.exe
2009-04-29 18:15 0 a------- c:\windows\mqcd.dbt
2009-04-29 17:45 719 a------- C:\dtools.lnk
2009-04-28 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SimCity Societies
2009-04-27 22:58 <DIR> --d----- c:\program files\Monopoly
2009-04-23 00:29 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-22 22:50 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-04-22 22:50 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-04-22 22:50 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-04-22 22:50 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-04-22 22:50 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-04-22 22:50 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-04-22 22:50 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-04-22 15:52 3,638 a---h--- c:\windows\ps.ico
2009-04-22 15:52 <DIR> --d----- c:\program files\Texas Hold'em Poker 3D - Deluxe Edition
2009-04-21 16:58 <DIR> --d----- c:\windows\pss
2009-04-16 01:44 <DIR> --d----- C:\1M Edition
2009-04-14 12:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ironclad Games
2009-04-14 12:07 <DIR> --d----- c:\windows\Sins of a Solar Empire
2009-04-11 23:45 <DIR> --d----- c:\program files\common files\DirectX
2009-04-11 23:26 <DIR> --d----- c:\program files\Codemasters
2009-04-11 17:48 <DIR> --d----- c:\docume~1\owner\applic~1\fltk.org
2009-04-11 16:15 <DIR> --d----- C:\Tor Browser
2009-04-11 13:34 <DIR> --d-h--- c:\windows\PIF
2009-04-10 20:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Soulseek
2009-04-10 20:16 <DIR> --d----- c:\program files\SoulseekNS
2009-04-10 20:08 <DIR> --d----- C:\Geometry Wars - Retro Evolved
2009-04-10 20:00 <DIR> --d----- c:\program files\MoveonBoot
2009-04-10 20:00 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-04-10 19:52 <DIR> --d----- C:\RootkitRevealer
2009-04-10 19:52 <DIR> --d----- c:\program files\Unlocker
2009-04-10 18:28 <DIR> --d----- c:\program files\Free Disk Analyzer
2009-04-10 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DiskAnalyzer
2009-04-10 14:15 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-04-10 14:05 <DIR> --d----- c:\docume~1\owner\applic~1\DAEMON Tools Pro
2009-04-10 14:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-04-10 14:04 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-04-10 14:01 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-04-10 14:01 <DIR> --d----- c:\docume~1\owner\applic~1\DAEMON Tools Lite
2009-04-10 12:45 561 a------- c:\windows\eReg.dat
2009-04-10 12:39 <DIR> --d----- c:\program files\Total War
2009-04-02 22:52 0 a------- c:\windows\system32\nfr.gpref
2009-04-02 22:52 0 a------- c:\windows\system32\nfr.assembly

==================== Find3M ====================

2009-04-30 20:28 100,352 a---h--- c:\windows\system32\nikoloki.dll
2009-04-30 20:13 100,352 -------- c:\windows\system32\zehifoze.dll
2009-04-29 18:20 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 19:50 94,208 a------- c:\windows\DUMP4af3.tmp
2009-03-21 18:32 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-21 18:32 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-31 20:14 69,120 a--sh--- c:\windows\system32\gedesumi.dll
2009-01-31 20:14 69,120 a---h--- c:\windows\system32\toyipivo.dll
2009-01-31 20:14 69,120 a--sh--- c:\windows\system32\gorawuwi.dll
2009-01-31 20:11 68,096 a--sh--- c:\windows\system32\visefiti.dll.tmp
2009-01-31 20:11 68,096 a--sh--- c:\windows\system32\vawakoto.dll.tmp
2009-01-31 20:11 68,096 a--sh--- c:\windows\system32\gupureje.dll.tmp

============= FINISH: 21:10:24.06 ===============
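A triage pass over the persistence entries in the DDS "Pseudo HJT Report" above, added here as an example; it is not part of the original post, of DDS, or of any BleepingComputer tool. The sample lines are copied from the log (plus one benign AVG entry), the "generated-looking name" check is a heuristic keyed to the eight-letter consonant/vowel names seen in this particular log, and the severity labels are my own.

```python
import re

# Constructed sample: entries copied from the "Pseudo HJT Report" section of the
# DDS log above, plus one benign AVG entry, so the triage can run offline.
DDS_LINES = r"""
uInternet Settings,ProxyServer = http=localhost:7171
BHO: {cdf8cac0-4a99-43b1-a506-bf53a7310ae3} - c:\windows\system32\toyipivo.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [f03acd61] rundll32.exe "c:\windows\system32\nikoloki.dll",b
mRun: [pusurusuwe] Rundll32.exe "c:\windows\system32\gorawuwi.dll",s
LSP: c:\windows\system32\idmmbc.dll
AppInit_DLLs: c:\windows\system32\gedesumi.dll
LSA: Notification Packages = scecli c:\windows\system32\gedesumi.dll
""".strip().splitlines()

C, V = "[bcdfghjklmnpqrstvwxyz]", "[aeiou]"
# Heuristic keyed to the naming pattern in this log: eight lowercase letters
# alternating consonant/vowel (gedesumi, toyipivo, ...). Not a general rule.
GENERATED_RE = re.compile(rf"^(?:{C}{V}){{4}}$")
DLL_RE = re.compile(r"([\w~$-]+)\.dll", re.IGNORECASE)

def looks_generated(stem):
    """True if a DLL base name matches the CVCVCVCV pattern seen in this log."""
    return bool(GENERATED_RE.match(stem))

def triage_line(line):
    """Return (severity, reason) for one DDS pseudo-HJT line, or None."""
    stems = [m.group(1).lower() for m in DLL_RE.finditer(line)]
    generated = [s for s in stems if looks_generated(s)]
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return "high", "AppInit_DLLs loads this DLL into every process that loads user32"
    if line.startswith("LSA: Notification Packages"):
        extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
        if extra:
            return "high", "non-default LSA notification package: " + " ".join(extra)
    if "ProxyServer" in line and re.search(r"localhost|127\.0\.0\.1", line):
        return "high", "browser traffic is routed through a local proxy"
    if generated:
        return "medium", "loads generated-looking DLL: " + ", ".join(generated)
    if line.startswith("LSP:"):
        return "review", "third-party Winsock LSP; confirm the vendor"
    return None

def triage(lines):
    """Run triage over every line; returns a list of (severity, line, reason)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line, hit[1]))
    return findings

if __name__ == "__main__":
    for sev, line, why in triage(DDS_LINES):
        print(f"[{sev:>6}] {why}\n         {line}")
```

Run against the sample it flags the proxy, AppInit_DLLs and LSA entries as high, the three BHO/Run loaders as medium, and the LSP for manual review, while the AVG tray entry passes.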


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:48 PM

Posted 01 May 2009 - 11:35 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 gunbeard

gunbeard
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 02 May 2009 - 03:29 PM

I successfully removed the infection.. Here are the steps I took to remove it and also to ensure this never happens again:

After Combofix did its magic, I rebooted to find that all of the offending .DLLs and their temporary backups were removed. HJT logs confirmed that the hostile items I detected were no longer there.

A malwarebytes scan revealed other different varieties of malware, so I repeated the HJT scan and fixed suspect items before re-scanning with malwarebytes & HJT.

After a few passes I still had problems remaining: the persistent and unexplained presence of iexplore.exe in task manager. Also, NDIS.SYS was still infected, and as it was a major network driver I did not delete it. I could not update windows either, as windows update was throwing me errors. This meant repairing my windows installation with the original files.

So I used my recovery DVD to reinstall windows and then I updated it fully to SP3. I downloaded all necessary fixes and updates, making sure to look up forum entries here on recommended software and safe practices. Then I installed Zonealarm and disabled Windows Firewall. I did a lot of research on what programs are absolutely necessary and made sure to block programs that could be easily exploited by malware.

Here's why I think my PC was at risk..

1. I had not updated windows to the latest version due to an error in Windows Update. This should have been the first red light that should have encouraged me to reinstall windows.
2. I relied on Windows Firewall (it doesn't do what firewalls are supposed to do) and my household's Router to protect me from attackers.. If I download & open files on my computer I am essentially opening the gates and letting a trojan horse come right on in.
3. I had applications that ran at startup that were not necessary for the operation of my PC and were also not updated on a regular basis. This meant that they were easily exploited by Malware.

..so thanks very much for replying so quickly to my problem, I hope that my remedy is an example to others who have had similar problems. It really wasn't that hard to remove, but it required a STRONG knowledge of what NOT to delete as much as what TO delete.

thanks again,

'Gun

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:48 PM

Posted 02 May 2009 - 04:35 PM

Sounds good. Are you comfortable that you have removed all of it?
If so I will close this thread.