Vundo seems to be gone, but is there any other major malware lurking?

Posted this on June 30th in the CMF thread

“Got a nasty infection of Vundo. Kept rebooting; luckily I had a copy of Malwarebytes open and stored, so I was able to go to Safe Mode and, using Windows Task Manager, was able to run it and stop the reboots. Ran it a 2nd and 3rd time and that seems to have solved that problem.”

I have since updated and scanned over several days using various products.
In Normal and Safe Mode I have used Avira free, SuperAntiSpyware, a-squared, AVG (Ewido), Windows Defender, Spybot Search and Destroy, SpywareTerminator, Dr.Web, Malwarebytes, Prevx CSI, reinstalled SpywareDoctor Starter Edition (Google Pack), VundoFix, FixVundo (Norton), VirtumundoBeGone, and ComboFix.

Online scans were

Comodo Web Based Scan. Posted this in its thread, 8th down:

https://forums.comodo.com/feedbackcommentsannouncementsnews_about_cavs/web_based_av_scanner_from_comodo-t24421.45.html

Also online scanned with Kaspersky, NOD32, F-Secure, Norton, Panda, and BitDefender. BitDefender had the most questionable false positives.

I am attaching several of the logs.

Waiting to be advised to run HijackThis or several other anti-malware scans.

WARNING: Since it was rated so high I had wanted to run an online scan using G Data 2008, and did a Google search for it. Be warned: currently there is no online scan for it! I clicked on a link and when I saw the photos on the left side I knew the site was not what I wanted, and within 15 seconds it started downloading (reputable scans are going to ask you to accept their EULA, and again you have to accept before the ActiveX is downloaded).
Needless to say I immediately aborted that site.

Thank you for your time
UncleDoug

(:m*) Mod Revised bitdefender_log.txt to remove private content

[attachment deleted by admin]

Dear Uncle:

I have the same EvID4226Patch.exe file on my PC. It’s “legit”, depending on the perspective and usage. Some AVs, including Comodo’s, flag it as malware because it patches the tcpip.sys file (which controls the maximum # of half-open outgoing connections). The reason why I patch mine is that I constantly run uTorrent (a p2p program) and it greatly helps increase my download speed.

Your VGB.txt report looks fine. Unfortunately, not being an expert, the others I’m not sure on.

Sincerely,

Soyabeaner

PS: Does this seem too much like a formal letter? (:TNG)

Only the

Sincerely,

UncleDoug

Ok, I did another check on your other logs:

mbam-log-6-30-2008 (08-52-23).txt - As stated above on the EvID4226Patch.exe file. I also PM’d you about something.

bitdefender_log.txt - Ok, now this is ironic: BitDefender detected ComboFix.exe as malicious… um, isn’t ComboFix your other running anti-malware? (:LGH). freshdow.exe and SuperScan4.exe don’t feel legit to me (not well-known programs at least), although I could be completely wrong ;D

VBG.txt - The only entry that remotely looks suspicious is 7E853D72-626A-48EC-A868-BA8D5E23E045, but I Googled and found it’s the Windows Live Call HoverToCall class from Windows Live Messenger.

ComboFix.txt - This report’s the longest, so I only quickly skimmed through and didn’t notice anything unusual except maybe those *.tmp.dll (temporary dll files?) and 5AE067D3-9AFB-48E0-853A-EBB7F4A000DA

ComboFix is not per se a scanner but a tool that looks for certain malware and, if found, removes and repairs.
After using it, the advice is to delete ComboFix. It is just like scanners finding EvID and SmitFraudFix as malware.

Freshdow is from FreshDevices and is Fresh Download Manager. Not used it in a while. They require an email address other than a free Hotmail, Yahoo, or Google type email account. The ONLY problem was the ads by Google on the side; 3 years ago some seemed really questionable. Their programs are pretty good!

SuperScan I think I was first introduced to here. 4 is the latest version. I was having problems with Qnext and someone suggested I use it to check settings. But I had run a tool from GRC that turned a needed service off.

Just checked and SuperScan4 is a scanner from Foundstone, a part of McAfee:
http://www.foundstone.com/us/resources/proddesc/superscan4.htm

There might be another file with a similar name, but since it scans ports, again the scanners might classify it as malware?

UncleDoug

Yes, that was the other possibility. At first I wasn’t sure whether the port scanner was a subtool that you used or a result of the past infection. Since you do recognize the names I suppose they must be ok. That crosses all the reports off the list except the last by ComboFix - we’ll wait for an expert to arrive.

Application.Generic.9790 - ComboFix.exe
Trojan.Generic.106527 - freshdow.exe
Application.Superscan.F - SuperScan4.exe

Looks like your BitDefender is cleaning up possibly unwanted software.
ComboFix uses “suspicious” routines and gets flagged Application.Generic.
Freshdow appears to be a download manager and can “download” files and gets flagged Trojan that way.
SuperScan4 is just another port scanner and gets deleted also? (If you need it, it’s fine.)

The part that worries me is the MEMSWEEP2 detection in the combofix.log,
I found this link referring to it as a rootkit behavioral file.
http://forum.emsisoft.com/Default.aspx?g=posts&t=1914
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\7E1.tmp []

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="??\C:\WINDOWS\system32\7E1.tmp"

I think you need to get rid of that, it looks like it’s still active.

Not that I’m any kind of expert. I just wandered in the door.

A few things in your Combofix log that I’m curious about

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\7E1.tmp []
and
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="??\C:\WINDOWS\system32\7E1.tmp"

Google search turns up that MEMSWEEP2 may be something unwanted. Do you have such a service running/present-but-disabled? And tmp files in system32 almost always put up a warning flag for me. Especially something running, much less as a service.

And this stuff in the Combofix log

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-06-30 12:30 361344 f0bfed848d92bb4dd0619246e20fc20c C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-06-30 12:30 361344 f0bfed848d92bb4dd0619246e20fc20c C:\WINDOWS\system32\drivers\TCPIP.SYS
.

The tcpip.sys signatures don’t match any of the patches/fixes/base install stuff. Did you rebuild your stack? You might try this as a just-in-case: How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista - Microsoft Support

And then run an fciv check on the tcpip.sys to see if it has changed. The fciv utility is described here: http://support.microsoft.com/kb/841290

And what can you tell me about these, from the file properties (size, owners, authors, version, stuff)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"VIDC.YU12"= ATIYUV12.DLL
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.YV12"= yv12vfw.dll

And this thing

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

matches the description for an IPSec VPN, which tends to be corporate grade stuff. 1723 is PPTP VPN, but the other ports are IPSec. Is this something you would be using?

It may be worthwhile to run Combofix again, but with the current version. (Combofix is undergoing constant change. What you got last week, isn’t the same as what you’d get today, and won’t be the same next week).
There is a Combofix tutorial at http://www.bleepingcomputer.com/combofix/how-to-use-combofix If you haven’t read that yet, read it now. Combofix is a very capable and powerful package, and ranks right up there with juggling chainsaws. And, no, I’m not an expert with it. I’ve seen it used, and I’ve got a lot of respect for it.

And I think it’d be worthwhile to run a DSS scan. Deckards System Scanner is available at http://www.techsupportforum.com/sectools/Deckard/dss.ex and will do a HiJackThis scan, and check a few other things.
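As an added example (not code from the thread, from ComboFix or from any other tool named here), this Python script applies the two checks being done by hand above to a ComboFix log: it flags services whose binary is a .tmp file under system32 (the MEMSWEEP2 entry) and Sigcheck entries where the live copy of a driver has an MD5 that matches none of the reference copies under $hf_mig$, ServicePackFiles or SoftwareDistribution (the tcpip.sys case). The log excerpt is constructed from the lines quoted above; the ndis.sys lines and their hash are made up to show a driver that does match.

```python
import re

# Constructed ComboFix log excerpt: MEMSWEEP2/tcpip.sys lines follow the thread; ndis.sys hash is made up.
COMBOFIX_LOG = r"""
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\7E1.tmp []
S3 NIC1394;1394 Net Driver;C:\WINDOWS\system32\DRIVERS\nic1394.sys []

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-06-30 12:30 361344 f0bfed848d92bb4dd0619246e20fc20c C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-06-30 12:30 361344 f0bfed848d92bb4dd0619246e20fc20c C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-04-13 14:20 182656 0123456789abcdef0123456789abcdef C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2008-04-13 14:20 182656 0123456789abcdef0123456789abcdef C:\WINDOWS\system32\drivers\ndis.sys
.
"""

# ComboFix service line: "<start type> <name>;<display name>;<image path> []"
SERVICE_RE = re.compile(r"^([SR]\d)\s+([^;]+);([^;]*);(.+?)\s*\[.*\]$", re.M)
# Sigcheck line: "<date> <time> <size> <md5> <path>"
SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$", re.M)
# Where Windows keeps reference copies: hotfix backups, service pack files, update downloads
REFERENCE_DIRS = ("\\$hf_mig$\\", "\\servicepackfiles\\", "\\softwaredistribution\\")

def suspicious_services(log):
    """Services whose binary is a .tmp file under system32 (the MEMSWEEP2 pattern)."""
    hits = []
    for start, name, _display, path in SERVICE_RE.findall(log):
        low = path.lower()
        if "\\system32\\" in low and low.endswith(".tmp"):
            hits.append((start, name, path))
    return hits

def sigcheck_mismatches(log):
    """Live driver copies whose MD5 matches none of the reference copies of that file."""
    refs, live = {}, []
    for _date, _time, _size, md5, path in SIGCHECK_RE.findall(log):
        name = path.rsplit("\\", 1)[-1].lower()
        if any(d in path.lower() for d in REFERENCE_DIRS):
            refs.setdefault(name, set()).add(md5)
        else:
            live.append((name, md5, path))
    # An unknown hash on the live copy means a newer update, a deliberate patch, or tampering
    return [(path, md5) for name, md5, path in live if md5 not in refs.get(name, set())]

if __name__ == "__main__":
    for start, name, path in suspicious_services(COMBOFIX_LOG):
        print(f"service {name} ({start}) runs from temp file {path}")
    for path, md5 in sigcheck_mismatches(COMBOFIX_LOG):
        print(f"{path}: md5 {md5} matches no reference copy on disk")
```

A mismatch only says the live file differs from every reference copy on disk; as suggested above, an fciv comparison against Microsoft's published hashes is still needed to tell a deliberate patch from tampering.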

Hi Grue,

Glad we’re on the same level with the Memsweep2 (:WIN)

The tcpip.sys is probably patched with EvID4226Patch.exe, as it’s detected in the mbam-log.
And as it allows more half-open connections, and having SuperScan as a port scanner on the system, I guess this is a “user intended” install/patch of the tcpip.sys.

So, EvID4226Patch.exe is this thing: www.LvlLord.de - Tipps, Tricks & Utilities - Tools ?? If so, then to check tcpip.sys, I’d suggest backing out the patch setting, per instructions, then running fciv to get a checksum and compare against the Microsoft base/patches. Just to rule out there being something else mucking about in tcpip.sys.

And multiple eyes going over this kind of stuff is a good thing. I haven’t really looked at the other logs, which can confirm or lay to rest anything that would raise a question from just a Combofix log. Thanks, Ronny.

I can find out my patched tcpip.sys if that helps 88)

Here is a new log file from ComboFix.

Added a new program to clean junk files, empty folders and dead links.
But think most of the malware seen before has been removed.

Waiting for one of the Comodo Experts in malware identification and removal to recommend programs to scan my system with besides HiJackThis. The others should have a lot shorter log ;D

See several Norton products from years past that need to be removed from the Windows Scheduler. (:TNG)

UncleDoug

[attachment deleted by admin]

Eyeballing your Combofix log, I can say that it looks a bit cleaner. There’s still a couple of entries that I have questions about.

The tcpip.sys signatures don’t match, and they’re different from the prior log ??? And it looks like the Windows monthly patches downloaded, but haven’t, or aren’t installed, or have been and then tweaked.

------- Sigcheck -------

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
2008-07-08 22:54 361600 f2fe29c3d932e12e38d203877e9e3cd7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-07-08 22:54 361600 f2fe29c3d932e12e38d203877e9e3cd7 C:\WINDOWS\system32\drivers\TCPIP.SYS

And, have you been doing anything with Firewire? This entry showed up.

*Newly Created Service* - NIC1394

Running as a service, it should be in the services.msc list, and should have properties - like path, version, author, etc etc. Does it look okay?

It does look a lot better.

Wondered if there were 2 different areas in the Comodo Forum to analyze and help remove malware?
This area and/or this area under CAVS https://forums.comodo.com/virusmalware_removal_assistance-b58.0/ ?? It could get confusing !

After the patch download and installations I ran tools and patches to tweak my connections.
TCP/Optimizer, then the Speed Guide patch for web tweak; not sure if I ran the Speed Guide patch for DNS cache, but did run EvID.

Could those possibly have also created the Firewire entry? Have not hooked up anything via Firewire; I connect the camera via USB. The NIC is a 3Com; again I wondered if those tools and patches might have done something?

Not sure if Qnext was running, but it is a multi-protocol messenger and a private / semi-public p2p program, if that might have an effect on TCP readings?

I was going to paste Deckard’s System Scanner log, so I saved it as text with word wrap to keep everything on the screen.

But read the last lines to attach it, which I will do, and think it presents a cleaner posting.

Thanks for your help and observations.

UncleDoug

[attachment deleted by admin]

The Virus/Malware Removal Assistance board is more general, which I think this thread may be more appropriate for, at least so far, because the Free Virus/Spyware/Trojan/Malware Removal by Comodo Experts board seems like it’s reserved for those who need help directly from Comodo employees.

But I do agree it seems redundant. Perhaps an admin will consider merging the existing threads or something.

Eyeballing your DSS log, I didn’t find anything that worries me. You do have what looks to be Symantec plugins in the O16 list, which could be eating into your browser performance. There’s like a half dozen entries, along with all those other O16 entries. You may want to open Internet Explorer, click Tools → Manage Add-ons, Enable/Disable, and turn some of those off if they’re not off already.

The only other thing odd is in the Services list, the S3 and S4 entries that look like random ALLCAP strings. I’m presuming that, at this stage, there are no such services actually running in the background, which makes these entries just some leftover junk.

It looks clean, so far as I can tell.

It’d be a good idea to watch the CFP Defense+ logs for a while. Or, if you’re feeling adventurous/brave/insane, you could set Defense+ to Learning mode, and then watch what rules Defense+ makes. If you get some kind of file association or reference that makes no sense, then there’s something running around in the background. But you want Defense+ to stop that beforehand, not after the fact. So I’ll say to watch the log instead. ;D

How is the machine running?

Sorry for the late Thank YOU,

Trying to identify those services and decide what to do. One I have had in hidden services for a year and have not been able to restart it.

Again Thank You grue155, for Your Time and Help.

UncleDoug