I immediately did the following:
Allowed Symantec (Corp ver 10) to quarantine & then clean infection noted as “Trojan low zones”
Followed instructions for removal on Symantec site which included
• Disable System Restore (Windows Me/XP).
• Update the virus definitions.
• Ran a full system scan and delete all the files detected. (both while computer running and in safe mode) Nothing found in safe mode but repeatedly pops up autoprotect aftewrwards while computer running.
• Delete any values added to the registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (random dll’s being launched using rundll32.exe from the c:\winnt\system32 folder)
• Edited the Win.ini file. (found nothing as instructed)
• Reset the Internet security zone settings.
After rebooting, i realized had not solved my problem, because i continued to receive symantec notifications that trojan low zones keeps getting quarantined.
I ended both rundll32.exe and child processes using taskkill.
I opened cmd line and deleted dll’s listed in registry (under windows they were hidden)
Rebooted into safe mode and checked tasklist - none created in safe mode
Reboot regular mode & started getting alerts from symantec that trojan low zones was stopped & quarantined
Saw entries for randomly named dlls recreated in registry under the the same reg key as above. (One name kept being reproduced for entry bm27b31488.exe) from the c:\winnt\system32 folder
Killed tasks, deleted new dll’s again, removed entries in registry, restored rundll32.exe from CD to verify rundll32.exe not corrupted.
Manually deleted folders forcing hidden and system from command prompt that Symantec says were infected. Used cmd prompt because windows explorer couldn’t’ see. (Folders were randomly generated names.)
Rebooted & still same problem.
Not knowing what else to do, I started with procedures listed in the “Must-Read-Before-Posting-HijackThisLog” After doing all of that and running the panda active scan, I am seeing i am still infected and it appears to be a variant of vundo. Here are the results of the scans and HJT log.
Malwarebytes' Anti-Malware 1.15
Database version: 834
1:17:27 PM 6/6/2008
mbam-log-6-6-2008 (13-17-27).txt
Scan type: Quick Scan
Objects scanned: 38818
Time elapsed: 7 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINNT\system32\awTligGY.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINNT\system32\cbxYOIbb.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c329f020-96e9-42f5-a152-f768e2d64295} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c329f020-96e9-42f5-a152-f768e2d64295} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd962bab-f429-460f-805b-b137087ab623} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd962bab-f429-460f-805b-b137087ab623} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxyoibb (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM27b31488 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bd962bab-f429-460f-805b-b137087ab623} (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\awtliggy -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\awtliggy -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\system32\awTligGY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINNT\system32\YGgilTwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\YGgilTwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\cbojloap.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\edruncuc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\system32\epwvvvsw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
SUPERAntiSpyware Scan Log
Generated 06/06/2008 at 02:56 PM
Application Version : 3.6.1000
Core Rules Database Version : 3476
Trace Rules Database Version: 1467
Scan type : Complete Scan
Total Scan Time : 01:27:39
Memory items scanned : 399
Memory threats detected : 0
Registry items scanned : 6291
Registry threats detected : 0
File items scanned : 70433
File threats detected : 18
Adware.Tracking Cookie
C:\Documents and Settings\Administrator.JAH\Cookies\administrator@adnetserver[1].txt
Adware.Vundo Variant/Rel
C:\WINNT\SYSTEM32\MCRH.TMP
Trace.Known Threat Sources
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0L8DO5O7\green_point[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\6XKXEZGB\all_bg[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\6XKXEZGB\found[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\ycell[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\SL6BKPA3\red_point[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\prod_bg[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\top[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0L8DO5O7\settings[1].js
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\SL6BKPA3\prod_right[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0L8DO5O7\line_dot[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet Files\Content.IE5\0D0X8VMD\midl_bg[1].gif
C:\Documents and Settings\Administrator.JAH\Local Settings\Temporary Internet
;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-06-06 16:15:28
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Symantec AntiVirus Corporate Edition 10.1.0.394 Yes Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\cookies.txt[.doubleclick.net/]
02998680 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\upgnejrw.dll
03015501 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\xgjannya.dll
03021432 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\rxmavbrh.dll
03042529 Spyware/Virtumonde Spyware No 1 Yes No C:\WINNT\system32\fdrvaavn.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location o
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description o
;===============================================================================
================================================================================
=
===================
108742 MEDIUM MS06-006 o
;===============================================================================
============================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:40 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINNT\system32\WgaTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Advanced Networking & ComputerS
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: {16125534-db6b-545b-7504-3d3f5f6113f8} - {8f3116f5-f3d3-4057-b545-b6bd43552161} - C:\WINNT\system32\paxcpqmh.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [webcamXP] "W:\Program Files\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131241954171
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} (CSViewer Control) - http://66.47.111.253:84/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jah.com
O17 - HKLM\Software\..\Telephony: DomainName = jah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E01E0A74-4D61-478E-B5E1-4854E6D8E6BD}: Domain = jah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E01E0A74-4D61-478E-B5E1-4854E6D8E6BD}: NameServer = 10.100.100.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jah.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9217 bytes
Edited by SuperJuice, 08 June 2008 - 09:38 AM.