Win32:Rontokbr-I2 [Wrm] Please help

Hi everyone, this is my first post here. Hopefully I’ve provided enough information, but if not please let me know what else I need to include to diagnose the problem. I would very much appreciate the help.

Two days ago Avast, using its own background scan, detected the “Win32:Rontokbr-I2 [Wrm]” on my netbook. In quick succession it finds multiple instances of the worm in these locations:

C:\Documents and Settings\All Users\Documents\Data Admin.exe
C:\Documents and Settings\All Users\Documents\My Music\My Music.exe
C:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe
C:\Documents and Settings\All Users\Documents\My Videos\My Videos.exe
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
C:\Documents and Settings\All Users\Documents\SharedDocs.exe
C:\Documents and Settings\All Users\Documents\SharedDocs.exe

First off I sent all the files to the chest to look at them, then I deleted them. What happens then is that either the next day or maybe just 10 minutes later Avast will detect all the same files again, so they are clearly being installed by another process.

I have stopped System Restore, run HijackThis (log below) and scanned using Avast! AntiRootkit (log below).

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:51, on 18/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Kyle\Desktop\Anti-Virus\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)


End of file - 5301 bytes

Avast! AntiRootkit log:

avast! Antirootkit, version 0.9.6
Scan started: 18 March 2009 19:18:03

Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail] SqmSrvSuccessCount HTTPMail=570 HIDDEN

Scan finished: 18 March 2009 19:20:47
Hidden files found: 0
Hidden registry items found: 1
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


Other than the warnings, I am not seeing any adverse effects of this worm, but I am very uncomfortable with it on my laptop. I normally sit behind a router with inbuilt hardware firewall but I am currently staying away during the week so using the hotel wireless.

Thank you for your time, and I appreciate any help.

Many thanks,
Kyle
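The detections above share one pattern: an executable named after the folder it sits in (My Music\My Music.exe, Sample Pictures\Sample Pictures.exe). The following is an added check for that pattern, not a tool anyone in the thread used; the directory layout is constructed to mirror the reported paths, and the list of executable extensions is an assumption.

```python
# Added detection helper, not a tool from this thread: flag executables named after
# the folder that contains them ('My Music\My Music.exe', 'Sample Pictures\...').
import os
import tempfile
from pathlib import Path

# Assumption: extensions a worm-dropped "folder" executable is likely to use.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}

def find_folder_mimics(root):
    """Return sorted relative paths (POSIX style) of files whose stem equals
    their parent directory's name and whose extension is executable."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = Path(dirpath)
        for name in filenames:
            candidate = parent / name
            if (candidate.suffix.lower() in EXEC_EXTS
                    and candidate.stem.lower() == parent.name.lower()):
                hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)

def build_sample_tree(root):
    """Constructed layout mirroring the first post's detections plus benign files.
    File contents are placeholder bytes, not real programs."""
    layout = {
        "Documents/My Music/My Music.exe": b"MZ",                           # mimic
        "Documents/My Music/track01.mp3": b"ID3",                           # benign
        "Documents/My Pictures/Sample Pictures/Sample Pictures.exe": b"MZ", # mimic
        "Documents/My Pictures/Sample Pictures/Blue hills.jpg": b"\xff\xd8",
        "Documents/Data Admin.exe": b"MZ",  # also reported, but not caught by this name rule
        "Documents/readme.txt": b"notes",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def scan_sample():
    """Build the constructed tree in a temp directory, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_folder_mimics(tmp)

if __name__ == "__main__":
    for hit in scan_sample():
        print("folder-mimic executable:", hit)
```

Pointing find_folder_mimics at the real Shared Documents root gives the same kind of list; anything it returns is worth comparing against the files Avast keeps re-detecting.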

Hi kscd,

Nothing much in your HJT logfile, but you do not seem to have an active process of a software firewall running. (Do you have a hardware one, or do you use the Windows firewall, and is that properly installed (dual way)?)

You can find a removal instruction for the malware you report here:
http://ittutor.wordpress.com/2007/08/20/win32rontokbr-i2-worm-infection/
Apply the instructions given there,

polonus


An analysis of your HJT log shows the following :

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend that you use a firewall.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra button: (no name) - AutorunsDisabled - (no file)
Unnecessary (deactivated) entry that can be fixed.

That is it. Over all, not a bad HJT log.


EDIT: Oops … Polonus posted first. Please follow his advice as to the removal instructions.

Hi CharleyO,

So we came to the same overall conclusion actually, where the HJT logfile txt was concerned.
I have seen these two entries also, but as they are not flagged, they must have been disabled by the user and are just leftovers of his activities. We could emphasize that the user should cleanse and then update and patch his OS by going to the Microsoft Update site, and also all the third-party software that he has running on that OS. A good tool that takes that job out of his hands and checks this for him is Secunia PSI, download from here: http://secunia.com/PSISetup.exe


Yes, I just noted them as they are useless entries in the registry and removing such items can speed up the computer. Although, in this case, there would be little difference since there were only 2 useless entries. But over time, 2 useless entries become 4, 8, etc as other programs are uninstalled. So, I just prefer to remove them as soon as possible.

You are right and I should suggest Secunia PSI more often.


Hi to both CharleyO and Polonus, thank you for taking the time to reply.

I failed to mention that I have already exhausted Google search in looking for a fix, and that posting here is my last option. Consequently I have already tried the link you provided Polonus, but oddly enough I have neither of the two entries that the site talks about:

C:\WINDOWS\eksplorasi.exe

or

C:\WINDOWS\shellnew\sempalong.exe

I have also run both a squared free and Avast! boot time scan and found nothing.

Regarding the firewall, I currently use the Windows Firewall because I am used to being behind a hardware firewall too (my router), but whilst I’m in the hotel and not behind a hardware firewall I may install an extra third-party one instead of the Windows Firewall.

I tend to keep my computer pretty up to date, and the Secunia PSI scan gave me a rating of 94% and I’ve since updated Adobe Flash player as a result.

As with regard to the worm, I’m still stumped! Is there any extra information I can provide to help?

Thanks again,

Kyle

Hi kcsd,

Go here: http://www.bleepingcomputer.com/forums/lofiversion/index.php/t43051.html[/t203770.html
and run SDFix, report and then run a DRWebCureIt scan as given there but loaded and updated from a pendrive (USB stick),

polonus

Hi Polonus,

I ran SDfix in safe mode, here’s the report:

SDFix: Version 1.240
Run by Kyle on 18/03/2009 at 22:48

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 22:53:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden services & system hive …

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002269e1d373]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002269e1d373]

scanning hidden registry entries …

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000000
"TracesSuccessful"=dword:00000000
"LastTraceFailure"=dword:00000000
source file error: C:\Documents and Settings\Kyle\ntuser.dat

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :

Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 19 Nov 2004 28,672 A..H. --- "C:\WINDOWS\SEC\SECINSTALL.EXE"
Sat 24 Jan 2009 952 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 22 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

I also ran DrWeb in safe mode from a USB drive, and here is the report:

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Kyle\Desktop\Anti-Virus\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Kyle\Desktop\Anti-Virus;Archive contains infected objects;Moved.;
212B1840d01\SDFix\apps\Process.exe;C:\Documents and Settings\Kyle\Local Settings\Application Data\Mozilla\Firefox\Profiles\7o4cuq0z.default\Cache\212B1840d;Tool.Prockill;;
212B1840d01;C:\Documents and Settings\Kyle\Local Settings\Application Data\Mozilla\Firefox\Profiles\7o4cuq0z.default\Cache;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;

Thanks,
Kyle

Something keeps creating the above files in the first post, Avast! picks them up every hour or so now and I have to send the whole lot to the chest. It’s getting pretty full now!

Hi kscd,

Next time you should scan in Safe Mode and with System Restore disabled, maybe the files aren’t restored that way. If they do not come back, enable System Restore again,

pol

Hi Polonus,

I did scan with both SDfix and DrWeb in Safemode with System restore disabled.

This one has me completely stumped :(

Hi kscd,

As this is a network worm it could be the re-infection comes from one or more machines on a network, with what computers are you sharing your machine? All these computers should be cleansed before the worm has gone,

polonus

Hi Polonus,

It’s only just clicked for me that it must be a network virus: since I have been home for the weekend I have not had the problem.

So next week I am back at the hotel and there’s no way I can know what computers are on the network and which ones are infected, is there any extra software I should use to protect my laptop whilst I’m there? I currently only use Avast! and the Windows Firewall as I’ve mentioned.

Many thanks,

Kyle

I’m having the exact same problem, but I would get a warning from Avast every second after I clicked “Move to chest”. I had my Windows Firewall disabled, and as soon as I enabled it, the warnings didn’t come anymore. I currently have no idea why it could possibly help my situation to enable Windows Firewall when it doesn’t help you, but I’m not keeping my hopes up. Might just be a coincidence.

Why do you have .exe files taking the name of your My Documents / My Music etc.?

He didn’t necessarily make them himself, in my case they were just suddenly there.