AV Anti Virus problems

Viruses and worms
1

Earlier today I encountered the Rogue-Anti Virus. At one point MBAM was accessable and supposivley quarantined and removed the Rogue AV but it has just recently popped back up >.<

A website somone here linked showed that these are common symptoms of the virus found running HighJackthis

 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1041
O4 - HKLM\..\Run: [<random>] %UserProfile%\local settings\application data\<random>\<random>.exe
O4 - HKCU\..\Run: [<random>] %UserProfile%\local settings\application data\<random>\<random>.exe

Sure enough even after having ran MBAM to take care of it Highjackthis still found

 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1041

and

O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [VTTimer] VTTimer.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” MSRun
O4 - HKLM..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe

I am thinking that

O4 - HKCU..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe

and
O4 - HKLM..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe
are the other two…

Should I tell HighjackThis to fix these three and or any of the others?
I am also running MBAM again and it has found the Rogue Anti-Virus again

Being 04 from what I can think of, it’s possible that even though MBAM got rid of the rogue-av these are automaticaly reinstalling/downloading/having the rogue-av repop when I restart my PC causing the problem to reoccur every time I restart? >.<

2

Is this the one you have

How to remove AV Security Suite (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

did you update MBAM before you scanned ?

3

Yes and yes

I’m fairly clueless when it comes to this stuff
I think MBAM is removing it but there seems to be something left behind somewhere that is automaticaly causing my PC to reobtain this Rogue-AV somehow

maybe the issue is something else

4

If you are not able to clean it using the guide, then follow this guide from Essexboy and post the MBAM and OTL log here
http://forum.avast.com/index.php?topic=53253.0

He will then remove this for you when he enters the forum today( late UK time )

if the log is big, see down left corner: additional options > attach

5

Post in this thread or the one you linked?

6

Post here in this tread that you have started

7

Current Results
Malwarebytes Anti-Malware found

Rogue.AVsec… - File - c:\documents and settings\Owner\local settin…

Rogue.AVsec… - Registry Value - HKEY_CURRENT_USER_SOFTWARE\Micr… Value: nutnumoqjp

(these nutnumoqjp detected seem to be the 04 mentioned above and that highjackthis and OTL both detected)

Rogue.AVSec… - Regristry Key - HKEY_LOCAL_MACHINE\SOFTWARE\Micr… Value: nutnumoqjp

Trojan.Fraudp… - Registry Key - HKEY_CURRENT_USER\Software/\vsoft

Rogue.Antivir… - Registry Key - HKEY_CURRENT_USER\Software\avsuite

Trojan.Fraudp… - Registry Key - HKEY_LOCAL_MACHINE\SOFTWARE\avsoft

Rogue.Antivir… - Registry Key - HKEY_LOCAL_MACHINE\SOFTWARE\avsu…

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/10/2010 12:32:06 AM
mbam-log-2010-06-10 (00-32-06).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 211612
Time elapsed: 1 hour(s), 32 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nutnumoqjp (Rogue.AVSecuritySuite) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nutnumoqjp (Rogue.AVSecuritySuite) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\kwdlrgjh\surcigd.exe (Rogue.AVSecuritySuite) → Quarantined and deleted successfully.

Another scan with MBAM right after did not detect anything this time.

The above did not seem to be found when I re-scanned with HighJackThis and OTL
the things below look very suspicious to me is this something to worry about/should be adressed or are they something that is being blocked? ???

O1 HOSTS File: ([2009/03/31 14:42:06 | 000,303,844 | R— | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10468 more lines…

doesn’t seem right

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========
[2010/06/09 12:34:39 | 000,000,000 | —D | C] – C:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh

is still under “Restore Point” and was the infected file according to MBAM

I am also unsure if there is anything else besides what I have just mentioned that are causing problems, or could potentialy cause problems later on or cause the Rogue-AV to reoccur.

I’ve attached the OTL log to this post btw

8

Essexboy will fix this, i will send him a PM. check back in about 12 hours

9

Did a scan with Spybot Search & Destroy
Spybot Search & Destroy found
Fraud. Sysguard (Malware entry) SBI $1D5898D0 - HKEY_USERS\S-1-5-21-789336058-879983540-725345543-1003\Software\Microsoft…

Win32.PPopUp .adbrite.com / (Apache)
Win32.PPopUp .adbrite.com / (VSD)
Win32.PPopUp .adbrite.com / (rb)
Win32.PPopUp .adbrite.com / (srh)

Browser/Internet Explorer, so this I’m sure is what was giving me the unwanted pop ups before MBAM removed the Rogue-AV

Spybot S&D said it successfully removed/fixed them

10

Is this the same problem as we’ve been discussing here?: http://forum.avast.com/index.php?topic=60621.0

If so, please keep only one thread, it’s harder to follow two threads for the same problem.

Thanks!

11

Yes sorry, if the other thread can be deleted please do.

12

SUPERAntiSpyware detected the following:

Trojan.Agent/Gen-Nullo[Short]
File > D:\PROGRAM FILES\WLPQS\SIGNABILITY.EXE

Trojan.Agent/Gen-Koobface[Bonkers]
Files > D\DOCUMENTS AND SETTINGS\HIGHVELOCITY PAINTBALL\TMPHVPB\HVPB.BIN

If the above is a game, it is not a game that I installed.

Trojan.Agent/Gen-Cryptor[Egun]
Files > C:\SYSTEM VOLUME INFORMATION_RESTORE{ECEC5774-OBE1-425F-A799-4507798FD890}\RP428\AO346366.EXE

Are these related to the AV/Rogue-Anti Virus?, something to worry about/fix, or most likely false positives?

13

The hvpb.exe file could be a false positive. Upload it to virustotal.com and see what it says.

The file in system restore could be the same thing, but I would suggest turning off system restore to get rid of the file.

Signability.exe seems to be something related to windows vista, but it could be a hook.

14

I use XP not Vista
VirusTotal showed 0/41 as Result when scanning HVPB.bin

Do you think there is any potential harm to Quarantine it and the Vista-related item or should I leave them be as false positives?

15

Hi you saved the log as Unicode which does not transcribe very well - I have taken out the main elements I can see. But, when you re-run could you save the log as ANSI

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2010/06/09 12:34:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh

:Files
C:\windows\tasks\ydthjdmd.job

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy

16

Here are the attached logs of OTL from the Fix you suggested and a new scan

[Edit] I also followed your steps for:
Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer