Cannot remove trojan (Crypt.vub) from system



Hello all,

I've finally run into a trojan that I cannot seem to remove (it keeps recreating itself). Sorry for the length of this, but I figure maybe it will help save people from suggesting that which I have already done.

The symptoms/actions caused by the trojan (that I have noticed):

  • Spawns IE windows (often in background, with no entry on task bar)
  • IE windows usually seem to be directed to an ad site of some sort
  • an infected copy of SVCHOST.EXE keeps getting created in the System Volume Information folder
  • an infected copy of SMSS.EXE keeps getting created in System Volume Information folder (both of these in a sub folder with a name that looks like a registry key)
  • System eventually bogs down

The steps I have taken so far:

  • Run Combofix
  • Run Malwarebytes
  • Run Spyware Terminator (with ClamAV enabled). Enabled full comprehensive scan for ST run.
  • Run SuperAntiSpyware (also enabled full comprehensive scan)
  • Run AVG Full (also enabled full comprehensive scan)
  • Run Microsoft Security Essentials (hey, I was running out of options)
  • Run cCleaner
  • There are others I have run that escape me at the moment (NOD32 perhaps?)
  • Manually removed certain entries from the registry (for instance, the one associated with this and similar):
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.redlineroofing.com/web.php?q=43...3f2d.1.55202359

Interesting things to note that might be helpful:

  • All of the above removed "a bunch" of malware (but not this one)
  • AVG, even though now recognizing this one, cannot seem to combat it because even if its forced removal on reboot is working, something recreates the files before bootup is complete anyway (confirmed by new file date/time).
  • Up until about 12-14 days ago, all reported the system clean - including the two infected files in the System Vol Info folder (even scanned the folder directly, after unlocking it) - now AVG reports them infected with "Crypt.VUB" trojan.
    It was kinda neat watching every AV/AS/AM app I tried report the machine clean, while IE windows were popping up - at least now AVG recognizes the files as malware.
  • I have booted off BartPE and UBCD (dependent on mood) to manually delete the files and their directory - the files and directory get recreated on boot
  • I have searched the registry for both files and removed any non-legit references
  • I have disabled System Restore - which while deleting all restore points, does not (obviously) prevent the recreation of these files
  • With or without the System Vol Info folder being marked read only, these files still get recreated
  • Though the iexplore.exe processes can be force killed from Task Mangler, they (as expected) respawn
  • Killing the infected svchost/smss processes triggers the (probably expected) Windows restart due to a critical service being stopped

Sadly, reformatting isn't quite an option on this system (per the customer) - though I am getting to the point where I may try to force him to reconsider.

That aside, the most interesting problem that I see in all of this is the following: AVG is only finding those two files infected. Which is obviously not the case, since when I delete them, something recreates them and starts controlling IE sessions.

Anyway, attached are the HJT logs.

Any help or suggestions you all have would be greatly appreciated. This is the first piece of malware I've run into in a while that a combination of ComboFix, MalwareBytes and AVG (and a little registry work) haven't been able to handle.

Thanks in advance!

Robert

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:49:09 PM, on 5/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alan\My Documents\Downloads\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.redlineroofing.com/web.php?q=43...3f2d.1.55202359
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1273266911296
O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} (DellSystem.Scanner) - http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 6896 bytes
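Reading the log by eye is what this thread does. As an added example (not from the thread, and not part of HijackThis), here is a small triage script that flags the same things a reviewer looks for in a log like the one above: core Windows binaries running from anywhere but System32 (the two copies under System Volume Information), a ProxyServer pointing at loopback like the 127.0.0.1:5555 entry, and Winlogon Notify entries whose DLL is missing. The log excerpt is constructed from lines of the post; the finding names are my own.

```python
import re

# Constructed excerpt: a handful of lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Core Windows binaries that have no business running from anywhere but System32.
SYSTEM_ONLY = {"smss.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
PROXY_RE = re.compile(r"^R\d - .*ProxyServer = (.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage(log_text):
    """Return (finding_kind, evidence) pairs for the suspicious lines of a HJT log."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs and DRIVE_PATH_RE.match(line):
            low = line.lower()
            name = low.rsplit("\\", 1)[-1]
            if "\\system volume information\\" in low:
                # Nothing legitimate executes out of the restore-point store.
                findings.append(("process-in-restore-dir", line))
            if name in SYSTEM_ONLY and not low.startswith(SYSTEM_DIRS):
                # A second smss.exe/svchost.exe outside System32 is a classic impostor.
                findings.append(("system-binary-outside-system32", line))
            continue
        in_procs = False  # the first non-path line ends the process list
        m = PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group(1)):
            # A proxy on loopback means something local is sitting in the browser's traffic path.
            findings.append(("localhost-proxy", m.group(1)))
        if line.startswith("O20 - Winlogon Notify") and "(file missing)" in line:
            findings.append(("winlogon-notify-missing-dll", line))
    return findings


def summarize(findings):
    """Count findings per kind so a reviewer sees the shape of the log at a glance."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"[{kind}] {evidence}")
    print(summarize(triage(SAMPLE_LOG)))
```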


Sorry I forgot to highlight these (though I am sure you all would have noticed) - these are the running culprits (though what's firing them up and recreating the first two is where I am stuck):

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe (infected)

C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe (infected)

C:\Program Files\Internet Explorer\IEXPLORE.EXE (not infected, but shouldn't be running)

C:\Program Files\Internet Explorer\IEXPLORE.EXE (not infected, but shouldn't be running)


Here is a thread with someone else who has the same problem, if that helps:

http://forums.malwarebytes.org/index.php?showtopic=50663

While his solution won't work for me (Dell, with no restore partition), perhaps it will be helpful to one of the Experts here who has reviewed his situation.

Also, AVG Anti-Rootkit shows clean. Currently running avz4.zip from: http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip as suggested by Maniac to another user (for a different problem).

It has (so far) detected that C:\Dell\h8112\install.exe is a trojan - still doing thorough scan and have a few more hours until completion.


I'm not an expert and I have the same infection as you. I've posted a request for help on another help site.

Anyhow, I found the following on a site (it's been translated from the native language and my apologies for bad formatting). Originally the poster said the only solution was to reformat the computer, which I didn't do because I hoped someone would find a solution. I haven't tried it yet but I will once I've had a chance to see what it does. The original post can be found here...

http://translate.google.ca/translate?hl=en...00b1b%26hl%3Den

The fix...

http://www.esagelab.com/files/bootkit_remover.rar

For those experts on this forum who know way more than me, if you could analyze what the recommended fix does, perhaps you could let us know if this would work?

Cheers,

Marc

Friday, May 21, 2010

Whistler Bootkit

Recently I bumped into the Whistler Bootkit while treating HijackThis logs.

This malware takes aggressive and imperceptible possession of your PC.

Gmer, Avenger 2, Combofix, .. to no avail.

The following symptoms apply:

Kaspersky:

HEUR:Trojan.Win32.Generic in the C:\System Volume Information folder

Dr. Web:

smss.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 Not repairable. Moved.

svchost.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 Not repairable. Moved.

The HijackThis log shows the following:

Running processes:

C:\System Volume Information\Whistler\svchost.exe

C:\System Volume Information\Whistler\smss.exe

or, after a System Restore has been run:

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe

C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe

Combofix shows us:

Other Active Processes -------------------------------------------------

c:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe

c:\System Volume Information\_restore{d5fffa500b1b}\smss.exe

The StartupList from HijackThis shows us the following:

Windows NT 'Wininit.ini':

PendingFileRenameOperations:
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\System Volume Information\_restore{d5fffa500b1b}\SMSS.EXE
C:\System Volume Information\_restore{d5fffa500b1b}\SVCHOST.EXE

The PendingFileRenameOperations value under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] was not present.

ComboFix and Avenger delete the two files, but after a reboot they immediately return.

Identification:

A deeper and more intensive search on Google shows me that we are dealing with the Whistler Bootkit.

The solution:

Because this infection is embedded in the boot sector, speed and accuracy are important.

Step 1

Download bootkit_remover.rar (INFO)

Unzip it.

Open the bootkit_remover folder and double-click remover.exe.

Post everything shown in the display.

Step 2

An infected boot sector can look as follows:

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
http://www.esagelab.com/

\\.\C: -> \\.\PhysicalDrive0
MD5: 274955059efe9236c07688c5ff9242b2

  Size  Device Name          MBR Status
--------------------------------------------
 74 GB  \\.\PhysicalDrive0   Unknown bootcode

Unknown bootcode has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector: remover.exe dump [output_file]
To disinfect the master boot sector, use the following command line: remover.exe fix

This immediately attracts our attention: \\.\PhysicalDrive0

We are going to remove it with a batch file in which we pass a switch to remover.exe:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

When running this batch file, the PC restarts immediately. This is important, otherwise we give the infection a chance to reinitialize.

We also require a remover.exe log after the restart. So after the restart you run remover.exe again and ask for the output.

If all went well, you get this:

Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
http://www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd

  Size  Device Name          MBR Status
--------------------------------------------
 74 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)

For safety and monitoring, have everything checked again with Gmer and HijackThis.

It is also advisable to change passwords.

Emphyrio :)

Posted by Emphyrio at 1:26 pm
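The two remover.exe verdicts quoted above ("Unknown bootcode" before the fix, "OK (DOS/Win32 Boot code found)" after) come down to hashing the boot sector and comparing it with what stock boot code looks like. As an added example (not code from eSage Lab or from this thread), here is the defender's half of that job in Python: parse a 512-byte MBR, verify the 55AA signature, hash the boot-code region and compare it with a baseline hash recorded while the disk was known good, while confirming the partition table itself is untouched. The sample sectors are constructed, and hashing only the first 446 bytes is my assumption; which bytes remover.exe covers with its MD5 line is not stated on the page.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445: boot code (the part a bootkit overwrites)
PTABLE_OFF = 446            # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"     # bytes 510..511: boot signature


def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        lba_start, n_sectors = struct.unpack("<II", e[8:16])
        if e[4] != 0:  # partition type 0 marks an empty slot
            parts.append({"bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": n_sectors})
    return {"bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}


def mbr_status(sector, baseline_md5):
    """Verdict in the style of remover.exe: compare the boot code with a known-good hash."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "Invalid (no 55AA signature)"
    if info["bootcode_md5"] == baseline_md5:
        return "OK (boot code matches baseline)"
    return "Unknown bootcode"


# --- constructed sample data; not an image of any real disk ---
def build_mbr(bootcode):
    """Assemble a sector from the given boot code plus a single NTFS partition entry."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    # status 0x80 (active), CHS start, type 0x07 (NTFS), CHS end, LBA start 63, ~74 GiB of sectors
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 155_000_000)
    return code + entry + b"\x00" * 48 + SIGNATURE


CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40)  # stand-in for stock boot code
BASELINE_MD5 = parse_mbr(CLEAN_MBR)["bootcode_md5"]                   # record this while the disk is known good
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 10)                   # foreign code, same partition table

if __name__ == "__main__":
    # On Windows, run as Administrator, the live sector is: open(r"\\.\PhysicalDrive0", "rb").read(512)
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{label:9s} {mbr_status(mbr, BASELINE_MD5)}  partitions={parse_mbr(mbr)['partitions']}")
```

A bootkit that replaces only the boot code leaves the partition table identical, which is why the check reports the two sample sectors with the same partitions but different verdicts.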



Thanks for posting verybusy, hopefully it will help others get rid of it. :D



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
