
XP ANTIVIRUS? Maybe, masquerades as many things.


  • This topic is locked
5 replies to this topic

#1 sideshowbob

sideshowbob

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:13 PM

Posted 06 May 2009 - 09:02 AM

I have an infection that is proving impossible to get rid of. It appears to be rogue anti-spyware, and exhibits all of the behaviour described elsewhere here, including constant error messages (no disk), browser re-direction, blocking tools such as system restore, safe mode etc, attempting to prevent anti-virus programmes running, dropping fake viruses with an endless variety of names and so on.

Scans always reveal a variety of infections which can be 'fixed' and one or two which require a reboot. The infection always returns after re-booting however, with an array of different names and a new set of registry keys and infected files.

I have followed all the suggestions and procedures on this site, and used Malwarebytes and Spybot (fresh installations of each) fully updated, but nothing seems to work. Any help would be very gratefully received!

DDS log below and I will attempt to attach the second file (if it lets me...)
Many thanks


DDS (Ver_09-03-16.01) - NTFSx86
Run by lb at 14:45:20.32 on 06/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.420 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\lb\Desktop\dds.scr
C:\WINDOWS\system32\taskmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=64&bd=PRESARIO&pf=desktop
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TQ566808] "E:\Setup.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
dRun: [<NO NAME>] c:\windows\temp\kuzu7.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\kuzu7.exe
dRun: [Diagnostic Manager] c:\windows\temp\1304612496.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lb\applic~1\mozilla\firefox\profiles\s2jlqgmv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.www.mozilla.com/en-US/firefox/about/
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-05 19:55 61,440 a------- c:\windows\system32\drivers\uyuljnmz.sys
2009-05-05 12:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-05 12:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-29 11:48 61,440 a------- c:\windows\system32\drivers\uqplkzz.sys
2009-04-28 21:13 61,440 a------- c:\windows\system32\drivers\qsijml.sys
2009-04-28 18:19 0 a------- c:\windows\system32\drivers\ftsata2.sys
2009-04-28 18:19 0 a------- c:\windows\system32\drivers\EagleNT.sys
2009-04-28 18:19 0 a------- c:\windows\system32\drivers\BT4501G.sys
2009-04-28 18:19 0 a------- c:\windows\system32\drivers\aiptektp.sys
2009-04-28 15:51 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-28 14:45 <DIR> --d----- c:\documents and settings\lb\.housecall6.6
2009-04-28 14:00 0 a------- c:\docume~1\lb\applic~1\wklnhst.dat
2009-04-28 12:51 <DIR> --d----- c:\docume~1\lb\applic~1\Malwarebytes
2009-04-28 12:48 <DIR> --d----- c:\docume~1\lb\applic~1\WTablet
2009-04-28 12:47 <DIR> --d----- c:\documents and settings\lb\WINDOWS
2009-04-28 12:47 <DIR> --d----- c:\documents and settings\lb
2009-04-28 09:12 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 22:24 <DIR> --d----- C:\314649ace5adc79081ee
2009-04-27 19:57 <DIR> --d----- C:\!KillBox
2009-04-27 18:09 6,853,096 a------- C:\SpyHunter-Compact-OS.exe
2009-04-27 18:09 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-16 18:31 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 18:31 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:31 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:31 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:31 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:31 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:31 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 18:30 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:30 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:30 617,472 -------- c:\windows\system32\dllcache\advapi32.dll

==================== Find3M ====================

2009-04-29 11:42 170,216 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-27 18:56 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-27 18:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-27 18:56 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-27 16:03 104,960 a------- c:\windows\system32\userinit.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-22 14:13 61,440 a------- c:\windows\system32\drivers\eoaaku.sys
2009-03-22 14:02 124,928 a------- c:\windows\system32\uengqq.dll
2009-03-22 14:02 124,928 a------- c:\windows\system32\bagahone.dll
2009-03-22 14:02 79,872 a------- c:\windows\system32\zukumuha.dll
2009-03-22 14:02 84,992 a------- c:\windows\system32\zekizuma.dll
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2007-02-21 19:24 278,528 ac------ c:\program files\common files\FDEUnInstaller.exe

============= FINISH: 14:48:13.29 ===============
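Turning the triage the helpers do by eye into a script, as an added example (not the poster's or BleepingComputer's code): it parses lines in the shape of the DDS "Pseudo HJT Report" and "Created Last 30" sections above and flags the two patterns visible in this log, autorun values launched from a temp directory and several differently named drivers sharing one exact byte size. The sample lines are copied from the posted log; the regexes and heuristics are my own assumptions about the format, not part of DDS.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log in the post,
# in the shape of its "Pseudo HJT Report" and "Created Last 30" sections.
SAMPLE_DDS = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
mRun: [PCDrProfiler]
dRun: [<NO NAME>] c:\\windows\\temp\\kuzu7.exe
dRun: [uidenhiufgsduiazghs] c:\\windows\\temp\\kuzu7.exe
dRun: [Diagnostic Manager] c:\\windows\\temp\\1304612496.exe
2009-05-05 19:55 61,440 a------- c:\\windows\\system32\\drivers\\uyuljnmz.sys
2009-04-29 11:48 61,440 a------- c:\\windows\\system32\\drivers\\uqplkzz.sys
2009-04-28 21:13 61,440 a------- c:\\windows\\system32\\drivers\\qsijml.sys
2009-04-27 18:56 325,640 a------- c:\\windows\\system32\\drivers\\avgldx86.sys
2009-04-06 15:32 38,496 a------- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
"""

# Assumed line shapes: "<hive>Run: [<value name>] <target>" and
# "<date> <time> <size> <attrs> <path>" (sizes carry thousands separators).
AUTORUN_RE = re.compile(r"^([umd]Run): \[(.*?)\]\s*(.*)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} ([\d,]+) \S+ (.*)$")


def parse_dds(text):
    """Split DDS lines into autorun entries and created-file entries."""
    autoruns, files = [], []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append({"hive": m.group(1), "name": m.group(2),
                             "target": m.group(3).strip().strip('"')})
            continue
        m = FILE_RE.match(line)
        if m:
            files.append({"date": m.group(1),
                          "size": int(m.group(2).replace(",", "")),
                          "path": m.group(3).strip()})
    return autoruns, files


def triage(text):
    """Return (reason, path) pairs for entries that deserve a closer look."""
    autoruns, files = parse_dds(text)
    findings = []
    for a in autoruns:
        target = a["target"].lower()
        if not target:
            continue  # empty value (like PCDrProfiler above): nothing to launch
        if "\\temp\\" in target:
            findings.append(("autorun from temp dir", a["target"]))
        elif a["name"] == "<NO NAME>":
            findings.append(("unnamed autorun value", a["target"]))
    # Several .sys files under \drivers\ with one exact size but different
    # random-looking names is the pattern the posted log shows (3 x 61,440).
    by_size = defaultdict(list)
    for f in files:
        p = f["path"].lower()
        if "\\drivers\\" in p and p.endswith(".sys"):
            by_size[f["size"]].append(f["path"])
    for size, paths in by_size.items():
        if len(paths) >= 2:
            findings.extend((f"driver size cluster {size} bytes", p) for p in paths)
    return findings


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_DDS):
        print(f"{reason:32} {path}")
```

Legitimate drivers such as avgldx86.sys and mbamswissarmy.sys are not flagged because they share no size with another driver; a real run would feed the whole DDS log rather than the embedded sample.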


#2 sideshowbob

sideshowbob
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:13 PM

Posted 16 May 2009 - 06:21 AM

I am about to do a full recovery to eliminate this problem.

The root cause now appears to be a variant of the win32/heur virus which is pretty much impossible to remove.

Anti-virus and spyware products such as Mbam and Spybot do not work.

The virus replicates itself across a wide range of system files, whitelining them, and always reappears after re-booting. It prevents access to internet sites such as Microsoft by (amongst other things) hijacking the 'hosts' file and placing a phoney static IP address. No matter how many times this is edited or deleted, it replaces it with yet another address.

It opens a back door and downloads additional malware whenever connected to the net, dropping fake positives as well to keep antivirus applications busy. It prevents the use of utilities such as system restore, and presents a screen of garbage when trying to boot into safe mode.

It infects removable media, and then blocks access via USB hubs or optical drives. It seems to me that a reformat and reinstall is the only way out. Thankfully the infection is on my teenage daughter's computer so there was no financial or identity information to be stolen, but she has learnt the hard way the importance of keeping backups (especially homework) and avoiding dodgy web sites!

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:13 AM

Posted 19 May 2009 - 08:02 AM

Hello sideshowbob,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 sideshowbob

sideshowbob
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:13 PM

Posted 20 May 2009 - 07:53 AM

Many thanks for your kind offer of help teacup61. As explained above, I feared that the PC was fatally compromised so have now done a full recovery operation. We did manage to save most of teenage daughter's homework, but not all of the videos she had been making...so she has learned her lesson about dodgy filesharing web sites!

Keep up the good work.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:13 AM

Posted 20 May 2009 - 08:19 AM

Thank you so much for letting me know.

Take care!
tea

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:13 AM

Posted 24 May 2009 - 04:28 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.