Author Topic: PowerKord 's vundo  (Read 53628 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: PowerKord 's vundo
« Reply #60 on: January 23, 2008, 10:44:45 PM »
If you have never run it before and depending on the size of the drive it can take upwards of an hour. Any longer than that and I would consider cancelling it.

But the main one to get is the AVZ scan and report, as that will enable me to find the driver/service that is causing the problem and then kill it.

The fix will be posted on the forum, but unfortunately you cannot attach zip or html files here, so they will need to be mailed to me or hosted online so that I can download them for analysis.


PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #61 on: January 23, 2008, 11:34:15 PM »
The thing was running well over an hour so I'm just gonna do the AVZ thing.

Offline essexboy

Re: PowerKord 's vundo
« Reply #62 on: January 23, 2008, 11:35:24 PM »
OK waiting whenever you are ready  ;D

PowerKord

Re: PowerKord 's vundo
« Reply #63 on: January 24, 2008, 03:00:23 AM »
I don't get it, EB:

Why are these virii so easy to catch at adult sites? Is it the adult webmasters who do this, deliberately? And if so--why?

And do these people honestly think that I would even dream of clicking one of the links that appear in one of these unwanted popup windows?

Your thoughts?


Offline essexboy

Re: PowerKord 's vundo
« Reply #64 on: January 24, 2008, 09:34:06 PM »
Quote
Why are these virii so easy to catch at adult sites? Is it the adult webmasters who do this, deliberately? And if so--why?

And do these people honestly think that I would even dream of clicking one of the links that appear in one of these unwanted popup windows?
These are drive-by downloads and are generally incorporated within the web page, whether maliciously or not I don't know. And there is always someone who will click on demand.

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end)
Code:
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DelBHO('{c95fe080-8f5d-11d2-a20b-00aa003c157a}');
DeleteService('nbmkmd');
StopService('nbmkmd');
DeleteService('mrxsmbb');
StopService('mrxsmbb');
DeleteFile('C:\WINDOWS\System32\drivers\mrxsmbb.sys');
DeleteFile('C:\WINDOWS\System32\Drivers\nbmkmd.SYS');
DeleteFile('C:\WINDOWS\web\related.htm');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach the zip file to your next post


Offline essexboy

Re: PowerKord 's vundo
« Reply #65 on: January 25, 2008, 07:54:39 PM »
OK, we got one but not the other. I see you have Avenger.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
Drivers to unload:
mrxsmbb

Files to delete:
C:\WINDOWS\System32\drivers\mrxsmbb.sys

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

PowerKord

Re: PowerKord 's vundo
« Reply #66 on: January 26, 2008, 12:37:21 AM »
Can I use my existing copy of Avenger?

PowerKord

Re: PowerKord 's vundo
« Reply #67 on: January 26, 2008, 03:43:37 AM »
I unzipped the Avenger .zip folder and created a new instance of the program, as the contents of the previously unzipped folder seem to have disappeared.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wrhnfhqi

*******************

Script file located at: \??\C:\Program Files\ltilccqr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver mrxsmbb unloaded successfully.
File C:\WINDOWS\System32\drivers\mrxsmbb.sys deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:20 PM, on 1/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Vincent Christopher\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 4565 bytes

Offline essexboy

Re: PowerKord 's vundo
« Reply #68 on: January 26, 2008, 01:21:36 PM »
How is your system running now ?

PowerKord

Re: PowerKord 's vundo
« Reply #69 on: January 26, 2008, 09:31:40 PM »
So far those popup windows are no longer appearing. I will continue monitoring.

I've also experienced other strange things though, like my physical volume buttons no longer work.

Your thoughts on this?

Offline essexboy

Re: PowerKord 's vundo
« Reply #70 on: January 27, 2008, 12:26:57 AM »
Quote
like my physical volume buttons no longer work
Do you mean the button on your speakers or the one on the systray?

PowerKord

Re: PowerKord 's vundo
« Reply #71 on: January 27, 2008, 04:30:20 AM »
Pressing the buttons on my laptop itself used to control the system volume, and would bring up an onscreen bar graph to indicate volume level. Neither of those things happens anymore when I press a button.

Apparently the virus affected certain system operations?

Offline essexboy

Re: PowerKord 's vundo
« Reply #72 on: January 27, 2008, 04:26:36 PM »
The controlling software was probably compromised by Vundo and no backup was found on your system to replace it. It may require a driver reinstallation for your keyboard functions.

PowerKord

MOP-UP QUESTIONS
« Reply #73 on: January 27, 2008, 11:39:54 PM »
Essexboy,

Ok, so far, so good! I'm still not seeing any symptoms!

You and oldman utterly rock! I can't tell you how thankful and grateful I am!

I have a number of "mop-up" questions if you don't mind; as you'll see some are more important than others. Some are *very* important (like what will now happen to the virus files presently under quarantine on my system). If you'd be so kind, please answer each one in order. Thanks so very much for your time and effort, then and now!


1. Do you and oldman work for Avast? Are you both programmers? I'm not sure about oldman but I get the impression that you are a programmer.


2. Some of the scans I've done since this problem started have apparently flagged certain files associated with HyperSnap Pro, a screen capture utility that I run. To your knowledge, are HyperSnap products associated with installing malware?


3. As posed by me in this thread in Reply #55 and #56, January 22, page 4 of this thread. I had just done an Avast scan. Again, this is a few days old, before you got involved with this:

"The scan finished; it scanned my C drive and my external hard drive, E.

The results:

A. The scan has apparently found eight new instances of the TratBHO virus, all located somewhere in "System Volume Information." See attached Snap1.

B. The scan has listed many, many instances, more than I've ever seen before in an Avast scan, of files of which Avast asserts:  "Unable to scan: archive is password protected." See attached Snap2 for a screen cap of a few of them.

Is this a tactic some malware or virii uses--conceal itself in a fake password-protected archive, so a virus scanner can't scan it?"

Both those replies, 55 and 56, contain screencaps of both problems I describe here.


4. I do not use any P2P client, whether for music file sharing, or chatting (AIM, Yahoo Messenger, etc.), though I have in the past. I have de-installed my AIM and Yahoo chat clients (though I'm pretty sure these de-installs don't remove every single file). Is it still necessary to run the P2P and Instant Messaging modules of Avast when running Avast?


5. So as far as you can tell, what is the actual upshot of all this--is every virus now gone from my system?


6. And exactly which viruses were on my system? I heard TratBHO, Vundo, and cutwail, and then there were what appeared as new instances of TratBHO in my System Volume Information (see above).


7. What exactly was this mrxsmbb.sys file? Was it a trojan containing a/the virus?


8. Avast has detected virii before, on, or trying to enter, my system, but has always deleted them immediately and successfully. Why was this virus/viruses so hard to get rid of? Is TratBHO or Vundo some tough new strain?


9. In solving all this, it wasn't a problem that I wasn't able to do the Cleanup, or the restore point procedure you wanted done initially?


10. Re my volume malfunction as described ("controlling software was probably compromised by Vundo"), and any other system changes that the virii created: I'll probably have to call IBM or Microsoft to help me reinstall things and make corrections, but until I do is it likely that these malfunctions and compromised system areas are virus-free and won't cause any other virus-related problems? In other words, can I wait to restore these areas, or should I do it right away?


11. Maybe I should do it right away to prevent compromised software from causing corruption, etc., even apart from any virus issue?


10a. Apparently my Cleanmgr.exe is not working right, either, right? Running it, it does nothing but just sits there for hours, as I think I already mentioned to you. Could this be another result of my infections?


12. Does it appear that Ardamax keylogger lite is completely off my system? A previous scan, either HJT OR CF I think, detected it running (see ardamax listing in HJT scan Jan 11, reply #6).


13. Relatedly, EB, can you recommend a well-programmed, malware-free, simple to use keylogger to be used only by me to retrieve my own work in case of crashes and problems (not to spy on anyone else)? I don't need any actual spy or stealth features.


14. It appears that one of the functions of AVZ and/or SUPERAntiSpyware (not sure which) is a standard spyware scan and removal, like SpyBot S&D does. Should I use either of these two programs instead of SpyBot for this? Is one or the other, or something else you'd recommend, better than SpyBot?


15. And what about this nakido.exe file that apparently keeps putting itself back on my system? oldman tells me it's a legitimate file, but I never installed it. In fact, when a scan revealed its presence I deleted it, but it apparently returned on its own. Is this file/program as innocent as it seems? And how does it keep returning to my system? I'm not sure if it's on now, or not.


16. It appears that some of the programs I've installed as part of this removal effort, such as  ComboFix (qoobox) and Avenger, presently have virii quarantined. What should I do with these quarantined viruses? If I simply de-install these programs will the viruses they've quarantined be properly destroyed?

The removal programs presently installed on my system are these:

- Cleanup
- HiJackThis
- SUPERAntiSpyware


17. I'm now pretty afraid of visiting any adult, or even celebrity website, for fear of catching another virus! I used to feel very protected by Avast--until now. Your thoughts?


17a. Relatedly, in terms of catching a virus from a web page, you wrote: "there is always someone who will click on demand." What do you mean by this?


18. Relatedly, EB, I've been using Avast Home version. Would the pro/paid version of Avast have prevented these infections?


19. oldman had me use RegistrySearch, I believe. Is my registry now ok?


20. oldman was pretty convinced that the Windows Recovery Console would be needed to solve my problems, but you solved them without using it, right? How did you do it w/out the Recovery Console?


I await your responses to these questions. Again, thanks so much!

Warm Regards,

vince
« Last Edit: January 27, 2008, 11:43:47 PM by PowerKord »

Offline essexboy

Re: PowerKord 's vundo
« Reply #74 on: January 28, 2008, 12:33:57 AM »
Here we go :

1.  No
2.  No but it does use some of the same techniques as a key logger
3.  System volume information will be cleared when we do the housekeeping at the end.  Currently I know of no Malware that password protects
4.  If you do not use them, then no
5.  From the scans I have done yes, but as with all things in this world there is never a 100% sure answer
6.  Malware names vary by different AV/AS vendors; there is no straightforward naming convention
7.  That was the main driver file that generated the popups and protected the malware
8.  Antivirus programmers can only react to new malware, so the bad guys will always start from the front
9.  That was probably because you had never used that function before, therefore there were a lot of files that needed compressing
10. The infections should now be gone, so you can wait
11.  Maybe a sfc / scannow would not come amiss
12.  If any is left it is now unusable
13.  I have no knowledge of keyloggers apart from the bad ones
14.  Spybot is too old now, I would recommend Superantispyware
15.  That was the file taken out by AVZ
16.  All part of housekeeping
17.  Those sites are the prime target for hackers to insert malicious code. See a box and click no, but guess what: both boxes mean yes. Always close by the X
18.  Home and Pro have the same capabilities with regard to virus protection
19.  As good as we can make it
20.  Recovery console was an option, but AVZ gave me the driver name to use with Avenger


Now the best part of the day ----- Your log now appears clean  :thumbsup:

Double click OTMoveIt once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.



Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?


Keep safe  :wave: