denzilla

Got a problem with regenerating malware


I've got a PC that was infected with Vundo and FakeAlert variants. I ran a full scan using the most recent version of SAS and today's defs, but its DLLs and reg keys are being regenerated almost immediately after removal. HJT also has the same problem. I'm not currently at the PC, but I did zip up 3 DLL files that regenerate as well as a HJT logfile. The DLL files are named fodulivu.dll, ligutafo.dll, and kovihihi.dll. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:02 PM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ofps.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {0f4eaeab-2c34-40f3-b8f9-1ef4af5aa2f1} - C:\windows\system32\fodulivu.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1267341423
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UUU.int
O17 - HKLM\Software\..\Telephony: DomainName = UUU.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = UUU.int
O20 - AppInit_DLLs: C:\windows\system32\kovihihi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5266 bytes

These are the keys I deleted:

O2 - BHO: (no name) - {0f4eaeab-2c34-40f3-b8f9-1ef4af5aa2f1} - C:\windows\system32\fodulivu.dll
O4 - HKLM\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\windows\system32\kovihihi.dll

These keys come back a few seconds after deletion.

I'm reporting this in order to help the SAS community, but it would be nice to get some assistance with this as well if possible. I will be back at the PC tomorrow morning if there is some more info that needs to be gathered.

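As an added example (not part of denzilla's post and not SUPERAntiSpyware or HijackThis code), the script below parses HijackThis lines of the kind shown above and picks out the persistence entries (O2 BHO, O4 Run, O20 AppInit_DLLs) that point at random-looking DLL names under system32, then reports every location each DLL is registered from. The sample log embedded in it is constructed from the entries in the post; the consonant-vowel name heuristic is an assumption of this example, a triage aid rather than a detection signature.

```python
import re
from collections import defaultdict

# Constructed sample: the persistence-related lines from the HijackThis log in the
# post above, plus a few benign entries from the same log so the filter has
# something to leave alone.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {0f4eaeab-2c34-40f3-b8f9-1ef4af5aa2f1} - C:\windows\system32\fodulivu.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vasujavoye] Rundll32.exe "C:\windows\system32\ligutafo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\windows\system32\kovihihi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
"""

# One HijackThis line: section code, a separator, then the body.
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# A Windows path to a DLL or EXE, quoted or not (non-greedy so it stops at the extension).
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"',\r\n]+?\.(?:dll|exe)", re.IGNORECASE)
# The O4 value name in square brackets, e.g. [vasujavoye].
RUN_NAME = re.compile(r"\[([^\]]+)\]")
# Heuristic (assumption of this example, not a signature): an all-lowercase
# consonant-vowel string of 6 to 12 letters, like fodulivu / ligutafo / kovihihi.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,6}$")

# Persistence sections this triage cares about, with what each one means for cleanup.
SECTION_MEANING = {
    "O2": "BHO: loaded into Internet Explorer",
    "O4": "Run key: started at logon via rundll32",
    "O20": "AppInit_DLLs: mapped into every process that loads user32.dll",
}


def looks_random(name):
    """True if the bare file or value name matches the consonant-vowel pattern."""
    return bool(RANDOM_NAME.match(name))


def basename(path):
    return path.rsplit("\\", 1)[-1]


def in_system32(path):
    return path.lower().rsplit("\\", 1)[0].endswith("\\system32")


def triage(log_text):
    """Return {lower-cased path: sorted list of where it is registered} for every
    binary that lives in system32, has a random-looking name, and is referenced
    from one of the persistence sections in SECTION_MEANING."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section not in SECTION_MEANING:
            continue
        for path in WIN_PATH.findall(body):
            stem = basename(path).rsplit(".", 1)[0]
            if in_system32(path) and looks_random(stem):
                detail = section
                if section == "O4":
                    # Hive prefix before "\..\Run": HKLM, HKCU, HKUS\S-1-5-19, ...
                    hive = body.split("\\..\\", 1)[0]
                    name = RUN_NAME.search(body)
                    detail = f"O4 {hive} [{name.group(1) if name else '?'}]"
                hits[path.lower()].add(detail)
    return {p: sorted(d) for p, d in hits.items()}


def report(log_text):
    """Human-readable summary: one block per suspicious file, plus a note when an
    AppInit_DLLs entry is present, since code loaded that way runs inside other
    processes and can re-create the O2/O4 entries as soon as they are deleted."""
    found = triage(log_text)
    lines = []
    for path, details in sorted(found.items()):
        lines.append(path)
        for d in details:
            lines.append("    " + d + "  (" + SECTION_MEANING[d.split()[0]] + ")")
    if any(d.startswith("O20") for ds in found.values() for d in ds):
        lines.append("AppInit_DLLs entry present: clear it first (Safe Mode), "
                     "then remove the O2/O4 entries and the files.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved HJT log instead of the embedded sample by passing the file contents to `report()`. The useful output is the cross-reference: the same three DLLs are wired in through a BHO, per-hive Run values (including the LOCAL SERVICE and NETWORK SERVICE hives, where legitimate software rarely registers anything) and AppInit_DLLs, so deleting any one entry while the others still run is exactly the situation where it comes back.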

I was under pressure to return my friend's PC, so I was unable to keep it any longer. KAV and SAS together finally killed the infection. I sent what samples I could, though. Sorry I can't do more :(


I'm having the same problem! Every day I run SAS and it removes 14 threats (Vundo variants and a fake trojan alert), but they regenerate quickly. I've tried all the "Vundo removal tools" online and nothing seems to work permanently. There must be some hidden file that is regenerating them. FYI, I've been scanning with the most recent updates each day. My daily routine is to run the manual update and then scan. Seriously, don't people who create malware have better things to do with their time?


Install Kaspersky AV 2009, update it, disconnect the PC from the net and run a full scan. Run SAS after KAV has done its thing to clean up the remaining mess. If you have the time, however, you may want to take the opportunity to work with the SAS team to help them get info on this infection, since I was unable to.
