
Hit by 2 fake infected .dlls - nasty work

  • 08-04-2007 11:11am
    #1
    Registered Users Posts: 1,766 ✭✭✭


    Hi,

    I got hit by 2 infected fake .dlls in my Windows system32 (XP MCE). The filenames are random.

    These are:
    1. ddccb.dll
    2. nnnlihi.dll

    No.1 can be removed using a tool called VundoFix.exe (from TechGuyForums). It removes it and reboots the system. But upon reboot a new random .dll is generated to replace 1. It then infects two files in the local temp dir in the Docs and Settings folder. Each time it's the same trojans:
    Trojan horse Generic3.QLS
    Trojan horse Collected.11.B
    AVG picks these and heals them. Fine.

    That is what happens when I try to remove 1. It can't be deleted manually.

    Now, for 2. nnnlihi.dll - this is not detected by VundoFix.exe but if I scan with ClamAV - both 1 and 2 are detected and described as trojan.Packed-7. Of course ClamAV tries and fails to remove these.
    clamAV.gif

    Next, I tried HiJackThis version 2 - to remove nnnlihi.dll (this guy is the main culprit) - by going "Delete a file on reboot" - but upon reboot this file is not removed - even in safe mode.

    Next, I tried killbox.exe which does the same thing, you select to delete upon reboot, but the system sees this and stops it. eg.
    killbox.gif

    I was even thinking of getting a linux distro that has a kernel (2.17.20) to support NTFS write so I could mount the sd0 (c: drive) and remove the file from the linux side.

    Can anyone suggest something I could try short of a reinstall? I do not have restore points and do not use them.

    Again it's nnnlihi.dll I am trying to specifically kill.


Comments

  • Closed Accounts Posts: 6,151 ✭✭✭Thomas_S_Hunterson


    I'd go with the linux distro.

    Ideally you might find a live boot disk with NTFS support so that you wouldn't have to actually install linux.

    I think this one might fit the bill: http://overclockix.octeams.com/


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Post a HijackThis log here please.


  • Registered Users Posts: 1,766 ✭✭✭hamster


    Ok Actor, see what you think of this...

    Look at:
    O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
    O20 - Winlogon Notify: nnnlihi - C:\WINDOWS\SYSTEM32\nnnlihi.dll

    These are the 2 messers right now...
    Also, bccdd.ini is created by ddccb.ini (like I said I can remove this one) - but a new .dll will take its place (ie, described in 1 above). nnnlihi - is only spotted by ClamAV (which sees both).


  • Registered Users Posts: 1,766 ✭✭✭hamster


    file attached:


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Please do all these steps, including running VundoFix again (my way though).

    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

    Open Windows Defender.
    Click on Tools, General Settings.
    Scroll down and uncheck Turn on real-time protection (recommended).
    After you uncheck this, click on the Save button and close Windows Defender.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.

      Note: It is possible that VundoFix encountered a file it could not remove.
      In this case, VundoFix will run on reboot, simply follow the above
      instructions starting from "Click the Scan for Vundo button." when
      VundoFix appears at reboot.

      Run HijackThis, click "Do a system scan only" and check these entries :

      O2 - BHO: (no name) - {483CC496-D041-4545-8D9E-2D64294F97B2} - C:\WINDOWS\system32\nnnlihi.dll
      O2 - BHO: (no name) - {7D03071D-145B-467F-9D0C-FCB4FBF88EF7} - C:\WINDOWS\system32\ddccb.dll
      O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kpccbyan.dll",setvm
      O4 - HKCU\..\Run: [C:\utilities\NetMeter\NetMeter.exe] C:\utilities\NetMeter\NetMeter.exe
      O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
      O20 - Winlogon Notify: nnnlihi - C:\WINDOWS\SYSTEM32\nnnlihi.dll


      Close all windows except for HijackThis and click "Fix checked".

      Next delete this file in bold:
      C:\WINDOWS\system32\kpccbyan.dll

      Next delete this folder in bold:
      C:\utilities\NetMeter

      You now need to update your Java and remove your older versions.
      Please follow these steps to remove older version Java components.

      * Click Start > Control Panel.
      * Click Add/Remove Programs.
      * Check any item with Java Runtime Environment (JRE) in the name.
      * Click the Remove or Change/Remove button.

      Download the latest version of Java Runtime Environment (JRE) 6, and install it to your computer.
      http://java.sun.com/javase/downloads/index.jsp
      Go to Java Runtime Environment (JRE) 6u1 > Click Download > Accept the license agreement > Download Windows Offline Installation, Multi-language jre-6u1-windows-i586-p.exe 13.16 MB

      Now to re-enable Windows Defender
      Open Windows Defender.
      Click on Tools, General Settings.
      Scroll down and check Turn on real-time protection (recommended).
      After you check this, click on the Save button and close Windows Defender.

      You seem to be running ClamWin anti-virus and AVG anti-virus. This can lead to a lot of problems so please uninstall one of them by going to:
      Start > Control Panel > Add or Remove Programs > Remove whichever one you want
      I recommend that you keep AVG anti-virus

      Do all these steps, tell me how it goes, and post a new HijackThis log

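    The six HijackThis lines quoted above share one pattern worth seeing in code: the same DLL shows up under two different autostart categories (O2 BHO and O20 Winlogon Notify), and a Run key loads a third DLL through rundll32 with a named export. The script below is an added example written for this thread, not part of the original post and not HijackThis's own code. It parses HijackThis-style entries and reports that correlation; the sample log is constructed from the entries quoted in the thread plus one ordinary ctfmon.exe Run entry so the output also shows a line that is not flagged. The heuristics (a file registered under several launch points, rundll32 calling an export from a system32 DLL, any Winlogon Notify package) are this example's own reading of why these entries mattered, not a signature for Vundo.

```python
"""Correlate HijackThis-style autostart entries to spot a DLL that is
hooked into several launch points at once (the pattern in this thread:
ddccb.dll and nnnlihi.dll appear both as an O2 BHO and as an O20
Winlogon Notify package)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: the six entries quoted in the thread, plus one
# ordinary Run entry (ctfmon.exe) so the report shows an entry that is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {483CC496-D041-4545-8D9E-2D64294F97B2} - C:\WINDOWS\system32\nnnlihi.dll
O2 - BHO: (no name) - {7D03071D-145B-467F-9D0C-FCB4FBF88EF7} - C:\WINDOWS\system32\ddccb.dll
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\kpccbyan.dll",setvm
O4 - HKCU\..\Run: [C:\utilities\NetMeter\NetMeter.exe] C:\utilities\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: nnnlihi - C:\WINDOWS\SYSTEM32\nnnlihi.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path up to the next quote, whitespace, comma or closing bracket.
# Paths containing spaces are not handled (HijackThis quotes most of those).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,\]]+')
# rundll32 <dll>,<export>  with optional quotes around the DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+)"?\s*,\s*(\w+)', re.IGNORECASE)
NOTIFY_RE = re.compile(r"Winlogon Notify:\s*(\S+)\s*-\s*(.+?)\s*$")


@dataclass
class Entry:
    section: str   # e.g. "O2", "O4", "O20"
    detail: str    # everything after the section code
    paths: list    # file paths mentioned in the line, in order, de-duplicated


def parse_hjt(text):
    """Turn the O-entries of a HijackThis log into Entry objects; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, anything that is not an O-entry
        section, detail = m.groups()
        paths = list(dict.fromkeys(PATH_RE.findall(detail)))
        entries.append(Entry(section, detail, paths))
    return entries


def cross_referenced(entries):
    """Map lower-cased path -> sorted section codes, for files registered
    under two or more different autostart categories."""
    seen = defaultdict(set)
    for e in entries:
        for p in e.paths:
            seen[p.lower()].add(e.section)
    return {p: sorted(s) for p, s in seen.items() if len(s) >= 2}


def rundll32_run_entries(entries):
    """(dll, export) pairs for Run-key entries that load a DLL through rundll32."""
    found = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUNDLL_RE.search(e.detail)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def winlogon_notify(entries):
    """(name, dll) pairs for O20 entries; these DLLs are loaded into winlogon.exe,
    which is why such a file shows as locked by winlogon.exe while Windows is up."""
    found = []
    for e in entries:
        if e.section != "O20":
            continue
        m = NOTIFY_RE.search(e.detail)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def report(text):
    """One human-readable line per finding, in a stable order."""
    entries = parse_hjt(text)
    lines = []
    for path, sections in sorted(cross_referenced(entries).items()):
        lines.append(f"{path}: registered under {', '.join(sections)}")
    for dll, export in rundll32_run_entries(entries):
        lines.append(f"{dll}: Run-key entry calls export '{export}' via rundll32")
    for name, dll in winlogon_notify(entries):
        lines.append(f"{dll}: Winlogon Notify package '{name}' (loaded by winlogon.exe)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    Run against the constructed log it reports the two DLLs that sit in both O2 and O20, the kpccbyan.dll rundll32 entry, and both Winlogon Notify packages; the NetMeter and ctfmon.exe entries appear only once each and are not flagged, which matches the thread's later finding that NetMeter was something the poster had installed deliberately.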

  • Registered Users Posts: 1,766 ✭✭✭hamster


    Hi Actor,

    I disabled realtime protection on Windows Defender as mentioned. Re-downloaded VundoFix again. Ran it. It found the two boys ddccb.dll and nnnlihi.dll. Clicked remove and after a few moments it informed me that it couldn't and would do so after a reboot. Rebooted and it tried to remove them - seemed to be gone.
    Went to HijackThis and checked the list - the two boys were still there with the same. Checked the fields you mentioned below at O2, O4 and O20 and clicked fix. Restarted and scanned again - still there. Buggers! NetMeter is a freeware utility I had for years - it monitors download rates in graph and unit format. Removed anyway.
    Yes, the ref to kpccbyan.dll was removed yesterday - and upon reboot it always looked for that. Searching dll pages on the net shows it's a fake name. Some process was looking for it to cause trouble.
    C:\WINDOWS\system32\kpccbyan.dll

    Agree - with JRE - fairly behind with it and only updated when absolutely necessary. Will get it for new install. Thanks for path... doing that now.

    I had ClamWin installed to verify the two files - AVG didn't identify them - I was alerted to this when I went to a good online multiple virus tools scan page which showed two or three of the virus scanners could see them.

    What alerted me to this yesterday was sudden popups and this morning tried to access the net when the router was off. Off, to the system32 dir and I saw the latest dated files were timed around the problems when they started. Checking the dll names on the net aroused my fears on this.

    Anyway, I tried Ultimate CD boot (nice tool) to use a tool called NTFS private which claimed to let you access the file in a limit dos mode - it didn't work.

    In the end I started a reinstall there 3 hours ago and now I am back with all my updates on XP pro sp2...... and 73 updates!
    updates.gif

    :D Madness! Anyway, it's been a year since and it's nice to have a clean slate - up-to-date GT7600 video drivers and no reg-crap. 3.5Gb used for a clean slate.
    reinstall.gif

    Total Files Listed:
    13279 File(s) 2,165,703,267 bytes
    2862 Dir(s) 54,561,275,904 bytes free

    Thanks for the help though Actor - seriously appreciate your input here. In the end - it was due for a reinstall - but Easter Sunday was bad timing. Oh well, didn't take too long. :)

    Better... do a grafting XP CD with the latest patches to avoid that again.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    No problem at all man. Not sure why those O2, O4, O20s came back... Vundo can use your old versions of Java to attack your PC, hence why you have to keep it updated regularly. Could you link me to the post on TechGuyForums, just curious what their feedback was.

    Below I have included a number of recommendations for how to protect your computer against malware infections.

    * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
    SpywareBlaster protects against bad ActiveX
    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

    *SpywareGuard offers realtime protection from spyware installation attempts.

    * I recommend the following anti-spyware programs to protect yourself against spyware, make sure you only use one real-time anti-spyware protection program though:
    AVG anti-spyware
    Spybot - Search and Destroy
    Ad-Aware SE Personal

    * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

    * Some good free firewalls are ZoneAlarm, Kerio, or Outpost. Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

    * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
    Here

    EDIT: I had a feeling NetMeter was probably something you installed yourself. However it comes bundled with malware, hence why I said to fix it, in case you're wondering :)


  • Registered Users Posts: 1,766 ✭✭✭hamster


    Nice one - I'll check these out. Prior to this - I usually have:

    AVG Free, Spybot, Ad-aware SE and Windows Defender and the standard firewall with the Eircom's router on medium. I didn't want to have too much installed. It would start to match Norton's snail pace.

    Would you believe Kerio's offering would be better than the standard XP (not vista) firewall? I was tempted to try it out there as many people do recommend it.

    On TechGuyForums there is a busy thread on "Cannot delete infected dll used by winlogon" - almost the same issues described by the title.
    http://forums.techguy.org/security/557097-cannot-delete-infected-dll-used.html

    It was there I got the ref to Vundofix.exe and killbox.

    Unlocker is another useful tool which you probably know about - right clicking on my .dlls using "unlock" showed me it was locked via the winlogon.exe. Of course that was too much for unlocker as well. Normally use that to delete files locked because of a program crash or what not.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Well in my opinion Windows Defender is the worst of those programs you listed. I definitely recommend getting rid of it. AVG anti-spyware is by far the best imo, Ad-Aware and Spybot are both pretty old. What I use are AVG anti-spyware, SpywareGuard, and SpywareBlaster; the last two make sure very little spyware gets on my PC, and any that gets past them gets fixed with AVG AS (I would definitely recommend using these 3 programs only).

    Windows XP Firewall is pretty bad, and definitely shouldn't be relied on for security. I've heard excellent stuff about Kerio, but it seems you only get a 30-day free trial now. Usually you can get just as good freeware programs, so I'd save your money and get either Comodo or Outpost; I would pick Comodo myself (it gets excellent reviews, should have mentioned it earlier).

    Yes I've heard of Unlocker, I hear it's pretty good. I use Killbox! myself whenever it's needed.

    Another excellent program that I recommend is
    http://www.ccleaner.com/download/
    Has a solid registry cleaner in it that you should use every once in a while.

    If you got any more questions just ask, doing some work so here for a while :)


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Spybot-Search and Destroy has real time protection called TeaTimer and is very good, it is fine to use as long as you keep it updated just like any anti spyware software. The XP firewall is fine for most users but another like Comodo or ZoneAlarm on top of that is good.

