I was googling for medical info to determine how long people (general people) can put off…er…unpleasant examinations. I ended up at
http://ezinearticles.com/?Prostate-Problems---Digital-Rectal-Examination&id=3696581
Suddenly, the virus warning bonged repeatedly and the task manager showed all sorts of randomly named processes with 2-letter names popping up. It took over a dozen tries to kill them all without new ones popping up immediately after each kill.
I ran full scans using MalwareBytes, SpybotS&D, and Avast. Loads of badware found. Spybot says it fixed a registry and some scheduled tasks. MalwareBytes said I had to reboot to complete the excision, but I held off until I scanned with all three. I suspect it was the right decision because I saw indication of things installed to run at startup. For example, after the scans, there were 4 similar attempts to modify the same registry:
BehaviourShield.txt
3/20/2011 2:07:26 AM Modification of: \REGISTRY\USER\S-1-5-21-1547161642-1284227242-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hqumozahuyu
By: C:\DOCUME~1\MyID\LOCALS~1\Temp\censwmroxa.tmp
Via: C:\WINDOWS\system32\rundll32.exe
→ Action allowed
Three of the modifications were seconds apart at 12:47am-12:48am. The last one was at 2:07am (above).
I looked at the rundll32.exe shown above – it was created Aug 4/2004 8:00:00am and modified April 13/2008 8:12:33pm. I initially decided not to worry about it. As described below, however, these dates are suspiciously the same as a likely malware file that I describe below.
I then looked in the above Temp directory and there was no censwmroxa.tmp file. Instead, I found:
DD.exe.manifest 428 3/20/2011 12:49:42 AM
DD.tmp 0 3/20/2011 12:49:41 AM
D9.tmp 0 3/20/2011 12:49:38 AM
D5.tmp 0 3/20/2011 12:49:35 AM
D1.tmp 0 3/20/2011 12:49:32 AM
CD.tmp 0 3/20/2011 12:49:29 AM
C9.tmp 0 3/20/2011 12:49:26 AM
C5.tmp 0 3/20/2011 12:49:23 AM
C1.tmp 0 3/20/2011 12:49:20 AM
BD.tmp 0 3/20/2011 12:49:17 AM
B9.tmp 0 3/20/2011 12:49:14 AM
B5.tmp 0 3/20/2011 12:49:11 AM
B1.tmp 0 3/20/2011 12:49:08 AM
AD.tmp 0 3/20/2011 12:49:03 AM
A9.exe.manifest 428 3/20/2011 12:49:03 AM
AA.tmp 0 3/20/2011 12:49:02 AM
A9.tmp 0 3/20/2011 12:49:02 AM
9F.tmp 0 3/20/2011 12:48:48 AM
9C.tmp 0 3/20/2011 12:47:52 AM
Bd2.exe* 362496 3/20/2011 12:47:29 AM
95.tmp 0 3/20/2011 12:47:05 AM
Bd1.exe* 362496 3/20/2011 12:46:59 AM
8C.tmp 0 3/20/2011 12:46:59 AM
setup2471888616.exe.manifest 428 3/20/2011 12:46:51 AM
setup505220928.exe.manifest 428 3/20/2011 12:46:48 AM
setup1614868736.exe.manifest 428 3/20/2011 12:46:48 AM
The 2- and 3-letter filenames look a lot like the processes that had popped up in the task manager. The contents of all the *.exe.manifest files were the same – 1 line:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
I looked in the registry listed in BehaviourShield.txt, and sure enough there is an entry Hqumozahuyu set to:
rundll32.exe "C:\Documents and Settings\MyID\Local Settings\Application Data\msoipshn.dll",Startup
This is after the scans by the three antimalware apps. What I found particularly suspicious is that msoipshn.dll file shown in the registry value has a creation date of Aug 4/2004 8:00:00am (identical to rundll32 above) and a modification date of April 13/2008 8:12:08pm (seconds apart from rundll32 above). I cannot delete msoipshn.dll – access is denied (“Make sure the disk is not full or write-protected and that the file is not currently in use”). I am the owner of the file, and according to the security properties, I have deletion rights (though I am quite unfamiliar with the security panel of the file properties). I ended up renaming it to tmp.msoipshn.dll.
As I type this, I got 2 Avast warnings of Explorer.exe attempting to access bad URLs. Not IE (which I don’t normally use), but Explorer. I find that disturbing.
I tried to erase the registry entry above, but it keeps coming back when I reopen regedit. If anyone can offer other suggestions, I’d appreciate it. In addition to the registry entry, I’m also concerned about getting rid of msoipshn.dll and whether rundll32.exe has been contaminated, since it has almost identical dates as msoipshn.dll.
Note that a re-scan with MalwareBytes shows both the Hqumozahuyu registry entry, msoipshn.dll, and tmp.msoipshn.dll. An examination of an earlier scan right after the infection showed that these were successfully quarantined and deleted, so I’m not sure why they are still there (and undeletable). It is possible that rebooting will banish them, but I’m also worried that rebooting might cause them to run.
Based on the fact that SpybotS&D fixed some scheduled tasks, I looked and found /c/WINDOWS/Tasks to contain a whole bunch of jobs, including User_Feed_Syncrhonization-{LOTSA-ALPHANUMERIC-CHARACTERS}.job, dated March 20/2011 12:06am. The only jobs (I recognize them all except for User_Feed_Syncrhonization) are owned by a separate administrator account. Since the timestamp of User_Feed_Syncrhonization is about 40 minutes prior to the infection, I am assuming that it is nothing to be concerned about. I can’t actually examine it without logging out of the current account, something I’m hesitant to do without doing everything I can to ensure that the above malware doesn’t execute on startup.
Afternote: I couldn’t wait. I rebooted. msoipshn.dll is gone, but upon login, I got a warning box titled rundll saying that msoipshn could not be found. Is it possible that rundll was in fact modified to access msoipshn on startup? How can I determine how badly messed up it is?
Prior to reboot, Avast Network Shield was popping up warnings that Explorer.EXE was blocked from accessing <>.truminfi.com/get2.php?c=RORWXHDN&d=266… The “gibberish” looks something like 162067db0317. Since rebooting, I haven’t found a way to get at the details.
I see another posting on truminfi.com, http://forum.avast.com/index.php?topic=74242.0. I will try to get clues from there, but if anyone can provide more specific help based on the details above, thanks.
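Added example, not code from the post or from Avast: a small Python parser for the BehaviourShield.txt record layout quoted above, which flags Run-key writes made from a user-writable directory, by a .tmp file, or through rundll32.exe. The log text is constructed; the SID digits and the second, benign record are placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the BehaviourShield.txt layout quoted in the post; SID digits and the benign second record are placeholders.
SAMPLE_LOG = """\
3/20/2011 2:07:26 AM Modification of: \\REGISTRY\\USER\\S-1-5-21-0-0-0-1006\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Hqumozahuyu
By: C:\\DOCUME~1\\MyID\\LOCALS~1\\Temp\\censwmroxa.tmp
Via: C:\\WINDOWS\\system32\\rundll32.exe
→ Action allowed
3/20/2011 9:15:02 AM Modification of: \\REGISTRY\\USER\\S-1-5-21-0-0-0-1006\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater
By: C:\\Program Files\\ExampleVendor\\updater.exe
Via: C:\\Program Files\\ExampleVendor\\updater.exe
→ Action allowed
"""

HEADER = re.compile(r"^(\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M) Modification of: (.+)$")
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Locations an unprivileged process can write to; a Run value written from there (or by a .tmp file) is the pattern in the post's log.
USER_WRITABLE = re.compile(r"\\Temp\\|\\LOCALS~1\\|\\Local Settings\\|\\AppData\\", re.IGNORECASE)

def parse_events(text):
    """Group each dated 'Modification of:' line with its By:/Via: lines."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
                   "key": m.group(2), "by": "", "via": ""}
            events.append(cur)
        elif cur and line.startswith("By: "):
            cur["by"] = line[4:]
        elif cur and line.startswith("Via: "):
            cur["via"] = line[5:]
    return events

def flag_autorun_writes(events):
    """Return (value name, reasons) for autorun-key writes that look like malware persistence."""
    flagged = []
    for e in events:
        if not AUTORUN_KEY.search(e["key"]):
            continue
        reasons = [why for cond, why in (
            (USER_WRITABLE.search(e["by"]), "writer lives in a user-writable directory"),
            (e["by"].lower().endswith(".tmp"), "writer is a .tmp file"),
            (e["via"].lower().endswith("rundll32.exe"), "write proxied through rundll32.exe"),
        ) if cond]
        if reasons:
            flagged.append((e["key"].rsplit("\\", 1)[-1], reasons))
    return flagged
```

Run it over a real BehaviourShield.txt by passing the file's contents to parse_events; a Run value that comes back with all three reasons is the same shape as the Hqumozahuyu entry in the post.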