Author Topic: Undetected infection?  (Read 8898 times)

noob123

  • Guest
Undetected infection?
« on: April 01, 2009, 09:36:02 AM »
Hello,

I'm 80% sure my PC is infected with some virus or worm: the PC spontaneously comes out of stand-by (I've turned off all wake-on-X I could find, and it never did this in the past); when I run shutdown I'm now told rundll32.exe is not responding and I have to kill it; Process Explorer tells me rundll32.exe has a rundll target of weird DLLs like ctqicwjx.dll or yayWQIaa.dll; finally I have LOTS of weirdly named files in system32:

-rwx------+ 1 Administrators None     304128 Mar 29 11:54 yayWQIaa.dll
-rwx------+ 1 Administrators None     124928 Mar 29 11:54 gfbyeb.dll
-rwx------+ 1 Administrators None     124928 Mar 29 11:54 dccrcubk.dll
drwxrwx---+ 2 Administrators SYSTEM        0 Mar 29 18:16 config
-rwx------+ 1 Administrators None     125440 Mar 30 11:57 vawtmhty.dll
-rwx------+ 1 Administrators None     125440 Mar 30 11:57 ekivbd.dll
-rwx------+ 1 Administrators None    3389949 Mar 30 11:58 bhajkqdh.ini
-rwx------+ 1 Administrators None    3389962 Mar 30 12:21 uevhavuq.ini
-rwx------+ 1 Administrators None     118272 Mar 30 17:55 xusbuuap.dll
-rwx------+ 1 Administrators None     118272 Mar 30 17:55 bjemuv.dll
-rwx------+ 1 Administrators None      81920 Mar 31 07:49 bcpvqcmo.dll
-rwx------+ 1 Administrators None    3450783 Mar 31 07:49 onwxguwh.ini
-rwx------+ 1 Administrators None        121 Mar 31 07:49 omcqvpcb.ini
-rwx------+ 1 Administrators None     118272 Mar 31 07:51 roqpin.dll
-rwx------+ 1 Administrators None     118272 Mar 31 07:51 pgdcxivs.dll
-rwxrwx---+ 1 Administrators SYSTEM     2617 Mar 31 08:03 CONFIG.NT
-rwxrwx---+ 1 Administrators SYSTEM    16384 Mar 31 08:32 Perflib_Perfdata_23c.dat
-rwx------+ 1 Administrators None     118272 Mar 31 20:08 hhgogqry.dll
-rwx------+ 1 Administrators None     118272 Mar 31 20:08 dgwgye.dll
-rwx------+ 1 Administrators None      81920 Mar 31 20:11 bllscndi.dll
-rwx------+ 1 Administrators None    3457737 Mar 31 20:35 idncsllb.ini
-rwxrwx---+ 1 Administrators SYSTEM    16384 Apr  1 07:43 Perflib_Perfdata_240.dat
-rwx------+ 1 Administrators None      16384 Apr  1 08:06 Perflib_Perfdata_410.dat
-rwx------+ 1 Administrators None     118272 Apr  1 08:07 hflafd.dll
-rwx------+ 1 Administrators None     118272 Apr  1 08:26 pyrwug.dll
-rwx------+ 1 Administrators None      81920 Apr  1 08:26 ctqicwjx.dll
drwxrwx---  2 Administrators SYSTEM        0 Apr  1 08:46 NtmsData
drwxrwx---+ 4 Administrators SYSTEM        0 Apr  1 08:54 drivers
-rwx------+ 1 Administrators None    3457750 Apr  1 08:56 xjwciqtc.ini
-rwx------+ 1 Administrators None      88723 Apr  1 09:10 nvapps.xml
-rwx------+ 1 Administrators None      16384 Apr  1 09:24 Perflib_Perfdata_530.dat
-rwx------+ 1 Administrators None       4689 Apr  1 09:28 aaIQWyay.ini2
-rwx------+ 1 Administrators None       4689 Apr  1 09:29 aaIQWyay.ini

Avast does not find any virus in the memory scan.
However, it has found several different viruses on my disk.
Win32:Trojan-gen {Other}
Win32:Obfuscated-FVB [trj]

I can't seem to clean this infection.

Microsoft's malware removal tool (windows-kb890830-v2.8.exe) seems to not want to run on my system.

I have Win2000 SP5.1 (an unofficial SP on top of SP4) which had worked flawlessly for years.

Can Avast clean the mess I've made? ;-)

noob123

  • Guest
Re: Undetected infection?
« Reply #1 on: April 01, 2009, 09:51:07 AM »
I scanned ctqicwjx.dll on virusscan.jotti.org

Scan taken on 01 Apr 2009 07:46:15 (GMT)
A-Squared: Found Trojan.Win32.Vundo!IK
AntiVir: Found TR/Crypt.XPACK.Gen
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found W32/Virtumonde.AR.gen!Eldorado
F-Secure Anti-Virus: Found nothing
Ikarus: Found Trojan.Win32.Vundo
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found Troj/Virtum-Gen
VirusBuster: Found Trojan.Vundo.Gen!Pac.31
VBA32: Found nothing

Avast devs: do you want me to send some sample files?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Undetected infection?
« Reply #2 on: April 01, 2009, 07:14:46 PM »
Yes the weird file names are very Vundo/Virtumonde like.

If you can, zip and password protect those files into one archive and send it to virus@avast.com, with the password in the email body, a link to this topic (it might help) and "false positive/undetected malware" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

This will help avast detections - Once you have done that, try these two applications.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

You can actually install MBAM from safe mode (but not SAS, without registry changes). Running from safe mode makes these more effective at cleaning up, which is the reason I wanted you to send the samples to avast first.

Edit: For the future you could try VirusTotal, a multi-engine on-line virus scanner (currently 40 scanners), which I think is better than jotti.
« Last Edit: April 01, 2009, 07:16:49 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

noob123

  • Guest
Re: Undetected infection?
« Reply #3 on: April 03, 2009, 09:17:51 AM »
The virus drops several files (of different size) in system32 (and makes multiple copies of each file, with random names).
I renamed them VIRUSi and stripped their extension (.dll, .ini, .tmp)
  118272  VIRUS1
   81920  VIRUS2
 3457750  VIRUS3
    4629  VIRUS4
http://www.virustotal.com/analisis/9d370e24e57ab6ae81bf39f5da1b4820
http://www.virustotal.com/analisis/db2aade2a569d31dcf3c5e5855195383
http://www.virustotal.com/analisis/7df4f306d2f68f938fdfd84a65080517
http://www.virustotal.com/analisis/95893e851bf581a330adf9e7c6ce843e

Regards.

noob123

  • Guest
Re: Undetected infection?
« Reply #4 on: April 03, 2009, 09:31:28 AM »
By the way, I've tried many things to clean up my mess.

Avast, AVG, a-squared, Spybot, VundoFix.

None of them worked so far. The problem is that the virus attaches itself several times with several names to all the major OS processes (LSASS, explorer, rundll32, ...) and when the antivirus tries to clean the mess, it just hoses Windows, and I'm back to square one.

I'll try what David suggested this evening.

Does Avast scan the registry? Because AFAIU, this virus adds several entries to RunOnce (or such) to reinfect the system on start-up. Spybot did find some suspicious registry entries but could not remove the virus from memory.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Undetected infection?
« Reply #5 on: April 03, 2009, 10:14:11 AM »
Hi

This is a non-intrusive scanner; it won't remove anything but will show what's going on.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt.

noob123

  • Guest
Re: Undetected infection?
« Reply #6 on: April 04, 2009, 10:13:02 AM »
oldman,

Why would a legitimate app come as a screen saver?
I couldn't find a single page describing what this tool is supposed to do.

Regards.

noob123

  • Guest
Re: Undetected infection?
« Reply #7 on: April 04, 2009, 10:26:45 AM »
David,

It looks like SUPERAntiSpyware was able to save the day.
As far as I can tell, all traces of Vundo are gone.
SAS left a few non-executable files (.ini, .ini2) in system32. I removed them manually.

Thanks for your suggestion.
« Last Edit: April 04, 2009, 10:37:19 AM by noob123 »

noob123

  • Guest
Re: Undetected infection?
« Reply #8 on: April 04, 2009, 10:42:15 AM »
Trojan.Downloader-Gen/A
   C:\CYGWIN\HOME\BOB\A.EXE
   C:\CYGWIN\TMP\A.EXE

These two are false positives, I generated them myself.
a.exe (a.out in Unix) is the default name given to an executable by gcc.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Undetected infection?
« Reply #9 on: April 04, 2009, 04:01:09 PM »
David,

It looks like SUPERAntiSpyware was able to save the day.
As far as I can tell, all traces of Vundo are gone.
SAS left a few non-executable files (.ini, .ini2) in system32. I removed them manually.

You're welcome.

I wouldn't have removed anything as I would suggest you leave SAS installed and periodically run it (after updating signatures).

I would also suggest that you do as oldman suggests and run DDS; the fact that it is named as a screen saver seems to get it past some malware on the hunt for things like SAS and MBAM. It is a legit analysis tool. As the initials DDS state, it Doesn't Do Squat: it is an analysis tool only, and the output requires manual analysis.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Undetected infection?
« Reply #10 on: April 04, 2009, 06:25:12 PM »
oldman,

Why would a legitimate app come as a screen saver?
I couldn't find a single page describing what this tool is supposed to do.

Regards.


It's a scan tool. It will produce a log far more detailed than HJT and similar to a combofix log. It will not remove anything. The .scr is to enable it to run almost undetected by malware. It's not a screensaver. It's perfectly safe.

You didn't google hard enough  ;)

http://forum.aumha.org/viewtopic.php?f=62&t=36605
http://www.geekstogo.com/forum/Lots-Errors-Certain-Programs-won-t-open-t218351.html&pid=1385507

noob123

  • Guest
Re: Undetected infection?
« Reply #11 on: April 09, 2009, 10:06:55 PM »
Hello David, oldman,

Here's the output of DDS.

I don't see anything suspicious except...

  LSA: Authentication Packages = msv1_0 c:\winnt\system32\yayWQIaa

yayWQIaa.dll was the virus DLL which attached itself to many running processes.
What does "LSA:" mean? How do I "clean" this entry?

PnkBstr is Punk Buster, an anti-cheat program.
CDAC11BA.EXE is some DRM crapware (Macrovision RTS Service, Cdilla)

Regards.

Jtaylor83

  • Guest
Re: Undetected infection?
« Reply #12 on: April 09, 2009, 10:22:44 PM »
Download HiJackThis and post a log here.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Undetected infection?
« Reply #13 on: April 09, 2009, 11:24:50 PM »
I believe oldman wanted you to also attach the second attach.txt file that DDS creates.

I didn't see anything obvious, but oldman is much more experienced in analysing these files.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Undetected infection?
« Reply #14 on: April 10, 2009, 10:27:15 AM »
Hi

LSA

"Local Security Authentication Server" generates the process responsible for authenticating users for the Winlogon service.
At System startup, the LSA will load the authentication package DLLs referenced in the following registry value:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"

I don't see any bad files in the log so if you are not experiencing any other problems, this can be cleared up with a reg fix.

First

Back up your registry with ERUNT
  • Download ERUNT from Here and save it to your desktop.
  • Double click erunt-setup.exe to install the program
  • Follow the prompts, and then uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • Click No when you are prompted about creating an ERUNT entry in the startup folder.
  • At the next screen, uncheck Show documentation and check Launch ERUNT
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process
The program should notify you when it's finished.

REGISTRY FIX
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES.
Then in the FILE NAME box type fix.reg

Make sure the box at the top is set to Desktop

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select Merge, accept the warning if it appears, and you are done.
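An added example, not code from the thread or from oldman: a small Python helper that decodes the hex(7) line of the fix above back into the package list it sets, audits that list against an allow list of just msv1_0, and encodes a constructed "before" state matching the DDS line quoted earlier (msv1_0 plus the dropped DLL). It assumes the REGEDIT4 format's one-byte ANSI encoding for REG_MULTI_SZ, which is what the fix uses.

```python
import re

# REGEDIT4 (the Win2000-era format of the fix) stores REG_MULTI_SZ as one-byte
# ANSI characters: each string NUL-terminated, the whole list ended by an
# extra NUL. The later "Windows Registry Editor Version 5.00" format uses
# UTF-16LE for hex(7) instead, so this decoder is specific to REGEDIT4.
ALLOWED_PACKAGES = ("msv1_0",)  # the only package a stock box should list


def parse_hex7(reg_text, value_name):
    """Return the raw bytes of a hex(7) value from .reg text, joining
    backslash-continued lines the way regedit wraps long values."""
    joined = re.sub(r",\\\s*\n\s*", ",", reg_text)  # undo line continuation
    pattern = r'"%s"=hex\(7\):([0-9a-fA-F,]+)' % re.escape(value_name)
    m = re.search(pattern, joined)
    if not m:
        raise ValueError("value %r not found" % value_name)
    return bytes(int(h, 16) for h in m.group(1).split(",") if h)


def decode_multi_sz(raw, encoding="latin-1"):
    """Split NUL-separated strings; trailing empty entries are the terminator."""
    return [p for p in raw.decode(encoding).split("\x00") if p]


def encode_multi_sz(strings, encoding="latin-1"):
    """Inverse of decode_multi_sz: the text that follows 'hex(7):'."""
    raw = b"".join(s.encode(encoding) + b"\x00" for s in strings) + b"\x00"
    return ",".join("%02x" % b for b in raw)


def audit_auth_packages(reg_text, allowed=ALLOWED_PACKAGES):
    """Return the packages not on the allow list (empty list means clean)."""
    packages = decode_multi_sz(parse_hex7(reg_text, "Authentication Packages"))
    return [p for p in packages if p.lower() not in allowed]


# Constructed test input: the fix exactly as posted in the thread.
FIX_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00\n'
)

# Constructed 'before' state matching the DDS line quoted in the thread.
INFECTED_REG = FIX_REG.replace(
    "6d,73,76,31,5f,30,00,00",
    encode_multi_sz(["msv1_0", "c:\\winnt\\system32\\yayWQIaa"]),
)

if __name__ == "__main__":
    print("fix.reg sets:", decode_multi_sz(parse_hex7(FIX_REG, "Authentication Packages")))
    print("unexpected packages before the fix:", audit_auth_packages(INFECTED_REG))
```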