floydo Posted March 5, 2010 ID:210157 Share Posted March 5, 2010 In spite of McAfee current antivirus signatures ( and indicating it stopped a virus) the subject variants are popping up. I havent gone thru the combo tool yet, but these are the steps taken on the infected Windows XP computer that has Malwarebytes loaded and current as of yesterday (but will not currently run).Booting into safe mode task manager shows whenever a program (malwarebytes, etc) is attempted to be run (other than for instance windows explorer) msascuai.exe runs. Searching for this, it is found in docs settings\locals\applicdata and there is a prefetch file msascui.exe-099fd6d4.pf also. Renaming the extensions on these disables the popups, but no programs run and windows explorer shows directories, but no files. Renaming msascui back to .exe continues the popups if the process isnt ended immediatly in task manager. But then programs such a mbam.exe will not run.Renaming mbam.exe to winlogin.exe gives the same result when trying to execute.Downloaded rootrepeal.zip on another computer from malwarebytes forum link and copied rootrepeal.exe to desktop of infected computer via cd (based on mbam wont run TDL2 instructions). Safe mode startup - rootrepeal executes and is resident after stopping msacui.exe via task manager!Scan files with rootrepeal and nothing found B).Started firefox to try Kaspersky on line scan and Internetsecurity2010 pops up.Not sure what might be a next step and hoping for some guidance. This is a very nasty malware....I do have a clone of the hard drive from 4 months back and could load it as a secondary, but do not want to risk tranfering the infection.Comments?Thanks.F Link to post Share on other sites More sharing options...
floydo Posted March 5, 2010 Author ID:210195 Share Posted March 5, 2010 In addition to the information above, was able to run Hijack This ver2.02, but cannot burn the log to a cd (no cd in drive error) with windows cd burner, and other programs such as nero do not run...Thx Link to post Share on other sites More sharing options...
floydo Posted March 5, 2010 Author ID:210221 Share Posted March 5, 2010 In addition to the information above, was able to run Hijack This ver2.02, but cannot burn the log to a cd (no cd in drive error) with windows cd burner, and other programs such as nero do not run...ThxI booted up (not in safe mode since that was the problem with not being able to burn above) and with the virus mscuai.exe showing in task manager, was able to capture and transfer the HyjackThis log. Here is the log, although it does not show the mscuai running that I can see. I also have logs from in safe mode with and without the process showing as running in task manager.Hope this helps as I am stumped for whats next at this point. Apologies for the multiple posts, but I couldn't see an edit option for an existing post.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:56:40 PM, on 3/5/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16981)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\ISS\Proventia Desktop\blackd.exeC:\WINDOWS\Explorer.EXEC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\mcshield.exeC:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\ISS\Proventia Desktop\RapApp.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\ISS\Proventia Desktop\vpatch.exeC:\WINDOWS\system32\taskmgr.exeC:\Program Files\McAfee\Common Framework\UdaterUI.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\Caere\OmniPagePro80\opware32.exeC:\Program Files\ISS\Proventia Desktop\blackice.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ntvdm.exeC:\Program Files\McAfee\Common Framework\McTray.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exeC:\Documents and Settings\Administrator\Desktop\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startupO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exeO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXEO4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONEO4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKeyO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO4 - Global Startup: Proventia Desktop Agent.lnk = ?O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0...inAxControl.CABO16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128279942546O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exeO23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exeO23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exeO23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exeO23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe--End of file - 6727 bytes Link to post Share on other sites More sharing options...
dennydm Posted March 5, 2010 ID:210230 Share Posted March 5, 2010 I have hopefully just removed InternetSecurity 2010. I used system restore to go back a couple of days. MalwareBytes was then allowed to run, was updated and apparently removed the infection. Link to post Share on other sites More sharing options...
floydo Posted March 6, 2010 Author ID:210242 Share Posted March 6, 2010 I have hopefully just removed InternetSecurity 2010. I used system restore to go back a couple of days. MalwareBytes was then allowed to run, was updated and apparently removed the infection.One of my early steps was to turn off system restore, as some viruses "hide" there, so this is not an option for me. Hope it works for you. I'm hoping the hijack log reveals a clue to a knowledgeable person.ThxF Link to post Share on other sites More sharing options...
floydo Posted March 6, 2010 Author ID:210534 Share Posted March 6, 2010 It appears that a self help solution solved the problem and purged the maleware!The process used came from bleepingcomputer.com/virus-removal/remove-maleware-defense core advice (step 7 and on)Boot up normal mode, maleware runningcopied rkill and randomly named mbam.exe to desktopran rkill - log shownThis log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish. Ran as Administrator on 03/06/2010 at 8:44:57. Processes terminated by Rkill or while it was running: C:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Caere\OmniPagePro80\opware32.exeC:\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exeC:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXEC:\Documents and Settings\Administrator\Desktop\iExplore.exeRkill completed on 03/06/2010 at 8:45:17.virus stoppedcopied renamed mbam.exe to malewarebytes program folderran renamed mbam.exemalwarebytes ranudated malwarebytesranlog is shownMalwarebytes' Anti-Malware 1.44Database version: 3829Windows 5.1.2600 Service Pack 3Internet Explorer 7.0.5730.113/6/2010 10:17:17 AMmbam-log-2010-03-06 (10-16-53)afterkillroot.txtScan type: Full Scan (C:\|)Objects scanned: 212362Time elapsed: 1 hour(s), 12 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 4Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Administrator\Local Settings\Application Data\MSASCui.exe (Trojan.FakeAlert) -> No action taken.C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RUEEENLI\z002106201r0409Rf6bd6fd1Xf1b01a92Yba209036Z0100f07030dP000201080[1] (Trojan.FakeAlert) -> No action taken.Virus entries were cleaned.Rebooted appears normal!!!!Rescanning with Mbytes and Antivirus program and kysperski online scan, but expect them to come up as OK.Thanks to this and other help forums!! F Link to post Share on other sites More sharing options...
Staff screen317 Posted March 17, 2010 Staff ID:215747 Share Posted March 17, 2010 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts