HDTVxvid.net -- VIRUS!!! Logs n' seech

I posted this at the tech guy forums but I’ll throw everything here too:

Allllright, I’m dumb, I know. I went to HDTVxvid.net and downloaded an application I thought was a codec, though it turns out to just tell you your video card isn’t up to snuff and installs a few things.

Firstly, Spybot Search & Destroy picks up Smitfraud-C and Virtumonde.

(Condensed) Report from SSD:

Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-343818398-73586283-682003330-500\Software\Microsoft\instkey

Virtumonde: [SBI $779C9C0D] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, nothing done)
C:\WINDOWS\system32\iOpXbccf.ini2

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, nothing done)
C:\WINDOWS\system32\iOpXbccf.ini

— Browser helper object list —

{C369C9CD-29AA-4E75-83EC-2D6F03067CC6} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
BHO name:
CLSID name:
Path: C:\WINDOWS\system32
Long name: fccbXpOi.dll
Short name:
Date (created): 11/23/2008 10:57:02 PM
Date (last access): 11/23/2008 10:57:02 PM
Date (last write): 11/23/2008 10:57:04 PM
Filesize: 245760
Attributes: archive
MD5: A7B44C09F69269FC29490315F2CDD262
CRC32: 38493B10

Full Hijack-This Report (Highlighted with what I find suspicious:)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:18 AM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\docume~1\admini~1\locals~1\temp\cdm{cc37ec0f-0ffa-4e67-b577-503e2361f8f9}\STacSV.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{21579621-7834-4E31-B5B0-15850C5B109E}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: mogmyg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\admini~1\locals~1\temp\cdm{cc37ec0f-0ffa-4e67-b577-503e2361f8f9}\STacSV.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

But wait, I have more!

I’m finding using the SSD process tool that there are DLLs loading as modules in Explorer.exe: mogmyg.dll, fccbXpOi.dll and there are a few others that I’m assuming are just more random filenames.

Avast doesn't get it, SSD helps but doesn't resolve the issue. I see NO red X, but there are the occasional popups. I'm also running TeaTimer, so I think I've blocked all of the attempts to re-edit the registry, but from what I notice it randomizes its SID and tries again every few minutes.

Trying Windows Defender now, but I’m not holding my breath.

I found this thread: http://forums.techguy.org/malware-re...ption-gif.html

I don't have corrupted gifs, but I've also locked my hosts file, so if you're getting redirects then this might be a symptom too.

Any help is appreciated! I’m stuck, I’ve tried manual removal in safe mode, even Avast said it removed 2 infected files when I ran it on startup but it still persists. Thanks!

~J

EDIT: I used HijackThis to "fix" the selected items (what I'd highlighted red). It seems to have worked. Avast isn't returning anything, nor is Spybot now. I'll reboot and see if it reappears (crossing fingers!)


Grr
Nope, didn't work. Still all there even after numerous attempts to remove. Also, it's trying to monitor my websites visited because the popups have what page I'm looking at in the query.

http://url. adtrgt. com/ cpv.jsp?blahblahblah{insert pages I'm on here} (do not visit, this is just for reference! I put spaces in the addy so hopefully it doesn't parse)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What I've done since

I've booted into command prompt safe mode to delete, no luck. I remove the regedit entries (for the BHO and the winlogon notify) and they return immediately, even in safe mode!!!

So I tried going into my windows xp recovery console (booted from the CD,) with the same results. Couldn't do regedit easily (command line regediting isn't my forte) but it appeared to work. I rebooted and here I am, back where I started.

I'm about to just format and start over, my storage drive wasn't affected so I figure a new fresh start in Windows might be good for me.

Avast does a good job of blocking the malicious sites, and it looks like I got the Smitfraud-C gone, it's just the new Virtumonde that's causing a problem.

Popups are still occurring, but I refuse to open IE (using only Firefox for now.)

In Firefox Addons I found a browser plugin called Move Media Player. With no research done, I'm disabling it (I've never seen it before.) I just tried restarting firefox after choosing uninstall and it's not gone (still enabled.)

I'll keep trying but at this point I'm about to give up because I'm losing work time.
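As an added example (not from this thread or from any of the tools named in it), a small Python triage pass over HijackThis-style lines that flags the three things this log actually shows: a populated O20 AppInit_DLLs entry, an O23 service whose binary runs from a temp folder, and an unnamed O2 BHO. The sample lines are quoted from the log above; the O2 line is constructed from the Spybot BHO report (CLSID and DLL name are from the thread, the line format is HijackThis's own).

```python
import re

# Constructed sample input: lines quoted from the HijackThis log above, plus one O2 line
# assembled from the Spybot "Browser helper object list" (CLSID and fccbXpOi.dll from the thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O2 - BHO: (no name) - {C369C9CD-29AA-4E75-83EC-2D6F03067CC6} - C:\WINDOWS\system32\fccbXpOi.dll
O20 - AppInit_DLLs: mogmyg.dll
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\admini~1\locals~1\temp\cdm{cc37ec0f-0ffa-4e67-b577-503e2361f8f9}\STacSV.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis lines start with a section tag (R0/R1, F1, O2..O24) followed by " - ".
LINE_RE = re.compile(r"^([ROF]\d+) - (.*)$")


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            # Anything listed here is mapped into every user-mode process that loads
            # user32.dll, which matches the "attached to everything" behaviour in the thread.
            return ("high", f"AppInit_DLLs loads {dlls} into every user-mode process")

    if section == "O23":
        # The service binary path is the last " - " separated field.
        path = body.rsplit(" - ", 1)[-1].lower()
        if "\\temp\\" in path:
            # Legitimate services are not installed into a user's temp folder.
            return ("high", f"service binary runs from a temp folder: {path}")

    if section == "O2" and "(no name)" in body:
        # A BHO with no registered name is worth a second look, as in the Spybot report.
        return ("medium", f"unnamed BHO: {body}")

    return None


def triage_log(text):
    """Run triage_line over every line; returns [(severity, line, reason), ...]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```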

Hi beckerist,

Considering your HJT logfile, I would fix: O20 - AppInit_DLLs: mogmyg.dll
xpnetdiag.exe is part of a software package. You can disable it if in need of more memory or CPU power.
Classification: Application
Part of: Microsoft® Windows® Operating System
Firm: Microsoft Corporation
Safe - secure

  • xpnetdiag.exe is a Network Diagnostic tool for Windows XP by Microsoft Corporation

Your system now seems clean of malware, but you have no active firewall running. You have an increased risk of outside attacks.

Survey of your active tasks:
smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
spoolsv.exe - System task - Microsoft Printer Spooler Service
Explorer.EXE - System task - Microsoft Windows Explorer
nvsvc32.exe - Application - NVIDIA Driver Helper Service
STacSV.exe - Driver - C-Major Audio Service
RUNDLL32.EXE - System task - Microsoft Rundll32
ashDisp.exe - Virusscan - Avast AntiVirus
jusched.exe - Background task - Sun Java Update Scheduler
sttray.exe - Background task - Intel WebOutfitter service System Tray icon
ctfmon.exe - System task - Alternative User Input Services
TeaTimer.exe - Application - Spybot S&D Realtime Scanner
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
svchost.exe - System task - Microsoft Service Host Process
SpybotSD.exe - Anti Ad/Spyware software - Spybot - Search & Destroy
HijackThis.exe - Application - HijackThis

That’s all for now, do another complete scan using MBAM and SAS,
download: http://www.malwarebytes.org/mbam/program/mbam-setup.exe
SAS download: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

polonus


Sorry for my hastiness but I just reinstalled Windows to avoid it. I tried EVERYTHING to remove that mogmwhatever.dll file, I used HJT, Spybot's Module killer tools, I even got a program called "Unlocker 1.8.7" from a French website (www.free.fr)

None of it worked, though the unlocker showed me something interesting. The dll file will change its name randomly IF you figure out how to delete it. It also attaches to lsass and tries to force a shutdown. BTW: if you ever run into this where it says "you have 30 seconds to reboot" or anything go to start > run > and type "shutdown -a" (without the quotes) as it aborts the command.

It also seemed to be attached to the System module, and therefore anything opened by System (explorer.exe, all instances of svchost and rundll...) and therefore anything opened by THEM (EVERYTHING ELSE!!! including my anti-virus app!) would hold onto the file making it IMPOSSIBLE to delete. I managed to delete it in safe mode using the unlocker tool and a vbs I wrote to constantly try deleting it. Upon doing so though, a new file (fccoXsomething.dll, basically a random name) appeared, the IDs in the registry for the BHO changed (again, probably a new random string) and it started the attack right over.

As of now I’m clean, but that was a full harddrive wipe and reinstall. Better luck to the next person that falls for it!

Hi beckerist,

Your luck was in, it is always a sad thing when it has to come to this. Couldn't you have done it with a disabling of system restore in XP?
Anyway you have made sure now your system is absolutely as clean as a baby buttock, and so keep it that way. Install all patches, updates, check with Secunia PSI RC4, keep MBAM and SAS updated and on your comp for a quick scan once in a while, I also have COMODO BoClean 4.27 installed to keep the nasties out of the dungeon as good as I can. Have a happy Thanksgiving, stay safe and secure on the Internet, is the wish and command of,

polonus

Thank you, likewise. Like I said, I'd tried everything I knew including deleting and disabling system restore (it's off now). I will try the applications you recommended and next time I won't be so impulsive in my codecs!
~J

Might I finally add, this is the first virus I have ever admitted defeat on! As soon as I get some downtime I’m going to load it in a vmware session and study it. I will post my results here.

Hi beckerist,

Been there, done that, also had that T shirt handed out to me once, and then became inspired to be a malware fighter when I knew a little more about malware and how to fight it. You have all it takes to become one as well, welcome to the forums, this could have been just the spark that ignited your malware fighting mood,

your malware fighting webforum friend,

polonus