jojomesozoic Posted June 5, 2012 ID:557792

This is going to be a mouthful, so a million thank-yous beforehand.

I'm working on a shared computer in my office. I come in after several days off to find that the computer has a fake antivirus program. I don't know who downloaded it or from where. I run Malwarebytes Anti-Malware and SUPERAntiSpyware as my protection programs. I was unable to update due to the fake antivirus, so I restarted in safe mode and ran some scans there. I ran a scan with both Malwarebytes and SUPERAntiSpyware and this is what I found (Note to readers: The logs say "No Action Taken" because I saved the logfile before I quarantined and removed the malware with the above-mentioned programs).

SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/29/2012 at 03:14 PM

Application Version : 5.0.1148

Core Rules Database Version : 8601
Trace Rules Database Version: 6413

Scan type : Complete Scan
Total Scan Time : 00:25:36

Operating System Information
Windows 7 Professional 32-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 342
Memory threats detected : 0
Registry items scanned : 42788
Registry threats detected : 1
File items scanned : 31213
File threats detected : 17

Adware.Tracking Cookie
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@advertising[2].txt [ Cookie:brent@advertising.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@atdmt[1].txt [ Cookie:brent@atdmt.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@pointroll[2].txt [ Cookie:brent@pointroll.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@ru4[2].txt [ Cookie:brent@ru4.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@adbrite[2].txt [ Cookie:brent@adbrite.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@c.atdmt[2].txt [ Cookie:brent@c.atdmt.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@lucidmedia[1].txt [ Cookie:brent@lucidmedia.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@yieldmanager[1].txt [ Cookie:brent@yieldmanager.net/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@serving-sys[2].txt [ Cookie:brent@serving-sys.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@kanoodle[2].txt [ Cookie:brent@kanoodle.com/ ]
 C:\USERS\BRENT\AppData\Roaming\Microsoft\Windows\Cookies\Low\brent@legolas-media[2].txt [ Cookie:brent@legolas-media.com/ ]
 ds.serving-sys.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
 socialstreamingplayer.crystalmedianetworks.com [ C:\USERS\BRENT\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\N59VDAZK ]
 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\SYSTEM@S3.TRAFFICNO[2].TXT [ /S3.TRAFFICNO ]

Trojan.Agent/Gen-FakeAlert[Local]
 C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
 C:\$RECYCLE.BIN\S-1-5-21-1557514261-2431698323-2000263041-1000\$RM1A0AX.LNK
 [B7E8586B000083BB67CF2E1FA6014588] C:\PROGRAMDATA\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.EXE
 C:\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SMART FORTRESS 2012\SMART FORTRESS 2012.LNK

Malwarebytes log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.07

Windows 7 x86 NTFS (Safe Mode)
Internet Explorer 8.0.7600.16385
User :: QUERCUSCRUSADER [administrator]

5/29/2012 3:28:07 PM
mbam-log-2012-05-29 (15-54-52).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 364709
Time elapsed: 26 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken.
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\User\AppData\Local\uzsqvv.exe (Trojan.Agent) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\80000000.@ (Trojan.Sirefef) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken.

(end)

After doing this in safe mode, I restarted the computer, updated both programs to the current versions, and restarted again in safe mode and scanned again. Only Malwarebytes found infected files this time. Scan log follows (Note to readers: Again, the logs say "No Action Taken" because I saved the logfile before I quarantined and removed the malware with the above-mentioned programs).

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.15.06

Windows 7 x86 NTFS (Safe Mode)
Internet Explorer 8.0.7600.16385
User :: QUERCUSCRUSADER [administrator]

5/29/2012 2:49:26 PM
mbam-log-2012-05-29 (15-16-54).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 361863
Time elapsed: 26 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> No action taken.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MdRandomGeneratorCtrl (Trojan.Agent.SZ) -> Data: "C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe" /w -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B7E8586B000083BB67CF2E1FA6014588 (Trojan.LameShield) -> Data: C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\User\AppData\Local\Temp\audiicpl.dll (IPH.Trojan.Agent.CPN) -> No action taken.
C:\Users\User\AppData\Local\MdRandomGeneratorCtrl\MdRandomGeneratorCtrl.exe (Trojan.Agent.SZ) -> No action taken.
C:\ProgramData\B7E8586B000083BB67CF2E1FA6014588\B7E8586B000083BB67CF2E1FA6014588.exe (Trojan.LameShield) -> No action taken.
C:\Users\User\AppData\Local\Temp\~!#6BC0.tmp (Trojan.Agent.SZ) -> No action taken.
C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n (Trojan.Dropper.PE4) -> No action taken.

(end)

I restarted in safe mode, scanned a third time and found nothing. I wasn't convinced it was gone, however, and decided to try one more scan. I restarted regularly this time and scanned a third time to try and catch anything that might only be visible to the program after a normal startup.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.02.05

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
User :: QUERCUSCRUSADER [administrator]

6/2/2012 10:24:55 AM
mbam-log-2012-06-02 (10-24-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 369234
Time elapsed: 32 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\User\AppData\Local\Temp\qeupd.dll (Trojan.Agent) -> Delete on reboot.

(end)

I scanned several times after, both in safe mode as well as after a normal startup, and found nothing. I kept an eye on the machine for several days, updating and scanning whenever I could. Today is about 5 days later; I even scanned this morning and didn't find any problems.

This is where things get . . . weird . . .

I noticed while trying to work that a Microsoft Word file wouldn't open. There was no error message; the mouse would show the Windows loading wheel for about one full second and then . . . nothing. Even after a restart, no joy. I tried Excel and PowerPoint as well. Same thing. Then I tried to open a new, blank document. Same thing. At this point, I'm confused, so I go into Program Files and find . . . nothing (see attached "Office Clip 1-3").

By now, I'm sure it has something to do with the virus. So I download and install HijackThis, run the scan, and copy the log into two different online analyzers. Neither of these came up with anything that could be dangerous (to my limited knowledge and experience). The log follows.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:57:47 AM, on 6/5/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup
O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [WordWeb] "C:\Program Files\WordWeb\wweb32.exe" -startup (User '?')
O4 - HKUS\S-1-5-21-1557514261-2431698323-2000263041-1000\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize (User '?')
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: ArcGIS License Manager - Acresso Software Inc. - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 5523 bytes

I know that some viruses begin with a startup file, so here is also a log of my startup files copied out of CCleaner.

Yes HKCU:Run nemsv rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
Yes HKCU:Run WordWeb "C:\Program Files\WordWeb\wweb32.exe" -startup
Yes HKLM:Run Adobe ARM "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Yes HKLM:Run HotKeysCmds C:\Windows\system32\hkcmd.exe
Yes HKLM:Run IgfxTray C:\Windows\system32\igfxtray.exe
Yes HKLM:Run IntelliPoint "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Yes HKLM:Run itype "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
Yes HKLM:Run Malwarebytes Anti-Malware (reboot) "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
Yes HKLM:Run Persistence C:\Windows\system32\igfxpers.exe
Yes HKLM:Run RtHDVCpl C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
Yes HKLM:Run Sophos AutoUpdate Monitor C:\Program Files\Sophos\AutoUpdate\almon.exe
Yes HKLM:Run SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

So, this is the gist of it. I have no clue what to do here; I don't even know what's wrong. I would just reload MS Office, but I have a code key without a disk (for activating computers preloaded with MS Office) and I think you guys can help me better than having to jump through hoops to have Microsoft send me a CD with Office on it.

If I'm missing any information that is relevant, please let me know and I'll update as soon as possible.
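Three persistence patterns recur across the logs in the post above: a CLSID InprocServer32 value redirected away from the System32 DLL it should name (the two Trojan.Zaccess items), a Run entry that uses rundll32 to load a randomly named DLL from the user's Temp folder under a plausible-looking export name (ipcofmon, qeupd, and the nemsv entry still present in the HijackThis log), and the Windows\Installer\{GUID}\U\*.@ module store. The script below is an added example written for this page, not code from the poster or from Malwarebytes; it scans Malwarebytes and HijackThis style log lines for those three patterns. The sample lines are copied in shape from the logs above plus one constructed benign rundll32 entry (example.dll, ExampleEntry, which appear nowhere on the page) as a control; the path heuristics, rule names and the use of the L folder alongside U are this example's own assumptions.

```python
"""Flag three persistence patterns in Malwarebytes / HijackThis style log lines.

Added example for this thread; not the poster's or Malwarebytes' own code.
The rule names and path heuristics are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the logs posted above, plus one
# benign rundll32 entry (example.dll / ExampleEntry) invented as a control.
SAMPLE_LOG = r"""
HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Users\User\AppData\Local\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> No action taken.
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ipcofmon (IPH.Trojan.Agent.CPN) -> Data: rundll32 "C:\Users\User\AppData\Local\Temp\audiicpl.dll",CreateProcessNotify -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|qeupd (Trojan.Agent) -> Data: rundll32.exe "C:\Users\User\AppData\Local\Temp\qeupd.dll",SteamAPI_GetSteamInstallPath -> Quarantined and deleted successfully.
O4 - HKCU\..\Run: [nemsv] rundll32.exe "C:\Users\User\AppData\Local\Temp\nemsv.dll",RectPatchSize
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [ExampleBenign] rundll32.exe C:\Windows\system32\example.dll,ExampleEntry
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\00000001.@ (Trojan.Small) -> No action taken.
C:\Windows\Installer\{4d4830d5-5942-7a78-b692-ddf374d48a2e}\U\800000cb.@ (Rootkit.0Access) -> No action taken.
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Malwarebytes "Registry Data Items" line: a COM in-proc server redirected.
CLSID_RE = re.compile(
    r"HKCR\\CLSID\\(?P<clsid>" + GUID + r")\\InprocServer32\|?.*?"
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)",
    re.IGNORECASE,
)
# Any autostart-style line that runs rundll32 on a DLL with an export name.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)
# ZeroAccess/Sirefef module store: Windows\Installer\{GUID}\U\xxxxxxxx.@
# (U is what the logs above show; the L folder is an assumption for the family).
ZA_STORE_RE = re.compile(
    r"\\Windows\\Installer\\" + GUID + r"\\[UL]\\[0-9A-Fa-f]{8}\.@",
    re.IGNORECASE,
)
# Locations where a legitimate "Good:" in-proc server value lives.
SYSTEM_PREFIXES = (
    "%systemroot%\\system32\\", "c:\\windows\\system32\\",
    "%systemroot%\\syswow64\\", "c:\\windows\\syswow64\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str
    detail: str


def is_system_dll_path(path: str) -> bool:
    """True if the path points into System32/SysWOW64 (case-insensitive)."""
    return path.strip().lower().startswith(SYSTEM_PREFIXES)


def scan_log(text: str) -> list[Finding]:
    """Run the three pattern checks over every non-empty line of a log."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = CLSID_RE.search(line)
        if m and not is_system_dll_path(m.group("bad")):
            findings.append(Finding(
                "clsid_inprocserver32_hijack", m.group("clsid"),
                f"InprocServer32 -> {m.group('bad')} (expected {m.group('good')})"))
        m = RUNDLL_RE.search(line)
        if m and "\\temp\\" in m.group("dll").lower():
            findings.append(Finding(
                "rundll32_temp_dll_autostart", m.group("dll"),
                f"export {m.group('export')} loaded from a user-writable Temp folder"))
        m = ZA_STORE_RE.search(line)
        if m:
            findings.append(Finding(
                "zeroaccess_installer_store", m.group(0),
                "module file under Windows\\Installer\\{GUID}\\U"))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings as rule -> number of hits."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.evidence}: {f.detail}")
```

Run over the HijackThis log posted the same day, the rundll32 rule fires on the nemsv O4 entry, which loads a DLL from AppData\Local\Temp under the export name RectPatchSize; the earlier Run values used CreateProcessNotify and SteamAPI_GetSteamInstallPath the same way. The export name is cosmetic; the location and the regenerating, randomly named DLL are the tell, and a fresh one appearing after each cleanup means the component writing it was never removed. The CLSID rule compares the logged Bad: path against the System32 locations rather than hard-coding the two GUIDs, so it also catches other redirected in-proc servers.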
AdvancedSetup (Root Admin) Posted June 5, 2012 ID:557803

Hello and welcome to Malwarebytes

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:
Option 1 —— Free Expert advice in the Malware Removal Forum
Option 2 —— Paying customer -- Contact Support via email
Option 3 —— Premium, Fee-Based Support

OPTION 1
As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware-related problems or infections you may have.
Please read and follow the directions here, skipping any steps you are unable to complete.
After posting your new post, make sure under options you select Follow this topic and choose Instantly, so that you're alerted when someone has replied to your post.
NOTE: Please do not post back to (bump) your topic within the first 48 hours.
Replying to your own posts changes the post count and helpers are looking for topics with zero replies.
If you reply to your own post helpers may think that you're already being helped and thus overlook your post.
If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
Or
You may send a Private Message to a Moderator asking for assistance.

OPTION 2
Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3
If you would like to use our Malwarebytes Premium Consumer Services partner, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site.

Please be patient, someone will assist you as soon as possible.
jojomesozoic (Author) Posted June 5, 2012 ID:557817

Thank you very much. I was not aware that I was posting in the incorrect forum. I will copy my post there. Please feel free to delete this post.