For the past 2 weeks, I’ve been battling this far advanced malware. It was attached in a phishy email, whereas the package was actually downloaded and exec’d from a Yahoo account. The email was completely deleted (gone from trash), so I cannot provide an .exe name.
System at Instance of Infection:
Windows XP Pro, Service Pack 3, usually up-to-date
P4 2.4ghz, 1.5GB
AVGfree updated
Spybot Search & Destroy
Spyware Blaster
Symptoms:
Immediately, screen was flashing (white, or could just be windows glitching)
Later, AVG detected a malware (most likely while digging through FF temp folder)
Every 5-15 mins, AVG would re-list that same malware as detected, even after system restart
Observations:
No browser connectivity: when opening FF, no URL shows up in the address bar. When typing in an address and hitting Enter, the URL disappears. No status information appears in the bottom-left corner.
Cannot access anything via the internet, even though the LAN adapter has the same IP and is connected to the router. When installing Avast!, it could not complete due to no connectivity. Cannot Putty. Cannot update software.
Can PING google.com and the router, but I get weird characters in the brackets as follows: “Pinging google.com [°ÿ] with 32 bytes of data: … Reply from 74.125.127.100: bytes=32 time=35ms TTL=54…” and “Pinging °ÿ with 32 bytes of data: … Reply from 192.168.1.10: bytes=32 time<1ms TTL=150”
Can RDP into this machine from my own machine.
CPU usage rate: minimal. No unusual Processes.
Memory usage: nothing more than FF.
Network usage: close to 0%, but rate rises to 1 pixel higher when running PING
Checked “hosts” file for odd entries; cannot access as admin, even in safe mode; seems to be under control.
Diagnostics:
Installed Avast offline version in safe mode, and installed latest VPSupdate; ran boot-time scan, found nothing.
Ran drWebCureIt; found nothing.
Installed MalwareByte’s Anti-Malware; found nothing.
Cannot install Spyware Terminator; stalls at “Downloading:…”
Installed SUPERAntiSpyware; found nothing, except some bad cookies.
Ran Avast AntiRootKit; found nothing.
Ran TrendMicro RootKitBuster; found nothing.
Tried System Restore back to 3-6 weeks; failed every time.
mathboyx215: I had to reinstall AVG to find the name… Trojan horse PSW.OnlineGames3.PDX (located at C:\WINDOWS\system32\ro.dll). The warning seemed to pop-up anything FF/IE was trying to be accessed by the user. It was first detected 9/28/09. I hope this helps!
emantoyaks: Thanks for the advice, but I’ve actually already tried scanning with that program. But nothing found. (Same version too!)
Download, install and update the program.
Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.
Unfortunately I could not find any signs of rodll.dll or rundll123.exe using the search companion tool (looking in my computer and hidden folders/files).
I also checked the system and system32 folders via cmd prompt but don’t see those files, nor do I see amvo0.dll, amvo.exe, or wincab.sys, and nor do I see usdeiect.com or autorun.inf in C: or other drives.
Those registry values/keys do not exist. After getting into …\CurrentVersion\run, I do not see regro=%Windir%. The only folder I see is OptionalComponents. But I did look for the Run folder for rundll132.exe values/keys but found nothing.
I’ve tried to find Trojan-PSW.OnLineGames.bs using Search Companion tool but found nothing, also.
After reading the worm descriptions at the site you recommended, it is described as a polymorphic malware. So do you think this is the reason why I am not seeing anything?
I finally have some positive results, but nothing dramatic. After running the most updated version of Registry Mechanic, it repaired/replaced all the modified .dll’s resulting from the worm. Now at least, I can see the URL in the address bar after attempting to visit a website. And also, I can now see a default browser error page (usually appears when your internet is not connected).
Thanks for providing a different set of instructions. I’ve followed every step and re-scanned using Avast, MBAM, and SuperAntispyware, while also producing HJT logs. See the downloads below.
Unfortunately, I didn’t have any results for any other Avast logs sections besides Errors and System Info. I can upload the System Info logs if you wish.
When you are prompted to confirm the deletion, click Yes.
Note: Restart the computer after you delete the Winsock keys.
Doing so causes the Windows XP operating system to create new shell entries for those two keys.
If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.
Step 2: Install TCP/IP
Right-click the network connection, and then click Properties.
Click Install.
Click Protocol, and then click Add.
Click Have Disk.
Type C:\Windows\inf, and then click OK.
On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.
Restart the computer.
You cannot run avast! and AVG at the same time, so you will have to choose which antivirus application you want.
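As an added example (not from YoKenny’s post or any other participant in this thread), the same Winsock repair done from a cmd prompt as a batch file. It exports the two Winsock registry keys that the manual procedure deletes (HKLM\SYSTEM\CurrentControlSet\Services\Winsock and Winsock2) so the change can be undone with reg import, records the Winsock catalog for a before/after comparison, and then rebuilds the catalog with netsh winsock reset, which is the supported command-line equivalent of deleting the keys on XP SP2 and later. The backup folder name is an assumption; the machine in the thread is XP SP3, so netsh winsock is available.

```batch
@echo off
REM Added example, not from the thread: back up, record and rebuild the
REM Windows XP Winsock catalog from an administrator cmd prompt.
REM Assumes XP SP2 or later (netsh winsock exists). Reboot afterwards, then
REM do Step 2 (reinstall TCP/IP) if name resolution is still broken.

set BACKUP=%SystemDrive%\winsock-backup
if not exist "%BACKUP%" mkdir "%BACKUP%"

REM 1. Export the two keys the manual procedure deletes, so a mistake can be
REM    undone with:  reg import "%BACKUP%\Winsock2.reg"
if exist "%BACKUP%\Winsock.reg"  del "%BACKUP%\Winsock.reg"
if exist "%BACKUP%\Winsock2.reg" del "%BACKUP%\Winsock2.reg"
reg export HKLM\SYSTEM\CurrentControlSet\Services\Winsock  "%BACKUP%\Winsock.reg"
reg export HKLM\SYSTEM\CurrentControlSet\Services\Winsock2 "%BACKUP%\Winsock2.reg"

REM 2. Record the current catalog. Every Layered Service Provider is listed
REM    here with its DLL path; an entry pointing at an unknown DLL in
REM    system32 is worth keeping as evidence before it is removed.
netsh winsock show catalog > "%BACKUP%\catalog-before.txt"

REM 3. Rebuild the catalog. This is what deleting the Winsock and Winsock2
REM    keys and rebooting achieves by hand, done in one supported step.
netsh winsock reset

REM 4. Also reset the TCP/IP stack configuration (log file name required on XP).
netsh int ip reset "%BACKUP%\ip-reset.log"

echo Done. Restart the computer, then run:
echo   netsh winsock show catalog
echo and compare it with "%BACKUP%\catalog-before.txt".
```

The before/after catalog comparison is the check worth doing: the reset only takes effect after the reboot, and a provider DLL that reappears in the new catalog means something on the machine is re-registering it and the cleanup is not finished.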
AWESOME! It works! Thank you YoKenny. This totally hit the spot. And btw, I always only have 1 AV installed at a time.
Also, I would like to thank all the members who gave me a hand here in this thread:
YoKenny
Avastfan1
polonus
FreewheelinFrank
emantoyaks
mathboyx215
All of you contributed to this unexpected turn-around.
I fought that problem a lot when I was working, and it was really nasty to figure out at first; the usual cure was a clean install of Windows.
There are some awesome people that visit here and contribute a bit of their experience, helping avast! to be one of the best antivirus applications available.