BleepingComputer.com: System Security Infection:

Hello BleepingComputer,

Thank you for the brilliant site. I have been following several topics in the "Am I infected? What do I do?" forum to try and solve my problem. I've started the first few baby steps - trying not to overburden the moderators! and am now in a position where i need some personal assistance - no more steps until BC feels I should. I will try to simplify this rather long post - it is long!

Thanks again,
- mark
_______________________________________________________________
COMPUTER: Sony VAIO PCG-R505ECP laptop, Pentium III 1.2GHz, Windows XP SP3 - 6 month old re-install, 512MB Ram
Antivirus: AVG Free 8.5
Internet access: wireless only
_______________________________________________________________
POSSIBLE INFECTION PROCESS: Adobe Acrobat Reader 6.0, Javascript was enabled. Saw the Acrobat window popup several times while browsing in Firefox 3.0.6 without clicking on any PDF links. (I have since disabled Javascript in Acrobat and the Firefox Acrobat actions by following the BC topic: http://www.bleepingcomputer.com/forums/topic205018.html My ignorance in not updating what I thought was a trivial extra program. grrr.)
_______________________________________________________________
SYMPTOMS:
Symptom 1: System Security 2009 keeps asking to install itself. Window pops up and starts scanning.
Symptom 2: Wallpaper:
"WARNING
YOUR'RE IN DANGER!
YOUR COMPUTER IS INFECTED WITH SPYWARE!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK.
WHEN YOU VISIT SITES, SEND E-MAILS... ALL YOUR ACTIONS ARE
LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDART TOOLS.
YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES

FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.
Every sit you or somebody or even something, like spyware, opened in your browsers,
with all images, and all downloaded and maybe later removed movies or mp3 songs -
ARE STILL THERE and could break your life!

SECURE YOURSELF RIGHT NOW!
REMOVE ALL SPYWARE FROM YOUR PC!"
Symptom 3: Firewall turned off automatically
Symptom 4: Balloon says avgrsx.exe (i think) is infected.
Symptom 5: Able to open My Computer window, but unable to see any additional windows due to the virus wallpaper
- cannot see task manager
- cannot see command window
- cannot see uninstall programs, or any other programs
Sympton 6: Switch off wireless (manual switch), System Security shows "cannot access internet" window
_______________________________________________________________
FOLLOW TOPIC: http://www.bleepingcomputer.com/virus-remo...system-security
- After the appearance of the virus, I went to the bleepingcomputer website on a second computer and started to follow several guides and topics.
- The first was the "System Security" removal guide.
- I could not follow this guide nor install Malwarebytes Anti-Malware because the wallpaper prevented me from seeing any installation windows.

- Restart in Safe Mode (it works!)
_______________________________________________________________
FOLLOW TOPIC: http://www.bleepingcomputer.com/forums/topic239401.html
- Download Malwarebytes Anti-Malware but will not install.
- disk cleanup, delete temp files
- Download Dr.Web Cureit, run it.
- Dr.Web Cureit is successful here is the log:

DRWEB:
hjgruixuhkmppj.sys;c:\windows\system32\drivers;BackDoor.Tdss.266;Deleted.;
Dc13.exe;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004;Trojan.Cognac;Deleted.;
Dc15.exe\wiawow32.sys;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004\Dc15.exe;Trojan.Click.26455;;
Dc15.exe;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004;Archive contains infected objects;Moved.;
Dc24.tmp;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004;Trojan.Alupko.origin;Incurable.Moved.;
Dc25.tmp;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004;Trojan.Alupko.origin;Incurable.Moved.;
Dc28.tmp;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004;Trojan.Alupko.origin;Incurable.Moved.;
Dc31;C:\RECYCLER\S-1-5-21-439199626-951796526-1614765859-1004;Trojan.PWS.Wow.1368;Deleted.;
hjgruidomyyuoc.dll;C:\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;
UACmojbgwobiqojcoo.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACvtfconmayqhwcvl.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
wiawow32.sys;C:\WINDOWS\system32;Trojan.Click.26455;Incurable.Moved.;
hjgruixuhkmppj.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.266;Deleted.;
hjgruirxnixgqxcr.tmp;C:\WINDOWS\Temp;BackDoor.Tdss.265;Deleted.;
_______________________________________________________________
FOLLOW TOPIC (cont'): http://www.bleepingcomputer.com/forums/topic239401.html
- Restart in Safe Mode
- Install MBAM but had to rename the exe to do it.
- Rename the malwarebytes program file to "winlogon.exe" in the Program Files directory.
- Runs only in Safe Mode.
- Run Quick Scan (can post results if needed)
- reboot to Safe Mode
- Run the Full Scan (can post results if needed)
- reboot to Safe Mode
- MBAM Full Scan results, second Full Scan:

Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 5.1.2600 Service Pack 3

7/7/2009 5:15:36 AM
mbam-log-2009-07-07 (05-15-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 135689
Time elapsed: 16 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
_______________________________________________________________
FOLLOW TOPIC (cont'): http://www.bleepingcomputer.com/forums/topic239401.html
- Download AFT Cleaner and SUPERAntiSypware
- In Safe Mode, run ATF-Cleaner. Successful
- In Safe Mode, try to install SUPERAntiSypware, Windows Explorer crashes, no start
- Reboot into Safe Mode, run MBAM Full Scan (results same as before - 2 infections).
- Reboot into Safe Mode
- Run AFT-Cleaner again
- SuperAntiSypware will not install
- Download alternate to SUPERAntiSypware called SAS_FREE.exe from website
- http://www.superantispyware.com/supportfaq...lay.html?faq=71
- Installs fine
- Start/Programs/SUPERAntiSpyware/ click SUPERAntiSpyware Free Edition - Program Crashes
- Start/Programs/SUPERAntiSpyware/ click SUPERAntiSpyware Alternate Start - Loads Successfully
- SUPERAntiSpyware Complete Scan results:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2009 at 10:30 PM

Application Version : 4.26.1006

Core Rules Database Version : 3975
Trace Rules Database Version: 1915

Scan type : Complete Scan
Total Scan Time : 00:43:39

Memory items scanned : 407
Memory threats detected : 0
Registry items scanned : 4429
Registry threats detected : 0
File items scanned : 49907
File threats detected : 0
_______________________________________________________________
FOLLOW TOPIC (cont'): http://www.bleepingcomputer.com/forums/topic239401.html
- Will try to run SUPERAntiSpyware and MBAM in FULL MODE for first time.
- Reboot into Full Mode
- Run SUPERAntiSpyware
- Same results as before - no threats (can post results if needed)
- Run MBAM Quick Scan:

Malwarebytes' Anti-Malware 1.38
Database version: 2387
Windows 5.1.2600 Service Pack 3

7/7/2009 10:54:32 PM
mbam-log-2009-07-07 (22-54-27).txt

Scan type: Quick Scan
Objects scanned: 88445
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
_______________________________________________________________
FOLLOW TOPIC: http://www.bleepingcomputer.com/forums/topic235301.html
- Topic is similar to the previous topic, but suggests the next two steps using RootRepeal.zip and SDFix

_______________________________________________________________
FOLLOW TOPIC: http://www.bleepingcomputer.com/forums/topic239348.html
- Root Repeal process start:

Root Repeal: FILES Scan

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/07 23:37
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\UACe134.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACe835.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf012.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf47d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf871.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACaoejdhaskipxurq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAChypksjbsrficeiv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmojbgwobiqojcoo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpppwbwmltywyute.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrjkwpjkaqrqoeyc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACydehlkelivxxwuy.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACxujduirjlqgkvxf.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcv0.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcv1.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcv2.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcvl.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\gullic\Local Settings\Temp\UAC60c9.tmp
Status: Invisible to the Windows API!

_______________________________________________________________
CURRENT STATUS:
So far my computer is working fine. Two notes:
- SUPERAntiSpyware needs to be started in the alternate method (as mentioned above)
- SPYBOT Search & Destroy (installed right after the crash) will not launch in both Full and Safe modes

That's as far as I'm willing to go, and hopefully I didn't proceed too far without any of BC's guidance. Thanks again BC.

sincerely,
mark

First off, the reason that you keep having to rerun Malwarebytes and the same things are showing up is you are not selecting to remove them. Please rescan, then make sure this time to remove the threats.

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\UACaoejdhaskipxurq.dll
C:\WINDOWS\system32\UACmojbgwobiqojcoo.dll
C:\WINDOWS\system32\UACpppwbwmltywyute.dll

C:\WINDOWS\system32\UACrjkwpjkaqrqoeyc.dll
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\UACydehlkelivxxwuy.db

C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\drivers\UACxujduirjlqgkvxf.sys
C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcv0.dll

C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcv1.dll
C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcv2.dll
C:\Documents and Settings\gullic\DoctorWeb\Quarantine\UACvtfconmayqhwcvl.dll

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Hey Computer Pro,

Thanks for the reply. i could have sworn Malwarebytes was saying "Quarantined and deleted successfully" and "Delete on reboot" for those two files right after I did a File scan. so i double checked and what i found out was that if I immediately save the log file to the desktop, it says as i posted: "No action taken". But the log file under the "log" tab in Malwarebytes does indeed say "Quarantined and deleted successfully" and "Delete on reboot". Thanks for the catch - i have been posting the wrong log file.

Now performing Boopme's advice, RootRepeal and MBAM.......

thanks again, brilliant site!

Hi Boopme,

Thanks for the help.

- Reran Rootrepeal
- *wipe file* performed on your highlighted files
- Reboot
- MBAM update
- MBAM Quick Scan
- removed selected
- Reboot
- below is the logfile:

Malwarebytes' Anti-Malware 1.38
Database version: 2394
Windows 5.1.2600 Service Pack 3

7/8/2009 10:54:22 AM
mbam-log-2009-07-08 (10-54-22).txt

Scan type: Quick Scan
Objects scanned: 89351
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACaoejdhaskipxurq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmojbgwobiqojcoo.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACpppwbwmltywyute.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrjkwpjkaqrqoeyc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACxujduirjlqgkvxf.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Ok,good...Let's run these next and we could be done.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

Thanks Boopme,

- completed ATF Cleaner
- completed SUPERAntiSpyware
- btw, SUPERAntiSpyware Regular download now works - previously had to use the "Alternate Start" version
- post:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/08/2009 at 01:32 PM

Application Version : 4.26.1006

Core Rules Database Version : 3979
Trace Rules Database Version: 1919

Scan type : Complete Scan
Total Scan Time : 00:37:23

Memory items scanned : 240
Memory threats detected : 0
Registry items scanned : 4432
Registry threats detected : 0
File items scanned : 49497
File threats detected : 0

Hi Boopme,

Thank you for your help, everything seems back to normal so far. no issues with speed or launching programs. I re-ran RootRepeal and MBAM, all clean!

Again thank you and BleepingComputer for your support.

sincerely,
mark

You're welcome Mark..
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Go to Start > Run and type: Cleanmgr
  
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
  
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  
• Click Yes, then click Ok.
  
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
  
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Boopme, sincerely, thanks for the advice! you and your team are invaluable.

skol
mark

You're most welcome and thanks for the kind words, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:

Thanks again Boopme, i've started going thru quietman7's instructions.

can't say enough thanks!

mark