Internet disabled by malware: blank browsers, can't update AVs

Hi Guys,

For the past 2 weeks, I’ve been battling this far advanced malware. It was attached in a phishy email, whereas the package was actually downloaded and exec’d from a Yahoo account. The email was completely deleted (gone from trash), so I cannot provide an .exe name.

System at Instance of Infection:

  • Windows XP Pro, Service Pack 3, usually up-to-date
  • P4 2.4 GHz, 1.5 GB
  • AVGfree updated
  • Spybot Search & Destroy
  • Spyware Blaster

Symptoms:

  • Immediately, screen was flashing (white, or could just be windows glitching)
  • Later, AVG detected a malware (most likely while digging through FF temp folder)
  • Every 5-15 mins, AVG would re-list that same malware as detected, even after system restart

Observations:

  • No browser connectivity: when turning on FF, no URL shows up in the address bar. When typing in an address and hitting Enter, the URL disappears. No status information appears in the bottom left corner.
  • Cannot access anything via the internet, even though the LAN adapter has the same IP and is connected to the router. When installing Avast!, it could not complete due to no connectivity. Cannot PuTTY. Cannot update software.
  • Can PING to google.com and router. But get weird characters in the brackets as follows: “Pinging google.com [°ÿ] with 32 bytes of data: … Reply from 74.125.127.100: bytes=32 time=35ms TTL=54…” and “Pinging °ÿ with 32 bytes of data: … Reply from 192.168.1.10: bytes=32 time<1ms TTL=150”
  • Can RDP into this machine from my own machine.
  • CPU usage rate: minimal. No unusual Processes.
  • Memory usage: nothing more than FF.
  • Network usage: close to 0%, but rate rises to 1 pixel higher when running PING
  • Checked “hosts” file for odd entries; cannot access as admin, even in safe mode; seems to be under control.

Diagnostics:

  • Installed Avast offline version in safe mode, and installed latest VPSupdate; ran boot-time scan, found nothing.

  • Ran drWebCureIt; found nothing.

  • Installed MalwareByte’s Anti-Malware; found nothing.

  • Cannot install Spyware Terminator; stalls at “Downloading:…”

  • Installed SUPERAntiSpyware; found nothing, except some bad cookies.

  • Ran Avast AntiRootKit; found nothing.

  • Ran TrendMicro RootKitBuster; found nothing.

  • Tried System Restore back to 3-6 weeks; failed every time.

  • Ran HiJackThis for logs. No action taken yet.

What does this smell like?

Thanks for Analyzing,

Transattic

Can you give us the name of the malware that AVG is detecting over and over again?

Try http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button hope they can help you… :wink:

mathboyx215: I had to reinstall AVG to find the name… Trojan horse PSW.OnlineGames3.PDX (located at C:\WINDOWS\system32\ro.dll). The warning seemed to pop up any time FF/IE was being accessed by the user. It was first detected 9/28/09. I hope this helps!

emantoyaks: Thanks for the advice, but I’ve actually already tried scanning with that program. But nothing found. (Same version too!)

C:\WINDOWS\system32\ro.dll

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above file(s) to VirusTotal for analysis. Post the results here.

So digging out “ro.dll” and getting it analyzed at VirusTotal, about 68.29% of AVs detected malware: http://www.virustotal.com/analisis/6796cbb3916864291a7b13ec3263a6fa024d9d9ed4fba14e3a58902a9d8ce48b-1254868529 .

Does it look familiar to you?

It’s a Trojan, sadly undetected by avast!

Try a scan with Kaspersky Virus removal Tool

Try this free scanner.

a-Squared Free

Download, install and update the program.
Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Hi transattic,

I reported on this here: http://forum.avast.com/index.php?topic=33594.msg280289#msg280289
See: http://www.prevx.com/filenames/X152998063105351566-X1/RO.DLL.html
part of removal

Locate and delete the following files:
rundll132.exe
rodll.dll

Stop and Kill processes:
rundll132.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regro=%Windir%\rundll132.exe

Remove following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regro=%Windir%\rundll132.exe

Unregister the following DLL files:
rodll.dll

Delete files:
rundll132.exe, rodll.dll

Misc:
Exact file location:
rundll132.exe - C:\Windows or C:\Winnt
rodll.dll - C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32

polonus

Hey Polonus,

Thanks for all that info. It seems like you’ve had quite the challenge to break through the infestation. I’m going to give it a shot when I get home.

But I gotta say, this worm definitely won a Race-to-Zero award.

transattic

Hi Polonus,

Unfortunately I could not find any signs of rodll.dll or rundll132.exe using the Search Companion tool (looking in My Computer and hidden folders/files).

I also checked the system and system32 folders via cmd prompt but don’t see those files. Nor do I see amvo0.dll, amvo.exe, wincab.sys, and nor do I see usdeiect.com, autorun.inf in C: or other drives.

Those registry values/keys do not exist. After getting into …\CurrentVersion\run, I do not see regro=%Windir%. The only folder I see is OptionalComponents. But I did look for the Run folder for rundll132.exe values/keys but found nothing.

I’ve tried to find Trojan-PSW.OnLineGames.bs using Search Companion tool but found nothing, also.

After reading the worm descriptions at the site you recommended, it is described as a polymorphic malware. So do you think this is the reason why I am not seeing anything?

What’s the next step?

transattic

Hi FreeWheelinFrank,

I scanned my sys in safe mode using Kaspersky (supposedly updated and signed Oct 5 2009), but found nothing interesting.

This worm is definitely AV proof. It needs to be manually removed…

transattic

Hey All,

I finally have some positive results, but nothing dramatic. After running the most updated version of Registry Mechanic, it repaired/replaced all the modified .dll’s resulting from the worm. Now at least, I can see the URL in the address bar after attempting to visit a website. And also, I can now see a default browser error page (usually appears when your internet is not connected).

Any other leads on this punk?

transattic

Hi!

I would follow each of these steps (if you have already done one you can skip it):

I recommend doing the following:

  1. Download and update Avast (http://files.avast.com/files/latest/avast_home_setup.exe)
  2. Download and update MBAM (http://www.malwarebytes.org/mbam-download.php)
  3. Disconnect your computer from the internet (ie. pull the cable out or turn the router off)
  4. Run a boot-time scan with Avast
  5. Do a full scan with MBAM
  6. Download and update SAS (http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe)
  7. Do a full scan with SAS
  8. Download CCleaner (http://www.ccleaner.com/download/builds/downloading-slim)
  9. Run Ccleaner
  10. Download HJT (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe)
  11. Run HJT and click ‘Do a scan and save a logfile’

Post the results from Avast, MBAM, SAS and HJT here. The friendly Avast Forum members will be able to help you further :slight_smile:

Good luck!

Avastfan1

Hi Avastfan1,

Thanks for providing a different set of instructions. I’ve followed every step and re-scanned using Avast, MBAM, and SuperAntispyware, while also producing HJT logs. See the downloads below.

Unfortunately, I didn’t have any results for any other Avast logs sections besides Errors and System Info. I can upload the System Info logs if you wish.

See anything interesting?

Anyone see anything suspicious in the logs I uploaded in the previous post?

I see:
O10 - Broken Internet access because of LSP provider ‘c:\windows\system32\ro.dll’ missing

How to fix a corrupt or deleted Winsock:

To resolve this issue, delete the corrupted registry keys, and then reinstall the TCP/IP protocol.

Step 1: Delete the corrupted registry keys

  1. Click Start, and then click Run.

  2. In the Open box, type regedit and then click OK.

  3. In Registry Editor, locate the following keys, right-click each key, and then click Delete:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

  4. When you are prompted to confirm the deletion, click Yes.

Note: Restart the computer after you delete the Winsock keys.

Doing so causes the Windows XP operating system to create new shell entries for those two keys.
If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.

Step 2: Install TCP/IP

  1. Right-click the network connection, and then click Properties.

  2. Click Install.

  3. Click Protocol, and then click Add.

  4. Click Have Disk.

  5. Type C:\Windows\inf and then click OK.

  6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.

  7. Restart the computer.

You cannot run avast! and AVG at the same time, so you will have to choose which antivirus application you want.
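The O10 line quoted above is how a broken LSP chain shows up in a HijackThis log. The following Python script, added here and not part of the thread or of any of the tools mentioned, performs the same check directly against the Winsock2 provider catalog: it reads each catalog entry's DLL path and reports entries whose DLL is no longer on disk. It assumes the PackedCatalogItem layout stated in its header comment; off Windows it runs only against the constructed sample, which includes an orphaned ro.dll entry like the one in this thread.

```python
# Added example (not the thread's own code): flag Winsock catalog entries whose provider
# DLL is missing, the condition behind HijackThis' "O10 - Broken Internet access because of
# LSP provider ... missing". Assumed layout: PackedCatalogItem starts with a null-padded
# MAX_PATH (260-byte) ANSI DLL path; the WSAPROTOCOL_INFO that follows is not parsed.
import os
import re

MAX_PATH = 260
CATALOG_KEY = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"

def provider_dll(blob):
    return blob[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")  # leading ANSI path

def find_missing_lsps(entries, env, exists):
    """Return 'entry -> dll' for each catalog entry whose provider DLL is not on disk."""
    env_ci = {k.lower(): v for k, v in env.items()}  # %SystemRoot% etc. are case-insensitive
    missing = []
    for entry, blob in sorted(entries.items()):
        dll = re.sub(r"%(\w+)%", lambda m: env_ci.get(m.group(1).lower(), m.group(0)),
                     provider_dll(blob))
        if not exists(dll):
            missing.append(f"{entry} -> {dll}")
    return missing

def scan_live_catalog():
    """Read the real catalog through winreg on Windows; returns [] on other platforms."""
    if os.name != "nt":
        return []
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                entries[name] = winreg.QueryValueEx(sub, "PackedCatalogItem")[0]
    return find_missing_lsps(entries, dict(os.environ), os.path.exists)

def packed(path):  # constructed PackedCatalogItem-style blob: padded path plus dummy tail
    return path.encode("latin-1").ljust(MAX_PATH, b"\x00") + b"\x00" * 16

# Constructed sample: two stock XP providers plus the orphaned ro.dll entry from the thread.
SAMPLE_ENTRIES = {"000000000001": packed(r"%SystemRoot%\system32\mswsock.dll"),
                  "000000000002": packed(r"%SystemRoot%\system32\rsvpsp.dll"),
                  "000000000003": packed(r"C:\WINDOWS\system32\ro.dll")}
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}
SAMPLE_FILES = {r"c:\windows\system32\mswsock.dll", r"c:\windows\system32\rsvpsp.dll"}

def demo():  # run the check against the constructed sample instead of the live registry
    return find_missing_lsps(SAMPLE_ENTRIES, SAMPLE_ENV, lambda p: p.lower() in SAMPLE_FILES)
```

Once an entry is confirmed orphaned, XP SP2 and later can rebuild the catalog with `netsh winsock reset` instead of the manual key deletion above; either way, reboot before reinstalling TCP/IP.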

AWESOME! It works! Thank you YoKenny. This totally hit the spot. And btw, I always only have 1 AV installed at a time.

Also, I would like to thank all the members which gave me a hand here at this thread:
YoKenny
Avastfan1
polonus
FreewheelinFrank
emantoyaks
mathboyx215

All of you contributed to this unexpected turn-around.

-Cheers-

transattic

@transattic

I fought that problem a lot when I was working and it was really nasty to figure out at first and the usual cure was a clean install of Windows.

There are some awesome people that visit here and contribute a bit of their experience helping avast! to be one of the best antivirus applications available.

avast! V5 is looking better as well.

Just for some info, these will steal any online gaming passwords. Better hope you don’t play any.

Good thing I don’t on that computer =)