Tired of annoying virus - XP Internet Security 2012

I had not gotten a virus for about five years on this computer, and suddenly, as of December last year, I randomly got this “XP Internet Security 2012” virus come trucking in out of nowhere.

Sure, I removed it and cleaned everything out. Avast has never had a problem before now with blocking anything or identifying what might come my way, but what strikes me as strange is that Avast does not seem to be blocking this, or identifying it at all. It is literally like the virus itself is not in the definitions at all, and so every few weeks it keeps showing up.

Need I state beforehand, XP Internet Security first shuts any browser down, then starts downloading itself… Avast is still running and does not shut off; hell, as I said, it may as well just be twiddling its thumbs as far as I am concerned, because it isn’t identifying that anything is wrong at all!

Every time it shows up (four times so far in the past month) I just clean my computer, check the registry… all that jazz, so I know that it is gone and not attached to anything.

I will go two weeks, a week, three weeks without it randomly showing up after browsing whatever random websites it may be attached to in a pop-up or what have you. After dealing with it this many times I just have to curiously ask…

Is this even in Avast’s registry at all to block it?
Is Avast literally just ignoring it because it does not exist in the virus database?
Is there actually going to be an update to block this? Because, man, it’s just so annoying…

Yes, you are deeply infected… if it keeps coming back, it might be a rootkit behind it all, downloading a fresh copy of the rogue for your entertainment every time you clean it.

Anyway, follow this guide for starters >> http://forum.avast.com/index.php?topic=53253.msg451454#msg451454, Essexboy will breathe digital dragon fire on your infection. :wink:

Hm, well, I already run all the programs and things necessary to remove it; that is why it is annoying that it continues to try to return. I have a friend who has the same issue (though they run Windows 7), who also clears the issue and runs Avast, and so we are just unsure if the thing even exists in the virus database yet for Avast. I have no way to confirm that it does or doesn’t, since there have been no threads stating that “Yes, we have already added this to our definition updates”.

Either way, I just always go through the same process of removing it each time, which is still the same as what everyone else is told to do, since I just read the instructions (they are easy enough to follow) and I have always had to help others remove things from their computers in the past.

You mistake the rogue AV (XP IS 2012) for the illness… it is more like a symptom.

Light metaphor: you keep getting a cold, so you keep taking cold medicine. But it will do little good if you have AIDS. The reality is much more complicated than that, but you get the general idea? If you have a rootkit installed, all bets and safeguards are off.

This is all on the assumption that you have a rootkit infection; I could easily be wrong… but that’s the most common source of “it keeps coming back” that I have seen. Second would be someone who keeps going back to the same “trusted site” that is compromised and keeps infecting them.

Not trying to sweep under the rug the fact that Avast! has failed to perform for you as advertised, just an explanation.

Yep, I know, this is why I tossed it out there to see if there could be a definitive answer on whether it exists in their definitions or not. That way it narrows down what I have to do.

Of course, right now I am cleaning up any sort of potential lingering effects of this last ninja attack, as we speak, since it happened just prior to me posting this thread. So unless one of the programs is not doing what it ought to in order to clean it up, it beats me. Arbitrarily, I will obviously have the logs of tonight’s fiasco when the programs are done scanning so that someone else can look at them.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Lunactic Inferno :: AVRAIL [administrator]

1/11/2012 7:37:08 PM
mbam-log-2012-01-11 (19-37-08).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 406708
Time elapsed: 1 hour(s), 34 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
c:\documents and settings\lunactic inferno\local settings\application data\mcl.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\ncv.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\lunactic inferno\my documents\42n1l.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{e0e29660-213b-489e-aaf8-e5de0d975889}\rp39\a0014710.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\temp\oiu0.018459031998561692.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

(end)

Removed, Restarted. OTL ran, logs posted in clips.

aswMBR log file posted in clip.

RKill.

RogueKiller V6.2.3 [01/09/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Lunactic Inferno [Admin rights]
Mode: Shortcuts HJfix -- Date : 01/12/2012 00:18:24

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] Adobelm_Cleanup.0001 -- C:\DOCUME~1\LUNACT~1\LOCALS~1\Temp\Adobelm_Cleanup.0001 -> KILLED [TermProc]
[SUSP PATH] Adobelm_Cleanup.0001 -- C:\DOCUME~1\LUNACT~1\LOCALS~1\Temp\Adobelm_Cleanup.0001 -> KILLED [TermProc]

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 17 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 48 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 140 / Fail 0
Backup: [NOT FOUND]

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\CdRom1 -- 0x5 --> Skipped
[G:] \Device\Harddisk2\DP(1)0-0+8 -- 0x2 --> Restored
[H:] \Device\Harddisk3\DP(1)0-0+9 -- 0x2 --> Restored
[I:] \Device\Harddisk4\DP(1)0-0+a -- 0x2 --> Restored
[J:] \Device\Harddisk5\DP(1)0-0+b -- 0x2 --> Restored
[L:] \Device\IsoCdRom0 -- 0x5 --> Skipped
[X:] \Device\WinDfs\X:000000000001e118 -- 0x4 --> Skipped
[Y:] \Device\WinDfs\Y:000000000001e118 -- 0x4 --> Skipped

¤¤¤ Infection : ZeroAccess ¤¤¤

Finished : << RKreport[1].txt >>
RKreport[1].txt

^ Of course it says ZA, though not much seems to ever come up. I did have that once, but then it got removed. I will have to have it looked into if it comes up again.

and so we are just unsure if the thing even exists in the virus database yet for Avast. I have no way to confirm that it does or doesn't since there has been no threads stating that "Yes, we have already added this to our definition updates".
This is not one program… even if they look the same, they are changed inside. So new versions are released every day, needing new signatures.

Fake antivirus overwhelming scanners
http://www.networkworld.com/news/2009/100209-fake-antivirus-overwhelming.html

Gotcha.

I always just send in what avast does find in order to update against what might be there. It is pretty annoying to just get the same dull thing trying to get on my computer every so often.

The logs are up; I am doing one last scan to see if it finds anything else. I don’t really know what RKill was going on about if it thinks that I have ZeroAccess again. That thing was a pain in the arse to remove last time I had it.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Lunactic Inferno :: AVRAIL [administrator]

Protection: Enabled

1/12/2012 12:26:03 AM
mbam-log-2012-01-12 (00-26-03).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 389270
Time elapsed: 2 hour(s), 14 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Final Report.

I hope that it is gone for good, but I don’t really know for sure. Someone else probably should go through this just in case I overlooked something.

For now, I am heading to sleep and will check back later on to see if anything has been updated here or someone had something else to say.

This is Zaccess infection…

download and scan with AVPTool:

http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

@ LunacticInferno,

Since you have made many attempts to get rid of this malware, I have contacted our malware removal expert named Essexboy. He comes on the forum late UK time zone around 18:00 (6:00 PM). Please make no further changes to your machine and follow his instructions. If you are on a network, please disconnect this machine from the network. Thank you.

Hi there, I have found the folders that are just sitting and waiting to be re-activated; aswMBR has also detected an unusual file as suspicious:

Service .cdrom * LOCKED 123

This is not a legitimate service name

To date no AV has a handle on this beast as it mutates daily (sometimes hourly)

So after the initial OTL fix I will give you a script so that I can investigate it… It has the hallmarks of ZeroAccess, though.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2012/01/11 19:02:13 | 000,005,356 | -HS- | M] () -- C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\852q38k376363dc3jw128du
[2012/01/11 19:02:13 | 000,005,356 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\852q38k376363dc3jw128du
[2012/01/09 01:39:26 | 000,009,806 | -HS- | M] () -- C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\63esb00gqj4618awmur11ljill5og64pcd4p17c2b40hqr
[2012/01/09 01:39:26 | 000,009,806 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\63esb00gqj4618awmur11ljill5og64pcd4p17c2b40hqr
[2011/12/16 02:50:41 | 000,013,708 | -HS- | M] () -- C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\060526s0k731w840m316p3quc4c5
[2011/12/16 02:46:29 | 000,013,712 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\060526s0k731w840m316p3quc4c5

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

THEN

Re-run OTL and paste the following in the custom scans and fixes box

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.cdrom /s

Then press the quick scan button

I will do that now that I am awake.

»OTL did not want to run in normal windows mode, it would hang. Restarted>Safe Mode+Networking>Ran OTL with script and worked fine.

With custom snippet (below):

All processes killed
========== OTL ==========
C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\852q38k376363dc3jw128du moved successfully.
C:\Documents and Settings\All Users\Application Data\852q38k376363dc3jw128du moved successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\63esb00gqj4618awmur11ljill5og64pcd4p17c2b40hqr moved successfully.
C:\Documents and Settings\All Users\Application Data\63esb00gqj4618awmur11ljill5og64pcd4p17c2b40hqr moved successfully.
C:\Documents and Settings\Lunactic Inferno\Local Settings\Application Data\060526s0k731w840m316p3quc4c5 moved successfully.
C:\Documents and Settings\All Users\Application Data\060526s0k731w840m316p3quc4c5 moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Lunactic Inferno\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Lunactic Inferno\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 14548517 bytes
->Flash cache emptied: 405 bytes
 
User: Lunactic Inferno
->Temp folder emptied: 27584595 bytes
->Temporary Internet Files folder emptied: 3257085 bytes
->Java cache emptied: 120461 bytes
->FireFox cache emptied: 51494633 bytes
->Flash cache emptied: 5476 bytes
 
User: NetworkService
->Temp folder emptied: 6 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4814856 bytes
%systemroot%\System32 .tmp files removed: 9711345 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28795 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 42984522 bytes
 
Total Files Cleaned = 148.00 mb
 
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.
 
OTL by OldTimer - Version 3.2.31.0 log created on 01122012_203734

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

» Running second script now. Log provided in clip.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.cdrom /s
"Type" = 1
"Start" = 3
"ImagePath" = \*

Yep, ’tis a bad entry

Once done can you let me know what problems remain

Also, do you have the latest MBAM installed? That appears to be causing problems with OTL.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.cdrom]

:Files
ipconfig /flushdns /c

:Commands
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Okay, running this now.

I do have the latest Mbam.

When the computer restarted after OTL ran with the last script, we had a minor power outage from the weather, so I don’t have the log for it. I am running Mbam and aswMBR again to see if they pick anything else up, since I could not get the log from OTL.

The cdrom thing did not show up again in aswMBR when scanned, and nothing showed up on Mbam. RKill still states ZA.

RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Lunactic Inferno [Admin rights]
Mode: Scan -- Date : 01/14/2012 04:05:49

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

¤¤¤ HOSTS File: ¤¤¤
ÿþ1
127.0.0.1	www.007guard.com
127.0.0.1	007guard.com
127.0.0.1	008i.com
127.0.0.1	www.008k.com
127.0.0.1	008k.com
127.0.0.1	www.00hq.com
127.0.0.1	00hq.com
127.0.0.1	010402.com
127.0.0.1	www.032439.com
127.0.0.1	032439.com
127.0.0.1	www.0scan.com
127.0.0.1	0scan.com
127.0.0.1	1000gratisproben.com
127.0.0.1	www.1000gratisproben.com
127.0.0.1	1001namen.com
127.0.0.1	www.1001namen.com
127.0.0.1	100888290cs.com
127.0.0.1	www.100888290cs.com
127.0.0.1	www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7363adf36d8e872b19cd06f829973af5
[BSP] 59e6e5e25adc36f1c7d0322b9e2c3180 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 250048 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 58d5d8d1486c4505f69dc64b33f839f8
[BSP] 0e667feb6452a6589648bbd85603dfb2 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 750153 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

I was hoping we could skip combofix on this one, but it looks like we will need to use it

windir\NtUpdateKBxxxx present!

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
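The three ZeroAccess indicators this thread has turned up so far (the Hidden+System, randomly named folders under Application Data that OTL moved, the bogus ".cdrom" service whose ImagePath is "\*", and the "windir\NtUpdateKBxxxx" folder RogueKiller flags) can be re-checked with a short read-only script before and after each fix, so that a "clean" from the scanners can be compared against the specific artefacts the helper is chasing. The script below is an added example written for this page; it is not part of the thread and is not code from OTL, RogueKiller, aswMBR or ComboFix. It assumes the XP profile layout shown in the logs (Windows PowerShell is a separate install on XP), treats a "random" name as a lowercase alphanumeric string of 20 or more characters (a threshold picked from the three names OTL moved), and globs "NtUpdateKB*" because the thread only gives the name with "xxxx".

```powershell
# Added example, not part of the thread or of any tool used in it.
# Read-only check for the ZeroAccess indicators named in this thread:
#   1. the bogus ".cdrom" service key (Type=1, Start=3, ImagePath=\*),
#   2. Hidden+System entries with long random names under the per-user
#      "Local Settings\Application Data" and "All Users\Application Data"
#      folders (the six entries OTL moved earlier in the thread),
#   3. a %windir%\NtUpdateKB* entry (RogueKiller prints the name as
#      NtUpdateKBxxxx; the real digits are not given, so we glob).
# Assumptions: XP profile paths as in the logs; the 20-character length
# threshold and [0-9a-z] character class for "random" names are chosen
# from the three names OTL moved. Run from an elevated prompt.

function Test-CdromService {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\.cdrom'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    # A real driver service points ImagePath at a file on disk; "\*" points nowhere.
    "Service '.cdrom' present: Type=$($p.Type) Start=$($p.Start) ImagePath=$($p.ImagePath)"
}

function Find-HiddenRandomDirs {
    $roots = @(
        (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
        (Join-Path $env:ALLUSERSPROFILE 'Application Data')
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # -Force is required: the entries carry the Hidden and System attributes
        # (the "-HS-" column in the OTL listing), so a plain dir skips them.
        Get-ChildItem -Path $root -Force | Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System) -and
            ($_.Name -match '^[0-9a-z]{20,}$')
        } | ForEach-Object {
            "Hidden+System entry: $($_.FullName) [$($_.Attributes)] modified $($_.LastWriteTime)"
        }
    }
}

function Find-NtUpdateKB {
    # Name pattern assumed from RogueKiller's "windir\NtUpdateKBxxxx present!" line.
    Get-ChildItem -Path $env:windir -Force -Filter 'NtUpdateKB*' |
        ForEach-Object { "windir entry: $($_.FullName) [$($_.Attributes)]" }
}

$findings = @()
$findings += Test-CdromService
$findings += Find-HiddenRandomDirs
$findings += Find-NtUpdateKB
$findings = @($findings | Where-Object { $_ })   # drop empty results

if ($findings.Count -eq 0) {
    'No ZeroAccess indicators from this thread were found.'
} else {
    $findings
    # Removal is deliberately left to the helper's OTL/ComboFix scripts: with a
    # live kernel-mode rootkit, deleting from inside the infected session often
    # fails or is quietly undone on the next boot.
}
```

The script only reports; a non-empty result is what you would paste back to the helper alongside the logs. The caveat is the same one that applies to every user-mode scanner in this thread: a rootkit that is still loaded can hide files and registry keys from the very APIs this script uses, so an empty result from inside the infected session is not proof of a clean machine, only the absence of the specific artefacts listed.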

Combofix log on clip.

Rebooted to see if anything really changes right now. After the reboot, things were pretty much the same as always. Nothing faster, nothing slower; I did have to fix my start menu back to having the default items off of it that I never use, but that really isn’t anything big.

The remnants of ZeroAccess have now been removed, so you will now be less prone to re-infection.

I have discovered that MBAM will stop OTL from running, so I will change my approach to reflect this.

Do Windows Updates and the firewall function normally?

They do, though I have to update Adobe Acrobat (poo, I hate doing that).

So far it seems alright. The thing that makes me wonder a little is that if I have everything closed (as far as windows are concerned), Mbam still has “blocked incoming IP address”. I only started using Mbam two months ago, so I don’t know if this is supposed to be normal or not… or if it’s similar IP addresses trying to download host files that have to do with the rootkit… like they are trying to connect or search for obvious things that were erased.

Uninstalling ComboFix now.

“blocked incoming IP address”.
As it is incoming, there is nothing on your system doing that.

Does it give an IP address?
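A way to answer that question from the machine's own side, as an added example that is not part of the thread and not MBAM's or any helper tool's code: list the TCP connections that "netstat -ano" reports together with the owning process, so the blocked inbound address can be compared with what is actually listening or talking out. Inbound hits against a port nothing is listening on are background scanning noise; an ESTABLISHED connection from an unfamiliar process to an unfamiliar address is the thing worth posting. It assumes Windows PowerShell is installed (a separate download on XP) and the five-column TCP layout of "netstat -ano", which is the same on XP and later; the IP address at the end is a placeholder, not one from the thread.

```powershell
# Added example, not part of the thread. Parses "netstat -ano" (present on XP)
# and resolves each PID to a process name, so an MBAM "blocked incoming IP"
# notice can be compared with what is really listening or connected.
function Get-TcpTable {
    # Only TCP rows carry a State column; UDP rows have four fields, so skip them.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'        # Proto Local Foreign State PID
        $procId = [int]$f[4]
        # The process may have exited between the two commands; label rather than fail.
        $name = try { (Get-Process -Id $procId -ErrorAction Stop).ProcessName } catch { '<exited>' }
        New-Object PSObject -Property @{
            State   = $f[3]
            Local   = $f[1]
            Remote  = $f[2]
            PID     = $procId
            Process = $name
        }
    }
}

$table = Get-TcpTable

'--- Listening ports (what an inbound address could actually reach) ---'
$table | Where-Object { $_.State -eq 'LISTENING' } |
    Sort-Object Local | Format-Table -AutoSize Local, PID, Process

'--- Established connections, loopback excluded (a beaconing process shows up here) ---'
$table | Where-Object { $_.State -eq 'ESTABLISHED' -and $_.Remote -notmatch '^(127\.|0\.0\.0\.0)' } |
    Sort-Object Process | Format-Table -AutoSize Process, PID, Local, Remote

# To match one specific address from the MBAM notice, filter on the Remote column.
# 203.0.113.5 is a placeholder (documentation range), not an address from the thread:
$table | Where-Object { $_.Remote -like '203.0.113.5:*' }
```

Run it a few times while the MBAM notices appear; if the blocked address never shows up in the ESTABLISHED list and nothing is listening on the port it targets, the block is of an unsolicited inbound packet, which supports the reply above. The usual caveat holds: a kernel-mode rootkit can hide its sockets from user-mode tools, so a quiet listing on a box that RogueKiller still flags is not by itself evidence of a clean system.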