Virus got past all avast! scanners :-(

Here is a report on a virus that got into my system past ALL avast!
protection (web, network, on-access). I find this VERY disturbing :frowning:

I hope you can use the files (I made a copy of them before cleaning) to
add check for this (the file names change so check the content of them)

It’s very hard to remove, so it should not be allowed to hook on at all!

Smitfraud becomes installed on the infected computer by an adware program,
detected as CWS.EXE. Sadly I have no image of that program to send you,
but I have sent you samples of the other files that infiltrate the PC…

avast! on-access (web, network, on-access) initial messages (that made me check further):

Warned about virus/spyware trying to access the net, but said my system was safe (that it had blocked the virus).
But did NOT notice that the virus had hooked up to the system “Winlogon” and auto-start. See Spybot S&D report.

Spybot S&D startup files report (these entries recreated themselves when deleted):

Located: System.ini, jkhhh
command: C:\WINDOWS\system32\jkhhh.dll
file: C:\WINDOWS\system32\jkhhh.dll
size: 263220
MD5: e01ab91555d0c1bb339ff88875df4841

Located: System.ini, qomnnkj
command: qomnnkj.dll
file: qomnnkj.dll

Spybot S&D scan report (full scan for spyware):

Product: Smitfraud-C.Toolbar888
Threat: Malware
Description: Smitfraud-C.Toolbar888 is connecting to malicious website without giving the user a possibility to cancel that process.
It also adds a randomly named dll to the Winlogon Notify, which will make it very resistant to removal. If you need help with removal please contact Team Spybot S&D via forums or email.

Spyware Doctor report (full system scan):

Virtumonde (Trojan-Downloader.Win32.Agent.br [Kaspersky]
Trojan.Win32.Agent.NY [Kaspersky]
Trojan.Vundo [Symantec]
Trojan-Spy.Win32.VBStat)
Threat Level: Elevated
Description: Virtumonde modifies the Windows Internet connection mechanism and displays various pop-up advertisements.
Advice: Toss

In addition to the files Spybot S&D found, it also found it in: C:\WINDOWS\SYSTEM32\pmnnm.dll

avast! on-demand scanner report (scan all files):

Found NOTHING! That’s even more disturbing :frowning:
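The Spybot report above describes the persistence mechanism: a randomly named DLL registered as a Winlogon Notify package, which Winlogon loads at logon and which recreates its startup entries when deleted. The following PowerShell script is an added example (not from this thread, avast!, Spybot or any of the tools mentioned) that a defender can run to enumerate every Winlogon Notify package on an XP-era machine, resolve and hash the DLL each one points to, check its Authenticode status, and flag the MD5 reported above (`e01ab91555d0c1bb339ff88875df4841`). The `Get-WinlogonNotifyReport` function name and the `$knownBad` table are this example's own; Windows Vista and later no longer use the `Winlogon\Notify` key, so on those systems the function simply returns nothing.

```powershell
# Added example (not part of the original forum post): audit Winlogon Notify
# packages, which is where the Smitfraud/Vundo DLLs discussed above hook in.
# The MD5 below is the one reported for jkhhh.dll in the thread; anything else
# in $knownBad is an assumption you would fill in from your own findings.
$knownBad = @{
    'e01ab91555d0c1bb339ff88875df4841' = 'jkhhh.dll (MD5 reported in this thread)'
}
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyReport {
    # On Vista and later this key does not exist; return an empty result.
    if (-not (Test-Path $notifyKey)) { return @() }

    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if (-not $dll) { continue }

        # DllName is usually a bare file name resolved from System32, as in
        # the Spybot entries above (jkhhh.dll, qomnnkj.dll).
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }

        $hash   = $null
        $status = 'file missing'
        if (Test-Path -Path $path) {
            $hash   = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        [pscustomobject]@{
            Package   = $sub.PSChildName
            DllName   = $dll
            Path      = $path
            MD5       = $hash
            Signature = $status
            KnownBad  = if ($hash -and $knownBad.ContainsKey($hash)) { $knownBad[$hash] } else { '' }
        }
    }
}

# Print the report; unsigned or missing DLLs with random-looking names
# deserve a closer look even when their hash is not in $knownBad.
Get-WinlogonNotifyReport | Format-Table -AutoSize
```

Because the malware recreates its entries, the useful check is not a one-off deletion but re-running this report after a reboot and comparing the package list and hashes; a package whose DLL is unsigned, lives in System32 under a name that matches no installed product, and reappears after removal is the pattern the Spybot description is warning about.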

Hi Lars-Erik,

There is a tool for trojan vundo removal or it can be done manually:
http://www.precisesecurity.com/adware-spy/aw-vundo.htm
The main reason you were infected is that you had an old and therefore vulnerable version of Sun Java on your machine(s). We cannot stress enough how vital it is to keep your computer fully upgraded and patched.
Malcreants know that many users have older versions of programs and abuse common holes. Read here:
http://en.wikipedia.org/wiki/Vundo_trojan

polonus

The new SunJava version refuses to install (and Sun didn’t have any good answer) :frowning:
And the version I have isn’t that old (last I checked it was the newest by one version)

But anyway. Shouldn’t avast! scan ALL new binary files written to the system?
I have set up the on-access scanners with very tight parameters too…

I managed to get rid of it (with VundoFix 6), but it was not easy :frowning:
I see that the other anti-virus makers claim they can remove it

Can you post them? Maybe we can learn…