New trojan? (Regarding or related to vbgtorfd.dll)


2 replies to this topic

#1 0vermind

    Internet Security Junkie

  • Full Member
  • 36 posts

Posted 23 March 2008 - 03:48 PM

Okay, so my dad's computer has gotten infected with a new trojan and I am not sure how to alert the vendors. I have tried to remove it with Spy Sweeper, Spyware Doctor, AntiVir and AVG. PC Tools ThreatFire doesn't find anything and Panda AntiRootkit didn't detect it either.

I don't really need help removing this trojan, I know how to do it, but I wanted to make people aware that there is a new trojan of some sort, and to give other people information. As explained further down, I think this might have been a planned attack.
Just to sum it up, my dad's PC got infected YESTERDAY, just like the user in http://www.spywarein...howtopic=114698.

How weird. Very targeted. I don't believe this. :unsure:

One of the trojan's pals is located in C:\Windows\system32WINWGPX.EXE. Notice how I didn't put a "\" after system32: there isn't one, that's the file name. Very weird.
Also there is a DLL that latches on to explorer.exe and uses 60-95% of CPU. That DLL is NOT SIGNED.
It is vbgtorfd.dll, located in C:\Windows.
Size: 264 KB (270,336 bytes), created yesterday, March 22, 2008 at 5:44:47 PM.

I am getting popups from this website called "Safenavweb.com", and sometimes that popup will change to glorayweb (not exact spelling), then change to an ad domain, and finally the window changes to an alert popup asking me to install "Trustantivirus", or an alert from the address hxxp://scan.malwarrior.com/504/8/
asking me to install Malwarrior. Currently there is a stupid blinking red X icon in the system tray that tells me that I have a virus.

The trojan/rootkit/whatever also completely disabled Webroot SpySweeper and I can no longer open Spy Sweeper.

There have also been three shortcuts on the Desktop, recently created late last night after I rebooted dad's PC. These shortcuts are:
"Spyware&Malware Protection", "Privacy Protector" and "Error Cleaner"; all three shortcuts point to the website hxxp://viruswebprotect.com/shandler.php?sid=502&said=1&aid=615&pn=5&sg=2

**Bleh.... Wow, lots of information, but I am dedicated to fighting against this. Here's more...**

I scanned the vbgtorfd DLL (which was already scanned TODAY by someone else, wow, this is interesting!!)
and here is the VirusTotal information:

File vbgtorfd.dll received on 03.23.2008 01:54:31 (CET)
Current status: finished
Result: 11/32 (34.38%)

Antivirus 	Version 	Last Update 	Result
AhnLab-V3 	- 	- 	Win-Trojan/Agent.253952.U
AntiVir 	- 	- 	ADSPY/Agent.PB
Authentium 	- 	- 	Possibly a new variant of W32/Adware-Vapsup!Maximus
Avast 	- 	- 	Win32:Agent-LTS
AVG 	- 	- 	Downloader.Zlob.ACU
BitDefender 	- 	- 	-
CAT-QuickHeal 	- 	- 	-
ClamAV 	- 	- 	-
DrWeb 	- 	- 	-
eSafe 	- 	- 	-
eTrust-Vet 	- 	- 	Win32/Pripecs!generic
Ewido 	- 	- 	-
FileAdvisor 	- 	- 	-
Fortinet 	- 	- 	-
F-Prot 	- 	- 	-
F-Secure 	- 	- 	-
Ikarus 	- 	- 	Virus.Win32.Agent.LTS
Kaspersky 	- 	- 	-
McAfee 	- 	- 	-
Microsoft 	- 	- 	-
NOD32v2 	- 	- 	-
Norman 	- 	- 	-
Panda 	- 	- 	-
Prevx1 	- 	- 	Downloader.Zlob
Rising 	- 	- 	Trojan.DL.Win32.QQHelper.bcy
Sophos 	- 	- 	-
Sunbelt 	- 	- 	-
Symantec 	- 	- 	-
TheHacker 	- 	- 	-
VBA32 	- 	- 	suspected of Downloader.Zlob.7
VirusBuster 	- 	- 	-
Webwasher-Gateway 	- 	- 	Ad-Spyware.Agent.PB
Additional information
MD5: bcd477b6393cab4cc29e320093f027d5
SHA1: f0afca2ebe9357706660a518fcddb396251d077a
SHA256: f76f4d30c8a9a6d719151febf869e43e23af570737ee3ed4597266d7320608ce
SHA512: 7d96e67055b2e1252ad58c36254388f8dbf62aa6ee9f24f3666d0e63a0053d5ac03a477cfd535170753ed344f9584c4040241c30daea27050af4c79d646e86ea

Here are some pictures of the infected computer to help whoever has a similar trojan infection:

[Four screenshots of the infected computer; images not reproduced here]

My logic is that since web browsing is really random, this had to have been a planned-out attack against some computers, my dad's being one of the targeted ones. Especially since the other user's PC in the HJT section was infected yesterday.

Any information, thoughts or ideas, and anyone else who got infected with this trojan, please reply here.
Also, if you need any more information, files or details from me, I'd be more than happy to supply them!

Sorry for such a long post, I just have so much information. Being a technician, it irritates me to see new trojans and viruses.


Thanks guys,
-Mike

Update 1: (3/23) I am getting more and more popups from different rogue sites like AdvancedCleaner, and names that are not easy to remember (sorry, I will update with more info as soon as I can). Floods of popups from these rogue applications, all related to tune-up, antivirus and maintenance.

Update 2: (3/23) I am CONVINCED this is a planned attack. A few minutes ago I could only find 3 results on Google when I searched for vbgtorfd.dll. I just searched now and more results appeared. One on CastleCops was posted 6 hours ago: http://www.castlecop...going_bald.html. Wow! I can't figure out exactly how this was done; I wouldn't be surprised if this turned into a ZERO-DAY attack.
Also, there is something related to C:\Windows\Installer\{longnumber/number path}\VolumeContainer.dll and the trojan.

Update 3: (2/23 - 2h to 12:00) After working on this all day, remembering that I have to think smarter than the person who wrote the trojan (I learned this a few years ago, great method to apply), I finally found a solution. See the solution below.

Edited by 0vermind, 23 March 2008 - 10:06 PM.

My blog: www.MikesSupport.com/blog

Computer Repair in Orem, Utah


#2 0vermind

    Internet Security Junkie

  • Full Member
  • 36 posts

Posted 23 March 2008 - 10:04 PM

I found a solution guys!

Here is how I eradicated this stupid trojan:
Note: User gerryyf found an easier method of cleaning this trojan, found here.


I grabbed Avira AntiVir and installed it in Safe Mode, rebooted into normal mode and opened up Process Explorer (from Microsoft), which I had downloaded onto my flash drive from a different computer. From Process Explorer I was able to right-click on Explorer.exe, which was freezing my computer solid, click on the Threads tab and see that vbgtorfd.dll was latched on, so I clicked Module only to find it was created March 22 at the time the PC was infected, so I suspended vbgtorfd.dll. Then the PC jumped to life, so I set Process Explorer to run at startup (created a shortcut and moved it to the Startup folder in the Start menu) so I could easily start it without waiting 10 minutes.

Then I started a scan using AntiVir, which found some trojans and deleted some, but I was still getting popups.
So I rebooted into Safe Mode and scanned again, which found more. I rebooted into Normal Mode and scanned again, which found some leftovers and removed them. At this point it was only missing a few files, so I rebooted into Safe Mode, deleted all of the .exes in the C:\Windows directory that started with System32, and deleted vbgtorfd.dll. Then I rebooted and poof, no more popups. So I grabbed Autoruns and put it on my flash drive (from a different PC) and ran it on my dad's PC. I hid the Microsoft entries (via the entry menu) and restarted Autoruns.

From this point I looked through the entries in the list and unchecked any that said "File not found:" or were ones I just didn't want to start.

Wow, now the computer didn't freeze anymore, but I wasn't so sure whether it would get reinfected or not, so I grabbed AVG AntiVirus and started a Full System Scan, which found a bunch of stuff in the Temp folders. Knowing that trojans can sometimes resurface from the temp folders, I grabbed CleanUp!, which cleared the temp folders and other temp locations.

Now the computer is running just fine. I installed a firewall on to my Dad's PC (I recommend Comodo, 32-bit is the most common. Comodo's been rated the best firewall of all time on PCMag.com and I can see why, it's awesome).

So everything is working fine. Have had no popups, startup is fast again and my homepage is back to normal.

My method of removing this trojan is a bit more complicated than what gerryyf did. However, I suggest you install and run a scan with AntiVir (or AVG) after running SDFix to make sure your PC is clean. The reason I say this is that your infection might be a little different. My Dad's PC was a little different: it was more infected because the trojan ran a few things that installed a fake-alert antispyware (which is what the system32blabla.exe files were).

Cheers!

-Mike

Edited by 0vermind, 23 March 2008 - 10:12 PM.

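A triage script, added here and not from Mike's posts or any tool he names, that automates the two checks his method relies on: the unsigned, recently created DLL he found latched onto explorer.exe in Process Explorer, and the files directly under C:\Windows whose names begin with "system32" (like system32WINWGPX.EXE) that he deleted by hand. It assumes an elevated PowerShell 5.1 or later session; the $LookbackDays default is an assumed tuning value.

```powershell
# Added triage script; not from the thread. Looks for the two indicators the
# posts describe: (1) unsigned, recently created modules inside explorer.exe,
# (2) .exe/.dll files directly under the Windows directory whose names begin
# with "system32", which mimic the real folder name when read in a path.
# Assumes an elevated PowerShell 5.1+ session; $LookbackDays is an assumed value.
param(
    [int]$LookbackDays = 7,
    [string]$WindowsDir = $env:SystemRoot
)

$cutoff = (Get-Date).AddDays(-$LookbackDays)

# Indicator 1: the module list Process Explorer shows, read via Get-Process.
# A 64-bit shell cannot enumerate a 32-bit explorer.exe, hence the try/catch.
$modulePaths = Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = $_
        try   { $proc.Modules | Select-Object -ExpandProperty FileName }
        catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_" }
    } | Sort-Object -Unique

$suspectModules = foreach ($path in $modulePaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -LiteralPath $path
    # Both conditions together: on older Windows, catalog-signed OS DLLs report
    # NotSigned, so the creation-time filter keeps them out of the list.
    if ($sig.Status -ne 'Valid' -and $item.CreationTime -gt $cutoff) {
        [pscustomobject]@{
            Path      = $path
            Created   = $item.CreationTime
            SizeBytes = $item.Length
            SigStatus = $sig.Status
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Indicator 2: files (not folders) named system32* sitting in C:\Windows itself,
# e.g. C:\Windows\system32WINWGPX.EXE. -File excludes the real System32 folder.
$lookalikes = Get-ChildItem -LiteralPath $WindowsDir -File -Filter 'system32*' |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Select-Object FullName, CreationTime, Length

"== Unsigned modules in explorer.exe created in the last $LookbackDays days =="
$suspectModules | Format-Table -AutoSize
"== Files in $WindowsDir named like the System32 folder =="
$lookalikes | Format-Table -AutoSize
```

The SHA256 column lets a hit be compared against a VirusTotal report like the one in post #1 before anything is suspended or deleted.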


#3 mocks1

    Member

  • New Member
  • 1 posts

Posted 29 March 2008 - 04:25 PM

Overmind, thank you very much for your detailed post and all the direct links to the various programs that you used to fix your spyware problem. There were a couple of new ones in there I hadn't tried yet, or heard of, so your links were invaluable. Thank you again for taking the time to post to this forum; your info will help many people.




Member of UNITE