One bugger of an infection, seems like rundll32.exe unfixable

I was googling for medical info to determine how long people (general people) can put off…er…unpleasant examinations. I ended up at

http://ezinearticles.com/?Prostate-Problems---Digital-Rectal-Examination&id=3696581

Suddenly, the virus warning bonged repeatedly and the task manager showed all sorts of randomly named processes with 2-letter names popping up. It took over a dozen tries to kill them all without new ones popping up immediately after each kill.

I ran full scans using MalwareBytes, SpybotS&D, and Avast. Loads of badware found. Spybot says it fixed a registry and some scheduled tasks. MalwareBytes said I had to reboot to complete the excision, but I held off until I scanned with all three. I suspect it was the right decision because I saw indication of things installed to run at startup. For example, after the scans, there were 4 similar attempts to modify the same registry:

BehaviourShield.txt
3/20/2011 2:07:26 AM Modification of: \REGISTRY\USER\S-1-5-21-1547161642-1284227242-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hqumozahuyu
By: C:\DOCUME~1\MyID\LOCALS~1\Temp\censwmroxa.tmp
Via: C:\WINDOWS\system32\rundll32.exe
→ Action allowed

Three of the modifications were seconds apart at 12:47am-12:48am. The last one was at 2:07am (above).

I looked at the rundll32.exe shown above – it was created Aug 4/2004 8:00:00am and modified April 13/2008 8:12:33pm. I initially decided not to worry about it. As described below, however, these dates are suspiciously the same as a likely malware file that I describe below.

I then looked in the above Temp directory and there was no censwmroxa.tmp file. Instead, I found:

DD.exe.manifest              428 3/20/2011 12:49:42 AM
DD.tmp                         0 3/20/2011 12:49:41 AM
D9.tmp                         0 3/20/2011 12:49:38 AM
D5.tmp                         0 3/20/2011 12:49:35 AM
D1.tmp                         0 3/20/2011 12:49:32 AM
CD.tmp                         0 3/20/2011 12:49:29 AM
C9.tmp                         0 3/20/2011 12:49:26 AM
C5.tmp                         0 3/20/2011 12:49:23 AM
C1.tmp                         0 3/20/2011 12:49:20 AM
BD.tmp                         0 3/20/2011 12:49:17 AM
B9.tmp                         0 3/20/2011 12:49:14 AM
B5.tmp                         0 3/20/2011 12:49:11 AM
B1.tmp                         0 3/20/2011 12:49:08 AM
AD.tmp                         0 3/20/2011 12:49:03 AM
A9.exe.manifest              428 3/20/2011 12:49:03 AM
AA.tmp                         0 3/20/2011 12:49:02 AM
A9.tmp                         0 3/20/2011 12:49:02 AM
9F.tmp                         0 3/20/2011 12:48:48 AM
9C.tmp                         0 3/20/2011 12:47:52 AM
Bd2.exe*                  362496 3/20/2011 12:47:29 AM
95.tmp                         0 3/20/2011 12:47:05 AM
Bd1.exe*                  362496 3/20/2011 12:46:59 AM
8C.tmp                         0 3/20/2011 12:46:59 AM
setup2471888616.exe.manifest 428 3/20/2011 12:46:51 AM
setup505220928.exe.manifest  428 3/20/2011 12:46:48 AM
setup1614868736.exe.manifest 428 3/20/2011 12:46:48 AM

The 2- and 3-letter filenames look a lot like the processes that had popped up in the task manager. The contents of all the *.exe.manifest files were the same – 1 line:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

I looked in the registry listed in BehaviourShield.txt, and sure enough there is an entry Hqumozahuyu set to:

rundll32.exe  "C:\Documents and Settings\MyID\Local Settings\Application Data\msoipshn.dll",Startup

This is after the scans by the three antimalware apps. What I found particularly suspicious is that msoipshn.dll file shown in the registry value has a creation date of Aug 4/2004 8:00:00am (identical to rundll32 above) and a modification date of April 13/2008 8:12:08pm (seconds apart from rundll32 above). I cannot delete msoipshn.dll – access is denied (“Make sure the disk is not full or write-protected and that the file is not currently in use”). I am the owner of the file, and according to the security properties, I have deletion rights (though I am quite unfamiliar with the security panel of the file properties). I ended up renaming it to tmp.msoipshn.dll.

As I type this, I got 2 Avast warnings of Explorer.exe attempting to access bad URLs. Not IE (which I don’t normally use), but Explorer. I find that disturbing.

I tried to erase the registry entry above, but it keeps coming back when I reopen regedit. If anyone can offer other suggestions, I’d appreciate it. In addition to the registry entry, I’m also concerned about getting rid of msoipshn.dll and whether rundll32.exe has been contaminated, since it has almost identical dates as msoipshn.dll.

Note that a re-scan with MalwareBytes shows the Hqumozahuyu registry entry, msoipshn.dll, and tmp.msoipshn.dll. An examination of an earlier scan right after the infection showed that these were successfully quarantined and deleted, so I’m not sure why they are still there (and undeletable). It is possible that rebooting will banish them, but I’m also worried that rebooting might cause them to run.

Based on the fact that SpybotS&D fixed some scheduled tasks, I looked and found /c/WINDOWS/Tasks to contain a whole bunch of jobs, including User_Feed_Synchronization-{LOTSA-ALPHANUMERIC-CHARACTERS}.job, dated March 20/2011 12:06am. The only jobs (I recognize them all except for User_Feed_Synchronization) are owned by a separate administrator account. Since the timestamp of User_Feed_Synchronization is about 40 minutes prior to the infection, I am assuming that it is nothing to be concerned about. I can’t actually examine it without logging out of the current account, something I’m hesitant to do without doing everything I can to ensure that the above malware doesn’t execute on startup.

Afternote: I couldn’t wait. I rebooted. msoipshn.dll is gone, but upon login, I got a warning box titled rundll saying that msoipshn could not be found. Is it possible that rundll was in fact modified to access msoipshn on startup? How can I determine how badly messed up it is?

Prior to reboot, Avast Network Shield was popping up warnings that Explorer.EXE was blocked from accessing <>.truminfi.com/get2.php?c=RORWXHDN&d=266… The “gibberish” looks something like 162067db0317. Since rebooting, I haven’t found a way to get at the details.

I see another posting on truminfi.com, http://forum.avast.com/index.php?topic=74242.0. I will try to get clues from there, but if anyone can provide more specific help based on the details above, thanks.
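The Temp listing and the process names described above suggest a check a responder can script rather than eyeball. The Python below is an added example, not code from this thread or from any of the scanners named in it. It parses listing lines in the format quoted above (a constructed excerpt of those lines plus one made-up benign file, ~DF1234.tmp) and looks for three things: a burst of zero-byte two-hex-character .tmp files created seconds apart, .exe.manifest files whose executable is no longer present, and executables of identical size. The 60-second gap and the four-file minimum are assumed thresholds.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: an excerpt of the Temp directory listing quoted in the post
# (name, size in bytes, date, time; a trailing '*' is cygwin's executable marker),
# plus one made-up benign file from the previous evening (~DF1234.tmp).
SAMPLE_LISTING = """\
DD.exe.manifest              428 3/20/2011 12:49:42 AM
DD.tmp                         0 3/20/2011 12:49:41 AM
D9.tmp                         0 3/20/2011 12:49:38 AM
D5.tmp                         0 3/20/2011 12:49:35 AM
A9.exe.manifest              428 3/20/2011 12:49:03 AM
AA.tmp                         0 3/20/2011 12:49:02 AM
A9.tmp                         0 3/20/2011 12:49:02 AM
9F.tmp                         0 3/20/2011 12:48:48 AM
9C.tmp                         0 3/20/2011 12:47:52 AM
Bd2.exe*                  362496 3/20/2011 12:47:29 AM
95.tmp                         0 3/20/2011 12:47:05 AM
Bd1.exe*                  362496 3/20/2011 12:46:59 AM
8C.tmp                         0 3/20/2011 12:46:59 AM
setup2471888616.exe.manifest 428 3/20/2011 12:46:51 AM
~DF1234.tmp                 4096 3/19/2011 09:15:02 PM
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)$"
)
# Two hex characters plus .tmp: the naming scheme of the zero-byte files in the
# listing, which matched the short-lived process names seen in Task Manager.
HEX_TMP_RE = re.compile(r"^[0-9A-Fa-f]{2}\.tmp$")


def parse_listing(text):
    """Turn listing lines into dicts with name, size and a datetime timestamp."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a file line
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        entries.append({"name": m["name"].rstrip("*"), "size": int(m["size"]), "ts": ts})
    return entries


def find_tmp_bursts(entries, max_gap=timedelta(seconds=60), min_files=4):
    """Group zero-byte two-hex-character .tmp files whose timestamps are at most
    max_gap apart; a cluster of min_files or more is treated as one dropper run."""
    candidates = sorted(
        (e for e in entries if e["size"] == 0 and HEX_TMP_RE.match(e["name"])),
        key=lambda e: e["ts"],
    )
    bursts, current = [], []
    for e in candidates:
        if current and e["ts"] - current[-1]["ts"] > max_gap:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def orphan_manifests(entries):
    """Manifests whose executable is not in the listing: the .exe ran and was
    removed, or never existed under that name."""
    names = {e["name"] for e in entries}
    return sorted(
        e["name"] for e in entries
        if e["name"].endswith(".exe.manifest") and e["name"][: -len(".manifest")] not in names
    )


def same_size_executables(entries):
    """Executables that share an exact byte size, typically copies of one payload."""
    by_size = {}
    for e in entries:
        if e["name"].lower().endswith(".exe"):
            by_size.setdefault(e["size"], []).append(e["name"])
    return {size: sorted(names) for size, names in by_size.items() if len(names) > 1}


def triage(text):
    """Run the three checks over a listing and summarise the findings."""
    entries = parse_listing(text)
    bursts = find_tmp_bursts(entries)
    return {
        "entries": len(entries),
        "bursts": [(b[0]["ts"], b[-1]["ts"], len(b)) for b in bursts],
        "orphan_manifests": orphan_manifests(entries),
        "same_size_executables": same_size_executables(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On the sample above the script reports one burst of nine files between 12:46:59 and 12:49:41, three orphan manifests, and the pair Bd1.exe/Bd2.exe at 362496 bytes; the benign file from the previous evening is not flagged by any check.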

Hi, follow the directions for running an OTS scan from that thread and post it here, please.

Here it is. I’ve anonymized the user name and computer name. Thanks.

You appear to have got the majority of it - I will clear all temp folders and a few stray entries. What problems do you have at the moment?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "CY_BG" -> [C:\WINDOWS\bp_bg.exe]
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1547161642-1284227242-839522115-1006\] > -> HKEY_USERS\S-1-5-21-1547161642-1284227242-839522115-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Reg Error: Key error.]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Will do. I was wondering, though, if you could briefly give me a rundown on what the code does? It would be very reassuring if I could understand before applying it. Thanks if you could.

About what symptoms I now see, none so far. The Temp directory is still filled with the files I listed in my original post, but I will erase them. I rebooted and didn’t get the rundll warning about the inability to access msoipshn.dll. So far, no Network Shield popup warnings about <>.truminfi.com.

However, I am wondering what to make of the fact that rundll32.exe was timestamped virtually identically to msoipshn.dll. Perhaps that’s a ruse, i.e. maybe msoipshn.dll was given fake timestamps corresponding to rundll32.exe. I wonder if faking a file timestamp is possible in Windows XP.

As well, the User_Feed_Synchronization is a source of confusion for me. I’ve never seen that before. Then again, I’ve never looked at the task folder using the command line before (cygwin command line), so maybe it’s always been there. I logged in using an administrator account to look at the scheduled tasks – I saw all the ones I created, but no User_Feed_Synchronization (outside of using the command line to see it, that is). Web searching reveals that it is for RSS feeds, but I’ve never subscribed to such feeds before.

Afternote
Well, I couldn’t wait…the suspense. I applied the fix. A popup said I had to reboot, and there was no option to decline. After the reboot, there was no notepad file showing what changes were applied. There is no such file on the desktop, where OTS ran from. Is the file of interest saved by default somewhere?

P.S. I’m still reflecting on what a toll malware has. Half the weekend blown away…all those to-do’s… Glad you guys are here to help.

The run key is for a USB device, but it is in the wrong folder; this makes it highly suspect, as it should be in system32 if legitimate.

The ActiveX files are just redundant ones.

The remainder is to flush fully all temporary files and create a restore point

User_Feed_Synchronization is part of the RSS feed synchroniser.

However, I am wondering what to make of the fact that rundll32.exe was timestamped virtually identically to msoipshn.dll. Perhaps that's a ruse ie. maybe msoipshn.dll was given fake timestamps corresponding to rundll32.exe. I wonder if faking a file timestamp is possible in Windows XP.
The time stamp here is normal
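The rule applied above to CY_BG (an executable sitting directly under the Windows folder rather than in system32) and, earlier in the thread, to the Hqumozahuyu value (rundll32.exe loading a DLL from under Local Settings) can be written down as a small triage script. The Python below is an added example, not part of the thread or of OTS. The Run values are a constructed sample (the three discussed in this thread plus a made-up benign TrayHelper entry), %systemroot% is assumed to expand to C:\WINDOWS, and the severity labels are assumptions. It splits each value into image and arguments (quoted image or first token; for rundll32, the DLL before the comma and the export name after it) and rates it by where the referenced file lives.

```python
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed value of %systemroot% (the XP default)

# Constructed sample of Run values. The first three are the values discussed in
# this thread; TrayHelper is a made-up benign entry for contrast.
SAMPLE_RUN_VALUES = {
    "Hqumozahuyu": r'rundll32.exe  "C:\Documents and Settings\MyID\Local Settings\Application Data\msoipshn.dll",Startup',
    "CY_BG": r"C:\WINDOWS\bp_bg.exe",
    "KernelFaultCheck": r"%systemroot%\system32\dumprep 0 -k",
    "TrayHelper": r'"C:\Program Files\ExampleVendor\tray.exe" /background',
}


def expand_vars(command):
    """Expand the one environment variable these values commonly use."""
    return re.sub(r"%systemroot%", lambda m: SYSTEM_ROOT, command, flags=re.IGNORECASE)


def split_command(command):
    """Return (image, arguments): the image is the quoted first token if the value
    starts with a quote, otherwise the first whitespace-separated token."""
    command = expand_vars(command).strip()
    if command.startswith('"'):
        end = command.index('"', 1)
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_target(arguments):
    """rundll32 takes '<dll>,<export> [args]'; the DLL path may be quoted."""
    arguments = arguments.strip()
    if arguments.startswith('"'):
        end = arguments.index('"', 1)
        dll, tail = arguments[1:end], arguments[end + 1:]
    else:
        dll, sep, tail = arguments.partition(",")
        tail = sep + tail
    tail = tail.lstrip(",").strip()
    export = tail.split()[0] if tail else ""
    return dll, export


def location_class(path):
    """Coarse classification of where a referenced file lives."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return "unqualified"  # bare name, resolved through the PATH search order
    # profile and temp folders are writable by the logged-in user
    if "\\documents and settings\\" in p or "\\users\\" in p or "\\temp\\" in p:
        return "user_writable"
    root = SYSTEM_ROOT.lower()
    if p.startswith(root + "\\system32\\"):
        return "system32"
    if p.startswith(root + "\\"):
        return "windows_root"
    if "\\program files" in p:
        return "program_files"
    return "other"


def triage_run_value(name, command):
    """Return (name, severity, reason) for one Run value."""
    image, arguments = split_command(command)
    base = image.rsplit("\\", 1)[-1].lower()
    if base == "rundll32.exe":
        dll, export = rundll32_target(arguments)
        loc = location_class(dll)
        if loc in ("user_writable", "other"):
            severity = "high"
        elif loc == "unqualified":
            severity = "medium"
        else:
            severity = "info"
        return name, severity, f"rundll32 loads {dll} ({loc}), export {export or '<none>'}"
    loc = location_class(image)
    if loc == "user_writable":
        return name, "high", f"executable started from a user-writable location: {image}"
    if loc in ("windows_root", "unqualified", "other"):
        return name, "medium", f"{image} is in {loc}; OS components normally live in system32"
    return name, "low", f"{image} is in {loc}"


RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def triage_run_key(values):
    """Triage every value of a Run key, most suspicious first."""
    results = [triage_run_value(n, c) for n, c in values.items()]
    return sorted(results, key=lambda r: (RANK[r[1]], r[0]))


if __name__ == "__main__":
    for name, severity, reason in triage_run_key(SAMPLE_RUN_VALUES):
        print(f"{severity:6} {name:18} {reason}")
```

Location is only the first filter: on a live system the next steps are to confirm the referenced file exists on disk, hash it, and check its publisher signature, none of which this offline example does.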

OK. That explanation went over my head, so I’m not going to worry about it. Thanks, though.

Since I was unable to get the log of fixes, I tried to open OTS again and reapply your changes. Well I didn’t have to. It immediately opened the log file, which I’ve attached (again, nonstandard account names and domains anonymized, but the account in question is still “UserName”). I noted that some registry deletions failed, so deletions were scheduled during reboot. If happened as scheduled, they should be gone. So I’m going to reapply your changes to see if those messages still come up.

About User_Feed_Synchronization, is it normal for that to exist on a computer that has never been used to subscribe to RSS feeds?

As well, I mentioned that msoipshn.dll had file timestamps that were virtually identical to Rundll32.exe. I understand your answer that the timestamp is normal, and I’m assuming that you meant normal for Rundll32.exe. What I was wondering, though, was whether Windows XP would allow a malicious installer to give msoipshn.dll the same timestamps. For all I know, it could be trivial to fake file timestamps, but file management under the hood is not something that I have any insight into.

Windows bases the time stamp on the last modification date, even for malware; it is equal opportunities ;D

Again, removing entries on reboot is normal, but they should be gone.

Total temp files cleaned 136.00 mb

OK, sounds like it’s actually hard to fake file timestamps. It’s quite the coincidence, though, that both the file creation and modification dates match (rundll32.exe and msoipshn.dll).

I re-ran your fixes, and some of the registry deletion failures seem to persist. I’m not too concerned about the “not found” or “unable to locate” ones, since that probably means deletion was successful. However, lines 3, 5, and 8 show persistent deletion failures. What do you think?

Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
This is why the registry key is not being deleted

The other keys are purely cosmetic tidy up

Run me a fresh OTS scan please; no custom scan required this time.

I was a bit confused by your description of custom scan. There is a region of the OTS GUI called “Custom Scans”, but that area is blank. I suspect that you might mean to not worry about:

• Select All Users
• Under additional scans select the following
→ Reg - Disabled MS Config Items
→ Reg - Drivers32
→ Reg - NetSvcs
→ Reg - SafeBoot Minimal
→ Reg - Shell Spawning
→ Evnt - EventViewer Logs (Last 10 Errors)
→ File - Lop Check

However, I’m not sure, so I did a scan with these selected (log attached). Please let me know if that is OK.

You mentioned that the absence of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce is why the registry keys are not being deleted. Perhaps I’m not fully understanding, but RunOnce is not in the same part of the tree as the registry entries listed on lines 3, 5, and 8 of the log file. Again, my insight into the registry is limited, but it seems to me that the absence of RunOnce should not prevent the successful deletion of those 3 registry entries. I used regedit to browse to the 3 registry entries, and they do in fact exist. Am I missing something?

OTS was looking to make an entry in the run once key but could not find it - the run once key is used so that all references to OTS are removed on reboot. As the name suggests, the key is used for programmes that only want to run one time - the file has gone though.

Here is the key in my registry

Essexboy,

I apologize if I misunderstand you here. I realize that RunOnce can’t be located. However, the three errors on line 3, 5, and 8 of the fix log seem to be outside of that part of the registry tree:

  • Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CY_BG scheduled to be deleted on reboot.
  • Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck scheduled to be deleted on reboot.
  • Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ .

Those entries exist. I just didn’t see how the absence of RunOnce is related to those entries. If they are inconsequential, I won’t worry about them. Hopefully, that means I’m in the clear?

They are just so much baggage now and of no consequence. OTS will not create a registry key unless I tell it to, but it does need to use the run once key to delete those entries; no run once key and it can’t do it … But you can delete them yourself if you wish.

If they’re inconsequential, I’d rather not mess with the registry. Thanks for explaining them.

I guess I’m in the clear. Thanks for your help.

Out of curiosity, does the nature of this infection get written up and summarized somewhere? It’d be interesting to know what all that malware did. It seemed like an all-out campaign rather than a single infection.

There is no write-up that will cover all variants, as they change too rapidly … But there is a write-up on the changes made by the malware, by variant, here: http://www.geekstogo.com/forum/forum/121-malware-removal-guides-and-tutorials/ . All the threads by Metallica are from the MBAM analysis.

Hmm, OK. Thanks…er…how do I determine the “variant” to look up?

Unfortunately they change daily - so it really is a matter of seeing which one came closest to what you had

'kay. Thanks.