Vundo, Trojan-Spy.VBStat.B, Backdoor.Shellbot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Algorhythm42, May 17, 2007.

  1. Algorhythm42

    Algorhythm42 Private E-2

    I performed steps 1-6 of the malware guide, removing almost 50 trojans, restoring Windows Task Manager, restoring corrupted Windows Update, and eliminating Rustock (using special removal procedures) which was causing resets during Windows Update. The remaining malware comes back no matter how many times I repeat step 5 in Safe Mode with CCleaner, Spybot Search and Destroy, Counterspy, BitDefender and Vundo Fix. Ran Panda Active Scan after BitDefender, finding more things, but the Active Scan window is malformed, not allowing me to select the output of the report.

    Current protection is fully operational with:
    McAfee Antivirus
    Spy Sweeper (still reporting stoppage of links to known adware sites on a recurring interval)
    all Microsoft updates


    Attached are logs for:
    HiJack This
    bitdefender (bdscan)


    Other report info from Safe Mode:

    Vundo v6.3.23 (deleted already)
    C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\ymyrsisi.dll

    BitDefender 2007.0516.wed.2142 reported Trojan-Spy.VBStat.B (Worm)

    Counterspy: clean

    Spybot S&D 2007.0516.wed.2238 Backdoor.Shellbot is back
    Backdoor.Shellbot
    HKEY_LOCALMACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\WINDOWSUP

    Thank you for your in-depth information which took me much farther than my usual methods.
    Please help me clear the rest of the culprits.

    Algorhythm42

  2. Algorhythm42

    Algorhythm42 Private E-2

    newfiles.txt and runkeys.txt attachments

    just uploading these attachments

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then click on the All Files button (or on the folders option)
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\dsb.exe
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\flt.dll
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\awtqr.dll
    C:\WINDOWS\system32\efcabxv.dll
    C:\WINDOWS\system32\rlrbypvt.dll
    C:\WINDOWS\system32\vtuttro.dll
    C:\WINDOWS\system32\gjkmp~1.bak
    C:\WINDOWS\system32\mlkkj~1.bak
    C:\WINDOWS\system32\rqtwa~1.bak
    C:\WINDOWS\system32\fuamfu32.ini
    C:\WINDOWS\system32\gjkmp.ini
    C:\WINDOWS\system32\lclcfg32.ini
    C:\WINDOWS\system32\lfd32.ini
    C:\WINDOWS\system32\mlkkj.ini
    C:\WINDOWS\system32\rqtwa.ini

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
  4. Algorhythm42

    Algorhythm42 Private E-2

    Tim, thank you for your quick reply and detailed instructions.

    I woke up this morning to find that Spy Sweeper claimed to find and quarantine Virtumonde, which it never claimed to find before even though the MG fix 6.3.23 repeatedly finds it. Maybe Spy Sweeper updated overnight. I'm attaching that segment of the Spy Sweeper log.

    After this I went through your procedures.

    HJT could not remove these two on repeated attempts:
    O2 - BHO: (no name) - {482521E0-E0FC-411D-8183-B93F7FD4B0AC} - C:\WINDOWS\system32\efcabxv.dll
    O20 - Winlogon Notify: efcabxv - C:\WINDOWS\SYSTEM32\efcabxv.dll

    HJT did remove:
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    HJT did not show:
    O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\rlrbypvt.dll


    regedit went fine


    did not receive PendingFileRenameOperations prompt



    These procedures were performed in normal mode, going to reattempt them in Safe Mode. Previous attempts in Safe Mode did not remove efcabxv.dll, but hopefully the other items you targeted will loosen things up.


    I'll keep looking at things on my end. I think we made progress but something is still causing efcabxv.dll to immediately replace when I rescan with HJT.

    Thanks so much for helping me progress Tim. I'm looking forward to having an all clear.

  5. Algorhythm42

    Algorhythm42 Private E-2

    2nd post with Spy Sweeper log segment

    no text

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now

    1. Download this file - Combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Now attach new logs for:
    * Combo log
    * GetRunKey
    * ShowNew
    * HJT
     
  7. Algorhythm42

    Algorhythm42 Private E-2

    This session performed in Safe Mode with no network support

    Just before I got your last post, Spybot S&D found Smitfraud-C.Toolbar888, which I did not delete. I closed the Spybot and accomplished your procedures. I previously tried the Smitfraud removal tool and that did not work.

    Combofix: accomplished

    fixMe.reg installed

    HJT: awtqr.dll was not present to be removed this time


    additionally:
    Killbox for efcabxv.dll, PendingFileRenameOperations Registry Data has been Removed by External Process!

    Is removing the HD from the computer and attaching it to another an option for removing the efcabxv.dll file?

  8. Algorhythm42

    Algorhythm42 Private E-2

    HJT log upload

    no text

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then click on the All Files button (or on the folders option)
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\fuamfu32.ini
    C:\WINDOWS\system32\gjkmp.ini
    C:\WINDOWS\system32\lclcfg32.ini
    C:\WINDOWS\system32\lfd32.ini
    C:\WINDOWS\system32\mlkkj.ini
    C:\WINDOWS\system32\gjkmp~1.bak
    C:\WINDOWS\system32\mlkkj~1.bak
    C:\WINDOWS\system32\efcabxv.dll
    C:\WINDOWS\system32\msorcl32.exe
    C:\WINDOWS\system32\wml.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\flt.dll
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wml.exe
    C:\WINDOWS\dsb.exe
    C:\WINDOWS\instal~1.exe

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click the box to unregister .dll's. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Use Windows Explorer to check that the above items have been removed by PKB...if you find any...delete them.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
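Killbox's "Delete on Reboot" works by queuing the paths in the PendingFileRenameOperations registry value, which Windows processes at the next boot; the "Removed by External Process!" message reported earlier in this thread means something cleared that queue before the reboot. The following PowerShell script is an added example (not from the thread or any tool it mentions) that lets a defender read back that queue before rebooting and list the Winlogon Notify and Run entries that HijackThis reports as O20 and O4 items; it assumes an elevated session on the Windows XP-era registry layout discussed here and only reads the registry.

```powershell
# Added example: read-only checks of the reboot-delete queue and two
# persistence locations named in the thread. Assumes an elevated session.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-PendingFileRenames {
    # PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs;
    # an empty destination means "delete at next boot". Windows clears the value
    # after processing it, so an empty result right after a reboot is normal.
    $props = Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $entries = @($props.PendingFileRenameOperations)
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $dest = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $entries[$i] -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
            Destination = $dest
            Action      = if ($dest -eq '') { 'Delete' } else { 'Rename' }
        }
    }
}

function Get-WinlogonNotifyDlls {
    # Each subkey of Winlogon\Notify names a DLL that winlogon.exe loads at logon
    # (HijackThis O20 entries). A subkey named after a DLL in system32 that no
    # scanner can remove, as with efcabxv.dll in the thread, is worth noting.
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        $full = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
                    Join-Path "$env:SystemRoot\system32" $dll } else { $dll }
        [pscustomobject]@{
            Subkey  = $_.PSChildName
            DllName = $dll
            OnDisk  = if ($full) { Test-Path -LiteralPath $full } else { $false }
        }
    }
}

function Get-RunEntries {
    # HKLM Run values (HijackThis O4 entries); the thread's Backdoor.Shellbot
    # detection and the Alcmtr item both lived here.
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

Get-PendingFileRenames  | Format-Table -AutoSize
Get-WinlogonNotifyDlls  | Format-Table -AutoSize
Get-RunEntries          | Format-Table -AutoSize
```

Run it once after pasting the paths into Killbox and before rebooting; if Get-PendingFileRenames returns nothing at that point, the queue has already been cleared and the reboot will not delete the files.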
  10. Algorhythm42

    Algorhythm42 Private E-2

    HJT could not delete efcabxv.dll
    regedit accomplished
    Killbox first attempt: "Unregister .dll before Deleting" cb (checkbox) not present on first attempt, present on second attempt after killbox reboot
    proceeded

    rebooted

    Killbox second attempt: PendingFileRenameOperations Registry Data has been Removed by External Process!
    unregister .dlls option was present

    checking with Windows Explorer after killbox, "gone" means the file was no longer there, "deleted" means I manually deleted the file
    attached: killbox file delete notes.txt in second post

  11. Algorhythm42

    Algorhythm42 Private E-2

    file upload for explorer file deletions

    no text

  12. Algorhythm42

    Algorhythm42 Private E-2

    Problem on hold, had to return the computer to my brother

    Tim,

    Thanks so much for your help. I really wanted to finish it out, getting that one last file off the hard drive. Well, hopefully, efcabxv.dll is the last real problem causing all the others. I warned my brother that the problem is still present and showed him how to check on the firewall, Windows Update, Spy Sweeper and the antivirus program. My brother had to get back to work since I have had his computer for four days straight.

    I'm so glad I went through the whole process of doing all of the steps to lead up to the posting of the HJT log file. I'm still shocked that the latest commercial checkers were unable to solve this issue and from the way it looks, the folks here are leading the way at solving the current problems with malware.

    I'll stay in touch with the forums,




    Algorhythm42
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have any add-ons or toolbars in Internet Explorer? The last file that will not delete and the reg. item, I cannot find any good references to what it is....so I wouldn't be too worried about it.
    Please pass along the following to your brother:

    It is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  14. Algorhythm42

    Algorhythm42 Private E-2

    Thanks Tim, for all of your help.

    My brother is very happy now that his system is running faster and doesn't have all the pop-ups. I wish I had the chance to get that one last thing, but everything is in check now and no worries. Some day later on I'll get another crack at it.

    My thoughts on that one last file efcabxv.dll, is that it is part of a new variant which the tools can't remove as yet. I was surprised that I couldn't modify the permissions to remove the file directly. My only thought to remove the file is to remove the hard drive and put it on another computer where the registry hasn't been altered protecting the file from being deleted. The scanners do alert periodically with Smitfraud or Vundo.

    Anyways, I'll keep reading the forums since you guys have me hooked now on fixing this stuff with your methods.




    Algorhythm42
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ....safe surfing. (As I said...not sure you have to worry about that file.)
     
