Internet Security 2010 and asc3550p.sys

Yesterday Avast! detected a suspicious file and some malware called Internet Security 2010 launched. After a quick Internet search, I downloaded Malwarebytes' Anti-Malware from CNET and it detected and deleted several files and instructed me to reboot. Upon reboot, Internet Security 2010 appears to be gone.

However, Avast! now detects a suspicious file C:\WINDOWS\System32\Drivers\asc3550p.sys after each login. I've deleted it, but it keeps coming back every reboot. After deleting it, Avast! says it has detected a virus in the operating memory and recommends doing a scan in the boot phase. I've already done this a couple of times and the same thing keeps happening (it continues to detect the same suspicious file).

I have no idea how Internet Security 2010 got installed to begin with… and am not sure if I’ve still got a problem or if Avast! is just confused…

Thanks a lot for your assistance and let me know if you have any questions,

S.P. Gass
Windows XP

Hi spgass, welcome to the forum :)

http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010
This says that MBAM should be able to take care of it, but apparently there was what appears to be a rootkit, judging from your post, helping it to stay alive…(Wow I sound like I know what I am talking about… ;D)

For those that will try to help (I am of no real help here sorry)

Could you please post the MBAM scan log?

It may also be a good idea to follow essexboy’s advice, one of our resident malware experts… http://forum.avast.com/index.php?topic=53253.0

-Scott-

...(Wow I sound like I know what I am talking about... )
.... :D I am using the same trick Scott.......and no one complains ..... ;D

Log from last night’s scan:

Malwarebytes’ Anti-Malware 1.44
Database version: 3630
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/24/2010 7:28:44 PM
mbam-log-2010-01-24 (19-28-44).txt

Scan type: Quick Scan
Objects scanned: 124720
Time elapsed: 13 minute(s), 25 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 10
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.Downloader) → Unloaded process successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) → Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) → Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.Installer) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) → Data: c:\windows\system32\winlogon32.exe → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) → Data: system32\winlogon32.exe → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) → Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) → Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon32.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Gass\Local Settings\Temp\cueqjh.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Gass\Local Settings\Temporary Internet Files\Content.IE5\B7V4IUYB\SetupIS2010[1].exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) → Delete on reboot.
C:\Documents and Settings\Gass\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) → Quarantined and deleted successfully.
C:\Documents and Settings\Gass\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) → Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) → Quarantined and deleted successfully.

Just ran it again and got:

Malwarebytes’ Anti-Malware 1.44
Database version: 3630
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 12:03:10 PM
mbam-log-2010-01-25 (12-03-10).txt

Scan type: Quick Scan
Objects scanned: 124688
Time elapsed: 18 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
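The two logs above (and the one that follows) show the same pattern: every item is reported as removed, yet HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p is back on the next scan. That recurrence, not the single detection, is the useful signal: a service/driver key that is re-created after being deleted means something still active is respawning it. The Python below is an added example, not code from this thread or from Malwarebytes. It parses MBAM 1.4x style log lines, labels each registry hit with the persistence mechanism it abuses (Userinit hijack, Run key, service/driver key, policy lockout), lists items that were only deferred to "Delete on reboot", and reports paths that recur across successive scans. The embedded log excerpts are constructed from the posts above and shortened; the mechanism descriptions are my own wording, not MBAM output.

```python
import re
from collections import Counter

# Constructed excerpts modelled on the MBAM logs posted in this thread.
# The real logs are longer; only representative lines are kept here.
SCAN_1 = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

SCAN_2 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# One detection per line: "<path> (<detection name>) -> <rest>". MBAM writes "->";
# the copy on the forum page renders it as a Unicode arrow, so accept both.
DETECTION_RE = re.compile(r'^(?P<path>\S.*?) \((?P<name>[^()]+)\) (?:->|→) (?P<rest>.+)$')

# Ordered (regex on the lower-cased path, description); first match wins.
# The descriptions are this example's own labels, not MBAM categories.
MECHANISMS = [
    (r'\\winlogon\\userinit$',           'Userinit hijack: runs at every interactive logon, before the shell'),
    (r'\\currentversion\\run\\',          'Run key: autostart at logon'),
    (r'\\currentcontrolset\\services\\',  'Service/driver key: loaded at boot, before user-mode AV'),
    (r'\\policies\\',                     'Policy lockout: blocks Task Manager or wallpaper changes'),
    (r'^hkey_',                           'Other registry key (rogue application data)'),
    (r'^[a-z]:\\',                        'File on disk'),
]


def parse_detections(log_text):
    """Return one dict per detection line with its path, detection name and final action."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, "(No malicious items detected)"
        # Data-item lines read "Bad: (...) Good: (...) -> action"; keep only the final action.
        action = re.split(r'->|→', m.group('rest'))[-1].strip()
        found.append({'path': m.group('path'), 'name': m.group('name'), 'action': action})
    return found


def classify(path):
    """Label a detected path with the persistence mechanism it represents."""
    lowered = path.lower()
    for pattern, description in MECHANISMS:
        if re.search(pattern, lowered):
            return description
    return 'Unclassified'


def pending(detections):
    """Paths MBAM could not remove immediately (still loaded, so deferred to reboot)."""
    return [d['path'] for d in detections if d['action'].lower().startswith('delete on reboot')]


def recurring(log_texts):
    """Lower-cased paths detected in more than one scan. A path reported as quarantined
    and deleted in one scan and present again in the next is being re-created by
    something that survived the cleanup."""
    seen = Counter()
    for text in log_texts:
        for path in {d['path'].lower() for d in parse_detections(text)}:
            seen[path] += 1
    return {path for path, count in seen.items() if count > 1}


def report(log_texts):
    """Human-readable summary of several scans in chronological order."""
    lines = []
    for number, text in enumerate(log_texts, 1):
        detections = parse_detections(text)
        lines.append(f'scan {number}: {len(detections)} detection(s)')
        for d in detections:
            lines.append(f"  [{classify(d['path'])}] {d['path']} ({d['name']}) -> {d['action']}")
        for path in pending(detections):
            lines.append(f'  still loaded, removal deferred to reboot: {path}')
    for path in sorted(recurring(log_texts)):
        lines.append(f'RECURRING across scans, look for a respawner: {path}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report([SCAN_1, SCAN_2]))
```

Feeding the script the real logs in order gives the same answer essexboy reached by eye: the service key is the only item present in every scan, so the file that recreates it (the driver or whatever loads it) is what the stronger tool has to find.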

That was found in the last scan also…it looks like it keeps returning…I think that essexboy may need a look at this…hit it with a stronger tool…
I will send him a PM to let him know

In the meantime it may be worth running OTL as outlined in the thread I mentioned, to prepare for essexboy…

-Scott-

OTL log attached

Malwarebytes has been updated since your scan
Database is now 3635 …you have 3630

OK, ran the updated version. Seems to keep finding the same thing after delete & reboot:

Malwarebytes’ Anti-Malware 1.44
Database version: 3637
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 3:47:11 PM
mbam-log-2010-01-25 (15-47-11).txt

Scan type: Quick Scan
Objects scanned: 124606
Time elapsed: 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

On completion of this run let me know if MBAM still reports the registry entry

Run OTL.exe

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2010/01/24 19:12:41 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[2010/01/24 18:57:15 | 00,000,756 | ---- | M] () -- C:\Documents and Settings\Gass\Desktop\Internet Security 2010.lnk
[2010/01/24 18:47:29 | 00,000,001 | ---- | M] () -- C:\s

:Commands
[purity]
[emptytemp]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

Extras attached

Does MBAM show the registry key now after the OTL fix ?

OK, I ran the FIX as specified, rebooted and ran another quick scan. I unchecked the two boxes as it was running and attached the logs. Let me know if I didn’t do anything right.

Could you now run a quick scan with MBAM to see if the entry has disappeared

Still there unfortunately. I really appreciate your help!

In that case it is time for the big boy to find the driver/respawner responsible

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe and follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OK, I turned off Avast and ran ComboFix. Here’s the log.

I reran MBAM and it didn’t find anything. Does this mean I’m cured?

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/25/2010 8:27:11 PM
mbam-log-2010-01-25 (20-27-11).txt

Scan type: Quick Scan
Objects scanned: 108697
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Combofix killed the file and removed the legacy keys ;D

Run OTS and hit the cleanup button then all the tools should disappear

Essexboy, you rock!

Thank you, thank you, thank you!

Best Regards,

S.P. Gass