
Infected with "Antivirus soft" but can't get rid of it


Jarv


Hi,

I seem to have a couple of machines infected with "Antivirus soft" and in the past have got rid of these using safe mode and Malwarebytes. However this one seems a bit more serious in that it is stopping most processes running in normal mode in XP (doesn't this make it a virus and not spyware??). As well as saying you have a "virus", one of the users has reported porn displaying, which I have not seen before with these fake AV vendors.

I have booted into safe mode and run Malwarebytes but it doesn't find anything. I have tried a couple of the methods listed on here, including renaming the file to firefox.exe, but without any luck.

As well as popping up with the various messages saying I am infected and need to buy the software, I can also see files associated with this "virus": under the user's \Local Settings\Application Data directory is a random(?) directory called "qnpele" and a file within it called "vnofsftav.exe".

I have enclosed the requested files and wonder if anyone could help with this further?

DDS.TXT

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL

Run by Super at 13:45:25.96 on 18/02/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.837 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Super.D620-XPIMAGE\Desktop\Defogger.exe

C:\Documents and Settings\Super.D620-XPIMAGE\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"

mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"

mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"

mRun: [storageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\facsys~1.lnk - c:\program files\facsys\facsys desktop client\facsys.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab

DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - c:\windows\temp\f5tmp\urxvpn.cab

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - c:\windows\temp\f5tmp\f5tunsrv.cab

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - c:\windows\temp\f5tmp\InstallerControl.cab

DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153831188840

DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - c:\windows\temp\f5tmp\urTermProxy.cab

DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://C:/Program Files/F5 VPN/F5_TMP/msrdp.cab

DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://C:/Program Files/F5 VPN/F5_TMP/vdeskctrl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://C:/Program Files/F5 VPN/F5_TMP/ur5250x.cab

DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab

DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - c:\windows\temp\f5tmp\urxshost.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - c:\windows\temp\f5tmp\urxhost.cab

DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab

Notify: igfxcui - igfxdev.dll

Hosts: 172.17.189.44 mcf-portal2 [sonoma DNS Change for HP Shared Services]

Hosts: 172.16.227.44 content.foodservice.mcain.ca

Hosts: 172.16.227.124 staging.retail.mcain.ca

Hosts: 172.16.227.44 staging.content.foodservice.mcain.ca

Hosts: 172.16.227.124 staging.foodservice.mcain.ca

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]

S2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]

S2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\system32\F5InstallerService.exe [2006-10-12 242296]

S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]

S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]

S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]

S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2006-11-22 10752]

S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-1-21 72904]

S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-1-21 34344]

S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-1-21 177672]

S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2009-3-27 33920]

=============== Created Last 30 ================

2010-02-18 12:28:29 0 ----a-w- c:\documents and settings\super.d620-xpimage\defogger_reenable

2010-02-18 10:10:13 0 d-----w- c:\docume~1\super~1.d62\applic~1\Malwarebytes

2010-02-18 10:10:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-18 10:10:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-18 10:10:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-18 10:10:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-16 18:00:01 621 ----a-w- c:\windows\system32\CcmFramework.h

2010-02-16 18:00:01 4764 ----a-w- c:\windows\system32\CcmFramework.ini

2010-02-16 17:58:24 0 d-----w- c:\windows\ms

2010-02-11 14:04:38 0 d-----w- c:\program files\Self Serve

2010-01-19 16:01:54 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-02-18 11:40:04 119171 ----a-w- c:\windows\system32\nvModes.dat

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll

2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 13:46:11.68 ===============

attach.zip


Hey Jarv,

Welcome to Malwarebytes! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules, just a few pointers that can ensure that you will get the best help from me. :P

  • To ensure that you are informed of the latest replies to your thread, you may like to right-click on Options at the top right-hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. :lol:
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff member). All staff are volunteers on here; starting multiple topics will waste the limited manpower we have here at Malwarebytes, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. :)


Hey Jarv,

I don't see much in your log, let's run some tools to see what we can find. ;)

Please follow my instructions in the order they were given, and print out a copy of them as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (McAfee VirusScan Enterprise) as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/topic114351.html

1) Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

Next reply (please include in your post):

ComboFix.txt

OTS.txt


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
