Help please!

Hi it’s me again, only this time this is my parents’ computer instead of mine. But on with the show…

I wasn’t around when it happened, but the story is that my mother went on a site and all of a sudden, bugs were crawling across the screen and it told her that she had spyware (win32:malware.alarm) and whether or not she wanted to remove it. Note: this wasn’t avast or any adware program, it was just a popup. I had something like this before, so yeah.

I’m not even quite sure what it is, but it might be Win32:Agent-UKF [trj], which is the only thing avast picked up on. Hope someone can help me. It’ll be greatly appreciated :).

Hi again yourself

Give this a shot
http://www.malwarebytes.org/rogueremover.php

If it was just a pop-up, and your mother declined the offer of the lying scumbag sleazy scamware program on offer, then she should be OK.

Does she have an up to date browser with a pop-up blocker? (Firefox, Opera, IE7)

As a routine check, do a full AV scan. Boot time with avast! if she has that.

A spyware scan with the scanner/s of your choice.

A scan with Secunia Software Inspector to eliminate vulnerable software that may lead to drive-by downloads- installation of malware without user action.

I downloaded it and ran a scan, but it didn’t detect anything.

And I definitely forgot to add in the first post that this thing has also taken over the desktop with a screen that says: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.

Very similar to what I had before, but it looks different and it’s a different popup than the one that I had.

Click here to download HJTsetup.exe

1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
9. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Give SmitFraudFix a go: it’s a specialist tool for these desktop hijacks:

http://siri.geekstogo.com/SmitfraudFix.php

Otherwise, try the usual free adware/spyware scanners.

Online scanners:

Ewido Online Scan
X-Cleaner Micro Edition

Installed scanners:

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

If still having problems, post a HijackThis! log.

Don’t forget the Secunia Software Inspector scan and to use a secure browser.

I’ll give those a go tomorrow and update you guys on the results. Thanks for trying to help me out! :slight_smile:

I tried the SmitfraudFix and it seemed to work. So far, the desktop hijack screen hasn’t come back yet.

However, avast continues to keep picking up something called Win32:Rootkit-gen [Rtk], and even after I delete it, it’s still there.

So I decided to run HiJackThis anyway to see if you guys could either help get rid of it and any remaining things that might still be on here. Here’s the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:32 AM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM..\Run: [C-Media Speaker Configuration] D:\Sound\C-Media\WinXP\Setup.exe /SPEAKER
O4 - HKLM..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

End of file - 6136 bytes

Many thanks again!

This is a Trojan:

C:\WINDOWS\system32\sysrest32.exe

http://www.bleepingcomputer.com/startups/sysrest32.exe-20944.html

Please disable 'Hide protected operating system files' and enable 'View Hidden Files and Folders', and upload the above file to VirusTotal for analysis.

This will allow avast! and other AV programs to add the definition.

To deal with the rootkit, run a boot time scan: Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

There is currently a false positive rootkit identification of this file:

C:\WINDOWS\system32\drivers\vga.sys

If this is the file identified by avast!, do not delete it or you may lose your monitor display.

http://forum.avast.com/index.php?topic=35761.0

To deal with the Trojan, press Ctrl+Alt+Del and kill the process sysrest32.exe.

Run HijackThis! again, tick the following entry:

O4 - HKLM..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe

Close all other windows and click ‘fix’.

Reboot into Safe Mode and delete the file.

Your Sun Java application is out of date. This will allow drive-by downloads: installation of malware just by visiting the wrong site.

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

EDIT: Ad-Aware 2008 is available now: it’s claimed to have better detection.

http://lavasoft.com/products/ad_aware_free.php
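The steps above (kill the process, tick the O4 entry in HijackThis, confirm the file, upload it to VirusTotal) can be checked in one pass. The following is an added example, not code from this thread or from the HijackThis project: it parses HijackThis "O4 - ..\Run:" lines (sample lines copied from the log posted above) or reads the live Run keys, and reports for each start-up executable whether the file exists, whether it is Authenticode-signed, and its SHA-256, which is the value you look up on VirusTotal. It assumes Windows PowerShell 4.0 or later (Get-FileHash) and that it runs on the machine being examined; log lines from another machine will simply report their targets as missing.

```powershell
# Added example, not code from this thread: triage HijackThis O4 Run entries.
# Assumes Windows PowerShell 4.0+ (Get-FileHash, Get-AuthenticodeSignature).

# Constructed sample: three O4 lines taken from the log posted in this thread.
$SampleLog = @'
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
'@

function New-RunEntry {
    # Split the executable off its arguments: a quoted first token, or text up to the first ".exe".
    param([string]$Hive, [string]$Key, [string]$Name, [string]$Command)
    $path = if ($Command -match '^"(?<p>[^"]+)"') { $Matches.p }
            elseif ($Command -match '^(?<p>.+?\.exe)') { $Matches.p }
            else { $Command }
    [pscustomobject]@{ Hive = $Hive; Key = $Key; Name = $Name; Command = $Command; Path = $path }
}

function ConvertFrom-HjtRunLine {
    # Parse one "O4 - HKxx..\Run: [Name] command" line; any other line is skipped.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch '^O4 - (?<hive>HK\w+)\.\.\\(?<key>[^:]+): \[(?<name>[^\]]+)\] (?<cmd>.+)$') { return }
        $hive = $Matches.hive; $key = $Matches.key; $name = $Matches.name; $cmd = $Matches.cmd.Trim()
        New-RunEntry -Hive $hive -Key $key -Name $name -Command $cmd
    }
}

function Get-LiveRunEntry {
    # Same object shape, read from the live HKLM and HKCU Run keys instead of a log.
    foreach ($hive in 'HKLM', 'HKCU') {
        $props = Get-ItemProperty -Path "$($hive):\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and friends
            New-RunEntry -Hive $hive -Key 'Run' -Name $p.Name -Command ([string]$p.Value)
        }
    }
}

function Get-RunEntryReport {
    # Existence, location, signature and hash for one entry, plus a plain-language flag.
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        $full = [Environment]::ExpandEnvironmentVariables($Entry.Path)
        $exists = Test-Path -LiteralPath $full -PathType Leaf
        $inWinDir = $full.ToLower().StartsWith($env:windir.ToLower())
        $sig = 'n/a'; $sha = 'n/a'
        if ($exists) {
            $sig = (Get-AuthenticodeSignature -FilePath $full).Status.ToString()
            $sha = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        }
        # Worth a closer look: an unsigned binary in the Windows folder (the sysrest32.exe
        # pattern above), or a Run entry whose target no longer exists after a removal.
        $flag = if (-not $exists) { 'target missing' }
                elseif ($inWinDir -and $sig -ne 'Valid') { 'unsigned file in Windows folder' }
                else { '' }
        [pscustomobject]@{ Name = $Entry.Name; Path = $full; Exists = $exists; Signature = $sig; SHA256 = $sha; Flag = $flag }
    }
}

# Usage: first the sample log lines, then the live keys of the machine you are on.
$SampleLog -split "`r?`n" | ConvertFrom-HjtRunLine | Get-RunEntryReport | Format-Table -AutoSize
Get-LiveRunEntry | Get-RunEntryReport | Format-Table -AutoSize
```

The report only gathers facts; it fixes nothing, in line with the "do not have HijackThis fix anything yet" rule earlier in the thread. A valid signature is reassurance, not proof, and a file that is merely unsigned is not proof of anything either (plenty of legitimate XP-era software shipped unsigned), which is why the hash is included: the VirusTotal lookup, or the helper reading the log, makes the call.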

All done and everything seems to be doing okay so far. sysrest32.exe is completely gone and avast! hasn’t picked up any rootkit trojan. So I think we may be in the clear.

Thanks so much for helping out. Now my parent can rest assured. My mother had called Verizon and wanted to take all of these other measures and stuff *rolls eyes*. But ANYWAYS…thanks again! I’ll be back if anything comes up :P.

Okay, we may not have gotten rid of it completely.

Something else that this thing caused to happen was there was this screensaver type thing that comes on and bugs crawl over the screen, eating it and such. It acts just like a screensaver–activating when there’s no activity–so I looked to see if the trojan just left the screensaver like how it left a blank screen when I encountered something like it. But, there’s no screensaver set.

What else can I do now?

If you right click the desktop and select Properties > Desktop > Customize Desktop > Web, is there anything odd in there?

(Default is just ‘My home page’ unticked.)

No, there isn’t anything weird. There’s actually nothing listed.

If you right click the desktop and select Properties > Screensaver, is Screensaver set to ‘none’?

Yes, it says none. That was the first thing I checked lol.

If you are confident editing the registry, check the SCRNSAVE.EXE string value. If it is pointing to something odd, change the ScreenSaveActive value to zero and delete the screensaver file the key is pointing to (in System32 unless another folder is named).

Change the logon screen saver

1. Click Start, click Run, type regedt32, and click OK.
2. Locate the following registry key: HKEY_USERS\.DEFAULT\Control Panel\Desktop
3. In the Details pane, double-click the SCRNSAVE.EXE string value item.
4. In the Value data box, type the path and name of the screen saver, and then click OK.

Important: Make sure that you specify the path correctly to the screen saver. If the screen saver is located in %SystemRoot%\System32, the explicit path is not required.

You have now changed the logon screen saver.

http://support.microsoft.com/kb/185348

Screenshot.
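The registry check described above can be done without opening regedt32. The following is an added example, not code from this thread or from the Microsoft KB article: it reads SCRNSAVE.EXE and ScreenSaveActive for the logged-on user (HKCU) and for the logon desktop (HKEY_USERS\.DEFAULT), resolves a bare file name against System32 as the KB note says Windows does, and flags a value that is not a .scr file in System32, is missing, or is unsigned. It assumes Windows PowerShell 3.0 or later and that it runs on the affected machine.

```powershell
# Added example, not code from this thread: inspect and disable the screen-saver settings.
# Assumes Windows PowerShell 3.0+ and that it runs on the machine being examined.

function Get-ScreenSaverSetting {
    param(
        [string[]]$Roots = @('HKCU:\Control Panel\Desktop',
                             'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop')
    )
    foreach ($root in $Roots) {
        $props = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $scr    = $props.'SCRNSAVE.EXE'      # value name contains a dot, hence the quotes
        $active = $props.ScreenSaveActive
        $full   = $null
        $reason = @()
        if ($scr) {
            $full = [Environment]::ExpandEnvironmentVariables($scr)
            # A bare file name is looked up in System32 (the KB note above).
            if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path $env:windir "System32\$full" }
            $sys32 = (Join-Path $env:windir 'System32').ToLower()
            if ([IO.Path]::GetExtension($full) -ne '.scr')      { $reason += 'not a .scr file' }
            if (-not $full.ToLower().StartsWith($sys32))         { $reason += 'outside System32' }
            if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { $reason += 'file missing' }
            elseif ((Get-AuthenticodeSignature -FilePath $full).Status -ne 'Valid') { $reason += 'unsigned' }
        }
        [pscustomobject]@{
            Root             = $root
            ScreenSaveActive = $active
            ScrnSaveExe      = $scr
            ResolvedPath     = $full
            Flags            = ($reason -join '; ')
        }
    }
}

function Disable-ScreenSaver {
    # Mirrors the manual step above: set ScreenSaveActive to 0 for one root.
    # Deliberately deletes nothing; quarantine a flagged file yourself once it is confirmed.
    param([string]$Root = 'HKCU:\Control Panel\Desktop')
    Set-ItemProperty -Path $Root -Name ScreenSaveActive -Value '0'
}

# Usage: report both roots; then disable only where something was flagged.
Get-ScreenSaverSetting | Format-List
```

A legitimately installed third-party screensaver kept outside System32 will also be flagged as "outside System32", so treat the Flags column as "look here", not as a verdict. Disable-ScreenSaver changes the registry value only; editing HKEY_USERS\.DEFAULT needs an elevated prompt.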

Done…I’ll leave the comp for a while to see if the thing comes up again, and then I’ll update you. Thanks!

It’s been a while now and it hasn’t come back. So, I’m thinking we’re in the clear for real now knocks on wood. Thank you so much for helping me out! It’s greatly appreciated :).