Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP Antivirus2009 keeps returning


  • This topic is locked This topic is locked
2 replies to this topic

#1 garen13

garen13

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 10 October 2008 - 10:57 AM

I'm having a problem with the XPAntivirus2009 malware. I have cleaned it off of the system several times, but it keep returning after a reboot. I have used Symantec Antivirus 10 with all the latest updates and definitions and it caught nothing. I have also used Ad-Aware, Malwarebytes' Anti-Malware, Spybot, McAfee Stinger, Windows Defender and tried tracing down processes with Process Explorer.

I've cleaned the system several times, even while in Safe Mode, and it comes back every reboot. See the log file from MBAM, which seems the best at cleanup. Here is the log after the last reboot:

Malwarebytes' Anti-Malware 1.28
Database version: 1248
Windows 5.2.3790 Service Pack 2

10/9/2008 4:36:11 PM
mbam-log-2008-10-09 (22-36-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 86125
Time elapsed: 33 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\btilmfpw.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\btilmfpw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhctr2j0ev4t (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpr2j0ev4t (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\btilmfpw.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINNT\system32\lphcpr2j0ev4t.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


I've used Process Explorer to trace back the obvious processes, but eventually I find the ultimate parent process that started everything has stopped and I can't find any more information about what called it. Below is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:12 AM, on 10/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WScript.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Nagios\nsclient\pNSClient.exe
C:\PROGRA~1\POWERC~1\pcns.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SurfControl E-mail Filter\Monitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\macromed\flash\GetFlash.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\SurfControl E-mail Filter\Monitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SurfControl E-mail Filter\MessageAdmin.exe
C:\AdAware\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:8090/
O1 - Hosts: 216.75.205.59 st4update.surfcontrol.com #Surfcontrol update server
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [!teamcfg] %SystemRoot%\..\dell\nicteaming\intel\nicteamconfig.bat (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Display SurfControl E-mail Icon.lnk = C:\Program Files\SurfControl E-mail Filter\Monitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119545422156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1119545517750
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://surfcontrol.webex.com/client/v_mywe...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxx.com
O17 - HKLM\Software\..\Telephony: DomainName = xxxxx.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C9E2515-B26C-4626-BC1B-85DF329C852D}: NameServer = 64.132.94.250,216.136.95.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxx.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C9E2515-B26C-4626-BC1B-85DF329C852D}: NameServer = 64.132.94.250,216.136.95.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxxxx.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C9E2515-B26C-4626-BC1B-85DF329C852D}: NameServer = 64.132.94.250,216.136.95.2
O20 - Winlogon Notify: AutorunsDisabled - C:\WINNT\
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nagios Agent (NSClient) - ClearCentral Software Inc - C:\Nagios\nsclient\pNSClient.exe
O23 - Service: PowerChute network shutdown (PowerChuteNetShut) - APC - C:\PROGRA~1\POWERC~1\pcns.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SurfControl E-mail Filter Receive (STEMRCV) - SurfControl plc - C:\Program Files\SurfControl E-mail Filter\STEMRCV.exe
O23 - Service: SurfControl E-mail Filter Rules (STEMRULES) - SurfControl plc - C:\Program Files\SurfControl E-mail Filter\STEMRULES.exe
O23 - Service: SurfControl E-mail Filter Scheduler (STEMSCHED) - SurfControl plc - C:\Program Files\SurfControl E-mail Filter\SchedService.exe
O23 - Service: SurfControl E-mail Filter Send (STEMSND) - SurfControl plc - C:\Program Files\SurfControl E-mail Filter\STEMSND.exe
O23 - Service: SurfControl E-mail Web Administrator (STEMWADM) - SurfControl plc - C:\Program Files\SurfControl E-mail Filter\STEMWADM.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8286 bytes

BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:57 AM

Posted 19 October 2008 - 12:29 PM

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, please post a new HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:57 AM

Posted 03 November 2008 - 12:57 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users