That's right, Norton Internet Security failed to detect Virtumundo in my windows xp home with service pack installed. However these programs found it and thankfully removed it:
Spybot Search & Destroy - without teatimer installed
SuperAntiSpyware
MalwareBytes Anti Malware
and
Ccleaner
All of these noticed bizarre registry entries and all of them detected multiple instances of the Virtumundo, aka Vundo, virus. After a little help from the community of majorgeeks I was able to successfully remove it.
I'm almost ashamed for having Norton Internet Security because it failed to pick up on MAJOR stuff like:
* The security center being disabled
* Not able to search in firefox but being able to search in internet explorer
* Java console failing in firefox due to the infection, but not failing in internet explorer
* Microsoft Automatic Updates were disabled
and various other ailments including, at one point, the Norton Phishing scanner becoming disabled by the virus.
And here is even a scan log by SuperAntiSpyware to show even further what NIS 2007 failed to find!
SUPERAntiSpyware Scan Log
Generated 06/21/2008 at 03:05 PM
Application Version : 4.15.1000
Core Rules Database Version : 3487
Trace Rules Database Version: 1478
Scan type : Complete Scan
Total Scan Time : 00:42:42
Memory items scanned : 422
Memory threats detected : 2
Registry items scanned : 4150
Registry threats detected : 8
File items scanned : 13756
File threats detected : 8
Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\RQRLJHYR.DLL
C:\WINDOWS\SYSTEM32\RQRLJHYR.DLL
Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\PPFDACAB.DLL
C:\WINDOWS\SYSTEM32\PPFDACAB.DLL
Trojan.Vundo-Variant/Small-GEN
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8D7960-7EF4-4D2C-949A-F0D59D7D7B0B}
HKCR\CLSID\{6C8D7960-7EF4-4D2C-949A-F0D59D7D7B0B}
HKCR\CLSID\{6C8D7960-7EF4-4D2C-949A-F0D59D7D7B0B}\InprocServer32
HKCR\CLSID\{6C8D7960-7EF4-4D2C-949A-F0D59D7D7B0B}\InprocServer32#ThreadingModel
Adware.Tracking Cookie
C:\Documents and Settings\Avalanch\Cookies\avalanch@atdmt[2].txt
C:\Documents and Settings\Avalanch\Cookies\avalanch@tribalfusion[2].txt
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\aoprndtws
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKU\S-1-5-21-1343024091-1960408961-682003330-1004\Software\Microsoft\rdfa
Trojan.Downloader-Gen/Suspicious
C:\PROGRAM FILES\GLOBALSCAPE\CUTEFTP 8 PROFESSIONAL\PATCH.EXE
Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\HVRUTVHS.DLL
C:\WINDOWS\SYSTEM32\PLSHTEXB.DLL
C:\WINDOWS\SYSTEM32\WATIEPKQ.DLL
4runner wrote: hmmm, i'm not sure I really understand. So you removed and reinfected your PC over and over again to test all these different packages?
hmmm, only ONE link in your post, but you mention 3 others packages....
this seems to me like an ad for superantispyware disguised as a discussion topic. Oh wait, what was your question?
I think the moderators here should just remove this topic... it is spam in disguise.
Did you click on the link: Report Abuse to a Moderator ? They do pay attention.
This is NOT spam and the virtumundo virus can't easily be removed by normal removal procedures. And that link wasn't posted on purpose, it just happened to be in the scan log. And if you are asking to see the other logs, I see no problem with that. Here they come. After nearly every scan with spybot and others the vundo virus would've returned. And no, Norton did NOT pick up any of the information that the other scanners did and that's why I'm mad.
This one is from virtumundobegone
[06/21/2008, 9:25:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Avalanch\Desktop\VirtumundoBeGone.exe" )
[06/21/2008, 9:26:04] - Detected System Information:
[06/21/2008, 9:26:04] - Windows Version: 5.1.2600, Service Pack 2
[06/21/2008, 9:26:04] - Current Username: Avalanch (Admin)
[06/21/2008, 9:26:04] - Windows is in NORMAL mode.
[06/21/2008, 9:26:04] - Searching for Browser Helper Objects:
[06/21/2008, 9:26:04] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/21/2008, 9:26:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:05] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/21/2008, 9:26:05] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/21/2008, 9:26:05] - BHO 2: {31C1941D-E928-49B3-AD22-4AB71C936CC4} ()
[06/21/2008, 9:26:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:05] - Checking for HKLM\...\Winlogon\Notify\rqRljHYR
[06/21/2008, 9:26:05] - Key not found: HKLM\...\Winlogon\Notify\rqRljHYR, continuing.
[06/21/2008, 9:26:05] - BHO 3: {52706EF7-D7A2-49AD-A615-E903858CF284} (Pop-up Blocker)
[06/21/2008, 9:26:05] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/21/2008, 9:26:05] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/21/2008, 9:26:05] - BHO 6: {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} ()
[06/21/2008, 9:26:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:05] - Checking for HKLM\...\Winlogon\Notify\iifghhii
[06/21/2008, 9:26:05] - Found: HKLM\...\Winlogon\Notify\iifghhii - This is probably Virtumundo.
[06/21/2008, 9:26:05] - Assigning {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} MSEvents Object
[06/21/2008, 9:26:05] - BHO list has been changed! Starting over...
[06/21/2008, 9:26:05] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/21/2008, 9:26:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:05] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/21/2008, 9:26:05] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/21/2008, 9:26:05] - BHO 2: {31C1941D-E928-49B3-AD22-4AB71C936CC4} ()
[06/21/2008, 9:26:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:05] - Checking for HKLM\...\Winlogon\Notify\rqRljHYR
[06/21/2008, 9:26:05] - Key not found: HKLM\...\Winlogon\Notify\rqRljHYR, continuing.
[06/21/2008, 9:26:05] - BHO 3: {52706EF7-D7A2-49AD-A615-E903858CF284} (Pop-up Blocker)
[06/21/2008, 9:26:05] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/21/2008, 9:26:05] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/21/2008, 9:26:05] - BHO 6: {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9} (MSEvents Object)
[06/21/2008, 9:26:05] - ALERT: Found MSEvents Object!
[06/21/2008, 9:26:05] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/21/2008, 9:26:05] - Finished Searching Browser Helper Objects
[06/21/2008, 9:26:05] - *** Detected MSEvents Object
[06/21/2008, 9:26:05] - Trying to remove MSEvents Object...
[06/21/2008, 9:26:06] - Terminating Process: IEXPLORE.EXE
[06/21/2008, 9:26:08] - Terminating Process: RUNDLL32.EXE
[06/21/2008, 9:26:09] - Disabling Automatic Shell Restart
[06/21/2008, 9:26:09] - Terminating Process: EXPLORER.EXE
[06/21/2008, 9:26:09] - Suspending the NT Session Manager System Service
[06/21/2008, 9:26:09] - Terminating Windows NT Logon/Logoff Manager
[06/21/2008, 9:26:10] - Re-enabling Automatic Shell Restart
[06/21/2008, 9:26:10] - File to disable: C:\WINDOWS\System32\iifghhii.dll
[06/21/2008, 9:26:10] - Renaming C:\WINDOWS\System32\iifghhii.dll -> C:\WINDOWS\System32\iifghhii.dll.vir
[06/21/2008, 9:26:10] - File successfully renamed!
[06/21/2008, 9:26:10] - Removing HKLM\...\Browser Helper Objects\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}
[06/21/2008, 9:26:10] - Removing HKCR\CLSID\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}
[06/21/2008, 9:26:10] - Adding Kill Bit for ActiveX for GUID: {AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}
[06/21/2008, 9:26:10] - Deleting ATLEvents/MSEvents Registry entries
[06/21/2008, 9:26:10] - Removing HKLM\...\Winlogon\Notify\iifghhii
[06/21/2008, 9:26:10] - Searching for Browser Helper Objects:
[06/21/2008, 9:26:10] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/21/2008, 9:26:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:10] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/21/2008, 9:26:10] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/21/2008, 9:26:10] - BHO 2: {31C1941D-E928-49B3-AD22-4AB71C936CC4} ()
[06/21/2008, 9:26:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/21/2008, 9:26:10] - Checking for HKLM\...\Winlogon\Notify\rqRljHYR
[06/21/2008, 9:26:10] - Key not found: HKLM\...\Winlogon\Notify\rqRljHYR, continuing.
[06/21/2008, 9:26:10] - BHO 3: {52706EF7-D7A2-49AD-A615-E903858CF284} (Pop-up Blocker)
[06/21/2008, 9:26:10] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/21/2008, 9:26:10] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/21/2008, 9:26:10] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/21/2008, 9:26:10] - Finished Searching Browser Helper Objects
[06/21/2008, 9:26:10] - Finishing up...
[06/21/2008, 9:26:10] - A restart is needed.
[06/21/2008, 9:26:11] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[06/21/2008, 9:26:23] - Attempting to Restart via STOP error (Blue Screen!)
and this one is from malwarebytes
Malwarebytes' Anti-Malware 1.18
Database version: 870
15:49:28 2008-06-21
mbam-log-6-21-2008 (15-49-23).txt
Scan type: Full Scan (C:\|)
Objects scanned: 63294
Time elapsed: 15 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\rauidnsk.dll (Trojan.Vundo) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc75b718 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMbf468484 (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\rauidnsk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\ksndiuar.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\iifghhii.dll.vir (Trojan.Vundo) -> No action taken.
C:\WINDOWS\SYSTEM32\miwbhhhk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> No action taken.
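The VirtumundoBeGone log above flags a BHO only when two things coincide: the CLSID has no default name, and a Winlogon\Notify package named after its DLL exists. As an added example, not code from the thread or from any of the tools named in it, here is that heuristic in Python over a constructed registry snapshot (the snapshot layout, the `Registry` type and the placeholder NppBho.dll path are assumptions; on a live host the same lookups would go through `winreg`).

```python
from typing import Dict, List, Tuple

# Registry snapshot: {key path: {value name: data}}; "(default)" is the key's default value.
# Paths are stored lowercase because the Windows registry is case-insensitive.
Registry = Dict[str, Dict[str, str]]

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def lookup(reg: Registry, path: str) -> Dict[str, str]:
    """Values of a key, or {} when the key is absent (case-insensitive path)."""
    return reg.get(path.lower(), {})


def enumerate_bhos(reg: Registry) -> List[str]:
    """CLSIDs registered as Browser Helper Objects (direct subkeys of BHO_KEY)."""
    prefix = BHO_KEY.lower() + "\\"
    return sorted(k[len(prefix):].upper() for k in reg
                  if k.startswith(prefix) and "\\" not in k[len(prefix):])


def suspicious_bhos(reg: Registry) -> List[Tuple[str, str, str]]:
    """Flag a BHO that has no friendly name AND whose DLL also registers a Winlogon
    Notify package (reloaded at every logon). That pairing is what the log marks as
    'probably Virtumundo'; a nameless BHO on its own (NppBho in the log) is not flagged."""
    hits = []
    for clsid in enumerate_bhos(reg):
        if lookup(reg, rf"HKCR\CLSID\{clsid}").get("(default)"):
            continue  # has a default name: not part of the pattern
        dll = lookup(reg, rf"HKCR\CLSID\{clsid}\InprocServer32").get("(default)", "")
        base = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # ...\iifghhii.dll -> iifghhii
        notify = rf"{NOTIFY_KEY}\{base}"
        if base and notify.lower() in reg:
            hits.append((clsid, dll, notify))
    return hits


# Constructed snapshot built from the CLSIDs and DLL names in the logs above
# (the NppBho.dll path is a placeholder; the thread does not give it).
_RAW: Registry = {
    BHO_KEY + r"\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}": {},
    r"HKCR\CLSID\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}": {},
    r"HKCR\CLSID\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\InprocServer32":
        {"(default)": r"C:\PLACEHOLDER\NppBho.dll"},
    BHO_KEY + r"\{AA58ED58-01DD-4d91-8333-CF10577473F7}": {},
    r"HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}": {"(default)": "Google Toolbar Helper"},
    BHO_KEY + r"\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}": {},
    r"HKCR\CLSID\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}": {},
    r"HKCR\CLSID\{AC519E4E-EDF0-48C7-8ADA-2A4A5B1C81C9}\InprocServer32":
        {"(default)": r"C:\WINDOWS\System32\iifghhii.dll"},
    NOTIFY_KEY + r"\iifghhii": {"DLLName": "iifghhii.dll"},
}
SNAPSHOT: Registry = {k.lower(): v for k, v in _RAW.items()}

if __name__ == "__main__":
    for clsid, dll, notify in suspicious_bhos(SNAPSHOT):
        print(f"ALERT: nameless BHO {clsid} -> {dll}, also hooked via {notify}")
```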
This must be some new version or variant then? did you submit it to symantec?
I went and looked at the virus and threat explorer http://www.symantec.com/norton/security_response/threatexplorer/azlisting.jsp?azid=T and saw the one you are talking about has been included in the definitions since 11/20/2004 and another variant of it has been included since 4/27/2005 and both variants listed have separate removal tools.
was your machine clean when you installed NIS or were you already infected? nasty trojans know how to live thru an install after the fact... i know i had one of those that i got when i had mcafee installed once.
I’m pretty sure that the version of vundo that hit me is fairly new. The latest update from spybot was on the 18th and in that update was new vundo detections, also I’m certain that it was new due to norton internet security 2007 not picking it up and I update NIS 2007 everyday keeping it up to date. And I made sure to install Norton in less than 10 minutes after a fresh install, after I did that, it found over 100 MB’s of updates which it promptly fetched.
avalanch wrote:
..... I update NIS 2007 everyday keeping it up to date. .....
I don't know if you have seen this in other threads or not but LiveUpdate does not necessarily update totally to the latest version of an application so you could be well advised to update to NIS 2008 unless you are certain that any renewals you have paid for have updated the "engine" and not just the definitions.
If you are still running what is operationally NIS 2007 you will certainly see a major improvement in performance with NIS2008.
I was going to say the same thing but huwyngr beat me to it… you need to update to 2008 dude… go here: http://www.symantec.com/newnis/ it doesn’t even cost you if you have a valid subscription…
I would also advise you to Update to N.I.S. 2008.
Here is the Web Link to a Post with regard to the Subscriptions and Re-newals/Upgrades: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=2267 .
I would have replied sooner but I was busy downloading it on dialup, lol. Anyways right now it’s busy installing itself.
avalanch wrote:
I would have replied sooner but I was busy downloading it on dialup, lol. Anyways right now it's busy installing itself.
Ouch! That must hurt .....
Hope all goes well with the install. Check out which version you have when you are done.
The download and Upgrade went fine. I downloaded it via the ftp option so it was able to resume the download when the connection broke. Now there's only one more problem that I need to work out with it...
Whenever I try to connect via netzero, I get an error message saying that the modem is already in use... So I have to block symantec liveupdate from connecting via the norton firewall. In my last phone bill it ran up 6 separate charges for 50 cents each. Are there any alternatives to make it quit trying to use the modem except for when I want it to search for updates?
Oh and I didn't have to renew my subscription as the upgrade was free http://www.symantec.com/newnis/
this is a win xp setting..... i don't have my winxp system handy right now so i'm doing this from memory... if it's a little bit off and you can't find where i'm sending you post back.....
open control panel and click on internet options.... then switch to the tab that says connections (i think).... and you should find a place that says 'never dial a connection' and make sure that's set..... it doesn't stop you from dialing by clicking your dialer shortcut... it means that xp won't do it automatically...........
I know of that old trick. However in the Network Connection tab it shows dialup and under that category it shows a network connection called netzero (and this is the one it uses, dialing 2222, giving up and retrying the same bleep number) and if I leave that field blank, xp just fills it back in with the 2222 thing.
you might try then highlighting the netzero dialer, click settings to make sure you know what they are (assuming you already know the password)....
then close out of settings and back in the first window...DELETE the dialer for netzero.... (if there are others there that are not used then get rid of them too.....)
reboot...
if you have a registry cleaner run it....
reboot again if you cleaned the registry.....
then go back and re-add the dialer... change the name if you can... i don't know if anything would be dependent on the dialer name of netzero but it shouldn't be....
it sounds like something got hosed somewhere... i used to have to clean these up a lot for people a few years ago... something about 2222 sounds really familiar as well.... back in that day it was really popular to have malware that dialed offshore numbers and ran up your bill... these types of viruses are not too much of a problem now that most people use broadband......
if that doesn't help you i don't think i can make any more suggestions... only other thing i might do if it was myself was go search the registry by hand for things like netzero and 2222 and look for stuff to get rid of... with the general idea being get it out so that you can re-add the dialer correctly..... another thought might be if netzero has software that can be removed from the control panel then do so, and reinstall it, or even better yet set the dialer and tcp/ip stuff up without installing their software.... just let windows do all the work.............
basically you need your computer to wait until you dial a connection, and not have it dial one when something wants a network resource that's not available...
avalanch wrote:The download and Upgrade went fine. I downloaded it via the ftp option so it was able to resume the download when the connection broke. Now there's only one more problem that I need to work out with it...
Whenever I try to connect via netzero, I get an error message saying that the modem is already in use... So I have to block symantec liveupdate from connecting via the norton firewall. In my last phone bill it ran up 6 separate charges for 50 cents each. Are there any alternatives to make it quit trying to use the modem except for when I want it to search for updates?
Oh and I didn't have to renew my subscription as the upgrade was free http://www.symantec.com/newnis/
Message Edited by avalanch on 06-22-2008 06:45 PM
Glad to hear the download was not too painful.
Networking is a weak point for me since mine [have always seemed to work] which I don't dare say out loud <g> and I'd hate to say when I last used a modem. How about trying the install in SAFE Mode unless someone else more knowledgeable knows what to do.
Glad your subscription was OK although I guess you may not fully know until you enter it during installation ..... ?
The subscription went through fine, it autodetected my subs. number
avalanch wrote:
The subscription went through fine, it autodetected my subs. number
Good to know that works!