Avast WEBforum
Other => Viruses and worms => Topic started by: Zoko on June 10, 2010, 06:03:56 AM
-
Earlier today I encountered the rogue anti-virus. At one point MBAM was accessible and supposedly quarantined and removed the rogue AV, but it has just recently popped back up >.<
A website someone here linked showed that these are common symptoms of the virus found when running HijackThis:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1041
O4 - HKLM\..\Run: [<random>] %UserProfile%\local settings\application data\<random>\<random>.exe
O4 - HKCU\..\Run: [<random>] %UserProfile%\local settings\application data\<random>\<random>.exe
Sure enough, even after having run MBAM to take care of it, HijackThis still found
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1041
and
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe
I am thinking that
O4 - HKCU\..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe
and
O4 - HKLM\..\Run: [nutnumoqjp] c:\documents and settings\owner\local settings\application data\kwdlrgjh\surcigd.exe
are the other two...
Should I tell HijackThis to fix these three and/or any of the others?
I am also running MBAM again and it has found the rogue anti-virus again.
Being O4, from what I can think of, it's possible that even though MBAM got rid of the rogue AV, these are automatically reinstalling/downloading the rogue AV when I restart my PC, causing the problem to reoccur every time I restart? >.<
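The two tell-tale patterns quoted above, the R1 proxy pointing at 127.0.0.1 and the paired HKLM/HKCU O4 Run entries launching an executable from the user's local application data, can be picked out of a HijackThis log mechanically. The script below is an added example, not part of the original thread or of HijackThis; it parses constructed HijackThis-style sample lines modelled on the ones quoted, and the `LOCAL_APPDATA` markers and the `triage()` function are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed HijackThis-style sample, modelled on the entries quoted in the
# thread (the R1 local proxy and the paired HKLM/HKCU O4 entries); not a real log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:1041
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [nutnumoqjp] c:\\documents and settings\\owner\\local settings\\application data\\kwdlrgjh\\surcigd.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [nutnumoqjp] c:\\documents and settings\\owner\\local settings\\application data\\kwdlrgjh\\surcigd.exe
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer\s*=\s*(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Per-user writable locations the rogue dropped into (XP and Vista+ spellings);
# assumed markers, chosen for this example.
LOCAL_APPDATA = ("\\local settings\\application data\\", "\\appdata\\local\\")


def triage(log: str) -> Dict[str, object]:
    """Return suspicious R1 proxy values and the O4 Run entries whose target
    lives in the user's local application data, grouped by target so that an
    HKLM/HKCU pair for the same executable shows up together."""
    proxies: List[str] = []
    runs: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if m:
            value = m.group("value").strip()
            # A proxy on the loopback interface means something on this PC is
            # sitting between the browser and the network; flag it for review.
            if re.search(r"\b(127\.0\.0\.1|localhost)\b", value):
                proxies.append(value)
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().lower()
            if any(marker in cmd for marker in LOCAL_APPDATA):
                runs.setdefault(cmd, []).append(f"{m.group('hive')}:{m.group('name')}")
    return {"proxies": proxies, "runs": runs}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for value in result["proxies"]:
        print("R1 local proxy:", value)
    for target, where in result["runs"].items():
        print("O4 autorun from user appdata:", target, "->", ", ".join(where))
```

Entries such as avast! and ctfmon.exe in system or program directories are left alone; only the loopback proxy and the two nutnumoqjp entries are reported, which matches the three items the post singles out.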
-
Is this the one you have
How to remove AV Security Suite (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite
Did you update MBAM before you scanned?
-
Yes and yes.
I'm fairly clueless when it comes to this stuff.
I think MBAM is removing it, but there seems to be something left behind somewhere that is automatically causing my PC to reobtain this rogue AV somehow.
Maybe the issue is something else.
-
If you are not able to clean it using the guide, then follow this guide from Essexboy and post the MBAM and OTL logs here:
http://forum.avast.com/index.php?topic=53253.0
He will then remove this for you when he enters the forum today (late UK time).
If the log is big, see the bottom left corner: Additional Options > Attach.
-
Post in this thread or the one you linked?
-
Post here in this thread that you have started.
-
Current Results
Malwarebytes Anti-Malware found
Rogue.AVsec... - File - c:\documents and settings\Owner\local settin..
Rogue.AVsec... - Registry Value - HKEY_CURRENT_USER_SOFTWARE\Micr... Value: nutnumoqjp
(These nutnumoqjp detections seem to be the O4 entries mentioned above that HijackThis and OTL both detected.)
Rogue.AVSec... - Registry Key - HKEY_LOCAL_MACHINE\SOFTWARE\Micr... Value: nutnumoqjp
Trojan.Fraudp... - Registry Key - HKEY_CURRENT_USER\Software\avsoft
Rogue.Antivir... - Registry Key - HKEY_CURRENT_USER\Software\avsuite
Trojan.Fraudp... - Registry Key - HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
Rogue.Antivir... - Registry Key - HKEY_LOCAL_MACHINE\SOFTWARE\avsu...
_____
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4184
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
6/10/2010 12:32:06 AM
mbam-log-2010-06-10 (00-32-06).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 211612
Time elapsed: 1 hour(s), 32 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nutnumoqjp (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nutnumoqjp (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Owner\local settings\application data\kwdlrgjh\surcigd.exe (Rogue.AVSecuritySuite) -> Quarantined and deleted successfully.
Another scan with MBAM right after did not detect anything this time.
The above did not seem to be found when I rescanned with HijackThis and OTL.
The things below look very suspicious to me; is this something to worry about / should be addressed, or are they something that is being blocked? ???
O1 HOSTS File: ([2009/03/31 14:42:06 | 000,303,844 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10468 more lines...
doesn't seem right
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)
========== Files/Folders - Created Within 90 Days ==========
[2010/06/09 12:34:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh
is still under "Restore Point" and was the infected file according to MBAM.
I am also unsure if there is anything else besides what I have just mentioned that is causing problems, could potentially cause problems later on, or could cause the rogue AV to reoccur.
I've attached the OTL log to this post btw
-
Essexboy will fix this; I will send him a PM. Check back in about 12 hours.
-
Did a scan with Spybot Search & Destroy
Spybot Search & Destroy found
Fraud. Sysguard (Malware entry) SBI $1D5898D0 - HKEY_USERS\S-1-5-21-789336058-879983540-725345543-1003\Software\Microsoft...
Win32.PPopUp .adbrite.com / (Apache)
Win32.PPopUp .adbrite.com / (VSD)
Win32.PPopUp .adbrite.com / (rb)
Win32.PPopUp .adbrite.com / (srh)
Browser/Internet Explorer, so I'm sure this is what was giving me the unwanted pop-ups before MBAM removed the rogue AV.
Spybot S&D said it successfully removed/fixed them.
-
Is this the same problem as we've been discussing here?: http://forum.avast.com/index.php?topic=60621.0
If so, please keep only one thread, it's harder to follow two threads for the same problem.
Thanks!
-
Yes sorry, if the other thread can be deleted please do.
-
SUPERAntiSpyware detected the following:
Trojan.Agent/Gen-Nullo[Short]
File > D:\PROGRAM FILES\WLPQS\SIGNABILITY.EXE
Trojan.Agent/Gen-Koobface[Bonkers]
Files > D\DOCUMENTS AND SETTINGS\HIGHVELOCITY PAINTBALL\TMPHVPB\HVPB.BIN
If the above is a game, it is not a game that I installed.
Trojan.Agent/Gen-Cryptor[Egun]
Files > C:\SYSTEM VOLUME INFORMATION\_RESTORE{ECEC5774-OBE1-425F-A799-4507798FD890}\RP428\AO346366.EXE
Are these related to the rogue anti-virus, something to worry about/fix, or most likely false positives?
-
The hvpb.exe file could be a false positive. Upload it to virustotal.com and see what it says.
The file in System Restore could be the same thing, but I would suggest turning off System Restore to get rid of the file.
Signability.exe seems to be something related to Windows Vista, but it could be a hook.
-
I use XP, not Vista.
VirusTotal showed 0/41 as the result when scanning HVPB.bin.
Do you think there is any potential harm in quarantining it and the Vista-related item, or should I leave them be as false positives?
-
Hi, you saved the log as Unicode, which does not transcribe very well. I have taken out the main elements I can see. But when you re-run, could you save the log as ANSI?
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2010/06/09 12:34:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\kwdlrgjh
:Files
C:\windows\tasks\ydthjdmd.job
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer
And for Firefox there are instructions on this page (http://davidtse916.wordpress.com/2008/07/05/university-of-otago-firefoxs-proxy-auto-detection-problem-in-vista/) and you want the setting to be "No proxy".
-
Here are the attached OTL logs from the fix you suggested and a new scan.
[Edit] I also followed your steps for:
Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer