*sigh* 'Nother ‘Antivirus XP 2008’ fakeware situation

I, too, have fallen victim to this beast. I’ve done some searching and have been reading about other people’s encounters with this malware to avoid being redundant, and I’ve scanned with three programs and I’ve got some logs. So, I would truly appreciate it if someone could offer me some help. Here is my summary of my problem so far:

  • I looked at my desktop to see my wallpaper replaced with this lame ‘ZOMG there’s spyware on your PC’ thing.

  • An ‘end user license agreement’ appeared to tell me to install Antivirus XP 2008.

  • I’m not that stupid, okay? I closed the thing. :)

  • Ran avast; moved everything to the chest, except some files that couldn’t be touched ‘coz they were ‘being used by another program.’ It told me it had hit the fan in the operating memory, so I scheduled a boot scan and restarted.

  • Sent everything to the chest (there were about 7 items).

  • ‘End user license agreement’ appeared again. Ran avast again; same results. Scheduled another boot scan.

  • Deleted all items (about the same number).

  • Rinse, wash, & repeat. ’Nother boot scan.

  • Sent everything to the chest.

  • Avast said the same as before. Installed RogueRemover. Updated & scanned. The only item it detected was svchost. When I tried to remove it, as might be expected, I received a shutdown message stating that the RPC service was terminated unexpectedly. Crap. >:( Log below.

  • After starting up again, I repeated this with the same results. Log generated was the same.

  • Installed SUPERAntiSpyware. Scanned, 18 hits. Sent all to quarantine. Reboot. Log below.

  • My wallpaper has now been replaced with a blue screen; it’s not my wallpaper, but that damnable ‘spyware has been detected’ screen is gone. However, the ‘end user license agreement’ appeared once again.

  • Ran RogueRemover. Told me I was clean.

  • While running a scan on SUPERAntiSpyware, I tried to change my desktop back to normal. Now, this COULD be the fact that it is 0-dark-thirty in the morning right now, and I’m tired as all get-out, but… when you right-click and go to Properties on the desktop, where you have the ‘Themes,’ ‘Appearance,’ and ‘Settings’ tabs, should there not be one that says ‘Desktop’ for you to change your background? Or have I completely lost my mind? ??? Um… well, anyway, on to more pressing matters…

  • SAS found 6 items. I selected them all for quarantine. Reboot. Log below.

  • SAS found the same 6 items. I exited.

Here’s the log for the RogueRemover scan (it’s the same for both instances):

Malwarebytes’ RogueRemover
Malwarebytes ©2007 hxxp://www.malwarebytes.org
6290 total fingerprints loaded.

Loading database …
Expanding environmental variables …

Scanning files … [ 100% ].
Scanning folders … [ 100% ].
Scanning registry keys … [ 100% ].
Scanning registry values … [ 100% ].

RogueRemover has detected rogue antispyware components! Results below…

Type: File
Vendor: Rogue.Misc
Location: C:\WINDOWS\system32\drivers\svchost.exe
Selected for removal: Yes

RogueRemover has found the objects above. (This is when my PC shut down.)

Here is the log for the first SUPERAntiSpyware scan:

SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 09/15/2008 at 04:11 AM

Application Version : 4.21.1004

Core Rules Database Version : 3566
Trace Rules Database Version: 1554

Scan type : Quick Scan
Total Scan Time : 00:08:57

Memory items scanned : 360
Memory threats detected : 4
Registry items scanned : 394
Registry threats detected : 5
File items scanned : 6029
File threats detected : 10

Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\LPHCEOWJ0EVD5.EXE
C:\WINDOWS\SYSTEM32\LPHCEOWJ0EVD5.EXE
[lphceowj0evd5] C:\WINDOWS\SYSTEM32\LPHCEOWJ0EVD5.EXE

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHCEOWJ0EVD5.SCR
C:\WINDOWS\SYSTEM32\BLPHCEOWJ0EVD5.SCR

Trojan.Unknown Origin
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSM5.TMP\EULADLG.DLL
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSM5.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSG3.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSM5.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSX3.TMP\EULADLG.DLL

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-0EB47E31.pf

Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Rogue.AntiVirus 2008
C:\WINDOWS\SYSTEM32\PHCEOWJ0EVD5.BMP

Adware.WhenU
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\JC2FMMNS.EXE

Here’s the log for the second SUPERAntiSpyware scan:

SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 09/15/2008 at 04:36 AM

Application Version : 4.21.1004

Core Rules Database Version : 3566
Trace Rules Database Version: 1554

Scan type : Quick Scan
Total Scan Time : 00:08:22

Memory items scanned : 336
Memory threats detected : 1
Registry items scanned : 393
Registry threats detected : 0
File items scanned : 6030
File threats detected : 2

Trojan.Unknown Origin
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSQ3.TMP\EULADLG.DLL
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSQ3.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSQ3.TMP\EULADLG.DLL

The only difference generated in the third SAS scan was that ‘NSQ3’ became ‘NSK3’.

The irony of all this? I was planning on letting my laptop defrag overnight while I slept, like a responsible individual. Instead, I am still up, combatting with evil. I am very tired.

I understand the ‘Antivirus XP 2008’ fakeware has been known to spread itself on sites like torrentreactor. As it so happens, I was doing a lot with torrents today, and at some point my computer froze up suspiciously (which it never does), so I’m fairly certain this was the source, in case that information is helpful. I’m running on Windows XP and my browser is Firefox 3.0, and I have no memory of ever seriously tinkering with the firewall settings, so I would venture to say I’m still using the default Windows Firewall (I checked, it is in fact still on), along with whatever security capabilities Firefox offers, and nothing else. :-\

I’ve tried to provide all the details I can so that this is as painless as possible-- I’m aware that this topic has quickly gotten old-- but I would be deeply grateful for any help anyone could offer. I’m gonna go to bed now, and schedule another boot scan with avast for tomorrow, and then I will post the log for that (I would have already, but I’ve done this so many times I don’t know what results are for what scan anymore). Thanks in advance to anyone willing to offer assistance; I’ll try to check up on this again as soon as I can, even though I’m dead tired.

-Chris

PS To those of you experiencing this same issue, when the fake ‘End User License Agreement’ message shows up and there is no way to exit out of it, find where the message says ‘click here to exit’ or something of that nature. Hovering the mouse over it yields no evidence of anything that could be construed as an exit, but if you click on the word ‘here’ the screen will nonetheless disappear; however, closing it from the Task Manager is equally effective. Hope someone finds this useful.
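One check worth having in the toolbox at this point, added here as an example (it is not code from the post or from RogueRemover, SUPERAntiSpyware or avast): a core Windows process name such as svchost.exe that lives anywhere except its one canonical directory is an impostor, which is exactly what the RogueRemover hit on C:\WINDOWS\system32\drivers\svchost.exe was. The canonical directories below assume a default XP install with %SystemRoot% = C:\WINDOWS; the sample paths are the running-process list and detections quoted in this thread.

```python
"""Spot core Windows binaries that run from the wrong directory.

Added example for this thread; not code from the original post or from any
of the scanners mentioned. Canonical directories assume a default Windows XP
install with %SystemRoot% = C:\\WINDOWS (assumption).
"""
import ntpath

SYSTEM_ROOT = r"c:\windows"

# Where each core process genuinely lives on XP. A file with one of these
# names anywhere else is an impostor until proven otherwise; the rogue in
# this thread used system32\drivers\svchost.exe.
CANONICAL_DIR = {
    "smss.exe": SYSTEM_ROOT + r"\system32",
    "csrss.exe": SYSTEM_ROOT + r"\system32",
    "winlogon.exe": SYSTEM_ROOT + r"\system32",
    "services.exe": SYSTEM_ROOT + r"\system32",
    "lsass.exe": SYSTEM_ROOT + r"\system32",
    "svchost.exe": SYSTEM_ROOT + r"\system32",
    "spoolsv.exe": SYSTEM_ROOT + r"\system32",
    "explorer.exe": SYSTEM_ROOT,
}


def classify_path(path):
    """Return a reason string if `path` is a misplaced system binary, else None."""
    directory, name = ntpath.split(path.strip())
    expected = CANONICAL_DIR.get(name.lower())
    if expected is None:
        return None                      # not a name we track
    if directory.lower().rstrip("\\") == expected:
        return None                      # genuine location (exact match, not prefix)
    return f"{name} should live in {expected}, found in {directory}"


def find_impostors(paths):
    """Run classify_path over an iterable of paths; return [(path, reason), ...]."""
    hits = []
    for p in paths:
        reason = classify_path(p)
        if reason:
            hits.append((p, reason))
    return hits


# Sample input copied from the thread: part of the HijackThis "Running
# processes" list plus the file RogueRemover and SUPERAntiSpyware flagged.
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"C:\WINDOWS\system32\drivers\svchost.exe",   # the fake one
]

if __name__ == "__main__":
    for path, reason in find_impostors(SAMPLE_PATHS):
        print(f"SUSPECT {path}: {reason}")
```

Feed it any list of paths: a HijackThis ‘Running processes’ section, a scanner log, or a process listing. The genuine svchost.exe instances in C:\WINDOWS\system32 pass; only the copy under system32\drivers is reported. The directory comparison is deliberately exact rather than a prefix match, because subdirectories of system32 (drivers, here) are precisely where look-alikes get dropped.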

You should also use Mbam from www.malwarebytes.org. Let it clean everything it finds and post the created Report.

After you run the mbam scan and check all baddies and CLICK REMOVE
please read the sticky at the top of this forum and post a hijackthis

Prior to the HJT
could you rt click the Avast ball and update programs, just to make sure
then open avast and schedule a boot time scan, reboot, move anything to chest
this will also do/redo a rootkit check

and http://www.bleepingcomputer.com/forums/topic131299.html
run SDFix, follow the instructions exactly

actually post up the hjt anytime you have a pause in the proceedings
and/or at the end

FYI SAS is up to 3567, you might want to run a full scan with archives overnight after an update
do not defrag till we’re done. glad to see you were current with your scans-- many are not

After we’re done will suggest some real time protection
did RR run all the way through? not necessary to run again now, just asking

later run Secunia Software Inspector and get everything up to date
run JavaRa, get rid of all old Java

let’s talk about outbound firewall protection

NoScript for Firefox helps with this infection - at least some versions

THANKS FOR THE TIPS

Okay-- will do all this in the order it was given! Thanks for your advice, the both of you; you’re a lifesaver. Here’s my results:

  • Ran Mbam; most files removed immediately, all others were to be removed on restart. So I restarted. o_O Log below.

  • Well, what do you know? I’m not getting that kooky ‘end user license agreement’ popup anymore.

  • …desktop and screensaver tabs are back! So I’m not completely insane!

  • Made sure virus database was up to date on avast… seems to be fine. Ran boot time scan. Had the same results as previously.

  • Re-ran Mbam; 1 item. Removed. Log below.

  • Followed the instructions for SDFix word for word. Log below.

  • Re-ran Mbam again; says I’m clean.

  • Downloaded and ran HijackThis. Log below.

Malwarebytes’ Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 2

9/15/2008 1:30:24 PM
mbam-log-2008-09-15 (13-30-20).txt

Scan type: Quick Scan
Objects scanned: 43775
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 20
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\TDSSl.dll (Trojan.Agent) → No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_reserv (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_file (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletecookie (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_deletesol (Backdoor.Agent) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcaowj0evd5 (Trojan.FakeAlert) → No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) → No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\xrt_tswv.exe (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\bnl3.tmp (Trojan.Agent) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\pey33.tmp (Backdoor.ProRat) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\opr31.tmp (Heuristics.Malware) → No action taken.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) → No action taken.

Second Mbam scan after reboot (slightly condensed):

Malwarebytes’ Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 2

9/15/2008 2:46:15 PM
mbam-log-2008-09-15 (14-46-15).txt

Scan type: Quick Scan
Objects scanned: 43549
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\TDSSfa73.tmp (Trojan.Multis) → Quarantined and deleted successfully.

To be continued on next post

SDFix: Version 1.225
Run by Administrator on Mon 09/15/2008 at 03:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\tdssserv.sys - Rootkit.Win32.Agent.cku

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 15:28:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe"="C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\Program Files\Common Files\AOL\1133557586\EE\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1133557586\EE\AOLServiceHost.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe"="C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"="C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Fri 6 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 25 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Sorry this is so big… I’ve gotta continue it in another post.
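What the registry half of that Malwarebytes log actually did to the machine, as an added example (not code from the post or from Malwarebytes): the parser below reads the ‘Registry Values Infected’ and ‘Registry Data Items Infected’ line format from the log above and sorts each hit into logon autostarts, Explorer policy restrictions and shell-setting hijacks. The policy names and their effects are Microsoft’s documented policy values; the grouping rules and the sample lines (copied from the log above, with -> for the arrow) are mine.

```python
"""Turn the registry section of a Malwarebytes' Anti-Malware log into a
persistence / policy review.

Added example for this thread; not code from the original post or from
Malwarebytes. Parses the "<key path> (<detection>) -> <action>" and
"... -> Bad: (x) Good: (y) -> <action>" line shapes seen in the log above.
"""
import re

LINE_RE = re.compile(
    r"^(?P<path>HK[A-Z_]+\\.+?) \((?P<detection>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$"
)

# Policy values rogue-AV families set to hide the controls a user reaches
# for. These are the documented Windows policy names and their effects.
POLICY_MEANING = {
    "nodispbackgroundpage": "hides the Desktop (background) tab of Display Properties",
    "nodispscrsavpage": "hides the Screen Saver tab of Display Properties",
    "nodispcpl": "blocks Display Properties entirely",
    "disabletaskmgr": "disables Task Manager",
    "disableregistrytools": "disables regedit",
}


def parse_registry_lines(text):
    """Yield a dict per registry detection line; file lines and headers are skipped."""
    for raw in text.splitlines():
        line = raw.strip().replace("→", "->")   # the forum rendered -> as an arrow
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review(text):
    """Group detections into autostart, policy, shell and other."""
    report = {"autostart": [], "policy": [], "shell": [], "other": []}
    for d in parse_registry_lines(text):
        low = d["path"].lower()
        value = d["path"].rsplit("\\", 1)[-1]          # last path component
        entry = dict(d, value=value)
        if "\\currentversion\\run\\" in low or "\\currentversion\\runonce\\" in low:
            entry["note"] = f"runs at logon under value '{value}'"
            report["autostart"].append(entry)
        elif "\\policies\\" in low:
            meaning = POLICY_MEANING.get(value.lower(), "policy restriction")
            entry["note"] = f"{meaning} (current value {d['bad']}, expected {d['good']})"
            report["policy"].append(entry)
        elif "\\control panel\\desktop\\" in low:
            entry["note"] = f"user shell setting '{value}' replaced (wallpaper / screen saver hijack)"
            report["shell"].append(entry)
        else:
            entry["note"] = "configuration or marker key for the dropped components"
            report["other"].append(entry)
    return report


# Sample input: a subset of the registry lines from the log above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrt_Shell (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcaowj0evd5 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\tdssserv.sys (Trojan.Agent) -> No action taken.
"""

if __name__ == "__main__":
    for group, items in review(SAMPLE_LOG).items():
        for e in items:
            print(f"[{group}] {e['path']}: {e['note']}")
```

Run on the sample it reports two autostarts (the xrt_Shell value under HKCU and inrhcaowj0evd5 under HKLM), two policy restrictions set to 1, and the scrnsave.exe replacement. NoDispBackgroundPage=1 is the policy that hides the Desktop tab of Display Properties and NoDispScrSavPage=1 hides the Screen Saver tab, which is why both tabs were missing in the first post and came back once these values were removed.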

Here’s the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:41:50 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Since your (wyrmrider) comment, I’ve disabled Java and JavaScript on Mozilla; I’ll fetch JavaRa later today, thanks for the tip!

When I ran RogueRemover, it functioned normally until it falsely identified svchost as malware. After telling it to remove, the entire system shut down (with no perceived permanent damage), so RR may or may not have finished its job. Regardless, the svchost problem disappeared after the first SAS scan, so (at least now) RR runs all the way through.

As of now, I’m planning on doing a(nother) boot scan and possibly another full scan while I take a shower, and if no one has replied by then I’ll just edit it into this message.

Thanks again for the help. :smiley:

-Chris

Old versions of Java are vulnerable even if disabled; run the JavaRa tool when you get a chance
then Secunia Software Inspector

your HJT is out of date new version is 2.02
nothing bad jumps out

most likely no rootkits
RR ran all the way through- good sign
let’s look at prevention

What firewall?
what browser?

spywareblaster?
some preventive anti malware
your choice depending on system resources
Spybot Search and Destroy TeaTimer
Windows Defender
Spyware terminator with custom install without Clam AV and toolbar
Spyware Doctor from Google pack- de select all the other stuff

a hosts file MVPS or HP HOSTS
we will need to clean up any quarantine files if they start to show up on AV scans

you might try a Kaspersky on line scan for a final check and then run a scan with whatever proactive protection you chose
keep mbam and SAS on hand as on demand scanners

you can run CCleaner or ATF Cleaner
then do your defrag
and set new restore points
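To make the firewall question concrete, an added example (not code from the posts or from SDFix) that reads the ‘Authorized Application Key Export’ SDFix printed two posts up. Each line has the form "path"="path:scope:state:name", where scope is the set of remote addresses allowed (* means any) and state is Enabled or Disabled. The sample lines are copied from that export (re-quoted, with µTorrent written as uTorrent); the ‘expected location’ rule, that a program should sit directly in system32 or somewhere under Program Files, is my heuristic; %windir% is assumed to be C:\WINDOWS.

```python
"""Review a Windows XP firewall AuthorizedApplications export.

Added example for this thread; not code from the original posts or from
SDFix. Assumes %windir% expands to C:\\WINDOWS. The "expected location"
rule is a heuristic of this example, not a Windows rule.
"""
import re

WINDIR = r"C:\WINDOWS"
SYSTEM32 = (WINDIR + r"\system32").lower()
PROGRAM_FILES = "c:\\program files\\"

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# value layout: <path>:<scope>:<Enabled|Disabled>:<display name>
VALUE_RE = re.compile(
    r"^(?P<path>.+):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.I
)


def expand(path):
    """Expand the one environment variable XP uses in these entries."""
    return path.replace("%windir%", WINDIR)


def parse_export(text):
    """Return one dict per authorized-application line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        v = VALUE_RE.match(m.group("value"))
        if not v:
            continue
        entries.append({
            "path": expand(v.group("path")),
            "scope": v.group("scope"),                    # '*' = any remote address
            "enabled": v.group("state").lower() == "enabled",
            "name": v.group("name"),
        })
    return entries


def in_expected_location(path):
    """Heuristic: directly in system32, or anywhere under Program Files."""
    low = path.lower()
    directory = low.rsplit("\\", 1)[0]
    return directory == SYSTEM32 or low.startswith(PROGRAM_FILES)


def review_exceptions(text):
    """Parse the export and report entries that live somewhere unusual."""
    entries = parse_export(text)
    findings = []
    for e in entries:
        if not in_expected_location(e["path"]):
            state = "enabled" if e["enabled"] else "disabled"
            findings.append(
                f"{e['path']} ({e['name']}, {state}) is outside the usual program locations"
            )
    return entries, findings


# Sample input: a subset of the SDFix export from the thread, re-quoted.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\WINDOWS\system32\drivers\svchost.exe"="C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost"
'''

if __name__ == "__main__":
    entries, findings = review_exceptions(SAMPLE_EXPORT)
    for e in entries:
        print(f"{'ENABLED ' if e['enabled'] else 'disabled'} scope={e['scope']:<3} {e['path']}  [{e['name']}]")
    for f in findings:
        print("CHECK:", f)
```

The XP SP2 firewall only filters inbound traffic, so every Enabled entry here is a program that may accept unsolicited inbound connections from any address (scope *), and none of it restricts what a program sends out; that is the gap the outbound-firewall question in this thread is about. The one entry the location rule reports is the fake svchost.exe under system32\drivers; it is marked Disabled, but an exception pointing at a file that has been quarantined has no reason to stay and should be deleted with the rest of the cleanup.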

I’m running Firefox 3.0 and the only firewalls I have are whatever standard protection comes with that, and Windows Security Center; avast is always running on the task bar, and the database updates daily. I’ll keep all the programs you mentioned in mind; after I run JavaRa and Secunia I’ll look into that. First I’ll run Kaspersky, then get something to eat. But before that, here are my results since last time:

  • Boot scan went off without a hitch. No malicious files detected.

  • Ran a full Mbam. Only one result; I believe it was a false alarm. It was the launcher for an MMORPG that has been clean up until now, and it hasn’t been modified since May, so I’m confident it’s still clean. If the next avast scan catches it I’ll have it fixed.

  • Ran a full avast scan. Well, the same couple of files (both Win32:Adware-gen [adw]) from before showed up, and I had them moved to the chest. The scan didn’t complete; it said a bunch of files had not been accessed. I’ve been gone for the past few hours, so I wasn’t there; I’m re-running the full scan, and so far no sign of anything evil, and in every other scan it had shown up much earlier. So, I think they might be gone for good; furthermore, there’s been no sign of the droppers that were there earlier.

  • I downloaded HJT 2.02. Log below.

  • Ran a Kaspersky online scan. 3 infected files. Log below.

  • Individually scanned these files with avast; infections confirmed in the first two, sent to chest… the file on the D:\ drive, avast (settings on thorough) said was clean.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:37 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ISUSPM Startup] “C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe” -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


End of file - 4728 bytes

And the Kaspersky:


KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 16, 2008 01:56:18
Records in database: 1238289

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:
D:
E:\

Scan statistics:
Files scanned: 42632
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:16:23

File name / Threat name / Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-73a781b5.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-2c65157f.zip Infected: Exploit.Java.Gimsh.a 1
D:\i386\Apps\App17981\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.

I think it may finally be cleaned up, but let me know if you see anything suspicious. I'll take care of JavaRa, Secunia, grab some of the protections you recommended, and defrag a little later. If I catch anything else I'll update on it. But-- and I hope I'm not speaking too soon-- I think the problem has been cleaned up. I can only imagine what sort of $hitstorm I would have stirred up if I had been foolish enough to download that 'Antivirus XP.' I'm going to avoid those torrent sites until I feel I'm sufficiently protected and I'll keep an eye out for news, and I've been warning some of my friends who also frequent those sites to watch out for this virus. I'm going to do another full scan with avast, and hopefully get an 'all-clear.' Thanks again for the support!

-Chris
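The two logs Chris posted above are the raw material of this kind of triage: HijackThis lists what starts automatically (O4 registry Run keys, the Startup folder, O23 services), and the Kaspersky report lists what the scanner detected. A useful check when reading them side by side is whether any detected file is also an autostart entry, and whether any autostart entry runs from a location a normal installer would not use (a user profile, Temp or Application Data directory). The following Python script is an added example written for this thread; it is not code from HijackThis, Kaspersky or avast. It parses lines in the two formats shown above, and its sample input copies a few lines from the logs plus one hypothetical autostart entry and one hypothetical detection (labelled as constructed in the code) so that the cross-reference has something to report. The `%WINDIR%` expansion to `C:\WINDOWS` is an assumption taken from the paths elsewhere in the log.

```python
"""Cross-reference HijackThis O4/O23 autostart lines with Kaspersky Online
Scanner 7 result lines.  Added example for this thread; not code from
HijackThis, Kaspersky or avast."""
import re
from dataclasses import dataclass

# Sample input constructed for this example: real lines copied from the logs
# above, plus one hypothetical autostart entry ([example]) and one hypothetical
# detection (Example.Constructed.Detection) that are NOT from the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

KAV_SAMPLE = r"""
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-73a781b5.zip Infected: Exploit.Java.Gimsh.b 1
D:\i386\Apps\App17981\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Documents and Settings\Owner\Local Settings\Temp\example.exe Infected: Example.Constructed.Detection 1
"""

# HijackThis line shapes seen in the log above.
O4_REG = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')
O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$')
# Kaspersky Online Scanner 7 result line: <path> Infected: <threat> <count>
KAV = re.compile(r'^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$')
# Executable inside a command line: either a quoted path or everything up to
# the first executable-looking extension (unquoted paths may contain spaces).
EXE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|sys|dll|com|bat|cmd))', re.I)

ENV = {"%WINDIR%": r"C:\WINDOWS"}  # assumed from the other paths in the log
PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\",
                   "\\application data\\", "\\local settings\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Autostart:
    kind: str   # "registry", "startup-folder" or "service"
    name: str
    path: str   # executable path with quotes stripped and %WINDIR% expanded
    raw: str


@dataclass
class Detection:
    path: str
    threat: str
    count: int


def executable_path(cmd: str) -> str:
    """Pull the executable out of an O4/O23 command line and expand %WINDIR%."""
    m = EXE.match(cmd.strip())
    path = (m.group("q") or m.group("u")) if m else cmd.strip()
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.I)
    return path


def location_flag(path: str):
    """Return a reason string if the path is somewhere an autostart should not normally live."""
    p = path.lower()
    if any(mk in p for mk in PROFILE_MARKERS):
        return "runs from a user-profile or temp directory"
    if not p.startswith(TRUSTED_ROOTS):
        return "outside Program Files / Windows, verify the publisher"
    return None


def parse_hjt(text: str) -> list:
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O4_REG.match(line):
            out.append(Autostart("registry", m["name"], executable_path(m["cmd"]), line))
        elif m := O4_STARTUP.match(line):
            out.append(Autostart("startup-folder", m["name"], executable_path(m["cmd"]), line))
        elif m := O23.match(line):
            out.append(Autostart("service", m["name"], executable_path(m["cmd"]), line))
    return out


def parse_kaspersky(text: str) -> list:
    lines = (l.strip() for l in text.splitlines())
    return [Detection(m["path"], m["threat"], int(m["count"])) for m in map(KAV.match, lines) if m]


def triage(hjt_text: str, kav_text: str) -> dict:
    """Flag oddly located autostarts, detections that are also autostarts, and PUA-class hits."""
    entries = parse_hjt(hjt_text)
    detections = parse_kaspersky(kav_text)
    detected = {d.path.lower(): d for d in detections}
    flagged = [(e, location_flag(e.path)) for e in entries if location_flag(e.path)]
    persistent = [(e, detected[e.path.lower()]) for e in entries if e.path.lower() in detected]
    pua = [d for d in detections if d.threat.startswith("not-a-virus:")]
    return {"entries": entries, "detections": detections,
            "flagged": flagged, "persistent": persistent, "pua": pua}


if __name__ == "__main__":
    r = triage(HJT_SAMPLE, KAV_SAMPLE)
    for e, why in r["flagged"]:
        print(f"CHECK   {e.kind:14} [{e.name}] {e.path}  ({why})")
    for e, d in r["persistent"]:
        print(f"PERSIST [{e.name}] is an autostart AND detected as {d.threat}")
    for d in r["pua"]:
        print(f"PUA     {d.path}: {d.threat} (not-a-virus class, usually adware/toolbar)")
```

Against the real lines from the thread the script reports nothing: the two Java cache jars are exploit files that were merely cached by the browser plug-in, not autostarts, and the `toolbr.exe` hit on D: is a "not-a-virus" adware component inside the recovery partition's bundled-apps folder. Only the constructed `[example]` entry trips both the location check and the cross-reference, which is the pattern a real rogue-antivirus persistence entry would show.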

:slight_smile: Hi Chris :

I noticed an outdated Adobe Acrobat in your HijackThis log; this is a security risk. If you had run the FREE Online "Software Inspector" at http://secunia.com/software_inspector it most likely would have told you so. At a minimum, you should "Upgrade" this program to a later "Version" and IF you use this program as a pdf reader, should uninstall and get the safer "Foxit Reader".

In the Past, we have recommended uninstalling "Real Player" because of security concerns and recommended "Real Alternative" as its "replacement".

@ Spiritsongs: I’ve finally gotten around to running JavaRa and Secunia. I had no idea older versions of these programs were a security risk-- I normally keep my programs and plug-ins updated, but I rarely use some of these and so I suppose I may have neglected them. Question: I only ever run Real Player to download embedded videos from websites. Usually I convert the files to .wmv or .avi to play in another player; since Real Player came by default on this computer, I thought it would be easier to simply upgrade it to download embedded videos rather than download a separate program. Is Real Player still a security vulnerability if I don’t actually run the program, but rather the IE plug-in? And is Real Alternative capable of downloading embedded videos? I may get rid of Real Player altogether and just find a Firefox plug-in for my purposes.

I plan on taking your advice and downloading Foxit Reader. It appears to be much smaller than Adobe Acrobat, which I rarely use anyway, so I will do that. Other than that, I have to remove the redundant older version of Adobe Flash Player and update my Quicktime, and then I’m all set.

As for the virus infection? It seems to have cleared up. Everything appears to be functioning normally, and all my scans are turning up clean now. So, thanks wyrmrider and raman for the help getting rid of this virus, and to you and Spiritsongs for the security advice. I always, always have Avast updated and running, so I don’t frequently encounter viruses, but I know that’s not always enough! I’m certainly glad Avast has a board full of knowledgeable people to cover up for its occasional security flaw. Thanks again!

-Chris