
Vista Antispyware 2010 returns after removal with MBAM



My daughter's laptop. Vista Home Premium. She is using it with admin rights, but is not normally a high risk user.

She showed me the pop-up for Vista Antispy. I showed her how to stop the process via Ctrl/Alt/Del.

I downloaded MBAM and it appeared to remove the rogue and av files. About three days later, she got the popups again. So I bought and registered MBAM, ran, removed again, and enabled the Protection Module. I tried to run a full scan, and the full scans do fail - I have been unable to complete a full scan.

Another 3 days, and she "says" she has not used the system on the Internet at all, but antispy is back. I ran MBAM again, and found that the Protection Module was turned off. I turned Enabled Protection and removed antispy with a quickscan. Upon reboot my Norton Antivirus blocked installation of downloader trojan. I then let Norton delete downloader. I opened MBAM again, and found Protection Module was turned off again.

I have used defogger and DDS, and have run GMER as suggested elsewhere in this forum. I include as follows:

1. the log of my last run of MBAM that said it "removed" antispy

2. my hijackthis log

3. my GMER log

4. my attach and dds log

I have no illusions that my system is clean, so all suggestions are appreciated.

============================================

dirty MBAM log

Malwarebytes' Anti-Malware 1.44

Database version: 3807

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

3/4/2010 9:17:07 PM

mbam-log-2010-03-04 (21-17-07).txt

Scan type: Quick Scan

Objects scanned: 106857

Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 6

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

C:\Users\Heimerl\AppData\Local\av.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnfo32 (Trojan.Inject) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_shell (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uishf9wuifwuh387fh3wufinhjfdwefe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-3604952309-0607771783-554017545-7923\msimfo32.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Heimerl\AppData\Local\Temp\msnfo32.exe (Trojan.Inject) -> Quarantined and deleted successfully.

C:\Users\Heimerl\nah_ojbb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-3604952309-0607771783-554017545-7923\msimfo32.exe (Trojan.Inject) -> Delete on reboot.

C:\Windows\Temp\clk1005.nls (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\Users\Heimerl\AppData\Local\Temp\lwue.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\Heimerl\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

C:\Users\Heimerl\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.

C:\Users\Heimerl\AppData\Local\Temp\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\Heimerl\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

===================================================

HIJACKTHIS log

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 12:28:33 AM, on 3/5/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Boot mode: Normal

Running processes:

C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe

C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe

C:\Windows\system32\taskeng.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\WTablet\Wacom_TabletUser.exe

C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Windows Home Server\WHSTrayApp.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll

F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe

O1 - Hosts:

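The MBAM log above lists each detection as "item (family) -> action", and hijacked values also carry "Bad: (...) Good: (...)". As an added example (not from this thread and not Malwarebytes' code), a small Python parser that pulls those fields out and flags the entries a helper would want to re-check first: rewritten system values, autostart locations, files hidden in Temp or RECYCLER, and deletions deferred to reboot. The sample lines are constructed from the log above with the user name replaced by USER and a shortened SID.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: detection lines in the format MBAM 1.x writes, taken
# from the log in this thread with the user name replaced by USER.
SAMPLE_LOG = r"""
C:\Users\USER\AppData\Local\av.exe (Rogue.MultipleAV) -> Unloaded process successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnfo32 (Trojan.Inject) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-0-0-0-1\msimfo32.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0-0-0-1\msimfo32.exe (Trojan.Inject) -> Delete on reboot.
(No malicious items detected)
"""

# "<item> (<family>) -> <rest>"; <rest> may be "Bad: (..) Good: (..) -> <action>".
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")

@dataclass
class Finding:
    item: str
    family: str
    action: str
    bad: str = ""
    good: str = ""
    flags: list = field(default_factory=list)

def parse_mbam(text):
    """Parse detection lines; section headers and '(No malicious items detected)' are skipped."""
    findings = []
    for line in text.strip().splitlines():
        m = DETECTION.match(line)
        if not m:
            continue
        f = Finding(m["item"], m["family"], m["rest"].rsplit(" -> ", 1)[-1])
        bg = BAD_GOOD.search(m["rest"])
        if bg:  # a system value was rewritten, e.g. the .exe association or Winlogon Shell
            f.bad, f.good = bg["bad"], bg["good"]
            f.flags.append("value-hijack")
        where = (f.item + " " + f.bad).upper()
        if "\\CURRENTVERSION\\RUN\\" in where or "\\WINLOGON\\" in where:
            f.flags.append("autostart")
        if "\\RECYCLER\\" in where or "\\TEMP\\" in where:
            f.flags.append("hidden-location")
        if "reboot" in f.action.lower():  # file was in use; confirm it is gone after restart
            f.flags.append("pending-reboot")
        findings.append(f)
    return findings
```

A "pending-reboot" item that is still present after the restart, or a "value-hijack" that comes back on the next scan, is the sign of an active dropper rather than leftovers.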

It has been 4 full days since filing my initial information, and I am updating to refresh my request for help.

Norton's virus scan did find a downloader trojan on about March 7 and says it removed it.

A subsequent malwarebytes quick scan found nothing, and a subsequent malwarebytes full scan stopped as usual with no error message, just the Windows feedback that "malwarebytes has stopped working"

any feedback is appreciated


It has been an additional 2 full days, for a total of 8 days, or 6 work days, since my initial post.

one additional note - I was initially unable to run malwarebytes because the shortcut on my desktop was calling "mbamgui.exe"

but the actual file on my drive was named "mbamgui .exe" with a space prior to the .exe

I have completed all of the steps according to

http://forums.malwarebytes.org/index.php?s...st&p=193288

BUT I have never had the "unable to run a .exe" problem


  • Staff

Hi,

I guess your thread was overlooked because you posted in your own thread all the time. The helpers always look at the threads with 0 replies, because if there are replies in there already, they assume someone is already helping them.

In your case, it looks like you are dealing with several different malware here, including a variant that replaces legitimate programs with a malicious version, which explains why you are also having problems with Malwarebytes, because I guess its components are infected.

We can try to clean this, but don't expect miracles.

Please do the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


somewhere on this forum I had seen guidance to reply to the post if I had not seen a response in 2 days

Regardless, I downloaded ComboFix to my desktop, right-clicked and ran as administrator.

Log follows:

ComboFix 10-03-15.02 - Heimerl 03/15/2010 16:34:09.1.2 - x86

Microsoft


  • Staff

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Folder::
c:\programdata\pofusido
c:\programdata\gikuyaju
c:\programdata\vipukeyu
Renv::
c:\program files\Apoint\apoint .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Logitech\Desktop Messenger\8876480\Program\backweb-8876480 .exe
c:\program files\Sony\ISB Utility\isbmgr .exe
Filelook::
c:\users\Heimerl\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\npsoe.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcl3nj0eebc"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

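The "mbamgui .exe" problem reported earlier and the Renv:: entries in the CFScript above are the same trick: the legitimate program is renamed with a space before ".exe" and a look-alike takes its name. As an added example (not from this thread, ComboFix or Malwarebytes), a Python scan that walks a directory tree, finds every "name .exe" and pairs it with the "name.exe" beside it, so the impostors can be listed before any renaming is undone; the sample tree is constructed in a temporary directory and mirrors the paths from the script.

```python
import os
import re
import tempfile
from pathlib import Path

# "name .exe": a legitimate program renamed with a space before the extension so
# that a look-alike "name.exe" runs in its place. The thread's CFScript reverses
# this with Renv:: entries; this scan finds such pairs before cleanup.
RENAMED = re.compile(r"^(?P<stem>.+?) +\.exe$", re.IGNORECASE)

def find_renamed_pairs(root):
    """Return (renamed_original, impostor) pairs; impostor is None if absent."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {n.lower(): n for n in files}  # Windows names are case-insensitive
        for name in files:
            m = RENAMED.match(name)
            if not m:
                continue
            impostor = by_lower.get(m["stem"].lower() + ".exe")
            d = Path(dirpath)
            hits.append((d / name, d / impostor if impostor else None))
    return sorted(hits, key=lambda h: str(h[0]))

def build_sample_tree():
    """Constructed layout mirroring the renamed programs listed in the thread's CFScript."""
    root = Path(tempfile.mkdtemp(prefix="renv-"))
    for rel in ("Apoint/apoint .exe", "Apoint/apoint.exe",
                "Sony/ISB Utility/isbmgr .exe", "Sony/ISB Utility/isbmgr.exe",
                "Example/helper .exe",          # renamed, but no impostor beside it (constructed)
                "Java/jre6/bin/jusched.exe"):   # ordinary name, must not be reported
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # placeholder bytes; real triage would hash and verify signatures
    return root

def report(root):
    """One line per hit, naming the file that should be treated as the impostor."""
    lines = []
    for original, impostor in find_renamed_pairs(root):
        if impostor is None:
            lines.append(f"{original}: renamed executable with no counterpart")
        else:
            lines.append(f"{impostor}: likely impostor; original kept as '{original.name}'")
    return lines

if __name__ == "__main__":
    print("\n".join(report(build_sample_tree())))
```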

  • Staff

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

I suggest reinstalling your Norton and Malwarebytes again, just to be sure, because some components may be compromised.

Then, as a final checkup..

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply and also let me know how things are now.


per your instructions

deleted viewpoint

Vista does not have a "Run" option under start, so I opened a cmd window, changed dir to desktop for the current user and ran ComboFix /Uninstall - appeared to run correctly.

uninstalled Norton and Malwarebytes, and reinstalled from original sources.

updated each

ran full Malwarebytes scan - 1 hour 45 minutes - full scan successful with no findings - previously the full scan would stop after 10-12 minutes.

ran eset online scanner

The log file you reference included this information:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

Also available on the ESET results screen was this information:

C:\Program Files\The Game Of LIFE PTS\THE GAME OF LIFE - Path to Success.exe a variant of Win32/ReflexiveArcade application cleaned by deleting - quarantined

C:\Users\Heimerl\Desktop\Documents\Documents\Ashleys docs\downloads\TheGameOfLIFEPTSSetup.exe a variant of Win32/FenomenGame application cleaned by deleting - quarantined


browsing and system use otherwise appears normal

explorer is not redirected and brings up no fake virus alerts

no fake virus alerts at boot

registry search finds no av.exe key

malwarebytes reports no blocked IP addresses

Norton firewall does not report any updates to firewall config or new services attempting any outbound connections

as of 3/16 2:00 pm central time U.S. I see no obvious signs of "contamination"


  • Staff

Hi,

Well, it looks like we are done here then :P

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Thank you much for your help.

Could this infection have happened through something as simple as my daughter clicking the X to close the fake virus warning, but the X was part of the main image, not actually part of the explorer window? I've tried to get her to use Alt-F4 to close pop-ups, but with the mouse in hand I am sure the "X" is very inviting. Without spending any real time looking, is there any obvious indication of the original problem?
