[b]I, too, have fallen victim to this beast. I've done some searching and have been reading about other people's encounters with this malware to avoid being redundant, and I've scanned with three programs and I've got some logs. So, I would truly appreciate it if someone could offer me some help. Here is my summary of my problem so far:
- I looked at my desktop to see my wallpaper replaced with this lame 'ZOMG there's spyware on your PC' thing.
- An 'end user license agreement' appeared to tell me to install Antivirus XP 2008.
- I'm not that stupid, okay? I closed the thing.
- Ran avast; moved everything to the chest, except some files that couldn't be touched 'coz they were 'being used by another program.' It told me it had hit the fan in the operating memory; I scheduled a boot scan and restarted.
- Sent everything to the chest (there were about 7 items).
- 'End user license agreement' appeared again. Ran avast again; same results. Scheduled another boot scan.
- Deleted all items (about the same number).
- Rinse, wash, & repeat. 'Nother boot scan.
- Sent everything to the chest.
- Avast said the same as before. Installed RogueRemover. Updated & scanned. The only item it detected was svchost. When I tried to remove it, as might be expected, I received a shutdown message stating that the RPC service was terminated unexpectedly. Crap. >:( Log below.
- After starting up again, I repeated this with the same results. The log generated was the same.
- Installed SUPERAntiSpyware. Scanned, 18 hits. Sent all to quarantine. Reboot. Log below.
- My wallpaper has now been replaced with a blue screen; it's not my wallpaper, but that damnable 'spyware has been detected' screen is gone. However, the 'end user license agreement' appeared once again.
- Ran RogueRemover. Told me I was clean.
- While running a scan on SUPERAntiSpyware, I tried to change my desktop back to normal. Now, this COULD be the fact that it is 0-dark-thirty in the morning right now, and I'm tired as all get-out, but... when you right click and go to Properties on the desktop, where you have the 'Themes,' 'Appearance,' and 'Settings' tabs, should there not be one that says 'Desktop' for you to change your background? Or have I completely lost my mind? ??? Um... well anyway, onto more pressing matters...
- SAS found 6 items. I selected them all for quarantine. Reboot. Log below.
- SAS found the same 6 items. I exited.
Here's the log for the RogueRemover scan (it's the same for both instances):[/b]
Malwarebytes’ RogueRemover
Malwarebytes ©2007 hxxp://www.malwarebytes.org
6290 total fingerprints loaded.
Loading database …
Expanding environmental variables …
Scanning files … [ 100% ].
Scanning folders … [ 100% ].
Scanning registry keys … [ 100% ].
Scanning registry values … [ 100% ].
RogueRemover has detected rogue antispyware components! Results below…
Type: File
Vendor: Rogue.Misc
Location: C:\WINDOWS\system32\drivers\svchost.exe
Selected for removal: Yes
RogueRemover has found the objects above. (This is when my PC shut down)
Here is the log for the first SUPERAntiSpyware scan:
SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com
Generated 09/15/2008 at 04:11 AM
Application Version : 4.21.1004
Core Rules Database Version : 3566
Trace Rules Database Version: 1554
Scan type : Quick Scan
Total Scan Time : 00:08:57
Memory items scanned : 360
Memory threats detected : 4
Registry items scanned : 394
Registry threats detected : 5
File items scanned : 6029
File threats detected : 10
Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\LPHCEOWJ0EVD5.EXE
C:\WINDOWS\SYSTEM32\LPHCEOWJ0EVD5.EXE
[lphceowj0evd5] C:\WINDOWS\SYSTEM32\LPHCEOWJ0EVD5.EXE
NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHCEOWJ0EVD5.SCR
C:\WINDOWS\SYSTEM32\BLPHCEOWJ0EVD5.SCR
Trojan.Unknown Origin
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSM5.TMP\EULADLG.DLL
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSM5.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSG3.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSM5.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSX3.TMP\EULADLG.DLL
Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
C:\WINDOWS\Prefetch\SVCHOST.EXE-0EB47E31.pf
Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#WALLPAPER
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER
Rogue.AntiVirus 2008
C:\WINDOWS\SYSTEM32\PHCEOWJ0EVD5.BMP
Adware.WhenU
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\JC2FMMNS.EXE
Here’s the log for the second SUPERAntiSpyware scan:
SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com
Generated 09/15/2008 at 04:36 AM
Application Version : 4.21.1004
Core Rules Database Version : 3566
Trace Rules Database Version: 1554
Scan type : Quick Scan
Total Scan Time : 00:08:22
Memory items scanned : 336
Memory threats detected : 1
Registry items scanned : 393
Registry threats detected : 0
File items scanned : 6030
File threats detected : 2
Trojan.Unknown Origin
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSQ3.TMP\EULADLG.DLL
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSQ3.TMP\EULADLG.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\NSQ3.TMP\EULADLG.DLL
[b]The only difference generated in the third SAS scan was that 'NSQ3' became 'NSK3'.
The irony of all this? I was planning on letting my laptop defrag overnight while I slept, like a responsible individual. Instead, I am still up, combating evil. I am very tired.
I understand the `Antivirus XP 2008’ fakeware has been known to spread itself on sites like torrentreactor. As it so happens, I was doing a lot with torrents today, and at some point my computer froze up suspiciously (which it never does), so I’m fairly certain this was the source, in case that information is helpful. I’m running on Windows XP and my browser is Firefox 3.0, and I have no memory of ever seriously tinkering with the firewall settings, so I would venture to say I’m still using the default Windows Firewall (I checked, it is in fact still on), along with whatever security capabilities Firefox offers, and nothing else. :-\
I’ve tried to provide all the details I can so that this is as painless as possible-- I’m aware that this topic has quickly gotten old-- but I would be deeply grateful for any help anyone could offer. I’m gonna go to bed now, and schedule another boot scan with avast for tomorrow, and then I will post the log for that (I would have already, but I’ve done this so many times I don’t know what results are for what scan anymore). Thanks in advance to anyone willing to offer assistance; I’ll try to check up on this again as soon as I can, even though I’m dead tired.
-Chris[/b]
PS To those of you experiencing this same issue, when the fake 'End User License Agreement' message shows up and there is no way to exit out of it, find where the message says 'click here to exit' or something of that nature. Hovering the mouse over it yields no evidence of anything that could be construed as an exit, but if you click on the word 'here' the screen will nonetheless disappear; however, closing it from the Task Manager is equally effective. Hope someone finds this useful.
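As an added example (not part of Chris's post or of any of the tools named in it), a small Python triage script that parses a SUPERAntiSpyware log in the layout quoted above and flags the two indicators the thread revolves around: an svchost.exe living outside the genuine System32 location, and the per-user Control Panel\Desktop wallpaper values the fake alert rewrites. The allowlist of legitimate svchost.exe directories is an assumption, and the sample log is constructed from the entries quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SUPERAntiSpyware logs quoted above:
# a category line, then the paths or registry values attributed to it.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 09/15/2008 at 04:11 AM
File threats detected : 4
Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
[SVCHOST.EXE] C:\WINDOWS\SYSTEM32\DRIVERS\SVCHOST.EXE
Trojan.FakeAlert/Desktop
HKU\S-1-5-21-1126218974-2234933307-3374268103-1003\CONTROL PANEL\DESKTOP#WALLPAPER
Trojan.Unknown Origin
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\NSM5.TMP\EULADLG.DLL
"""

# Assumption: the only place a genuine Windows XP svchost.exe should run from.
# Legitimate backup copies (if any) must be added here before use on a real box.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32"}

HEADER_PREFIXES = ("SUPERAntiSpyware", "hxxp", "Generated", "Application Version",
                   "Core Rules", "Trace Rules", "Scan type", "Total Scan Time")
COUNTER_LINE = re.compile(r"^\w+ (items scanned|threats detected) :")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|U|CR)\\)", re.I)

def parse_sas_log(text):
    """Return {category: [path or registry value, ...]} from a SAS scan log."""
    findings, category = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADER_PREFIXES) or COUNTER_LINE.match(line):
            continue
        path = re.sub(r"^\[[^\]]*\]\s*", "", line)   # drop "[process]" tag on memory hits
        if PATH_LINE.match(path) and category is not None:
            findings[category].append(path)
        elif not PATH_LINE.match(path):
            category = line
    return dict(findings)

def masquerade_hits(paths):
    """svchost.exe copies that are not in the genuine System32 directory."""
    return [p for p in paths if p.lower().endswith("\\svchost.exe")
            and p.lower().rsplit("\\", 1)[0] not in LEGIT_SVCHOST_DIRS]

def wallpaper_hijack_hits(paths):
    """Per-user wallpaper values, which the fake alert points at its scare bitmap."""
    return [p for p in paths if "\\control panel\\desktop#" in p.lower()]

def triage(text):
    findings = parse_sas_log(text)
    all_paths = [p for ps in findings.values() for p in ps]
    return {"categories": sorted(findings),
            "fake_svchost": sorted(set(masquerade_hits(all_paths))),
            "wallpaper_keys": sorted(set(wallpaper_hijack_hits(all_paths)))}
```

Feeding the log quoted in the post to `triage` lists the drivers-folder svchost.exe and the three wallpaper values separately from the rest, which is what you want to confirm are gone after the quarantine and reboot.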