I had a migraine yesterday – a pretty severe one that lasted 12hours plus. So today I was off to the Doctors to figure out what it was and get some drugs to deal with it again. Ok – so then I went to the Pharmacy to get the prescription filled. I’ve been going to the same Doctor and Pharmacist for 10 years now. Behind the counter, the pharmacist – Allan was on the phone with Telstra. It turned out that his computer was infected by a virus and had been down since last Friday. He had been on the phone and had lodged a case with Microsoft, and they had taken him so far, but then referred him to Telstra Bigpond as it was their antivirus protection package that he had installed. Microsoft walked him through clearing the Internet History, AND they told him to remove the existing antivirus software in an attempt to fix the problem. Telstra Bigpond support was totally lost with this and they could not get his other AV software reinstalled. Anyway – I walked in the door and offered to help. I know that this thing is particularly bad right now and it appears to be constantly changing which makes it hard for the antivirus packages to keep up with it. I however was very lucky. One of my close friends is Sandi Hardmeirer a known and respected Antimalware fighter. I called Sandi and said “what do I do here…”
Sandi’s response was to use Smitfraudfix and Malwarebytes Anti-Malware to clean it. Ok – so I attempted to go to the Smitfraudfix website and found myself redirected to some funky website that was most certainly NOT the Smitfraudfix site. Ok – this is one bad ass piece of malware on this computer. The issue here is that I don’t truly know what the malware on this computer will do now. It could contain a keylogger which is capturing every keystroke I type. Hmm – this is a risk now as anything I do it may be logged. The malware was also obviously preventing me from getting to the known sites to get the things I needed to fix this problem. So I thought I’ll connect back to my SBS server which is fully protected and I guessed that the malware would not know about my URLs etc. The risk though was that the keylogger might capture my passwords! Again this did not bother me as my servers are protected with two factor authentication by AuthAnvil. I have a cool key token which generates one time password that means even if the keylogger captures my password it is totally useless. So I logged into my SBS server via which is protected by RWWGuard and then on to my SBS server itself. I quickly downloaded the files I need and emailed them to myself. I was then able to access my email using RWW again and download the files to the computer. There, I bypassed the bad guys attempts to block me AND protected my passwords at the same time.
Once downloaded I rant Smitfraudfix and set it to scan the system. It produced a logfile which is reproduced in part below.
VACFix
!!!Attention, following keys are not inevitably infected!!!VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+————————————————–+
[!] Suspicious: nfavxwdbmqx.dll
BHO: QXK Olive – {2419FE5A-CAAD-4C36-B45C-90D53379A7B3}
TypeLib: {35068476-D597-421A-A128-5A86F89D5C4C}
Interface: {C9CE49A0-843B-4A0E-8932-491C487B2EB7}
Interface: {D04BC5F0-97AA-404F-B8E4-AED0EF871551}
+————————————————–+
[!] Suspicious: kgxmotapktx.dll
BHO: QXK Olive – {812AE34E-162C-4C94-BAA1-A2C0431AEC84}
TypeLib: {8C6AACDD-4862-496C-BA20-D712AD679760}
Interface: {6A4A71B0-36D2-4674-87AF-288F60E3EC71}
Interface: {A74CD9A1-9348-4B3F-87A4-4852C2CE802E}[!] Suspicious: eqvwamkl.dll
SSODL: eqvwamkl – {EF2A52A0-938B-4234-B611-AD17904E9996}[!] Suspicious: evgratsm.dll
SSODL: evgratsm – {EC578342-2C34-40DC-B2DA-4E04D35A0E0C}
I then ran it to clean and it gave me the following (again an excerpt from the log file)
VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\nfavxwdbmqx.dll deleted.
C:\WINDOWS\kgxmotapktx.dll deleted.
C:\WINDOWS\eqvwamkl.dll deleted.
C:\WINDOWS\evgratsm.dll deleted.
Ok – so that was some of the bad stuff – I then ran the Malwarebytes Anti-Malware across the system and it showed me that the system was HEAVILY infected with a load of bad stuff.
Malwarebytes’ Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 211:00:12 30/07/2008
mbam-log-7-30-2008 (11-00-12).txtScan type: Quick Scan
Objects scanned: 44702
Time elapsed: 6 minute(s), 51 second(s)Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 23
Registry Values Infected: 10
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 50Memory Processes Infected:
(No malicious items detected)Memory Modules Infected:
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efccyayA.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yttcyivq.dll (Trojan.Vundo) -> Delete on reboot.Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemailbundle2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2.1 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatmailman2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chilkatmail2.chilkatemail2 (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcn66j0er8j (Rogue.Multiple) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b399c3f-11f4-493e-95b5-22346ad53f93} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b399c3f-11f4-493e-95b5-22346ad53f93} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b44e2b70-ed5a-4704-8c0c-2d0a09eb5a90} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyvmji (Trojan.Vundo) -> Delete on reboot.Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcj66j0er8j (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wnslvxtf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advap32 (Trojan.Spammer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\247d4af7 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Delete on reboot.Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccyaya -> Delete on reboot.Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Application Data\rhcn66j0er8j\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\rhcn66j0er8j.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\rhcn66j0er8j.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhcn66j0er8j\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winfe36.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcj66j0er8j.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcj66j0er8j.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcj66j0er8j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcj66j0er8j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\esea.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\erms.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdhyfgcj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efccyayA.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\Q33B17XP\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlLefc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ccoqtf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ixmgasew.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\M10K8Y3M\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pxefpj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qcjuhnwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oeyvtc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btlnvy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vnwmdxwb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwqxqdrt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ysvbxo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpwwljuo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ayayccfe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ayayccfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\djgazb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yttcyivq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qviyctty.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyyVmji.dll (Trojan.Vundo) -> Delete on reboot.
Ok – so at this point it looks like it was clean. To be sure I went to TrendMicros website and ran a Housecall – this now looks clean.
Advice to the pharmacist then was to ensure he changed all passwords for all online systems. I suggested also that he consider a format and rebuild of the system to be sure and left it in his hands for his regular support people to take over.
Anonymous says
How long did it take to clean this up / where you at the Rx all the time?
I got Antivirus 2009 on one of my lab PCs. Running those 2 apps took a long time from what I remember. When dealing with a client, the labor costs to go there, start the apps, then return later and hope its all clean is a pain / expensive. I start to think about recommending a flatten and reinstall.
mouseman says
This windows antivirus cause such a headache, its nothing more an update that try to put itself on your computer. Don’t be sucker into buying it when it pop up because it is nothing more than a fraud scam.
Tony says
Had the same problem,(Antivirus 2008) got some advice and it worked. Logged onto the internet and downloaded a program called SuperAntiSpyWare Remover.The home addition is completely free, and after the scan it deletes the spyware for you. When you reboot, do so in safe mode by Pressing the F8 key at startup. reset you screen resolution and then reboot in normal mode, your problem will be solved and no data will be lost or corrupted.
Dont know much, not much to know.
f8browser says
Great blog you’ve got here.. It’s difficult to find high-quality
writing like yours nowadays. I honestly appreciate individuals like you!
Take care!!