retrevo.com



On Monday, I performed a simple search for a kitchen appliance review: "foodsaver v3840 v3860". The top Google search result was for "retrevo.com", which actually took me to "mytrevo", after which I saw an odd "Updating" message appear in my taskbar, followed by a rogue antivirus app suddenly appearing over my already-running AVG window. Going back to the page caused it to reload with a Canadian Pharmacy site. (This really pisses me off, because we know companies pay Google to be rated at the top of searches, so basically retrevo paid Google to infect me.)

I suspect a Flash exploit caused it to load simply by inadvertently mousing over it, without even clicking anything, but I really can't be sure. I know I didn't click anything, though.

Here's the interesting part. I was using a Guest account (named simply "Bill") running Firefox at the time of infection, but after running MalwareBytes to clean the infection (which at the time showed 8 hits, but the log only shows 1), Firefox still works, but IE and Chrome do not (they load, but can't connect to any sites I try to access). This is only on the Guest account, however. My admin account has no problems connecting to any sites using IE or Chrome.

Here are the important parts of the log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3741
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/15/2010 11:40:04 AM
mbam-log-2010-02-15 (11-40-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223383
Time elapsed: 1 hour(s), 27 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Files Infected:
C:\Documents and Settings\Bill\Local Settings\Application Data\mcxpmw\bwinsftav.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\2C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\2D.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\30.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\uJpC.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\ktLL.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\eHfffd8b5cV0100f036002R8bf228e3102Tb48401f6Q00000000901801F002a000aJ11000601l0409Ke5aea8d230dP000001080[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\eU230d9c2eHfffd8b5cV0100f036002Rc4d61207102Tb484011dQ00000000901801F002a000aJ11000601l0409K70987d2730dP000001080[1] (Trojan.Dropper) -> Quarantined and deleted successfully.

Did MalwareBytes somehow kill IE and Chrome on the Guest account when it cleaned the infection?

My next question may be off-topic, but still related to the overall trojan/rogueAV subject. My coworker (a top-notch IT genius and MENSA member) said he just had to format 26 PCs at his home (don't ask why he has so many, because I didn't ask), because he got hit with a rogue app again, as well (unknown if it is the same one I was hit with), and he is under the impression that the latest rogues will actually rewrite MalwareBytes to download fake definition updates, making you think you are clean but actually still infected.

Is there any weight behind this? Should I reformat/reimage? If not, should I just delete the existing Guest account and create a new one to get IE and Chrome working again?


Hello ackthbbft and welcome to MalwareBytes forums.

Some comments first.

One cannot tell what your friend's infection was. It must have been an exceedingly virulent infection that got to all his network.

As to your other comments: It is not entirely out of the realm, but it is unheard of that a malware will overwrite MBAM with fakes.

I would suggest you run your antivirus and have it do a full scan and see what it finds.

Let it quarantine what it tags.

Do not delete any accounts. Your system does need more research and fixing.

And, no, MalwareBytes did not kill IE and Chrome on the Guest account. I expect the infection(s) messed some settings.

We don't work on Malware removal or diagnostics in the general forums.

Please print out, read, and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post, make sure under Options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

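Editor's note, not part of either post above: the symptom in the original question (IE and Chrome fail only under the "Bill" account while Firefox still works) is consistent with the "messed settings" the reply mentions, and the usual suspect is per-user proxy configuration. On Windows, IE and Chrome read the WinINET proxy settings stored under the logged-on user's HKCU hive, whereas Firefox keeps its own proxy settings, so a rogue that points ProxyServer at a now-removed local listener breaks exactly those two browsers for exactly that account. The batch script below is an added, read-only diagnostic for Windows XP's built-in `reg` and `findstr` tools; it assumes (without the thread confirming it) that proxy settings are the cause, and it changes nothing. Run it from a command prompt while logged on as the affected user.

```batch
@echo off
rem Added diagnostic (not from the thread). ASSUMPTION: the broken "settings"
rem are the per-user WinINET proxy values that IE and Chrome share and
rem Firefox does not. Run this logged on as the affected account ("Bill").
setlocal
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

echo === Per-user WinINET proxy settings for %USERNAME% ===
rem ProxyEnable 0x1 plus a ProxyServer such as 127.0.0.1:<port> that nothing
rem listens on any more is the classic post-cleanup "cannot connect" cause.
reg query "%KEY%" /v ProxyEnable   2>nul
reg query "%KEY%" /v ProxyServer   2>nul
reg query "%KEY%" /v ProxyOverride 2>nul
reg query "%KEY%" /v AutoConfigURL 2>nul

echo === Machine-wide hosts file (would affect every browser and account) ===
rem Print only non-comment lines; anything beyond "127.0.0.1 localhost"
rem deserves a look, but this file is shared, so it does not by itself
rem explain a single-account problem.
findstr /v /r "^#" "%SystemRoot%\system32\drivers\etc\hosts"

rem Remediation is deliberately left commented out: the reply above sends
rem the poster to the malware-removal forum, and a helper there should see
rem this output before anything is changed. If they confirm a stale proxy,
rem the fix is the single line below (current user only):
rem reg add "%KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f
endlocal
```

Compare the output against the same commands run from the working admin account; a ProxyServer value that exists only under "Bill" is the tell. Because these values live in the user's own hive, deleting and recreating the account would also make them go away, which is why that "fix" appears to work, but it discards evidence the helpers may want, so heed the reply's advice not to do it.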
