Lets start by saying that I have already read the thread http://forum.avast.com/index.php?topic=29944.0 about this virus.
However, none of the “symptoms” are present on this host machine.
Here’s the usual guff…

Jotti scan

File: rcScreen2[1].htm
Status: INFECTED/MALWARE
MD5: f00f658992cc52f4d68b691c75e33628
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 22 Oct 2007 08:45:41 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Exploit.HTML
ArcaVir Found nothing
Avast Found HTML:Fujack
AVG Antivirus Found nothing
BitDefender Found Trojan.Psyme.DO
ClamAV Found Worm.Fujack-18
CPsecure Found BackDoor.ASP.Ace.cp
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found HTML/Dloader.GUR!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found Win32/Fujack
Norman Virus Control Found HTML/Pardona
Panda Antivirus Found W32/Radoppan.J
Rising Antivirus Found Trojan.DL.Nimaya.e
Sophos Antivirus Found Troj/Fujif-Gen
VirusBuster Found HTML.ZeroSizeWindow.A
VBA32 Found nothing

Coming next…Hijack this…

Hijack This Log

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\vsAOD.Exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\NEWPROF.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\rundll32.exe
E:\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zeus/klweb/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zeus
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: profile.bat – Script we use to set up MS Outlook profile.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://zeus – Our Companies Home page.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! NetAgent - ALWIL Software - C:\Program Files\Alwil Software\Avast4\AvAgent.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: QEH3RSD - Unknown owner - c:\windows\srvany.exe – Client of a utility we have written ourselves.
O23 - Service: QEH3VNC - Unknown owner - c:\windows\srvany.exe – Client of a utility we have written ourselves.
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Visionsoft Audit On Demand Service (vsAOD) - Visionsoft Limited - C:\WINDOWS\vsAOD.Exe
O23 - Service: www.ppandora.com - Unknown owner - C:\WINDOWS\System32\nsvc32.exe (file missing) – Old virus, service is disabled–
End of file - 4827 bytes

Now initially this virus was picked up on another PC, here’s it’s Hijack this log for comparisson.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:10:31, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\RKillSrv.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\userinit.exe
E:\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zeus/klweb/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zeus
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://zeus
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1179259659555
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189421776727
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189421721336
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! NetAgent - ALWIL Software - C:\Program Files\Alwil Software\Avast4\AvAgent.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: QEH3VNC - Unknown owner - c:\windows\srvany.exe
O23 - Service: Remote Process Killer - Unknown owner - C:\WINDOWS\system32\RKillSrv.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

–
End of file - 6892 bytes

Now the interesting thing about it is that the initial detection was in a temp file within the directory C:\Windows\TEMP_avast4_ on both machines.

After a full cleansing using a BART CD, more files show up the next day.
Has anyone any idea how this is popping up again and again?

Bump

Unscrupulous Bumpage.

I’m starting to get a little nervous about this as it seems to be slowly spreading.
Yes Avast! is detecting it, but it’s obviously not clearing up the root cause, maybe a dropper(?).
Anyway, the latest file to be infected reads like this …Virus total output…

AhnLab-V3 2007.10.31.1 2007.10.31 -
AntiVir 7.6.0.30 2007.10.31 -
Authentium 4.93.8 2007.10.30 -
Avast 4.7.1074.0 2007.10.30 HTML:Fujack
AVG 7.5.0.503 2007.10.30 -
BitDefender 7.2 2007.10.31 Trojan.Psyme.DO
CAT-QuickHeal 9.00 2007.10.30 -
ClamAV 0.91.2 2007.10.31 Worm.Fujack-18
DrWeb 4.44.0.09170 2007.10.31 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5256 2007.10.31 HTML/Emerleox
Ewido 4.0 2007.10.30 -
FileAdvisor 1 2007.10.31 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.30 -
F-Secure 6.70.13030.0 2007.10.31 HTML/Pardona
Ikarus T3.1.1.12 2007.10.31 -
Kaspersky 7.0.0.125 2007.10.31 -
McAfee 5152 2007.10.30 W32/Fujacks!htm
Microsoft 1.2908 2007.10.31 Exploit:HTML/IframeRef.gen
NOD32v2 2628 2007.10.31 Win32/Fujacks
Norman 5.80.02 2007.10.30 HTML/Pardona
Panda 9.0.0.4 2007.10.31 W32/Radoppan.J
Prevx1 V2 2007.10.31 -
Rising 19.47.20.00 2007.10.31 Trojan.DL.Nimaya.e
Sophos 4.23.0 2007.10.31 Troj/Fujif-Gen
Sunbelt 2.2.907.0 2007.10.31 -
Symantec 10 2007.10.31 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.30 HTML.ZeroSizeWindow.A
Webwasher-Gateway 6.6.1 2007.10.31 -
Additional information
File size: 32479 bytes
MD5: a32c894a2483b17c0779444e134f4aad
SHA1: aa484a1aaa598e28866d2027c12618f046fdb0b4
packers: UTF-8
packers: UTF-8

It seems to only infect HTML files, I understand Fujacks is a variant of Nimaya; not that that helps an awful lot.

I need to get on top of this, but I feel I may be losing control of the situation.
Latest Infected file sent to the lab, for whatever good that will do, not that I don’t have faith in the guys, it’s just that I’m certain the virus is just a symptom of what’s really going on.

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
   If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

5. If you still detecting any strange behavior or even you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda (for XP).

6. Also, if you still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

If you do run SAS,

First update SAS Then

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

• Close browsers before scanning
• Scan for tracking cookies
• Terminate memory threats before quaranine.

leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan.

When the scan is done, quaretine everthing found . Reboot if asked. You can post the log in your next reply if you wish.

I don’t know if you missed it, but I actually posted a Hijack this log.
It was , in my eyes, inconclusive.

Well it appears that the latest VPS has eliminated this threat.
I’ll continue to monitor the situation.