Avast not detecting Trojan.Offiz. (FOLDER TYPE/NOT FILE TYPE!)

Type: Trojan.Offiz
Anti-Viruses: Avast, Symantec
Action: Pending Analysis
Risk Type: File
Infecting: Symantec Quarantine, Avast
From: hxxp://www.youareanidiot.org

Why didn’t WOT, McAfee, and Avast block it?
Got it from the You Are An Idiot website. >_>

Avast won’t even detect it!
Symantec detected it but it can’t delete it!
I tried updating Symantec. No good!

The virus is a folder!
It's infecting my quarantine folder and Avast from these directories:
C:\Windows\Temp\_Avast4_
C:\Documents And Settings\All Users.Windows\Application Data\Symantec\Quarantine\

I can’t delete the folder directly!
It makes hundreds of copies of itself every minute to slow down my PC!
I searched and found that you can stop it redownloading itself
by typing iexplorer -skull.
HELP PLEASE!!!

Trojan.Offiz - Removal
http://www.symantec.com/security_response/writeup.jsp?docid=2004-051713-3434-99&tabid=3

Program to clean malware from infected computers
http://www.norman.com/Virus/Virus_removal_tools/24789/en

The Symedic thing didn’t work.

Avast Virus Removal Thingy Log:

avast! Antirootkit, version 0.9.6
Scan started: Monday, April 06, 2009 11:05:05 AM

Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection] PlayCDAudioOnArrival="MSRipCDAudioOnArrival" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection] PlayDVDMovieOnArrival="MSPlayDVDMovieOnArrival" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] Local AppData="%userprofile%\Local Settings\Application Data" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership] Count=7 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History] HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] Options=0 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] Version=65537 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] DSPath="LocalGPO" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] FileSysPath="C:\WINDOWS\System32\GroupPolicy\User" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] DisplayName="Local Group Policy" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] Extensions="[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] Link="Local" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] GPOName="Local Group Policy" HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] GPOLink=1 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0] lParam=0 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions] HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] Status=0 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] RsopStatus=0 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] LastPolicyTime=14908392 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] PrevSlowLink=0 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] PrevRsopLogging=1 HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}] ForceRefreshFG=0 HIDDEN

Scan finished: Monday, April 06, 2009 11:17:30 AM
Hidden files found: 0
Hidden registry items found: 25
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


http://i244.photobucket.com/albums/gg12/donovansrb2/AvastPro.jpg

Avast Pro Detected nothing.

http://i244.photobucket.com/albums/gg12/donovansrb2/AvastRootKit.jpg

Avast Root Kit detects lots of hidden icons.

http://i244.photobucket.com/albums/gg12/donovansrb2/Symantec.jpg

Symantec detects viruses.

http://i244.photobucket.com/albums/gg12/donovansrb2/Symantec2.jpg

Symantec can’t delete viruses.

Hi Donovansrb10,

When you checked it against a meta scanner like Jotti's or VirusTotal.com, what were the findings there? Can you serve us up the link of your upload of the file(s) found?

polonus

I downloaded Malwarebytes' Anti-Malware and did a quick scan.
Here is what I found:

Malwarebytes’ Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/6/2009 2:59:40 PM
mbam-log-2009-04-06 (14-59-40).txt

Scan type: Quick Scan
Objects scanned: 164090
Time elapsed: 30 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 10
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetGameBox (Adware.Popup) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\IGB (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) → Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\000C3463.urr (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\WINDOWS\system32\ebcypnmkca_navps.dat (Adware.NaviPromo) → Quarantined and deleted successfully.
C:\WINDOWS\system32\ebcypnmkca_nav.dat (Adware.NaviPromo) → Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) → Quarantined and deleted successfully.

=====================================

I still want to know why Avast didn't detect it, and can they still know everything I typed?
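The MBAM log above has a fixed line shape (object, family in parentheses, an arrow, the action taken; registry data items add a "Bad: (x) Good: (y)" pair). As an added example, not code from this thread, from Malwarebytes or from Avast, here is a small Python triage script that parses lines of that shape, counts detections per family, pulls out the Security Center "DisableNotify" items (MBAM's own family name, Disabled.SecurityCenter, records that the notification was found switched off), and lists anything the scanner did not actually remove. The sample log embedded in the script is constructed in the shape of the log above; the file name in it is made up.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) text logs (added example).

Parses detection lines such as

    <object> (<Family.Name>) -> Quarantined and deleted successfully.
    <object> (<Family>) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Both the ASCII arrow "->" and the forum-rendered "→" are accepted.
"""
import re
from collections import Counter

# "path (Family) -> [Bad: (x) Good: (y) ->] action."
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[^()]+)\)"
    r"(?: (?:->|→) Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" (?:->|→) (?P<action>.+?)\.?$"
)
# Section headers look like "Registry Keys Infected:" with nothing after the colon;
# the summary lines near the top ("Registry Keys Infected: 16") deliberately do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            findings.append({
                "section": section,
                "object": m.group("obj"),
                "family": m.group("family"),
                "bad": m.group("bad"),
                "good": m.group("good"),
                "action": m.group("action"),
            })
    return findings


def summarize(findings):
    """Detection counts per malware family and per log section."""
    return {
        "by_family": Counter(f["family"] for f in findings),
        "by_section": Counter(f["section"] for f in findings),
    }


def security_center_tampering(findings):
    """Names of Security Center values MBAM found set to the 'disabled' state (Bad: (1))."""
    return [f["object"].rsplit("\\", 1)[-1] for f in findings
            if f["family"] == "Disabled.SecurityCenter" and f["bad"] == "1"]


def not_removed(findings):
    """Detections whose action was not a successful quarantine/delete; these need follow-up."""
    return [f for f in findings if not f["action"].startswith("Quarantined and deleted")]


# Constructed sample in the shape of an MBAM 1.35 log; the .dat file name is made up.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.35
Database version: 1945

Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\example_navps.dat (Adware.NaviPromo) -> Delete on reboot.
"""

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found)["by_family"])
    print("Security Center notifications found disabled:", security_center_tampering(found))
    for f in not_removed(found):
        print("NOT removed:", f["object"], "->", f["action"])
```

Run it against a saved mbam-log-*.txt by reading the file into parse_mbam_log instead of SAMPLE_LOG. The "not removed" list is the part worth looking at on a real log: items marked "Delete on reboot." or left without an action are the ones a second scan should confirm.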

Hi Donovansrb10,

For the successful removal of this virus, you have to temporarily disable System Restore; how to do so you can read here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Then perform a full boot scan with avast.

polonus

I had system restore off about a week ago.
How do I do a "Full Bootscan", and will it detect it this time? Because last time it didn't detect it.

Scheduling the Boot Time Scan
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files (suggestion: send to Chest).
Choose how to automatically process infected system files (suggestion: ignore/do nothing).
Click the Schedule button to confirm the settings.

Ok, I’ll try that after MBAM does a full scan.
It's going to take a while because my computer has over 75,000 files. :frowning:

When I did the Avast! Boot scan, it found nothing.

I downloaded Spybot Search and Destroy and did a scan.
Here is the log of the scan:

FunWebProducts: [SBI $685582A8] Configuration file (File, fixed)
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Hotbar: [SBI $95B76932] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\HBTV

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

Microsoft.Windows.AppFirewallBypass: [SBI $9FD0556E] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

Microsoft.Windows.AppFirewallBypass: [SBI $9DD943AA] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

DSSAgent: [SBI $BF58EA32] Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Broderbund software\dss

— Spybot - Search & Destroy version: 1.6.2 (build: 20090126) —

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-04-07 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi ()
2009-03-25 Includes\AdwareC.sbi ()
2009-01-22 Includes\Cookies.sbi ()
2009-03-31 Includes\Dialer.sbi ()
2009-03-25 Includes\DialerC.sbi ()
2009-01-22 Includes\HeavyDuty.sbi ()
2009-02-10 Includes\Hijackers.sbi ()
2009-03-03 Includes\HijackersC.sbi ()
2009-03-17 Includes\Keyloggers.sbi ()
2009-03-17 Includes\KeyloggersC.sbi ()
2004-11-29 Includes\LSP.sbi ()
2009-03-25 Includes\Malware.sbi ()
2009-03-31 Includes\MalwareC.sbi ()
2009-03-25 Includes\PUPS.sbi ()
2009-03-31 Includes\PUPSC.sbi ()
2009-01-22 Includes\Revision.sbi ()
2009-01-13 Includes\Security.sbi ()
2009-03-23 Includes\SecurityC.sbi ()
2008-06-03 Includes\Spybots.sbi ()
2008-06-03 Includes\SpybotsC.sbi ()
2009-01-28 Includes\Spyware.sbi ()
2009-01-28 Includes\SpywareC.sbi ()
2009-03-25 Includes\Tracks.uti
2009-03-30 Includes\Trojans.sbi ()
2009-03-31 Includes\TrojansC.sbi ()
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


Still, no Anti-Virus has detected the folder virus. :frowning:

I'm not sure about the Spybot detections... it's strange that it detects what others miss. Maybe false positives. Again, I'm not sure. Just take care.

Anti-viruses I tried, to see if any of them found the infected folder virus:
Avast! Anti-Virus Professional Edition
Spybot Search and Destroy
Malware Bytes’ Anti-Malware
SUPERAntiSpyware Professional Edition
Avast! Virus Cleaner
Avast! Rootkit Finder
Hijack This

Now I’m trying DrWeb CureIt.

Dr.Web CureIt log.

acsd.exe;c:\program files\common files\aol\acs;Probably DLOADER.Trojan;Deleted.;
00000465/stream002_94126C67196F4E539DD322A1A8799AFA;C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\00000465/stream0;Probably SCRIPT.Virus;;
stream002;C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5;Archive contains infected objects;;
00000465;C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5;Archive contains infected objects;Moved.;

I’m going to do full scans on safe mode with:
DrWeb CureIt
Avast! AntiVirus Professional Edition
Spybot - Search and Destroy
Malware Bytes’ Anti-Malware
SUPERAnti-Virus Professional
Avast! Cleaner
Avast! Anti-Rootkit
Hijack This

I will report the logs and anything suspicious while I’m scanning.


Still, why won’t any anti-virus detect the FOLDER virus?

Now I know that I do have a virus because Safe Boot Mode won’t start!

I don't know if this will help, but SUPERAntiSpyware Professional started a scan automatically.

I GIVE UP ON THIS DUMB VIRUS! I AM GOING TO WATCH TV ALL NIGHT WHILE ALL MY ANTI-VIRUSES DO A FULL SCAN.

My Avast! Anti-Rootkit has been hacked! How do I know this? It automatically said that a problem occurred and it had to close when it was almost done! Is there any possible way to get rid of/detect this dumb virus??

How to restore Safe Boot.
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Also see http://forum.avast.com/index.php?topic=26554.msg216924#msg216924