
Do I have a virus? Well, I have something...


Foxie3a

Normal Member
Joined
Sep 7, 2003
This first post has sort of become a log of getting rid of this virus. In fact, I've already written a few updates before there is even a second post. When I eventually figure this out, I hope it comes up in search engines for other people and it helps them.

This one is sort of interesting. If you're interested in helping, or seeing something unique, you may want to read my post. I don't know how I got it, but I have been infected with something, that's the most I know. I've spent a good part of the day trying to figure it out. I'm not a pro at this stuff, but I very rarely get any sort of virus. I never run any firewalls or AV, I do a scan once a month or so, and it's always clean.

The Problem: Popups. Firefox mostly(default browser), but sometimes IE too(I use both). There are a ton of connections being made, despite not actually getting a popup for everything. The popups are for weird sites I've never heard of, it appears to be an advertising virus. Sometimes I just see a Firefox window open for a split second, but never fully loads. Sometimes it just unhighlights the current window that's open. Something is definitely there doing something, but I have yet to identify it!

All of the programs running appear to be legit. One thing struck me as odd though. Rundll.exe looks different. There is only one instance of it running. It's under the startup tab of msconfig. The "startup item" is mmyftckg, then the command section says rundll32.exe, then has a path name, with the file mmyftckg.dll in the System32 folder. Google searches bring up nothing for this file name, so it's most suspicious. I have terminated the process, it does not come back, yet I am still having the problem.

Firefox is acting odd. It will start on its own (I can't see it, but the process is there). There are a few instances of it running, and when I close my windows, it remains running. Firefox has a lot of connections going, even when nothing is open. It says it's connected to "local host", but via some ports that I don't recognize. Before, it was ports 3016, 3017, 3018 and 3019, or something similar... Now, it's 1037, 1038, 1039, and 1040. It appears to randomly select new ports. I've terminated Firefox, and restarted it. Nothing I have done has stopped these popups. The popups definitely are more common when I am using the web. If I sit here idle, they don't come up... Almost like it hitches a ride on what I am legitimately doing.

"System Process 0" has quite a few connections going to weirdo sites like privatedns.com, and I saw digg.com too, which are sites I never go on. I don't know, maybe it's a messenger like MSN/Yahoo/AIM getting its ads, I don't know, but they haven't always been there... I think they came when I got rid of rundll actually. Let's terminate them! Didn't seem to do anything when I got rid of them, still popups.... Actually, now I've lost sound, must have been legit...

There are two sections for Firefox. The top ones all have the local address of those weird IPs, like 1037, then a second set that is connected via my ISP (gateway.2wire.net), I have AT&T. When a new window pops up, it uses the gateway.2wire ones though, so maybe the ones on the other ports are just there to keep the thing running?

Alright, so much for Adaware and Symantec Corporate, which came up clean... TrendMicro online cleaner found some malware, and removed 3/5. They were all DLL files in the System32 folder. Googling them comes up with NOTHING. Even a virus would have Google hits! They're weird ones, such as uftkcopx.dll. The two that TrendMicro couldn't delete happen to be the same size, 151kb. When I alt-tabbed to another screen I just saw a good 20 connections to weirdo sites being opened (but not visible in Firefox). It's weird that it does so much communicating to sites, then only opens up one window here and there.

Finally, another weird thing. The sites it loads range from sites that promote things, to places to buy music, etc... But, it also loaded the whitepages.com, and performed a search... It did a search for government offices, in Stockton, CA, which is the closest BIG city near me, even though Modesto is still pretty big. It's obvious it's using my IP for this. It's done another search for "ports", which is odd. The popups are inconsistent, from oddball sites to personalized searches. I've never seen a virus act like this. Also, it's as hard as hell to resolve.

The remaining files are protected, and won't delete. I am going to close everything, and figure out how to kill them. If anyone has any suggestions, please let me know. I was planning on formatting soon, but I want to wait another week or two for my new hardware to come, then I'll format. There was a bad storm here today, the power went out twice. I feel like my computer went from a server to an unstable, unreliable heap overnight. Do you think this is a new virus that hasn't been circulated yet?

Thanks for listening!

Updates:

I closed everything... got the two remaining files to unlock, and I nuked them. I had nothing running, I killed all the processes. I gave it a good reboot, and things looked good. I was hesitant to open up Firefox, because I knew that would start things. Once I opened up Firefox, it lagged, but it was doing stuff.... connected to a nice random set of ports, now it's 1058, 1059, 1061, and 1061, then loaded up a popup for some werewolf game, then gave me Google like I requested. It's still here.

However, I have learned something. Before I opened up Firefox I knew it was still here because I found Rundll32.exe was running as the file "ixcawapx.dll", also not found by google. It survived, and made a new file since I killed the others. Has it infected the kernel itself or what! Well, at least my sound is back now after the reboot, haha(if you read everything so far, you'll see where I lost it).

In my process viewing program, Rundll32 is the only program that gives its name in the "full path field". Everything else shows C:\blah blah blah.... but this one says rundll32 C:\blah bla/ixcawapx.dll , it's not consistent with every other process running. However, Rundll32 (or should I say ixcawapx.dll) isn't responsible for any TCP/UDP connections. It must be disguising itself in something else, maybe Firefox. I will continue to try resolving this. I think I'm onto a new virus, or at least I hope I am!

When I was on the symantec site I got a popup, it was of the purchasing page of symantec. That's sort of creepy, along with the whole stockton, CA thing before. Also, I should say these popups aren't just small popups, they are full sized pages being loaded. They only open in the browser that's open, so if I only have firefox open, it uses that one. If I have traffic in IE, it uses that one. Haven't used Safari or Opera during this yet, but I don't care to experiment.

I ran the trendmicro scan again, but this time only on that one file, and nothing was found. I think the popups have increased their frequency, or maybe it's just because I'm loading a lot of windows. It's definitely connected to my web traffic. I think the other stuff Trendmicro was detecting wasn't related to this, or at least isn't the root of the problem. I'm pretty sure these rundll32 files aren't legit, I'd bet on it. So Symantec Corporate, Trendmicro and Adaware all don't detect anything abnormal about the file. I'm going to play around further...

I tried opening up the rundll32 file ixcawapx.dll ... I also just realized the name of the process is .exe, and the actual file is .dll. Anyway... I opened up the DLL in a program for manipulating DLL files, and it had nothing to show. This leads me to believe it's not a DLL at all, and just a normal EXE in sheep's clothing. ;)

Ah ha! ixcawapx.dll is now in my startup tab of msconfig! So as I delete them and it makes new ones, it puts itself in the startup tab. Of course it's obvious that it would have to do something like that, but at least I know I am on the right track. Last time I stopped all processes, cleared msconfig, deleted the files, rebooted, and it still survived. It's leeched onto something, I just haven't figured out what yet. I'm going to try doing another wipe, and follow it as it resurrects itself. I think it's burrowed itself into Windows somehow. This is made all the more difficult by the fact that nothing is picking it up as a virus, so it doesn't let me see what's infected.

With no programs running at all, only base Windows components, the virus is still able to run. I clicked My Computer, and I saw connections being made to weird websites, Firefox started, but I never visually saw anything at all. It's doing a ton of behind the scenes communicating, I wonder why... I hope my info isn't being transferred over. I think I should change my passwords on another computer.

I saw explorer.exe make a connection to some weird site, I recognize the name as being from one of those odd port numbers, I forget what it was, I only saw it for a split second.

I'm going to stop explorer, delete stuff, then reboot.

I did everything right. Rundll32, or whatever it is, is no more. It is no longer running. I told Windows to shut down after I killed it, and I saw the process rundll32 start up again as another weird name, but I had killed every windows process, and it wasn't able to put itself in the startup, then I killed the new process, and rebooted. It does not come up anymore, it's done. HOWEVER! I connected to AOL Instant messenger, and I saw some communication with pilosoft.com, that's one that I've been seeing a lot with this, it was as a system process with only known good processes running. I knew it's still there then. I started up Firefox, it lags, opening up tons of its own things, but without ever showing it to me, I click it again, and it shows me google. It only shows itself when you have an internet browser open, but it's always there. It either must be running within a good system process, or something is tipping it off to start running once there is web activity, but I wouldn't know how that would work. It's trying to connect to "colo-69-31-80-181.pilosoft.com:http". I have also seen it take me to the website cativern, which brings up a forum thread by someone else who might be having this problem, but he definitely hasn't gone into it like I have....

http://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=190238&forumId=1

http://209.85.173.104/search?q=cach...e-affected/+cativern&hl=en&ct=clnk&cd=2&gl=us

The second link also sounds like my problem. It's a google cached version of the site since they've hit their bandwidth limits, I hope it works. Anyway, he goes on talking about the documents and files being created that look like codecs, but I see nothing like that in my documents, so maybe he's a little off on his problem, or I have a variation. I'm starting to get annoyed. Thinking about just formatting.

Calling it a night. I've tried just about everything, and nothing works. No matter what you do to the "rundll32" file, it will be in vain because it's loaded in explorer, and winlogon. Kill explorer, and it keeps coming back instantly, it won't stay terminated... Use something like Spybot, and it causes winlogon to die, resulting in an immediate restart. I tried the stand alone removal tool, I think that it did something. I didn't see any popups for like 3 minutes after rebooting. But, once I had a bunch of tabs open it started doing it again, and now I'm right back where I was before. I'm going to try Symantec's stand alone remover, but I'm not optimistic. I might just live with it, then do a format.

____________________________________
Resolution!
____________________________________
Thank you for your replies. I have downloaded and run "Malwarebytes' Anti-Malware". It detected a TON more instances of the Virtumonde Trojan than Spybot did. It wasn't able to clean them all up, but it successfully deleted them during a reboot. Windows booted up again showing a lot of errors due to the deletions, but Windows still works fine, and the trojan is no longer present!

I learned A LOT from this whole experience. I learned a ton about processes and how to monitor them, same goes for watching TCP/UDP connections. Another thing I learned is that the best defense, is a combination of programs. I guess you could say the Malwarebytes program is the best, and it's all you need, but I would bet that the other programs I tried using would pick up things that it didn't. Hope this helps someone out there someday, it was a PITA to get this resolved, I was up till 6AM working on it, but didn't fix it until today. I am relieved to have resolved it.

Thank you everyone!
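The respawn pattern logged in the post above (a rundll32 startup item pointing at a System32 DLL that reappears under a new name after deletion) can be checked by comparing startup snapshots; this is an added example, not part of the original post. The `C:\WINDOWS\system32` paths, the `AudioPanel` and `Messenger` entries and the known-good baseline are constructed assumptions; only the DLL names `mmyftckg.dll` and `ixcawapx.dll` come from the thread.

```python
import re
from pathlib import PureWindowsPath

# rundll32[.exe], optionally given with its own path and quotes, followed by
# the DLL it loads and an optional ",ExportName" suffix.
RUNDLL = re.compile(r'(?i)^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?')

def rundll_target(command):
    """Return the DLL path a rundll32 startup command loads, or None."""
    m = RUNDLL.match(command)
    return PureWindowsPath(m.group(1).strip()) if m else None

def suspicious(entries, baseline):
    """entries: {startup item: command}. Flag rundll32 items loading a System32
    DLL whose file name is not in the known-good baseline (lower-case names)."""
    hits = {}
    for item, command in entries.items():
        dll = rundll_target(command)
        if dll is None:
            continue  # not a rundll32 entry
        if dll.parent.name.lower() == "system32" and dll.name.lower() not in baseline:
            hits[item] = dll.name.lower()
    return hits

def respawned(before, after, baseline):
    """Flagged DLLs that vanished and flagged DLLs that appeared between snapshots."""
    old = set(suspicious(before, baseline).values())
    new = set(suspicious(after, baseline).values())
    return sorted(old - new), sorted(new - old)

# Constructed snapshots of a startup list, before and after a cleanup attempt.
BASELINE = {"audiopanel.dll"}  # hypothetical known-good rundll32 target
BEFORE = {
    "mmyftckg": r"rundll32.exe C:\WINDOWS\system32\mmyftckg.dll",
    "AudioPanel": r"rundll32.exe C:\WINDOWS\system32\audiopanel.dll,Start",
    "Messenger": r"C:\Program Files\Messenger\im.exe",
}
AFTER = {
    "ixcawapx": r'"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ixcawapx.dll"',
    "AudioPanel": r"rundll32.exe C:\WINDOWS\system32\audiopanel.dll,Start",
    "Messenger": r"C:\Program Files\Messenger\im.exe",
}

if __name__ == "__main__":
    gone, came = respawned(BEFORE, AFTER, BASELINE)
    print("removed:", gone, "-> new unknown rundll32 targets:", came)
```

A removed entry paired with a new unknown one after a reboot means the loader itself is still resident, which matches what the post found with explorer and winlogon.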

Kendle6661

Member
Joined
Feb 23, 2008
Okay, the first thing I would do is download Malwarebytes Anti-Malware. Just do a Google search for it and run it. It's freeware/shareware, and it will find a lot of different malware. It sounds like you have a trojan hiding in your restore points.
 
Foxie3a

Normal Member
Joined
Sep 7, 2003
Thank you both for that suggestion. It ended up being the only way I found to remove the trojan. All scanners are coming in clean now, and I have not seen any popups or odd connections since. I really hope my huge original post comes up in a good search and helps someone out someday. Thanks!