Author Topic: PowerKord 's vundo  (Read 54712 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: PowerKord 's vundo
« Reply #45 on: January 21, 2008, 05:13:50 AM »
It looks like two files are back, so since we got them with avenger last time we'll use it again.

Quote
files to delete:
C:\TEMP\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\tmp.reg

Use avenger like you did last time, with the above quote box and please post the results.

Thanks to sUBs, we have a way of installing the control console on your computer.

Take care of this and I'll get the instructions up for installing the console.

« Last Edit: January 21, 2008, 05:49:29 AM by oldman »

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #46 on: January 21, 2008, 06:23:31 AM »
Hi, oldman,

Below is the result of the Avenger scan, followed by a new HJT scan.

Now what exactly is this console you refer to? Is it something that, once installed, becomes a part of Windows, and cannot be removed later? Or can it be cleanly removed?

AVENGER SCAN

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vhrolwof

*******************

Script file located at: \??\C:\WINDOWS\System32\sbbngbth.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Error: C:\TEMP\tn3 is a folder, not a file!
Deletion of file C:\TEMP\tn3 failed!

Could not process line:
C:\TEMP\tn3
Status: 0xc00000ba

File C:\WINDOWS\system32\drivers\core.cache.dsk deleted successfully.
File C:\WINDOWS\system32\tmp.reg deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
« Last Edit: January 21, 2008, 06:25:15 AM by PowerKord »

PowerKord

Re: PowerKord 's vundo
« Reply #47 on: January 21, 2008, 06:25:43 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:59 AM, on 1/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4711 bytes
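The HijackThis log above is read by hand in this thread, but the same sections can be triaged mechanically. The following is an added example, not code from the thread or from HijackThis: it parses a handful of lines copied from the log above and flags the entries a helper would look at first (hard-set DNS servers in O17 that differ from an expected set, an R1 proxy, an O20 Winlogon Notify DLL, and O23 services with no vendor string). The `EXPECTED_DNS` allow-list and the flagging rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above (a constructed
# subset, embedded so the example runs offline).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
"""

# Resolvers the machine's owner expects to see; an assumption for this example.
# In the log above the first O17 entry uses these and the second does not.
EXPECTED_DNS = {"64.136.173.5", "64.136.164.77"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O17"
    body: str      # everything after "O17 - "


def parse_hjt(text):
    """Turn the R*/F*/N*/O* lines of a HijackThis log into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries, expected_dns=EXPECTED_DNS):
    """Return (section, note) pairs for entries a helper would want to look at.
    The rules are this example's own heuristics, not HijackThis's."""
    findings = []
    for e in entries:
        if e.section == "O17":
            # DNS servers hard-set per adapter; a hijack points these at
            # resolvers the owner never configured.
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                servers = re.split(r"[ ,]+", m.group(1).strip())
                unexpected = [s for s in servers if s not in expected_dns]
                if unexpected:
                    findings.append((e.section, "unexpected DNS server(s): " + ", ".join(unexpected)))
        elif e.section == "R1" and "ProxyServer" in e.body:
            # A proxy the owner did not set up routes all browsing through a third party.
            findings.append((e.section, "proxy configured: " + e.body.split("=", 1)[1].strip()))
        elif e.section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe, a location Vundo
            # variants are known to use; legitimate products use it too.
            findings.append((e.section, "Winlogon Notify DLL, verify the publisher: " + e.body))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append((e.section, "service without a vendor string: " + e.body))
    return findings


if __name__ == "__main__":
    for section, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {note}")
```

Run against the sample, the first O17 line is silent because both resolvers are in the allow-list, while the second O17 line, the R1 proxy, the O20 DLL and the IBM service are reported. On a real log the allow-list should come from the owner's ISP or router settings, and every finding still needs a human decision, exactly as in the thread.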

Offline oldman

Re: PowerKord 's vundo
« Reply #48 on: January 21, 2008, 06:40:11 AM »
The recovery console is a utility that is part of XP, but only if it's retail. It is not installed by default when the OS is installed, though in my opinion it should be.

It allows repairs to be made when Windows can't be started. You can also make some changes that can't be made when Windows is running, because the console is a separate boot routine; Windows is not running.

Having the console installed is becoming an increasing necessity these days, as there are new boot sector viruses that will make a computer unbootable. The only way to correct the changes is through the console. OEMs do not come with the console on their disks, only retail versions do.

Once installed, it gives you another boot option besides safe mode, safe mode with networking, etc.

We've got one more to get rid of then we can start.

In avenger remove this

Quote
Folders to delete::
C:\TEMP\tn3

Offline oldman

Re: PowerKord 's vundo
« Reply #49 on: January 21, 2008, 06:41:24 PM »
A little more time to write a clearer answer; I tried to catch you online with the last one.

For what the recovery console is see this link

http://support.microsoft.com/kb/314058

And for the importance of having it installed, and what prompted the author of combofix to add not only the ability to detect if the recovery console was installed, but to install it:

http://forum.avast.com/index.php?topic=32559.0

PowerKord

Re: PowerKord 's vundo
« Reply #50 on: January 21, 2008, 10:39:14 PM »
Ok, a potential complication.

While surfing last night Avast detected an incoming virus. I selected Abort Connection.

Then I set the program to scan my hard drive and I went to bed. Upon waking I find that it, while still not done scanning, has detected several things. First, a file that is apparently associated with Avenger. But also, a few files in the QooBox quarantine, with a path something like c/qoobox/c/program files/...

I've attached a screen cap of one of the warnings.

I've already performed the Avenger deletion (results below), and I'm beginning a new complete Avast scan.

Should I wait until the scan is done, or proceed with your next step?

Also, re the Avenger code you gave me, it would not work until I deleted one of the two sets of colons you had on line 1. Correct?

Please advise, oldman. Thanks.

PS. Is there some kind of partial reformat I could do, that would wipe out all these virii, yet not require me to reinstall my apps?

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jmdkhymc

*******************

Script file located at: \??\C:\WINDOWS\System32\kmsvqoxs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\TEMP\tn3 deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Offline oldman

Re: PowerKord 's vundo
« Reply #51 on: January 21, 2008, 10:50:51 PM »
Hi PowerKord.

Quote
PS. Is there some kind of partial reformat I could do, that would wipe out all these virii, yet not require me to reinstall my apps?

No, sorry.


The avast warning you got was from the webshield; it stopped it before it got in. The others are in combofix quarantine (qoobox).

Avenger, yes, right thing; I'm used to writing combofix scripts.

Let's see if we can put an end to this. If avast is almost done, let it complete; if it's got a long way to go, stop it and proceed.

Here are the instructions for the recovery console install. I have requested another forum member to keep an eye on this thread, just in case I'm not here when you are.


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

« Last Edit: January 21, 2008, 11:02:23 PM by oldman »
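Two script mistakes cost a round trip each in this thread: the first Avenger run put the folder C:\TEMP\tn3 under "Files to delete:" and got "is a folder, not a file!" with status 0xc00000ba, and the second script was posted as "Folders to delete::" and did not run until the extra colon was removed. The following is an added example, not code from the thread or from Avenger's author: a small lint that checks a script against a picture of the disk before it is run. The disk picture is constructed from the three paths used in this thread, only the two section headers seen here are recognised, and the "path under Folders that is not a folder" rule is assumed by symmetry rather than taken from the thread.

```python
# Section headers used by the Avenger scripts in this thread. Avenger has
# others (registry keys, drivers and so on); only these two matter here.
KNOWN_SECTIONS = {"files to delete", "folders to delete"}

# Constructed picture of the disk, using the three paths from the scripts above.
SAMPLE_DISK = {
    r"C:\TEMP\tn3": "dir",
    r"C:\WINDOWS\system32\drivers\core.cache.dsk": "file",
    r"C:\WINDOWS\system32\tmp.reg": "file",
}


def sample_disk_is_dir(path):
    """Stand-in for os.path.isdir so the example runs against SAMPLE_DISK."""
    return SAMPLE_DISK.get(path) == "dir"


def lint_avenger_script(script, is_dir):
    """Return (line_no, message) pairs for problems in an Avenger script.

    `is_dir(path)` answers whether a path is a directory. It is injected so the
    check can run against a constructed disk here and os.path.isdir on a real one.
    """
    problems = []
    section = None
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            # A section header such as "Files to delete:".
            name = line.rstrip(":").strip().lower()
            if line.endswith("::"):
                # The "Folders to delete::" typo discussed in the thread.
                problems.append((n, "doubled colon in section header; Avenger expects a single ':'"))
            if name not in KNOWN_SECTIONS:
                problems.append((n, f"section header {line!r} is not one this example knows"))
            section = name
            continue
        if section is None:
            problems.append((n, f"path {line!r} appears before any section header"))
        elif section == "files to delete" and is_dir(line):
            # Avenger reports "is a folder, not a file!" (status 0xc00000ba) for this.
            problems.append((n, f"{line} is a folder; list it under 'Folders to delete:'"))
        elif section == "folders to delete" and not is_dir(line):
            # The reverse mismatch, flagged by symmetry (an assumption; the thread does not show it).
            problems.append((n, f"{line} is not a folder; list it under 'Files to delete:'"))
    return problems


# The first script from the thread, which put a folder under "Files to delete:".
FIRST_SCRIPT = r"""Files to delete:
C:\TEMP\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\tmp.reg"""

# The second script as posted, with the doubled colon, and the corrected form.
SECOND_SCRIPT = r"""Folders to delete::
C:\TEMP\tn3"""

FIXED_SCRIPT = r"""Folders to delete:
C:\TEMP\tn3"""


if __name__ == "__main__":
    for label, script in [("first", FIRST_SCRIPT), ("second", SECOND_SCRIPT), ("fixed", FIXED_SCRIPT)]:
        print(label, lint_avenger_script(script, sample_disk_is_dir) or "ok")
```

On a real machine pass `os.path.isdir` as `is_dir`; the point of injecting it is that the script can be checked on the helper's side, from the HijackThis or Avenger output the user posted, before it is sent back.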

PowerKord

Re: PowerKord 's vundo
« Reply #52 on: January 21, 2008, 11:38:52 PM »
Firstly, yes, it may have been stupid to keep surfing while my system has active viruses, but I can tell you I was not surfing the kinds of sites that tend to cause these infections.

Second, I'm going to do one last full scan of my hard drive before embarking upon the console step. I'd just feel better.

Third, you really seem to know what you're doing, oldman, so if there's any way you personally can continue assisting me, I'd really appreciate it.

ok, talk soon.

Offline oldman

Re: PowerKord 's vundo
« Reply #53 on: January 22, 2008, 04:42:30 AM »
You don't have to be visiting those sites to get infected, a lot of this crud is just floating around looking for a system to land in. It happens.

I didn't plan on deserting you, just wanted to keep this process moving. The other forum member I mentioned is essexboy. You would have been in very good hands.  ;D

So let's carry on.

Offline oldman

Re: PowerKord 's vundo
« Reply #54 on: January 22, 2008, 07:57:32 AM »
PowerKord please check your messages at the top of the page.  :)

PowerKord

Re: PowerKord 's vundo
« Reply #55 on: January 22, 2008, 10:53:29 AM »
Hello, Essexboy,

Oldman has apprised me that you are quite the technical Master, and that you'll be assisting me in resolving the balance of my virus problems. Thanks so very much, in advance!

I presume that in assisting me you will first review our existing thread. In doing so you will find that the last step advised by oldman was to install the windows console; however, I wanted to first run a full Avast scan, which I have now done.

The scan finished; it scanned my C drive and my external hard drive, E.

The results:

1. The scan has apparently found eight new instances of the TratBHO virus, all located somewhere in "System Volume Information." See attached Snap1.

2. The scan has listed many, many instances, more than I've ever seen before in an Avast scan, of files of which Avast asserts:  "Unable to scan: archive is password protected." See attached Snap2 for a screen cap of a few of them.

Is this a tactic some malware or virii uses--conceal itself in a fake password-protected archive, so a virus scanner can't scan it?

3. At the top of Snap2 is a file listed in the Avenger folder, which I assume is alright.

Please examine the two attached screen snaps and advise!

(Snap2 is in a subsequent post.)

Regards,

vince
« Last Edit: January 22, 2008, 11:21:27 AM by PowerKord »
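The question in point 2 above is left open in the thread, so here is what "archive is password protected" actually means to a scanner. The following is an added example, not code from the thread or from avast: it builds a one-member ZIP in memory with the encryption bit set in its headers (constructed test data; the payload is not really encrypted), then shows the two checks an engine can make: read the flag from the central directory, and try to open the member, which fails for want of a password. A scanner that hits that failure can only report the archive, not inspect what is inside, which is why such files are listed for the user to look at rather than declared clean or infected.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the general-purpose flag word in a ZIP entry header marks the member
# as encrypted (PKWARE APPNOTE). An engine that cannot open the member can only
# report "password protected"; it learns nothing about the contents.
ENCRYPTED_FLAG = 0x0001


def build_sample_zip(name="a.txt", payload=b"hi", encrypted=False):
    """Construct a one-member stored ZIP in memory (constructed test data).

    With encrypted=True only the flag bit is set; the payload stays in the clear,
    which is enough to show how a reader classifies the archive.
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    fname = name.encode("ascii")
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    size = len(payload)
    mtime, mdate = 0, 0x0021              # 1980-01-01 00:00:00 in DOS date/time
    # Local file header + name + data.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, mtime, mdate,
                        crc, size, size, len(fname), 0) + fname + payload
    # Central directory entry pointing at offset 0.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          mtime, mdate, crc, size, size, len(fname), 0, 0, 0, 0,
                          0, 0) + fname
    # End-of-central-directory record: one entry, central dir after the local entry.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def encrypted_members(zip_bytes):
    """Names of members whose central-directory entry has the encryption flag set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]


def needs_password(zip_bytes, member):
    """True if reading `member` fails for want of a password: the point at which a
    scanner gives up and reports the archive as password protected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            with zf.open(member) as fh:
                fh.read()
            return False
        except RuntimeError:        # zipfile raises this for an encrypted member and no pwd
            return True


if __name__ == "__main__":
    for flag in (False, True):
        data = build_sample_zip(encrypted=flag)
        print("encrypted flag set:", flag,
              "| flagged members:", encrypted_members(data),
              "| needs password:", needs_password(data, "a.txt"))
```

To turn this into the review list a helper would want, walk the directories avast reported, call `encrypted_members` on each archive, and check the results against what the owner knows was deliberately password-protected (software installers and backups commonly are); anything unexplained is worth opening with its password on a clean machine, not on the infected one.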

PowerKord

Re: PowerKord 's vundo
« Reply #56 on: January 22, 2008, 10:55:01 AM »
SCREEN SNAP #2

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: PowerKord 's vundo
« Reply #57 on: January 22, 2008, 07:38:32 PM »
OK on the case now - just reviewing the thread to see where we are
Offline essexboy

Re: PowerKord 's vundo
« Reply #58 on: January 22, 2008, 07:47:22 PM »
OK, I will now ask you to run a programme which will do a deep analysis of services and drivers. However, because of the format, I will need you to e-mail the zip file to me. I will PM the address on completion of this post.

Firstly I will need you to clean the system restore

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a new restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button; click this
7. Accept the Warning and select OK again, the program will close and you are done
We will now do a deep search of your processes and files

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted:

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Mail both zip files to me

PowerKord

Re: PowerKord 's vundo
« Reply #59 on: January 23, 2008, 10:39:10 PM »
Assuming that the Clean procedure is really necessary and I should still perform it:

1. How long could the procedure take? I had the thing running for probably two hours and it just sat there. How long could the process take? Should I just leave it running overnight? Could it really take that long? At what point, eight hours, twelve hours, whatever, should I assume that the thing is actually not running properly?

2. Is it advisable not to use the computer while the cleanup is running?

Just so I know what to expect.

Thanks.
« Last Edit: January 23, 2008, 11:04:21 PM by PowerKord »