Popped my Virus virginity cherry today. How embarrassing...


ProfHawking
Zombie
Zombie
Posts: 2101
Joined: February 20th, 2005, 21:31

Popped my Virus virginity cherry today. How embarrassing...

Post by ProfHawking »

I've been a bit of a tit and installed a nasty crapload of adware/shite that came down in a bit of floorware.

NOD32 flashed a couple of warnings and quarantined a few files but obviously not enough.

It majorly fucked over my machine, disabling various essential services, hiding start menus, C: drives, taskbar messages, changing wallpapers to nasty virus logos etc.

It looked very similar to the "Antivirus 2008 XP" infected machines I saw at work.

A safe-mode NOD32 scan didn't do anything except delete my Crysis keygen.
Even more embarrassingly, simply running Add/Remove Programs from the command line and uninstalling something called "WebVideo Support" removed the majority of the crap.

Anyway, another poke in system32 with NOD revealed some dodgy DLLs, so I'm not sure it's 100% gone.

This is my hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:22:34, on 15/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\USBDLM\USBDLM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Rob\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ExtremeSync Background Scheduler] C:\Program Files\SuperFlexible\ExtremeSyncService.exe /TIMERASAPP /STARTUP
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [8873ef3a] rundll32.exe "C:\WINDOWS\system32\iphtprrn.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: iqdotb.dll
O23 - Service: ExtremeSync Service (ExtremeSync_Service) - Unknown owner - C:\Program Files\SuperFlexible\ExtremeSyncService.exe
O23 - Service: Google Update Service (gupdate1c914c7398bcfe2) (gupdate1c914c7398bcfe2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Program Files\USBDLM\USBDLM.exe
O24 - Desktop Component 1: SqueezeCenter - http://nano:9000/status_header.html?pla ... %3A34%3A40

--
End of file - 5064 bytes

One thing I don't recognise is:

O20 - AppInit_DLLs: iqdotb.dll

NOD32 says nothing, Google says nothing. The DLL contents don't give much away.

Any ideas what it could be? Safe to delete?

Oh yeah, and I forgot to reset the IE homepage - still some shite...
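A small triage script over the posted log, added here as an example (it is not the poster's tool and not part of HijackThis): it picks out the entries the thread ends up questioning, namely the AppInit_DLLs line, the Run key that loads a random-looking DLL through rundll32, the changed IE start page and the IE restrictions policy. The name-randomness heuristic is an assumption of mine, and the sample lines are a subset copied from the log above.

```python
import re

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [8873ef3a] rundll32.exe "C:\WINDOWS\system32\iphtprrn.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: iqdotb.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
DLL_RE = re.compile(r'([A-Za-z0-9_]+)\.dll', re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a rule from the thread): a bare 8-digit hex
    token, or 6+ lowercase letters with fewer than a quarter vowels, does not
    read like the abbreviation a human would pick for a legitimate DLL/Run key."""
    if re.fullmatch(r'[0-9a-f]{8}', name):
        return True
    if re.fullmatch(r'[a-z]{6,}', name):
        return sum(c in 'aeiou' for c in name) / len(name) < 0.25
    return False

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, item, reason) for the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith('O20 - AppInit_DLLs:'):
            value = line.split(':', 1)[1].strip()
            if value:  # loaded into every process that pulls in user32.dll
                findings.append(('O20', value, 'AppInit_DLLs set; legitimate software rarely uses it'))
        elif line.startswith('R0 - ') and 'Start Page' in line:
            url = line.split('=', 1)[1].strip()
            findings.append(('R0', url, 'IE start page points at a third-party site; reset it'))
        elif line.startswith('O6 - ') and 'Restrictions present' in line:
            findings.append(('O6', 'HKCU IE Restrictions', 'IE policy restrictions set; fits the hidden menus/drives'))
        elif (m := O4_RE.match(line)):
            cmd = m['cmd']
            if 'rundll32' in cmd.lower():
                for dll in DLL_RE.findall(cmd):
                    if looks_random(m['name']) or looks_random(dll):
                        findings.append(('O4', f"{m['name']} -> {dll}.dll", 'rundll32 loads a DLL with a random-looking name'))
    return findings

if __name__ == '__main__':
    for section, item, reason in triage(SAMPLE_LOG):
        print(f'{section:4} {item:45} {reason}')
```

Run on the full log it flags the same four lines the thread discusses and leaves the NVIDIA and NOD32 entries alone.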
No1Jew
Meerkat of DOOM
Meerkat of DOOM
Posts: 150
Joined: July 3rd, 2007, 16:37
Contact:

Post by No1Jew »

Did this virus get through NOD32 or did you not have it running at the time?

The reason I ask is that I've just started to use NOD32.
HereComesPete
Throbbing Cupcake
Throbbing Cupcake
Posts: 10249
Joined: February 17th, 2007, 23:05
Location: The maleboge

Post by HereComesPete »

Would appear that he downloaded and ran the virus as part of a sweep. Not much an anti-virus can do after that if you let the thing run.

What I tend to do is turn everything except essential services off, and let nothing but the barest minimum start with a bit of msconfig. Anything that starts itself up again generally = bad thing.

Problem is that google tends to say nothing, or some tit posting on a site that gets read a lot says 'I dunno what that is, must be uber l33t death worm!!!0ne!' and every fucker reads it and panics, when it's normally just a shit bloated utility that arrived with a bit of hangy offy hardware.

Delete it, see what happens.
ProfHawking
Zombie
Zombie
Posts: 2101
Joined: February 20th, 2005, 21:31

Post by ProfHawking »

NOD32 was running, but didn't see it fast enough to stop it.

It went:
1 - Downloaded 700MB of supposed application
2 - .nfo file says unpack trial version of said app, then install, then replace .exe file. Standard stuff with floorware.
3 - Ran the .exe unpacker, branded as expected.

What looks like a command window flashes up and goes, NOD32 loads up a red warning window. Files quarantined. Then another, thread terminated.
I quit the unpacker immediately, but damage was done.
TezzRexx
Dr Zoidberg
Dr Zoidberg
Posts: 4072
Joined: February 8th, 2005, 15:54
Location: BURMINGHUM, England
Contact:

Post by TezzRexx »

Don't be ashamed, happens to the best of us

:lol:
Stoat
Site Admin
Site Admin
Posts: 3291
Joined: October 8th, 2004, 15:48
Location: Sheffield, UK
Contact:

Post by Stoat »

Be sure to check Scheduled Tasks too.
Dr. kitteny berk
Morbo
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53
Contact:

Post by Dr. kitteny berk »

Stoat wrote: Be sure to check Scheduled Tasks too.
:above: and startup stuff
deject
Berk
Berk
Posts: 10353
Joined: December 7th, 2004, 17:02
Location: Oklahoma City, OK, USA
Contact:

Post by deject »

If iqdotb.dll is located anywhere in C:\Windows then it's definitely malicious. Legitimate .dlls will be fairly obvious abbreviations once you know what they're for, and Google should be able to tell you that. If Google doesn't know about it and it's in system32 or something like that, give it the boot like in Battletoads.
fabyak
Home-made Big Daddy
Home-made Big Daddy
Posts: 5681
Joined: October 14th, 2004, 14:02
Location: Oxford, England

Post by fabyak »

Also omghats on losing your cherry!

And it does happen to all of us, did it myself a few months back when half asleep and spent the whole day clearing up the mess :shakefist:
HereComesPete
Throbbing Cupcake
Throbbing Cupcake
Posts: 10249
Joined: February 17th, 2007, 23:05
Location: The maleboge

Post by HereComesPete »

Keep forgetting about autoruns, rather useful for stray crap.
cheeseandham
Shambler In Drag
Shambler In Drag
Posts: 780
Joined: March 16th, 2007, 20:22
Location: on the sofa
Contact:

Post by cheeseandham »

I'm sorry to say I've started to see NOD32 letting users run some nasties in the last week. If it carries on I might have to re-evaluate our AV recommendation.

Anyway, here's what I've found works quite well with these. (Only to be done by Prof or people who know what they are doing, I will not be blamed if this kills your puppies)

* Get DTaskManager - http://dimio.altervista.org/eng/
* Sort by user and select all processes run by you (including C:\WINDOWS\Explorer.EXE; I'm not sure the EXE should be in upper case, and it's something I've noticed gets rectified when you kill it)
* Select all of these processes with the old SHIFT select. (Use CTRL to deselect the DTaskManager process.)
* Kill all (I use the Kill Task Override); it'll then kill all those processes at once.
* Once done, use HijackThis/Autoruns and get rid of any weird things (iphtprrn.dll?). Remember that HijackThis backs up your removals, so if you do something you regret it is undoable.
* Go into your C:\Windows\System32 folder. Sort by date. Ignore WPA.DBL and the imon file, but otherwise kill/move any exe or dll created in the last couple of days.
* Reboot and check
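The "sort System32 by date" step as an added Python check (my example, not cheeseandham's tool): it lists the .exe/.dll files touched within the last couple of days, skipping WPA.DBL and imon* as the post says, and runs here against a constructed temp folder with names from this thread rather than a real System32. Using st_mtime as the "created" timestamp is an assumption; on Windows st_ctime holds the creation time and can be swapped in.

```python
import os
import tempfile
import time
from pathlib import Path

# Files the post says to ignore when sorting System32 by date (imon* belongs to NOD32).
IGNORE_NAMES = {'wpa.dbl'}
IGNORE_PREFIXES = ('imon',)
SUSPECT_EXT = {'.exe', '.dll'}

def recent_binaries(folder, days=2, now=None):
    """Return .exe/.dll names in `folder` modified within `days`, newest first.
    Assumption: a freshly dropped file carries a fresh st_mtime."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in os.scandir(folder):
        name = entry.name.lower()
        if not entry.is_file() or name in IGNORE_NAMES or name.startswith(IGNORE_PREFIXES):
            continue
        if Path(name).suffix not in SUSPECT_EXT:
            continue
        mtime = entry.stat().st_mtime
        if mtime >= cutoff:
            hits.append((entry.name, mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return [name for name, _ in hits]

SAMPLE_NOW = 1_700_000_000  # fixed "now" so the constructed sample is reproducible

def build_sample_dir():
    """Constructed stand-in for System32: DLL names from the thread plus decoys,
    each given an mtime a chosen number of days before SAMPLE_NOW."""
    folder = tempfile.mkdtemp()
    for name, age_days in [('iphtprrn.dll', 0.5), ('iqdotb.dll', 1.5),
                           ('kernel32.dll', 400), ('imon.dll', 0.1),
                           ('WPA.DBL', 0.1), ('readme.txt', 0.1)]:
        path = os.path.join(folder, name)
        open(path, 'w').close()
        stamp = SAMPLE_NOW - age_days * 86400
        os.utime(path, (stamp, stamp))
    return folder

if __name__ == '__main__':
    # On a real box, point this at C:\Windows\System32 and leave `now` unset.
    print(recent_binaries(build_sample_dir(), days=2, now=SAMPLE_NOW))
```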


DTaskManager seems quite useful; it has a "Suspend" process feature which could be used for those nasty "run two processes at the same time and respawn the one that is killed" buggers (this one doesn't seem like that).

If you find your Display Properties tabs have been removed or the default wallpaper has been changed: http://www.runpcrun.com/xp-antivirus-20 ... bs-missing
Last edited by cheeseandham on September 15th, 2008, 22:20, edited 1 time in total.
cheeseandham
Shambler In Drag
Shambler In Drag
Posts: 780
Joined: March 16th, 2007, 20:22
Location: on the sofa
Contact:

Post by cheeseandham »

Oh, and I came across a variant today that uses the BSOD screensaver immediately on booting.
The PC got shipped to the office, and we thought there was something very wrong hardware-wise as the BSOD codes kept changing (oh, and the front fascia was completely melted; it looked like a Dell painted by Salvador Dali, which threw us off completely).
After my colleague ran memtest for 30 minutes, with two of us looking at it in puzzlement, someone touched the keyboard during the BSOD and it flipped back to Windows...
Pretty funny :)
deject
Berk
Berk
Posts: 10353
Joined: December 7th, 2004, 17:02
Location: Oklahoma City, OK, USA
Contact:

Post by deject »

cheeseandham wrote: Oh, and I came across a variant today that uses the BSOD screensaver immediately on booting.
The PC got shipped to the office, and we thought there was something very wrong hardware-wise as the BSOD codes kept changing (oh, and the front fascia was completely melted; it looked like a Dell painted by Salvador Dali, which threw us off completely).
After my colleague ran memtest for 30 minutes, with two of us looking at it in puzzlement, someone touched the keyboard during the BSOD and it flipped back to Windows...
Pretty funny :)
Now that is fucking brilliant.
HereComesPete
Throbbing Cupcake
Throbbing Cupcake
Posts: 10249
Joined: February 17th, 2007, 23:05
Location: The maleboge

Post by HereComesPete »

:lol:
Dr. kitteny berk
Morbo
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53
Contact:

Post by Dr. kitteny berk »

:lol:
cheeseandham
Shambler In Drag
Shambler In Drag
Posts: 780
Joined: March 16th, 2007, 20:22
Location: on the sofa
Contact:

Post by cheeseandham »

It's bloody everywhere, I just had my sister ring as her screen was filled with "ZOMG YOUR TEH INFECTED!!111" and wouldn't let her close the browser.

Luckily she had the presence of mind to just ring me rather than believe it outright and install anything, but from what I'm seeing this week and today, there are many variants and they use Java and JavaScript when coming in via the web.

So, to the population in general: make sure your Java is up to date, and consider running NoScript if you use Firefox when browsing untrusted sites. (My sis was researching 'Zombies' at the time, bless her.)
HereComesPete
Throbbing Cupcake
Throbbing Cupcake
Posts: 10249
Joined: February 17th, 2007, 23:05
Location: The maleboge

Post by HereComesPete »

Yay zombies! Boo viruses!
Dr. kitteny berk
Morbo
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53
Contact:

Post by Dr. kitteny berk »

cheeseandham wrote: It's bloody everywhere
:above: nasty little fucker too from what I've heard.
ProfHawking
Zombie
Zombie
Posts: 2101
Joined: February 20th, 2005, 21:31

Post by ProfHawking »

Yep, it is a nasty one.

Cheers for the pointers guys. I have found a few more dodgy DLLs. I think a backup & format will be done when I get a sec. For now I'll just delete them all.