Virtumonde? Polybot? QHosts? Multi!

Discussion in 'Malware Help (A Specialist Will Reply)' started by repstein33, Apr 4, 2008.

  1. repstein33

    repstein33 Private E-2

    Hi,

    Thanks for taking the time to look at my logs. urock.

    I have gone through the (very helpful) Read and Run Me First, as well as the specific instructions for Win2k3, and tried a couple of the special tools. Here's where I am:

    1. When things first went downhill, I had a reboot timer of 55 seconds that I had to disable, my Task Manager and Control Panel were hidden, and Windows Installer was disabled. I was able to address the symptoms and run enough removal tools to get (relatively) stable.

    2. For a while, my home page was hijacked over to Windows Live.

    3. I still appear to be infected with something. Upon rebooting, after each step of the preliminary scanners and installs you have advised, I get a yellow triangle in my tray with a "you are infected" message even if not clicked, and from time to time an "anti-spyware warning" comes on the screen and stays on top.

    4. This may be a red herring (I just installed a second monitor for my wife on this server), but after running the Malwarebytes scanner, I BSOD'd. I can repeat it at will, and saved off the log last time, prior to BSODing. I've included the pre-removal log from that, and if you like I can include the error log from the blue screen.

    Thanks for your help.

    Robert
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run MalwareBytes and this time have it fix everything it finds ....afterwards, please do another MGTools scan (by run the C:\MGtools\GetLogs.bat file) and attach a new MGLogs.zip as well as the new MalwareBytes log.
     
  3. repstein33

    repstein33 Private E-2

    Hi,

    Sorry, I wasn't clear. I can't use the fix feature on Malwarebytes; I blue screen every time. I tried to fix one at a time, but each one blue screened me.

    i can include the blue screen memory dump if you think it would help, or run an adplus dump, not that I have symbols, though...

    btw, yer awesome for helpin -- thanks! I've been bangin' my head for 4 days with this. urock.



    r
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then I guess we'll do it the old fashioned way......:).....
    Do you know what these are:
    C:\Windows\ADAM
    C:\Windows\ADFS
    If not, delete them.

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.
    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  5. repstein33

    repstein33 Private E-2

    Awesome. This is some good deed y'all are doin'. Avenger couldn't run (fatal error); I'm on Win2k3, and from what you wrote, it sounds like ATF wouldn't run on Win2k3 either. Should I continue with the other instructions?

    r
     
  6. repstein33

    repstein33 Private E-2

    update: I was able to delete the following files with Delete Doctor:

    C:\WINDOWS\system32\sitbvjle.exe
    C:\WINDOWS\system32\bfuqewxa.dll
    C:\WINDOWS\system32\byXOghih.dll
    C:\WINDOWS\system32\eeqfiwxe.ini
    C:\WINDOWS\system32\hovuutwa.ini
    C:\WINDOWS\system32\hovuut~1.ini
    C:\WINDOWS\system32\ihippxny.ini
    C:\WINDOWS\system32\lgnnnoip.ini
    C:\WINDOWS\system32\sybikuvw.ini
    C:\WINDOWS\system32\sybiku~1.ini
    C:\Documents and Settings\All Users\Application Data\zixudazw.dll

    I was unable to delete the following files with that same tool:

    C:\Windows\unins000.dat
    C:\Windows\unins000.exe
    C:\WINDOWS\system32\exwifqee.dll
    C:\Documents and Settings\All Users\Application Data\qrgvolof.dll
    C:\Documents and Settings\All Users\Application Data\uzexsdix.dll
    C:\Documents and Settings\All Users\Application Data\zixudazw.dll

    I didn't see the uninstall files above in C:\Windows, and I am displaying hidden files. I'll see what other delete software might help.
     
  7. repstein33

    repstein33 Private E-2

    update:

    I was able to delete the following file with file assassin:

    C:\Documents and Settings\All Users\Application Data\qrgvolof.dll

    File assassin was unable to delete:

    C:\Documents and Settings\All Users\Application Data\uzexsdix.dll

    I couldn't find the following file with a simple search of the hard drives:

    C:\WINDOWS\system32\exwifqee.dll

    And I found the following files in a number of places, just not in c:\windows:

    unins000.dat and unins000.exe

    But in the program files folders for a number of different apps: dvd shrink, iewatch, pctools av, plato ipod convert, spybot and spyware blaster.
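The file names the poster listed above are typical of what this family drops: eight random letters in system32 and in the root of All Users\Application Data, with an .ini whose name is the .dll name spelled backwards (eeqfiwxe.ini pairs with exwifqee.dll in the lists above; that reversed-name habit is a known trait of the Vundo/Virtumonde family). The script below is an added triage example, written here and not part of the thread or of any MajorGeeks tool. It takes a list of paths (the sample input is constructed from the poster's own lists, plus two genuine 8-letter system DLLs to exercise the allowlist), flags random-looking names, flags DLLs sitting directly in the Application Data root, and pairs up reversed .ini/.dll names. The allowlist is an illustrative assumption and is not exhaustive; a hit is a reason to check the file's signature and hash, not proof of infection.

```python
"""Triage random-named Vundo/Virtumonde-style files from a path list.

Added example for the thread above; the heuristics and allowlist are
assumptions for illustration, not output of any tool named in the thread.
"""
import ntpath
import re

# Constructed sample input: the paths the poster listed, plus two
# legitimate 8-letter system DLLs so the allowlist is exercised.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\sitbvjle.exe",
    r"C:\WINDOWS\system32\bfuqewxa.dll",
    r"C:\WINDOWS\system32\byXOghih.dll",
    r"C:\WINDOWS\system32\eeqfiwxe.ini",
    r"C:\WINDOWS\system32\hovuutwa.ini",
    r"C:\WINDOWS\system32\hovuut~1.ini",
    r"C:\WINDOWS\system32\ihippxny.ini",
    r"C:\WINDOWS\system32\lgnnnoip.ini",
    r"C:\WINDOWS\system32\sybikuvw.ini",
    r"C:\WINDOWS\system32\sybiku~1.ini",
    r"C:\WINDOWS\system32\exwifqee.dll",
    r"C:\Windows\unins000.dat",
    r"C:\Windows\unins000.exe",
    r"C:\Documents and Settings\All Users\Application Data\zixudazw.dll",
    r"C:\Documents and Settings\All Users\Application Data\qrgvolof.dll",
    r"C:\Documents and Settings\All Users\Application Data\uzexsdix.dll",
    r"C:\WINDOWS\system32\setupapi.dll",
    r"C:\WINDOWS\system32\wintrust.dll",
]

# Eight letters only (no digits, so unins000.exe does not match), with one of
# the extensions this family drops.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe|ini)$", re.IGNORECASE)

# Illustrative allowlist of real 8-letter Windows binaries (assumption, not
# exhaustive). Being listed here never replaces a signature or hash check.
KNOWN_GOOD_STEMS = {"setupapi", "browseui", "netshell", "iphlpapi",
                    "wintrust", "imagehlp"}


def split_name(path):
    """Return (stem, ext) of a Windows path, lowercased, ext without the dot."""
    name = ntpath.basename(path).lower()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext


def looks_random(path):
    """True for an 8-letter dll/exe/ini name that is not a known system file."""
    stem, _ = split_name(path)
    return bool(RANDOM_NAME.match(ntpath.basename(path))) and stem not in KNOWN_GOOD_STEMS


def in_appdata_root(path):
    """A DLL sitting directly in All Users\\Application Data is out of place."""
    parent = ntpath.dirname(path).lower()
    return parent.endswith(r"all users\application data") and split_name(path)[1] == "dll"


def reversed_pairs(paths):
    """Pair each .ini with a .dll whose stem is the .ini stem spelled backwards."""
    dlls = {}
    for p in paths:
        stem, ext = split_name(p)
        if ext == "dll":
            dlls[stem] = p
    pairs = []
    for p in paths:
        stem, ext = split_name(p)
        if ext == "ini" and stem[::-1] in dlls:
            pairs.append((p, dlls[stem[::-1]]))
    return pairs


def triage(paths):
    """Run all three heuristics and return the hits keyed by heuristic."""
    return {
        "random_names": [p for p in paths if looks_random(p)],
        "appdata_dlls": [p for p in paths if in_appdata_root(p)],
        "reversed_pairs": reversed_pairs(paths),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_PATHS).items():
        print(key)
        for hit in hits:
            print("   ", hit)
```

On the sample input this flags the twelve 8-letter names, leaves unins000.exe (an Inno Setup uninstaller, which the poster also found under several legitimate program folders) and the two allowlisted DLLs alone, lists the three DLLs in the Application Data root, and reports the single reversed pair. To use it on a live box, feed it a directory listing of system32 and the Application Data root instead of SAMPLE_PATHS.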
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then lets see what is left ...run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  9. repstein33

    repstein33 Private E-2

    Awesome. I've attached the logs. In the time since my last update, I was able to manually delete:

    C:\Documents and Settings\All Users\Application Data\uzexsdix.dll

    And was surprised that it was so easy.

    Also, not sure if this has anything to do with it, but since getting a better firewall, I block a process called:

    NDIS User mode I/O driver.

    I know MS had a weakness in this driver allowing it to be hijacked, maybe by blocking it, I've also minimized some of the malware's ability to act? (total buffoonery to you geeky smart people I'm sure, but hey, a guy's gotta take a shot!)

    Anyway, I know I've said it before, but thanks an awful lot for helping me out. Are there any volunteer efforts I could undertake for y'all?

    r
     
  10. repstein33

    repstein33 Private E-2

    and just like in real life, I'm the guy who sends the email saying there's an attachment and there's no attachment.

    This time there's an attachment :)

    r
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you don't use User-mode authentication for 802.11 (Wireless LAN) devices, then block it if you like.

    Please re-run ATF Cleaner and make sure these folders are cleaned:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Administrator\Local Settings\Temp\

    Otherwise you are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. To do so:
    * Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
    * Note: The space between the cf and the /u, it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
