Hi, I’ve recently run into a nasty little trojan that isn’t being picked up by Avast (Or NOD32 or AVG or any of the various spyware scanners, i.e. Ad-Aware). Hijackthis isn’t showing anything terribly useful, either. I’m wondering what the general procedures are for dealing with something like this.
Currently, the trojan is in the form of four DLLs in the system32 folder, the names are gibberish. It seems to be one ‘parent’ DLL, which is loaded into explorer.exe, WINLOGON.EXE, and one other random process at start up and then loads the other three DLLs. The three DLLs also periodically rename themselves (they don’t copy themselves, they only change their names), but the parent doesn’t, probably for obvious reasons. As far as I can tell, they only cause random pop-ups, they aren’t opening any visible connections or anything.
I’m able to disable them by manually killing the threads the parent is running in, then killing the child threads. Unfortunately, I’m still unable to delete the DLLs themselves, it gives me an Access Denied message. That would lead me to believe they’re still running somewhere, but I’m relatively sure they aren’t; if they are, I’m not sure where else to look. I also have full permissions to the files.
The best solution I can come up with would be deleting them from the Windows Recovery Console, but unfortunately I can’t run it because the Windows XP CD doesn’t seem to think I have a hard drive. Any ideas?
Before deleting, send the samples to avast for analysis and inclusion in the VPS to improve detections for all avast users. The files might be in use and as such protected by Windows; the location system32 could also be a factor.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. Send it from the User Files section of the chest (select the file, right click, email to Alwil Software).
This process has been modified in the latest version to make it easier, it doesn’t actually get emailed, but transferred when the next avast auto (or manual) update is done.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Random file names are often associated with Vundo/Virtumondo, etc.; these tools may detect more.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
MalwareBytes Anti-Malware identifies it as Virtumondo/Vundo, but is unable to remove it.
SUPERantispyware identifies it as Virtumundo/Vundo and removes it with a restart, but it recreates itself, so it’s no good.
I’ve tried removing it three times, and each time it creates/attaches a different number of DLLs to explorer.exe and other random processes. It also identifies as either Virtumundo or Vundo each time it reappears (it’s not always coming up as just Virtumundo or just Vundo).
At the moment, there’s only one DLL, and it’s only attached to explorer.exe, so it’s not causing a problem.
I had the links for the other DLLs in a text document, but unfortunately I hit Enter just as a restart dialog popped up and lost them. I’ve gotten anywhere from 5-9 matches for each file, but never the same matches for any two.
Did you a) do a boot-time scan with avast first b) run SAS and MBAM from safe mode, where they are more efficient?
At the moment, there's only one DLL, and it's only attached to explorer.exe, so it's not causing a problem.
This is possibly the biggest underestimate of a problem I have seen. Windows explorer is deeply embedded into the OS so has a lot of power, you just don’t know what is going on under the scenes (like the duck, serene above the water and paddling like crazy under the water).
Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.
These may or may not come with a rootkit to hide elements that do the restoration.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:02 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
You don’t appear to have a firewall that provides outbound protection, what is your firewall?
You have lots of remnants of Symantec/Norton on your system.
This could cause clashes and actually lower your protection levels, so what did you have on your system?
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs: Removing your Norton program using SymNRT
WinXP SP2 is also out of date, SP3 has been out about 6 months, so when this is sorted you should update to SP3.
Your JAVA is way out of date (latest is jre 6 update 11) and vulnerable, especially to this.
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 11 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html
Are these something that you set up?
O1 - Hosts: 208.69.57.87 game01.us.segaonline.jp
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Larry Dauphinee\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/cfweb_activex.camfrogweb.com-advanced_instmodule.exe
FIX:
O2 - BHO: (no name) - {90AB9B4E-D061-4357-9725-E69790EAF804} - C:\WINDOWS\system32\khfdeDvv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) - If you no longer use McAfee virus scan
O4 - HKLM..\Run: [dcec825d] rundll32.exe "C:\WINDOWS\system32\ctkoqott.dll",b
O20 - AppInit_DLLs: zongqv.dll
Viewpoint software is considered adware by many
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
That should be enough to be getting on with, it is almost 1 a.m. here so I shall be calling it a night soon.
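As an added example (not code from this thread, from avast or from HijackThis), a small Python triage helper that reads HJT lines like the ones quoted above and flags the patterns discussed in this post: orphaned "(file missing)" entries, unknown Winsock LSPs, Run keys that load a DLL through rundll32, the AppInit_DLLs injection point, and random-looking file names. The lines in SAMPLE_LOG are constructed from the entries above, and the vowel-ratio heuristic for gibberish names is my own assumption, not something HJT does.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the HijackThis lines quoted in this thread (not a real log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {90AB9B4E-D061-4357-9725-E69790EAF804} - C:\WINDOWS\system32\khfdeDvv.dll (file missing)
O4 - HKLM\..\Run: [dcec825d] rundll32.exe "C:\WINDOWS\system32\ctkoqott.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O20 - AppInit_DLLs: zongqv.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_random(stem):
    """Gibberish names (khfdeDvv, prxernsp) have very few vowels.  Assumed heuristic,
    triage hint only: some legitimate names (svchost) trip it, so never delete on it alone."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) <= 0.25


def triage_line(line):
    """Return (section, target, reasons) for a suspicious HJT line, else None."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if section == "O20" and "AppInit_DLLs:" in body:
        # AppInit_DLLs is loaded into every process that links user32.dll, which fits
        # the "one DLL inside explorer.exe and WINLOGON.EXE" symptom described above.
        target = body.split("AppInit_DLLs:", 1)[1].strip()
        if not target:            # an empty AppInit_DLLs value is the normal state
            return None
        reasons.append("AppInit_DLLs injection point")
    else:
        paths = PATH_RE.findall(body)
        if not paths:
            return None
        target = paths[-1]        # last path on the line is the file being launched/loaded
    if "(file missing)" in body:
        reasons.append("orphaned entry (file missing)")
    if section == "O10":
        reasons.append("unknown Winsock LSP, Winsock traffic passes through it")
    if section == "O4" and "rundll32.exe" in body.lower() and target.lower().endswith(".dll"):
        reasons.append("Run key loads a DLL through rundll32")
    if looks_random(PureWindowsPath(target).stem):
        reasons.append("random-looking file name")
    return (section, target, reasons) if reasons else None


def triage_log(text):
    """Apply triage_line to every line of a log; returns only the flagged entries."""
    return [hit for hit in map(triage_line, text.splitlines()) if hit]
```

Run on SAMPLE_LOG it flags the O2, O4 (ctkoqott), O10 and O20 entries and leaves the Java updater and the Viewpoint service alone; the Viewpoint adware question is a judgement call the script does not make.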